Squashed 'public/legacy/' changes from 817a12dc0c..f058c4c306

f058c4c306 Fix #9106 - Update securexss for backwards compatibility
05471a51f3 Update composer.lock
dee3305fce 7.11.19
0952712425 Fix Calender display issues in FullCalender 3.10
91bfb1cf3a Fix #7999 - Prevent securitygroups mass assign damage
e36e1a52f5 Fix #5624 - Make SWSPEditRoleButton::displayList compatible w. parent
8265b5e29b Fix #8571 - Remove duplicate code in users detailviewdefs
f63f05a4a2 Fix #8514 - Implement effective opcache file clearing
5e671f3b1b Fix #8461, #8462 - PHP files are potentially overwritten
0b18500b42 Fix #8700 - Various problems in PHPDocs throughout the codebase.
25dce7954d Fix #9067 - Fix the drop down width
28eecb4198 Add Additional api filter option `like`
8b5a152f7f Add filters in relationship API
7a92e5ec8a Add Relationship Beans in V8 API Response
c192ccdf2e Fix #9090 - User menu alignment
466f2d96e7 Fix #6051 - Modulebuilder labels edit fixes
fe5ed90fd9 Update JQuery JS Library to v3.6.0
e0382c1a6c Update FullCalendar JS Library to v3.10.2
86882a4d4f Update YUI JS Library to 2.9.1
540245494b Fix #8999 - Hardcoded 'by' label in calls
e4f3c6a2fb Fix #9034 - Business Hours does not work in non-english languages
b0a51cc667 Fix #8910 - Update the V8 Api to allow for upload of documents similar to notes
8408cd8e91 Fix #9010 - Add missing 'view task' label on calendar
faa46f5a4c Fix #8894 - Add missing label for calendar dashlet
5905f3d308 Fix #9032 - Prevent Notice Error During Import
5c9e8700ba Fix #8182 - Update updateTimeDateFields to handle undefined dates
fc3dd03386 Fix #9075 - Removing deleted related beans via link
039d9a69d2 Fix #8988 - Improve upon solution which doesn't cache incomplete beans
f562c57c8d Fix #7772 - Only index ElasticSearch when enabled
dd1a5bc244 Fix #9101 LangText exception breaking ElasticSearch
0c861d3f1a Fix #8472 - No or not complete Searchresults using elasticsearch engine
e4e884667c Fix #6800 - Elasticsearch: Elastic index name is hardcoded
e525634d7b Fix #8916 - Misspelled elasticsearch labels
28d7afaa59 Fix #9080 - Update config for google/apiclient at composer.json
66bd8998ec Fix #9060 - Project Form action should not be changed if delete is not confirmed
06195fe5f1 Fix #8676 - New Scheduled Reports does not run
89341758e2 Fix #2645 - Calendar quick create ignores required fields
a329377bc0 Deprecate PdfParser
e5c03ad198 Deprecate advanced open discovery (AOD)

git-subtree-dir: public/legacy
git-subtree-split: f058c4c3062e7fff72cc2b62440bf064a63e6843
Dillon-Brown 2021-05-20 11:54:15 +01:00
parent 8e4cc94994
commit 2473298dc6
406 changed files with 18907 additions and 17805 deletions


@ -5,7 +5,7 @@
* SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
*
* SuiteCRM is an extension to SugarCRM Community Edition developed by SalesAgility Ltd.
* Copyright (C) 2011 - 2018 SalesAgility Ltd.
* Copyright (C) 2011 - 2020 SalesAgility Ltd.
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU Affero General Public License version 3 as published by the
@ -42,10 +42,11 @@ if (!defined('sugarEntry') || !sugarEntry) {
die('Not A Valid Entry Point');
}
require_once 'php_version.php';
require_once 'include/SugarObjects/SugarConfig.php';
require_once 'include/utils/security_utils.php';
require_once __DIR__ . '/../php_version.php';
require_once __DIR__ . '/../include/SugarObjects/SugarConfig.php';
require_once __DIR__ . '/../include/utils/security_utils.php';
use voku\helper\AntiXSS;
/**
* @param $sugar_config
@ -214,6 +215,13 @@ function make_sugar_config(&$sugar_config)
) : $upload_badext,
'upload_dir' => $upload_dir, // this must be set!!
'upload_maxsize' => empty($upload_maxsize) ? 30000000 : $upload_maxsize,
'allowed_preview' => [
'pdf',
'gif',
'png',
'jpeg',
'jpg'
],
'import_max_execution_time' => empty($import_max_execution_time) ? 3600 : $import_max_execution_time,
'lock_homepage' => false,
'lock_subpanels' => false,
@ -2587,23 +2595,39 @@ function str_end($str, $end)
return substr($str, strlen($str) - strlen($end)) == $end;
}
function securexss($value)
/**
* @param $uncleanString
* @return array
*/
function securexss($uncleanString)
{
if (is_array($value)) {
$new = array();
foreach ($value as $key => $val) {
if (is_array($uncleanString)) {
$new = [];
foreach ($uncleanString as $key => $val) {
$new[$key] = securexss($val);
}
return $new;
}
static $xss_cleanup = ['&quot;' => '&#38;', '"' => '&quot;', "'" => '&#039;', '<' => '&lt;', '>' => '&gt;', '`' => '&#96;'];
static $xss_cleanup = [
'&quot;' => '&#38;',
'"' => '&quot;',
"'" => '&#039;',
'<' => '&lt;',
'>' => '&gt;',
'`' => '&#96;'
];
$value = preg_replace(array('/javascript:/i', '/\0/'), array('java script:', ''), $value);
$value = preg_replace('/javascript:/i', 'java script:', $value);
$uncleanString = preg_replace(array('/javascript:/i', '/\0/', '/javascript:/i'),
array('java script:', '', 'java script:'), $uncleanString);
return str_replace(array_keys($xss_cleanup), array_values($xss_cleanup), $value);
$partialString = str_replace(array_keys($xss_cleanup), $xss_cleanup, $uncleanString);
$antiXss = new AntiXSS();
$antiXss->removeEvilAttributes(['style']);
return $antiXss->xss_clean($partialString);
}
function securexsskey($value, $die = true)
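Review bot: The docblock added above `securexss` says `@return array`, but only the array branch returns `$new`; the scalar path returns `$antiXss->xss_clean($partialString)`, so it should read `@param string|array $uncleanString` and `@return string|array`. The line `$antiXss->removeEvilAttributes(['style']);` also needs a why-comment: despite its name, the call (as I understand the library) takes `style` off AntiXSS's list of attributes to strip rather than stripping it, e.g. `// relaxes AntiXSS: 'style' is no longer treated as an evil attribute, so it is kept`. Since `xss_clean` now runs on text that `str_replace` has already entity-encoded, a regression test asserting that quotes and angle brackets are still encoded in the returned value would confirm the two passes do not undo each other. The hunk ends at the `securexsskey` signature, whose body lies outside it.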