CVE-2019-17223
Description
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dolibarr/dolibarr | Packagist | < 11.0.1 | 11.0.1 |
Affected products
- Dolibarr/Dolibarr ERP/CRM
Vulnerability mechanics
Root cause
"Missing input sanitization in the Note field allows stored HTML injection and Cross-site Scripting (XSS)."
Attack vector
An attacker with permission to edit notes (e.g., a user with `user->user->creer` rights) can inject arbitrary HTML into the Note field via `user/note.php` [ref_id=2]. The injected payload is stored in the database and rendered without proper sanitization when any user views the note, resulting in stored Cross-site Scripting (XSS) [CWE-79]. The attacker can craft HTML containing `position: absolute !important` or `position: fixed !important` CSS to overlay malicious content over the page, or inject script tags and event handlers to steal session cookies or perform actions on behalf of the victim.
Affected code
The vulnerability is in the Note field handling across multiple files. The core sanitization function `dol_string_onlythesehtmltags()` in `htdocs/core/lib/functions.lib.php` allowed dangerous HTML tags and did not strip `position: absolute/fixed !important` CSS. The display template `htdocs/core/tpl/notes.tpl.php` and the user note page `htdocs/user/note.php` output user-supplied note content without passing it through `dol_string_onlythesehtmltags()`. The form helper `htdocs/core/class/html.form.class.php` also lacked sanitization when rendering note values.
What the fix does
The patch [patch_id=1700700] applies multiple layers of defense. In `dol_string_onlythesehtmltags()`, a new parameter `$cleanalsosomestyles` strips `position: absolute !important` and `position: fixed !important` CSS directives that could be used for UI overlay attacks. The function also now properly wraps the allowed-tags string with angle brackets. In `html.form.class.php`, note output is now passed through `dol_string_onlythesehtmltags(dol_htmlentitiesbr(...))` instead of raw `dol_escape_htmltag()`, allowing safe HTML formatting while stripping dangerous tags. The template files (`notes.tpl.php`, `user/note.php`, `group/card.php`, etc.) now apply the same sanitization function and add the CSS class `sensiblehtmlcontent`, which forces all child elements to `position: static !important` to neutralize overlay-based attacks.
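To make the two layers of the fix concrete, here is an added example in Python (not Dolibarr's code, and not a copy of `dol_string_onlythesehtmltags()`) of an allow-list note sanitizer that mirrors the patched behaviour: tags outside the allow-list are dropped while their text is kept (the `strip_tags()` model), `<script>`/`<style>` bodies are discarded, event-handler attributes never pass the attribute allow-list, `javascript:` URLs are removed from `href`, and a `clean_also_some_styles` switch, modelled on the `$cleanalsosomestyles` parameter, scrubs `position: absolute|fixed !important` from `style` attributes. A second helper wraps the cleaned note in the `sensiblehtmlcontent` class the templates use. The tag and attribute allow-lists, the helper names and the sample note are constructed assumptions for this illustration.

```python
import html
import re
from html.parser import HTMLParser

# Allow-lists are an assumption for illustration, not Dolibarr's actual lists.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li",
                "a", "span", "div", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"href", "title", "style"}
# The CSS the fix neutralises: absolute/fixed positioning forced with !important.
OVERLAY_CSS = re.compile(r"position\s*:\s*(absolute|fixed)\s*!\s*important\s*;?", re.I)
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# Second layer (CSS class on the display wrapper): force children back to static.
SENSIBLE_CONTENT_CSS = ".sensiblehtmlcontent * { position: static !important; }"


class NoteSanitizer(HTMLParser):
    """Keep only allow-listed tags/attributes; optionally scrub overlay CSS."""

    def __init__(self, clean_also_some_styles=True):
        super().__init__(convert_charrefs=False)
        self.clean_also_some_styles = clean_also_some_styles
        self.parts = []
        self._drop_content = 0  # >0 while inside <script>/<style>; body discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._drop_content += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag removed, its text content is still emitted by handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue  # onerror=, onclick=, ... are simply not in the allow-list
            if name == "href" and SCRIPT_URL.match(value):
                continue
            if name == "style" and self.clean_also_some_styles:
                value = re.sub(r"\s+", " ", OVERLAY_CSS.sub("", value)).strip()
                if not value:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._drop_content = max(0, self._drop_content - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_content:
            self.parts.append(data)

    def handle_entityref(self, name):
        if not self._drop_content:
            self.parts.append(f"&{name};")

    def handle_charref(self, name):
        if not self._drop_content:
            self.parts.append(f"&#{name};")


def sanitize_note(note_html, clean_also_some_styles=True):
    """Return note HTML with only allow-listed markup (and, by default, no overlay CSS)."""
    parser = NoteSanitizer(clean_also_some_styles)
    parser.feed(note_html)
    parser.close()
    return "".join(parser.parts)


def render_note(note_html):
    """Sanitise and wrap for display, the way the patched templates add the CSS class."""
    return f'<div class="sensiblehtmlcontent">{sanitize_note(note_html)}</div>'


# Constructed sample note: legitimate formatting plus the kinds of markup the
# advisory describes (overlay CSS, a script tag, an event handler, a script URL).
SAMPLE_NOTE = (
    '<p>Ship <b>Monday</b> &amp; invoice.</p>'
    '<div style="color:red; position: fixed !important; top:0">overlay</div>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)" onclick="alert(1)">link</a>'
)

if __name__ == "__main__":
    print(render_note(SAMPLE_NOTE))
```

Run stand-alone it prints the cleaned note wrapped in the `sensiblehtmlcontent` div; with `clean_also_some_styles=False` the `<div>` keeps its `position: fixed !important`, which is exactly why the CSS class is kept as a second, independent layer: even markup the sanitizer misses cannot escape normal flow once the wrapper's rule applies.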
Preconditions
- Auth: the attacker must have a Dolibarr account with permission to edit notes (e.g., user creation rights)
- Config: the application must be Dolibarr version 10.0.2 or earlier (before 11.0.1)
- Network: the attacker must have network access to the Dolibarr web interface
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3264-65pg-5xm4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-17223 (NVD advisory)
- github.com/Dolibarr/dolibarr/commit/c7736dde41826ac6eca3e838e57eab2f0304e256 (GitHub commit, via GHSA)
- medium.com/@k43p/cve-2019-17223-stored-html-injection-dolibarr-crm-erp-ad1e064d0ca5 (researcher write-up; MITRE MISC reference and GHSA)
- security.snyk.io/vuln/SNYK-PHP-DOLIBARRDOLIBARR-473217 (Snyk, via GHSA)
- www.dolibarr.org/forum/dolibarr-changelogs (Dolibarr changelogs; MITRE MISC reference)