diff --git a/lib/LMSManagers/LMSCustomerManager.php b/lib/LMSManagers/LMSCustomerManager.php
index 998d6f7476..5ebeac2d50 100644
--- a/lib/LMSManagers/LMSCustomerManager.php
+++ b/lib/LMSManagers/LMSCustomerManager.php
@@ -591,10 +591,10 @@ public function customerAdd($customeradd)
 'ssn' => $customeradd['ssn'],
 'status' => $customeradd['status'],
 SYSLOG::RES_USER => Auth::GetCurrentUser(),
- 'info' => Utils::removeInsecureHtmlElements($customeradd['info']),
- 'notes' => Utils::removeInsecureHtmlElements($customeradd['notes']),
- 'message' => Utils::removeInsecureHtmlElements($customeradd['message']),
- 'documentmemo' => empty($customeradd['documentmemo']) ? null : Utils::removeInsecureHtmlElements($customeradd['documentmemo']),
+ 'info' => Utils::removeInsecureHtml($customeradd['info']),
+ 'notes' => Utils::removeInsecureHtml($customeradd['notes']),
+ 'message' => Utils::removeInsecureHtml($customeradd['message']),
+ 'documentmemo' => empty($customeradd['documentmemo']) ? null : Utils::removeInsecureHtml($customeradd['documentmemo']),
 'pin' => $customeradd['pin'],
 'regon' => $customeradd['regon'],
 'rbename' => $customeradd['rbename'],
@@ -1722,12 +1722,12 @@ public function customerUpdate($customerdata)
 'ten' => $customerdata['ten'],
 'ssn' => $customerdata['ssn'],
 SYSLOG::RES_USER => Auth::GetCurrentUser(),
- 'info' => Utils::removeInsecureHtmlElements($customerdata['info']),
- 'notes' => Utils::removeInsecureHtmlElements($customerdata['notes']),
+ 'info' => Utils::removeInsecureHtml($customerdata['info']),
+ 'notes' => Utils::removeInsecureHtml($customerdata['notes']),
 'lastname' => $customerdata['lastname'],
 'name' => $customerdata['name'],
- 'message' => Utils::removeInsecureHtmlElements($customerdata['message']),
- 'documentmemo' => empty($customerdata['documentmemo']) ? null : Utils::removeInsecureHtmlElements($customerdata['documentmemo']),
+ 'message' => Utils::removeInsecureHtml($customerdata['message']),
+ 'documentmemo' => empty($customerdata['documentmemo']) ? null : Utils::removeInsecureHtml($customerdata['documentmemo']),
 'pin' => $customerdata['pin'],
 'regon' => $customerdata['regon'],
 'ict' => $customerdata['ict'],
diff --git a/lib/Utils.php b/lib/Utils.php
index 75dcded354..5990bd230f 100644
--- a/lib/Utils.php
+++ b/lib/Utils.php
@@ -441,23 +441,26 @@ public static function determineAllowedCustomerStatus($value, $default = null)
 }
 }
- public static function removeInsecureHtmlElements($html)
+ public static function removeInsecureHtml($html)
 {
- $dom = new DOMDocument();
-
- $dom->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', "UTF-8"), LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
-
- $scripts = $dom->getElementsByTagName('script');
-
- $remove = array();
- foreach ($scripts as $item) {
- $remove[] = $item;
- }
-
- foreach ($remove as $item) {
- $item->parentNode->removeChild($item);
+ static $hm_purifier;
+ if (!isset($hm_purifier)) {
+ $hm_config = HTMLPurifier_Config::createDefault();
+ $hm_config->set('URI.AllowedSchemes', array(
+ 'http' => true,
+ 'https' => true,
+ 'mailto' => true,
+ 'ftp' => true,
+ 'nntp' => true,
+ 'news' => true,
+ 'tel' => true,
+ 'cid' => true,
+ ));
+ $hm_config->set('CSS.MaxImgLength', null);
+ $hm_config->set('HTML.MaxImgLength', null);
+ $hm_purifier = new HTMLPurifier($hm_config);
 }
- return trim($dom->saveHTML());
+ return $hm_purifier->purify($html);
 }
 }
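Review bot: The `'cid' => true` entry in the `URI.AllowedSchemes` array is most likely a no-op: HTMLPurifier keeps a URI only when its scheme is both listed there and backed by an `HTMLPurifier_URIScheme_*` class, and the bundled set (http, https, ftp, mailto, news, nntp, tel, data, file) has no `cid` handler as far as I can tell, so `cid:` references will still be stripped unless the project registers one via `HTMLPurifier_URISchemeRegistry::instance()->register('cid', ...)`; if they are not needed, drop the entry so the whitelist states what is actually permitted. Separately, with the default `Cache.DefinitionImpl` the purifier serializes its definitions under the library's own `HTMLPurifier/DefinitionCache/Serializer` directory and raises warnings when that path is not writable, so a read-only deployment should set `$hm_config->set('Cache.SerializerPath', $writableDir);` or `$hm_config->set('Cache.DefinitionImpl', null);` before constructing the purifier. `purify()` also expects a string, while the LMSCustomerManager callers pass `$customeradd['info']` and friends straight through, so a missing key yields null and, on PHP 8.1+, deprecation notices from the string functions inside the purifier; a `$html = (string) $html;` as the first statement of the method avoids that. A one-line docblock noting that the method now applies a whitelist filter (tags, attributes and URI schemes) rather than only removing `<script>` elements would help callers understand that formatting may be dropped. `removeInsecureHtml` lies fully inside this hunk.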