Doc
eldy committed Jan 27, 2025
1 parent 9ef2a5a commit 5a42720
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion htdocs/core/lib/functions.lib.php
Expand Up @@ -2011,17 +2011,23 @@ function dol_escape_htmltag($stringtoescape, $keepb = 0, $keepn = 0, $noescapeta
$tmpold = $tmp;

if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)>/', $tmp, $reg)) {
// We want to pprotect the attribute part ... in '<xxx ...>' to avoid transformation by htmlentities() lafter
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must never have [ ] inside the attribute string
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes);
$tmpattributes = str_ireplace('href="http:', '__HREFHTTPA', $tmpattributes); // TODO Try to remove this
$tmpattributes = str_ireplace('href="https:', '__HREFHTTPSA', $tmpattributes);
$tmpattributes = str_ireplace('src="http:', '__SRCHTTPIMG', $tmpattributes);
$tmpattributes = str_ireplace('src="https:', '__SRCHTTPSIMG', $tmpattributes);
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
//$tmpattributes = preg_replace("/float:\s*(left|right)/", "", $tmpattributes); // Disabled: we must not remove content

// TODO Test the replacement by using a memory array for attributes to restore them
// TODO Test a tag like '<a href="https://mydomain.com/aaa%20bbb">abc</a>'
$tmp = preg_replace('/<'.preg_quote($tagtoreplace, '/').'\s+'.preg_quote($reg[1], '/').'>/', '__BEGINTAGTOREPLACE'.$tagtoreplace.'['.$tmpattributes.']__', $tmp);
}
// TODO This may be already in previous case ? Try to remove this.
if (preg_match('/<'.preg_quote($tagtoreplace, '/').'\s+([^>]+)\s+\/>/', $tmp, $reg)) {
// We want to protect the attribute part ... in '<xxx ... />' to avoid transformation by htmlentities() lafter
$tmpattributes = str_ireplace(array('[', ']'), '_', $reg[1]); // We must not have [ ] inside the attribute string
$tmpattributes = str_ireplace('"', '__DOUBLEQUOTE', $tmpattributes);
$tmpattributes = preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes);
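Review bot: The TODO about testing `<a href="https://mydomain.com/aaa%20bbb">abc</a>` does not say what is expected to go wrong. The character allow-list applied just above it, `preg_replace('/[^a-z0-9_\/\?\;\s=&\.\-@:\.#\+]/i', '', $tmpattributes)`, contains no `%`, so from the visible lines the percent-encoding would be stripped and the escaped link would point to a different URL. I would record that in the comment, e.g. `// TODO Test a tag like '<a href="https://mydomain.com/aaa%20bbb">abc</a>': '%' is not in the allowed character class, so the URL is altered`. The two "We want to protect the attribute part" comments (apparently touched by this commit) also carry typos, `pprotect` and `lafter`, where `protect` and `later` are meant. dol_escape_htmltag() starts and ends outside this hunk, so how the `__BEGINTAGTOREPLACE...[...]__` placeholders are restored is not visible here.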