diff --git a/build/debian/conf.php.install b/build/debian/conf.php.install
index c27d9e0985b0508092311cc60d0618fa030d034a..3fe41b98086ee96b843783d55718cf5a89b6b4e6 100644
--- a/build/debian/conf.php.install
+++ b/build/debian/conf.php.install
@@ -221,7 +221,13 @@ $dolibarr_main_prod='0';
 # $dolibarr_main_limit_users='0';
 
 # dolibarr_mailing_limit_sendbyweb
-# Can set a limit for mailing send by web, can be used for a restricted mode.
+# Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
 # Default value: 0 (use database value if exist)
 # Examples:
 # $dolibarr_mailing_limit_sendbyweb='0';
+
+# dolibarr_mailing_limit_sendbycli
+# Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+# Default value: 0 (use database value if exist)
+# Examples:
+# $dolibarr_mailing_limit_sendbycli='0';
diff --git a/htdocs/admin/system/constall.php b/htdocs/admin/system/constall.php
index 1ff005e88b23ed17d61aea3e4406d2ea853da91e..0fb3a6c9a7b18ddcff3b2b2d17f89f6c9b621ab1 100644
--- a/htdocs/admin/system/constall.php
+++ b/htdocs/admin/system/constall.php
@@ -90,7 +90,8 @@ $configfileparameters=array(
 '?dolibarr_font_DOL_DEFAULT_TTF_BOLD',
 'separator',
 '?dolibarr_mailing_limit_sendbyweb',
-'?dolibarr_strict_mode'
+'?dolibarr_mailing_limit_sendbycli',
+'?dolibarr_strict_mode'
 );
 $configfilelib=array(
 // 'separator',
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index 2fe87a02e632bc8453da490ec4c8dba15a1ea557..21b79bcd7a1683edeef5dc3be4e4f1847a076b9b 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -286,7 +286,8 @@ $configfileparameters=array(
 'separator4' => '',
 'dolibarr_main_prod' => 'Production mode (Hide all error messages)',
 '?dolibarr_mailing_limit_sendbyweb' => 'Limit nb of email sent by page',
-'?dolibarr_strict_mode' => 'Strict mode is on/off',
+'?dolibarr_mailing_limit_sendbycli' => 'Limit nb of email sent by cli',
+'?dolibarr_strict_mode' => 'Strict mode is on/off',
 '?dolibarr_pdf_force_fpdf' => 'Force fpdf usage to generate PDF'
 );
 
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 29d4fa26c18d819b6adba772e82fc894ee006a54..f43f3ecd04675a64c7120ba6cb8c5456af55448c 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -756,6 +756,7 @@ else
 $sendingmode=$conf->global->MAIN_MAIL_SENDMODE;
 if (empty($sendingmode)) $sendingmode='mail'; // If not defined, we use php mail function
 
+// Note: MAILING_LIMIT_SENDBYWEB is always defined to something != 0
 if (! empty($conf->global->MAILING_NO_USING_PHPMAIL) && $sendingmode == 'mail')
 {
 // EMailing feature may be a spam problem, so when you host several users/instance, having this option may force each user to use their own SMTP agent.
@@ -767,19 +768,21 @@ else
 if (! empty($conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS)) setEventMessages($langs->trans("MailSendSetupIs3", $conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS), null, 'warnings');
 $_GET["action"]='';
 }
-else if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+else if ($conf->global->MAILING_LIMIT_SENDBYWEB == '-1')
 {
-// Pour des raisons de securite, on ne permet pas cette fonction via l'IHM,
-// on affiche donc juste un message
+// No limit was defined, so the feature is forbidden from GUI, we show just a message.
 setEventMessages($langs->trans("MailingNeedCommand"), null, 'warnings');
 setEventMessages('<textarea cols="60" rows="'.ROWS_1.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.'</textarea>', null, 'warnings');
-setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');
+if ($conf->file->mailing_limit_sendbyweb != '-1')
+{
+setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings'); // You can send online with constant...
+}
 $_GET["action"]='';
 }
 else
 {
 $text='';
-if ($conf->file->mailing_limit_sendbyweb == 0)
+if ($conf->global->MAILING_LIMIT_SENDBYCLI >= 0)
 {
 $text.=$langs->trans("MailingNeedCommand");
 $text.='<br><textarea cols="60" rows="'.ROWS_2.'" wrap="soft">php ./scripts/emailings/mailing-send.php '.$object->id.' '.$user->login.'</textarea>';
diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example
index 83dbd300f6061865e5e1b0bd83b36610027894cf..c03e41b386c1b12631e9ec1dc241bbb733a98fa2 100644
--- a/htdocs/conf/conf.php.example
+++ b/htdocs/conf/conf.php.example
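Review bot: The new `== '-1'` branch is a display-layer guard: it queues the notices and blanks `$_GET["action"]`, so the send is only prevented if the handler further down keys off `$_GET["action"]` and not off a local `$action` already read via GETPOST — the enclosing `else` block starts before this hunk, so that cannot be confirmed here and is worth checking, because after master.inc.php's defaulting this branch is the only thing that turns the `-1` setting into a refusal. Comparing the config value loosely against the string `'-1'` also reads oddly next to the numeric `>= 0` test on MAILING_LIMIT_SENDBYCLI a few lines below; normalising once, `$limitweb = (int) $conf->global->MAILING_LIMIT_SENDBYWEB;` and `else if ($limitweb === -1)`, keeps both tests in the same form. The `$text` branch continues past the end of the hunk.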
@@ -273,6 +273,18 @@ $dolibarr_nocsrfcheck='0';
 // Examples:
 // $dolibarr_main_limit_users='0';
 
+// dolibarr_mailing_limit_sendbyweb
+// Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by web is forbidden)
+// $dolibarr_mailing_limit_sendbyweb='0';
+
+// dolibarr_mailing_limit_sendbycli
+// Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by cli is forbidden)
+// $dolibarr_mailing_limit_sendbycli='0';
+
 // dolibarr_strict_mode
 // Set this to 1 to enable the PHP strict mode. For dev environment only.
 // Default value: 0 (use database value if exist)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index 3abd7dd58b5d2bf4f013f9ba7549fb6c99683451..31ec3d6e6b51fa7b2203549caa36ed9b4541192e 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -824,7 +824,7 @@ class CMailFile
 global $conf;
 
 $out = "";
-$host = dol_getprefix();
+$host = dol_getprefix('email');
 
 // Sender
 //$out.= "Sender: ".getValidAddress($this->addr_from,2)).$this->eol2;
diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php
index 72ee7e8b4ffd17a0757f95d9a2fa587f39bcb086..6cd5dfb28217f193368212fe4139582425736fea 100644
--- a/htdocs/core/class/smtps.class.php
+++ b/htdocs/core/class/smtps.class.php
@@ -1195,7 +1195,7 @@ class SMTPs
 $host=preg_replace('@tcp://@i','',$host); // Remove prefix
 $host=preg_replace('@ssl://@i','',$host); // Remove prefix
 
-$host=dol_getprefix().'-'.$host;
+$host=dol_getprefix('email').'-'.$host;
 
 //NOTE: Message-ID should probably contain the username of the user who sent the msg
 $_header .= 'Subject: ' . $this->getSubject() . "\r\n";
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index fc463dadd718ae4d7a204a411f43c74fc55d3396..b3f08056d7d6ee3b5e1c155ba0ca9480a54919c2 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -321,19 +321,22 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
  * This prefix is unique for instance and avoid conflict between multi-instances,
  * even when having two instances with one root dir or two instances in virtual servers
  *
+ * @param string $mode '' or 'email'
  * @return string A calculated prefix
  */
-function dol_getprefix()
+function dol_getprefix($mode='')
 {
 global $conf;
 
+// If MAIL_PREFIX_FOR_EMAIL_ID is set and prefix is for email
+if ($mode == 'email' && ! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID))
+{
+if ($conf->global->MAIL_PREFIX_FOR_EMAIL_ID != 'SERVER_NAME') return $conf->global->MAIL_PREFIX_FOR_EMAIL_ID;
+else if (isset($_SERVER["SERVER_NAME"])) return $_SERVER["SERVER_NAME"];
+}
+
 if (isset($_SERVER["SERVER_NAME"]) && isset($_SERVER["DOCUMENT_ROOT"]))
 {
-if (! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID))
-{
-if ($conf->global->MAIL_PREFIX_FOR_EMAIL_ID == 'SERVER_NAME') return $_SERVER["SERVER_NAME"];
-return $conf->global->MAIL_PREFIX_FOR_EMAIL_ID;
-}
 return dol_hash($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT); // Use this for a "clear" cookie name
 //return dol_sanitizeFileName($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 5ce08697913e260d3b6e5ebff68fcb6f1fbf468c..2954b4317088f37a0816c7f48ca40a21afde446b 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
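Review bot: In the new `'email'` branch `$_SERVER["SERVER_NAME"]` is returned verbatim, and the two callers changed in this commit (CMailFile and SMTPs) splice the result straight into the Message-ID host part; on servers where SERVER_NAME follows the request's Host header (Apache with UseCanonicalName Off, for instance) that puts a request-controlled string into an outgoing mail header. The non-email path never exposes the raw value because it hashes it, so this branch should at least reduce the value to a host token before returning it, e.g. `else if (isset($_SERVER["SERVER_NAME"])) return preg_replace('/[^A-Za-z0-9.\-]/', '', $_SERVER["SERVER_NAME"]);`, and the same reduction is reasonable for an admin-entered MAIL_PREFIX_FOR_EMAIL_ID. The `@param` line could state that only the hashed form is safe for cookie/session names, since that is the reason the mode exists. dol_getprefix's body continues past the end of the hunk.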
@@ -154,6 +154,7 @@ if (empty($dolibarr_main_db_encryption)) $dolibarr_main_db_encryption=0;
 if (empty($dolibarr_main_db_cryptkey)) $dolibarr_main_db_cryptkey='';
 if (empty($dolibarr_main_limit_users)) $dolibarr_main_limit_users=0;
 if (empty($dolibarr_mailing_limit_sendbyweb)) $dolibarr_mailing_limit_sendbyweb=0;
+if (empty($dolibarr_mailing_limit_sendbycli)) $dolibarr_mailing_limit_sendbycli=0;
 if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php strict mode
 // TODO Multicompany Remove this. Useless.
 if (empty($multicompany_transverse_mode)) $multicompany_transverse_mode=0;
diff --git a/htdocs/install/mysql/data/llx_c_payment_term.sql b/htdocs/install/mysql/data/llx_c_payment_term.sql
index a444bfbc466fc7a7457e5df87d355aa358cee4c5..783bf1e0dafe288c6254e30928fbbcd72718bc13 100644
--- a/htdocs/install/mysql/data/llx_c_payment_term.sql
+++ b/htdocs/install/mysql/data/llx_c_payment_term.sql
@@ -27,7 +27,7 @@
 -- de l'install et tous les sigles '--' sont supprimés.
 --
 
-insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (1,'RECEP', 1,1, 'A réception de facture','Réception de facture',0,1);
+insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (1,'RECEP', 1,1, 'Due Upon Receipt','Due Upon Receipt',0,1);
 insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (2,'30D', 2,1, '30 jours','Réglement à 30 jours',0,30);
 insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (3,'30DENDMONTH', 3,1, '30 jours fin de mois','Réglement à 30 jours fin de mois',1,30);
 insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (4,'60D', 4,1, '60 jours','Réglement à 60 jours',0,60);
diff --git a/htdocs/langs/en_US/bills.lang b/htdocs/langs/en_US/bills.lang
index 1e4a745621c0dd4025d79d6b24ad9ef7c51f910d..f16fdf25413576abb71941b2ddab9af7e6de1392 100644
--- a/htdocs/langs/en_US/bills.lang
+++ b/htdocs/langs/en_US/bills.lang
@@ -333,8 +333,8 @@ DateIsNotEnough=Date not reached yet
 InvoiceGeneratedFromTemplate=Invoice %s generated from recurring template invoice %s
 # PaymentConditions
 Statut=Status
-PaymentConditionShortRECEP=Immediate
-PaymentConditionRECEP=Immediate
+PaymentConditionShortRECEP=Due Upon Receipt
+PaymentConditionRECEP=Due Upon Receipt
 PaymentConditionShort30D=30 days
 PaymentCondition30D=30 days
 PaymentConditionShort30DENDMONTH=30 days of month-end
diff --git a/htdocs/langs/en_US/mails.lang b/htdocs/langs/en_US/mails.lang
index 83a344623aa12e1deee965750fef225dcc5dae60..b9677805dcd3243781581f0709b03b5f2be30b40 100644
--- a/htdocs/langs/en_US/mails.lang
+++ b/htdocs/langs/en_US/mails.lang
@@ -88,9 +88,10 @@ MailNoChangePossible=Recipients for validated emailing can't be changed
 SearchAMailing=Search mailing
 SendMailing=Send emailing
 SendMail=Send email
-MailingNeedCommand=For security reason, sending an emailing is better when performed from command line. If you have one, ask your server administrator to launch the following command to send the emailing to all recipients:
+SentBy=Sent by
+MailingNeedCommand=For security reason, sending an emailing must be performed from command line. Ask your server administrator to launch the following command to send the emailing to all recipients:
 MailingNeedCommand2=You can however send them online by adding parameter MAILING_LIMIT_SENDBYWEB with value of max number of emails you want to send by session. For this, go on Home - Setup - Other.
-ConfirmSendingEmailing=If you can't or prefer sending them with your www browser, please confirm you are sure you want to send emailing now from your browser?
+ConfirmSendingEmailing=If you want to send emailing directly from this screen, please confirm you are sure you want to send emailing now from your browser ?
 LimitSendingEmailing=Note: Sending of emailings from web interface is done in several times for security and timeout reasons, <b>%s</b> recipients at a time for each sending session.
 TargetsReset=Clear list
 ToClearAllRecipientsClickHere=Click here to clear the recipient list for this emailing
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 3a9ef61d7ecc5efbb84ddab9b429217f24747bf4..e07ef156124afe57201dc2bb844520c8303bd247 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -89,7 +89,6 @@ function test_sql_and_script_inject($val, $type)
 $sql_inj += preg_match('/union.+select/i', $val);
 $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
-$sql_inj += preg_match('/onerror=/i', $val);
 }
 // For XSS Injection done by adding javascript with script
 // This is all cases a browser consider text is javascript:
@@ -98,7 +97,8 @@ function test_sql_and_script_inject($val, $type)
 $sql_inj += preg_match('/<script/i', $val);
 if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
 $sql_inj += preg_match('/base[\s]+href/si', $val);
-$sql_inj += preg_match('/<.*onmouse/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
+$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
+$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
 if ($type == 1)
 {
 $sql_inj += preg_match('/javascript:/i', $val);
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 7c0000bedea415997017f67b4fbcdf9f4929e264..80fc5d9a1d47e82d7c3d0cb2d4698579734ffdd9 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
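Review bot: The added `'/onerror\s*=/i'` check differs in shape from the `onmouse` line it sits next to: it is not anchored on a `<`, so any value that merely contains the text onerror= (a pasted snippet in a description field, a query string) is now rejected on every parameter type, including the PHP_SELF path that the first hunk on this line just stopped checking for it. If the intent is tag-attribute detection, mirror the neighbouring form, `$sql_inj += preg_match('/<.*onerror\s*=/si', $val);`, and consider covering the attribute family in one expression rather than adding one handler name per incident. Either way this list is a blacklist heuristic; context-aware escaping at output remains the primary control, and a comment on the block saying the filter only supplements it would set expectations for the next maintainer. test_sql_and_script_inject continues beyond the hunk.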
@@ -61,6 +61,7 @@ if (defined('TEST_DB_FORCE_TYPE')) $conf->db->type=constant('TEST_DB_FORCE_TYPE'
 // Set properties specific to conf file
 $conf->file->main_limit_users = $dolibarr_main_limit_users;
 $conf->file->mailing_limit_sendbyweb = $dolibarr_mailing_limit_sendbyweb;
+$conf->file->mailing_limit_sendbycli = $dolibarr_mailing_limit_sendbycli;
 $conf->file->main_authentication = empty($dolibarr_main_authentication)?'':$dolibarr_main_authentication; // Identification mode
 $conf->file->main_force_https = empty($dolibarr_main_force_https)?'':$dolibarr_main_force_https; // Force https
 $conf->file->strict_mode = empty($dolibarr_strict_mode)?'':$dolibarr_strict_mode; // Force php strict mode (for debug)
@@ -188,6 +189,18 @@ if (! empty($conf->file->mailing_limit_sendbyweb))
 {
 $conf->global->MAILING_LIMIT_SENDBYWEB = $conf->file->mailing_limit_sendbyweb;
 }
+if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+{
+$conf->global->MAILING_LIMIT_SENDBYWEB = 25;
+}
+if (! empty($conf->file->mailing_limit_sendbycli))
+{
+$conf->global->MAILING_LIMIT_SENDBYCLI = $conf->file->mailing_limit_sendbycli;
+}
+if (empty($conf->global->MAILING_LIMIT_SENDBYCLI))
+{
+$conf->global->MAILING_LIMIT_SENDBYCLI = 0;
+}
 
 // If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
 if (! empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED))
diff --git a/scripts/emailings/mailing-send.php b/scripts/emailings/mailing-send.php
index 98455b2a2334875615e7149f400c64719bbbca94..fb8612977a8f3c4438ee124f6948bc90b7502980 100755
--- a/scripts/emailings/mailing-send.php
+++ b/scripts/emailings/mailing-send.php
@@ -61,6 +61,11 @@ $error=0;
 @set_time_limit(0);
 print "***** ".$script_file." (".$version.") pid=".dol_getmypid()." *****\n";
 
+if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1')
+{
+
+}
+
 $user = new User($db); // for signature, we use user send as parameter
 if (! empty($login)) $user->fetch('',$login);
 
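Review bot: `if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))` treats a stored `0` the same as an absent constant and rewrites it to `25`; before this commit card.php's `empty()` test made `0` mean "no sending from the web UI", so an instance that deliberately holds `0` in its constants table flips from deny to allow-25-per-session on upgrade unless a migration outside this diff rewrites `0` to `-1`. The literal `25` also deserves a name or at least a comment, since card.php now relies on the constant always being non-zero (its new note says so); something like `$conf->global->MAILING_LIMIT_SENDBYWEB = 25; // default batch size when neither conf file nor database define one` makes the dependency visible. The same `empty()` form is used for MAILING_LIMIT_SENDBYCLI, where `0` and unset are in fact meant to coincide, so only the SENDBYWEB case changes the effective policy.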
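Review bot: The `if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1')` block added at the top of mailing-send.php is empty, so the "sending by cli is forbidden" value this same commit documents in conf.php.example is not enforced anywhere visible — the script carries on to the selection and send loop. Give the body its effect so the policy actually stops the run: `print "Error: sending of emailings from the command line is disabled (MAILING_LIMIT_SENDBYCLI = -1)\n"; exit(-1);`. Casting the value to int before the comparison would also keep it consistent with the numeric `> 0` test used later in the same file.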
@@ -108,7 +113,11 @@ if ($resql)
 $sql2 = "SELECT mc.rowid, mc.lastname as lastname, mc.firstname as firstname, mc.email, mc.other, mc.source_url, mc.source_id, mc.source_type, mc.tag";
 $sql2.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
 $sql2.= " WHERE mc.statut < 1 AND mc.fk_mailing = ".$id;
-
+if ($conf->global->MAILING_LIMIT_SENDBYCLI > 0)
+{
+$sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI;
+}
+
 $resql2=$db->query($sql2);
 if ($resql2)
 {
diff --git a/test/phpunit/CoreTest.php b/test/phpunit/CoreTest.php
index 01f06e41af77a309a9040cbd2acc16c2f1d34a64..3a158260e96e3525af6759faf41657a1dab92cf8 100644
--- a/test/phpunit/CoreTest.php
+++ b/test/phpunit/CoreTest.php
@@ -219,7 +219,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
 print __METHOD__." DOL_MAIN_URL_ROOT=".DOL_MAIN_URL_ROOT."\n";
 print __METHOD__." DOL_URL_ROOT=".DOL_URL_ROOT."\n";
 
-$this->assertEquals(DOL_URL_ROOT,$expectedresult);
+$this->assertEquals($expectedresult, DOL_URL_ROOT);
 
 return true;
 }
@@ -245,7 +245,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
 
 global $dolibarr_main_db_prefix;
 
-// This is code copied from main.inc.php
+// This is code copied from main.inc.php !!!!!!!!!!!!!!!
 
 /**
 * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
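Review bot: `$sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI;` concatenates the configured value into the statement as-is; it comes from the conf file or the admin-editable constants table rather than from a request, but a non-numeric value there (a typo, a trailing unit) yields a broken or unintended query, so normalise at the point of use: `$limit = (int) $conf->global->MAILING_LIMIT_SENDBYCLI;` then `if ($limit > 0) $sql2.= " LIMIT ".$limit;`. A short comment that a positive limit makes each run send only that many pending recipients, leaving the rest for the next invocation, would help whoever schedules this script. The surrounding `if ($resql)` block starts before the hunk.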
@@ -258,14 +258,16 @@ class CoreTest extends PHPUnit_Framework_TestCase
 {
 $sql_inj = 0;
 // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
-if ($type != 2) {
-$sql_inj += preg_match('/delete[\s]+from/i', $val);
-$sql_inj += preg_match('/create[\s]+table/i', $val);
-$sql_inj += preg_match('/update.+set.+=/i', $val);
-$sql_inj += preg_match('/insert[\s]+into/i', $val);
-$sql_inj += preg_match('/select.+from/i', $val);
-$sql_inj += preg_match('/union.+select/i', $val);
-$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+if ($type != 2)
+{
+$sql_inj += preg_match('/delete\s+from/i', $val);
+$sql_inj += preg_match('/create\s+table/i', $val);
+$sql_inj += preg_match('/update.+set.+=/i', $val);
+$sql_inj += preg_match('/insert\s+into/i', $val);
+$sql_inj += preg_match('/select.+from/i', $val);
+$sql_inj += preg_match('/union.+select/i', $val);
+$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
+$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 }
 // For XSS Injection done by adding javascript with script
 // This is all cases a browser consider text is javascript:
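Review bot: This hunk re-synchronises a hand-copied duplicate of `test_sql_and_script_inject` (the `!!!!!!` added to the comment in the previous hunk acknowledges it), so the pattern list under test can silently diverge from main.inc.php again — the SQL section already had to gain the `into\s+(outfile|dumpfile)` line here to catch up. Loading the production function instead (moving it out of main.inc.php into an includable lib file, which the test can then require) would make these assertions test real code; until then a comment such as `// Keep in sync with test_sql_and_script_inject() in htdocs/main.inc.php` on the local declaration is the minimum. The local function's declaration starts before this hunk.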
@@ -273,22 +275,40 @@ class CoreTest extends PHPUnit_Framework_TestCase
 // All examples on page: http://ha.ckers.org/xss.html#XSScalc
 $sql_inj += preg_match('/<script/i', $val);
 if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
-$sql_inj += preg_match('/base[\s]+href/i', $val);
-if ($type == 1) {
+$sql_inj += preg_match('/base[\s]+href/si', $val);
+$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
+$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
+if ($type == 1)
+{
 $sql_inj += preg_match('/javascript:/i', $val);
 $sql_inj += preg_match('/vbscript:/i', $val);
 }
 // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
 if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
-if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val); // PHP_SELF is an url and must match url syntax
+if ($type == 2) $sql_inj += preg_match('/[;"]/', $val); // PHP_SELF is a file system path. It can contains spaces.
 return $sql_inj;
 }
 
-//type=2 key=0 value=/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices
+// Run tests
+
 $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
-$result=test_sql_and_script_inject($_SERVER["PHP_SELF"],2);
+$result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
+$expectedresult=0;
+$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1a');
+
+$_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices;badaction';
+$result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
 $expectedresult=1;
-
-$this->assertEquals($result,$expectedresult);
+$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1b');
+
+$_GET['aaa']="<img src='1.jpg' onerror =javascript:alert('XSS')>";
+$result=test_sql_and_script_inject($_GET['aaa'], 0);
+$expectedresult=1;
+$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 2');
+
+$_POST['bbb']="<img src='1.jpg' onerror =javascript:alert('XSS')>";
+$result=test_sql_and_script_inject($_POST['bbb'], 2);
+$expectedresult=1;
+$this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 3');
 }
 }
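Review bot: Case 3 feeds a `$_POST` value to the copied function with `$type` 2, which the function treats as the PHP_SELF path mode (the SQL checks are skipped and only `[;"]` is added), so it duplicates case 2 rather than exercising a POST path; use whichever type value main.inc.php passes for POST (to be confirmed there, since the GET case here uses 0) and add a negative case such as `$_POST['bbb']='hello world';` with `$expectedresult=0;` so the change in `[;"]` handling is pinned from both sides. The cases also overwrite `$_SERVER["PHP_SELF"]`, `$_GET` and `$_POST` without restoring them, which can leak into later tests in the same process. The `onerror =` spacing in cases 2 and 3 does cover the new `\s*` in the pattern, which is good. The test method and the class close at the end of the hunk.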