From: Moritz Bunkus
Date: Mon, 6 Feb 2017 10:46:31 +0000 (+0100)
Subject: kivi.parse_amount: bei ungültigen Zeichen 0 zurückgeben
X-Git-Tag: release-3.5.4~1524
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=0cd51f70d2676569387f5f6a9047eb9553fea708;p=kivitendo-erp.git
kivi.parse_amount: bei ungültigen Zeichen 0 zurückgeben
Es werden nun nur noch mathematische Zeichen erlaubt.
---
diff --git a/js/kivi.js b/js/kivi.js
index e17294a12..dbf5a0ed2 100644
--- a/js/kivi.js
+++ b/js/kivi.js
@@ -61,6 +61,10 @@ namespace("kivi", function(ns) {
 amount = amount.replace(/[\',]/g, "")
+ // Make sure no code wich is not a math expression ends up in eval().
+ if (!amount.match(/^[0-9 ()\-+*/.]*$/))
+ return 0;
+
 /* jshint -W061 */
 return eval(amount);
 };
diff --git a/js/t/kivi/parse_amount.js b/js/t/kivi/parse_amount.js
index 9b7d2aa07..1ef2b1193 100644
--- a/js/t/kivi/parse_amount.js
+++ b/js/t/kivi/parse_amount.js
@@ -109,3 +109,9 @@ QUnit.test("kivi.parse_amount function numbers with leading 0 should still be pa
 assert.equal(kivi.parse_amount('0123456789'), 123456789, '0123456789');
 assert.equal(kivi.parse_amount('000123456789'), 123456789, '000123456789');
 });
+
+QUnit.test("kivi.parse_amount function German number style with thousand separator & contains invalid characters", function( assert ) {
+ kivi.setup_formats({ numbers: '1.000,00' });
+
+ assert.equal(kivi.parse_amount('iuh !@#$% 10,00'), 0, 'iuh !@#$% 10,00');
+});
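Review bot: The allowlist added in front of `eval(amount)` limits which characters reach eval(), but not what eval() does with them. A string made only of permitted characters that is not a complete expression (a trailing operator, an unbalanced parenthesis) would still raise a SyntaxError instead of returning 0, and some permitted strings evaluate to something other than a finite number. I would catch the exception and type-check the result, as sketched below, so that "invalid input yields 0" holds for every input. Since the safety of this eval() now rests entirely on the character class, a comment beside the regex stating that it must never be widened to letters, quotes, brackets or backticks would help later maintainers; a small arithmetic parser in place of eval() would remove the dependency altogether. The function begins above the hunk, so any earlier handling of empty or non-string input is not visible here.

```javascript
// … unchanged: separator normalisation and the character allowlist check …
/* jshint -W061 */
var result;
try {
  result = eval(amount);
} catch (e) {
  // Permitted characters, but not a well-formed expression.
  return 0;
}
return (typeof result === "number" && isFinite(result)) ? result : 0;
```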
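Review bot: The added test pins only input containing characters outside the allowed class; nothing in this hunk exercises a string that passes the character check yet is not a valid expression, which is the input that still reaches eval(). Unless earlier cases in this file already cover it, I would add an assertion such as `assert.equal(kivi.parse_amount('10,00 +'), 0, '10,00 +');` to document the intended result for that path (with the code in this commit it would presumably throw rather than return 0, so confirm first). A positive case showing that an ordinary arithmetic amount is still accepted under the `'1.000,00'` format would also guard against the regex being too strict.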