diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 48c315e1c18e92b913f975e9c04341d255a47ddb..77e56ce62b1c8cd032e08f32c3875f1ac2c89ea8 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -715,20 +715,32 @@ function vtlib_purify($input, $ignore=false) {
 * @return <String>
 */
 function purifyHtmlEventAttributes($value,$replaceAll = false){
- $htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|".
- "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
- "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
- "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
- "onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|".
- "onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow";
+ $htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|onresize|onauxclick|oncancel|oncanplay|oncanplaythrough|".
+ "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|onclose|oncuechange|ondurationchange|onemptied|onended|".
+ "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragexit|onformdata|onloadeddata|onloadedmetadata|".
+ "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|onmouseenter|onmouseleave|onpause|onplay|onplaying|".
+ "onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|onprogress|onratechange|onsecuritypolicyviolation|".
+ "onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow|onreadystatechange|onseeked|onslotchange|".
+ "onseeking|onstalled|onsubmit|onsuspend|ontimeupdate|ontoggle|onvolumechange|onwaiting|onwebkitanimationend|onstorage|".
+ "onwebkitanimationiteration|onwebkitanimationstart|onwebkittransitionend|onafterprint|onbeforeprint|onbeforeunload|".
+ "onhashchange|onlanguagechange|onmessage|onmessageerror|onoffline|ononline|onpagehide|onpageshow|onpopstate|onunload".
+ "onrejectionhandled|onunhandledrejection|onloadend";
 // remove malicious html attributes with its value.
 if ($replaceAll) {
- //Handled to address multiple html entity encoding for '=' character
- $regex = '\s*(=|=|&#61;|&#x26;#61;|&#61;)\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+ $regex = '\s*[=&%#]\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
 $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
+
+ /**
+ * If anchor tag having 'javascript:' string then remove the tag contents.
+ * Right now, we fixed this for anchor tag as we don't see any other such things right now.
+ * All other event attributes are already handled above. Need to update this if any thing new found
+ */
+ $javaScriptRegex = '/<a [^>]*(j[\s]?a[\s]?v[\s]?a[\s]?s[\s]?c[\s]?r[\s]?i[\s]?p[\s]?t[\s]*[=&%#:])[^>]*?>/i';
+ $value = preg_replace($javaScriptRegex,'<a>',$value);
+
 } else {
- if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*(=|=|&#61;|&#x26;#61;|&#61;)/i", $value)) {
+ if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
 $value = str_replace("=", "=", $value);
 }
 }
diff --git a/layouts/v7/modules/Vtiger/uitypes/Text.tpl b/layouts/v7/modules/Vtiger/uitypes/Text.tpl
index 1c75e18b9b443b2a74b412da06538a59608f8e06..53b1d0f055ffe7744cad12e1de8954405d0271b2 100644
--- a/layouts/v7/modules/Vtiger/uitypes/Text.tpl
+++ b/layouts/v7/modules/Vtiger/uitypes/Text.tpl
@@ -22,7 +22,8 @@
 data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}'
 {/if}
 >
- {$FIELD_MODEL->get('fieldvalue')}</textarea>
+ {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\ (?=\w)/":" "}
+ </textarea>
 {else}
 <textarea rows="5" id="{$MODULE}_editView_fieldName_{$FIELD_NAME}" class="inputElement {if $FIELD_MODEL->isNameField()}nameField{/if}" name="{$FIELD_NAME}" {if !empty($SPECIAL_VALIDATOR)}data-validator='{Zend_Json::encode($SPECIAL_VALIDATOR)}'{/if}
 {if $FIELD_INFO["mandatory"] eq true} data-rule-required="true" {/if}
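Review bot: The added line ending in `onpopstate|onunload".` has no trailing `|`, so the concatenation produces the single alternative `onunloadonrejectionhandled` and neither `onunload` nor `onrejectionhandled` is ever matched by either branch of this function; change it to `"onhashchange|onlanguagechange|onmessage|onmessageerror|onoffline|ononline|onpagehide|onpageshow|onpopstate|onunload|".` (`onsubmit` is also listed twice, harmlessly). The anchor-tag regex added below is, as its own comment admits, a denylist limited to `<a` elements and to one spelling of the scheme token, so it will need maintenance for every new pattern; a more durable fix is to pass `$replaceAll` input through the allowlist purifier this file already has (`vtlib_purify`, seen in the hunk context, is HTMLPurifier-backed in vtiger). The `else` branch's `preg_match` now accepts only a literal `=` while the `$replaceAll` branch accepts `[=&%#]`, which looks inconsistent and deserves a comment either way. The function's `return` lies outside the hunk.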
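Review bot: The textarea body on the new line is still emitted without HTML escaping; `purifyHtmlEventAttributes` only strips a denylist of event attributes, so any other markup in the stored value, including a closing textarea tag, is written into the page as-is. For a textarea body the robust defence is context escaping, e.g. `{$FIELD_MODEL->get('fieldvalue')|escape:'html'}`, rather than a sanitizer written for rendered HTML, unless the template engine is configured to escape by default, which this hunk cannot show. The same two lines recur in this file's second hunk (the `{else}` branch), where the same remark applies.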
@@ -30,6 +31,7 @@
 data-specific-rules='{ZEND_JSON::encode($FIELD_INFO["validator"])}'
 {/if}
 >
- {$FIELD_MODEL->get('fieldvalue')}</textarea>
+ {purifyHtmlEventAttributes($FIELD_MODEL->get('fieldvalue'),true)|regex_replace:"/(?!\w)\ (?=\w)/":" "}
+ </textarea>
 {/if}
 {/strip}
diff --git a/modules/Vtiger/uitypes/Text.php b/modules/Vtiger/uitypes/Text.php
index 074f19d29550e961d1ea61f30beb9c5934a6191f..054024feaf65d0df6407e816200055fbeb023bea 100644
--- a/modules/Vtiger/uitypes/Text.php
+++ b/modules/Vtiger/uitypes/Text.php
@@ -15,8 +15,15 @@ class Vtiger_Text_UIType extends Vtiger_Base_UIType {
 * @param <Object> $value
 * @return <Object>
 */
- public function getDisplayValue($value, $record=false, $recordInstance=false) {
- return nl2br($value);
+ public function getDisplayValue($value, $record=false, $recordInstance = false,$removeTags = false) {
+ //This API replaces newlines to html br tags, and spaces with 
+ // It should not replace spaces within html tags
+ $value = decode_html(preg_replace('/\r\n|\r|\n|
|&NewLine;/','<br>',$value));
+ if($removeTags){
+ $value = strip_tags($value,'<br>');
+ }
+ $value = purifyHtmlEventAttributes($value, true);
+ return $value;
 }
 /**
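Review bot: The new `$removeTags` parameter is undocumented — the `@param` block above the signature still lists only `$value` — and the in-body comment says spaces are replaced with a non-breaking space, which no line in this hunk does (if `decode_html` is what does it, say so there instead). Add `* @param <Boolean> $removeTags strip every tag except <br> before purifying` to the docblock and drop the spaces sentence, or the comment will mislead the next reader. Separately, `preg_replace` returns null on a PCRE error, and that null then flows into `decode_html` and is returned as the display value; a `?? $value` fallback or a `preg_last_error()` check keeps a bad or over-long field from silently rendering empty. Note that `purifyHtmlEventAttributes(..., true)` is a denylist, so when `$removeTags` is false the display path is only as safe as that list; the allowlist purifier (`vtlib_purify`) is the stronger choice for rendered HTML.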