Dolibarr / dolibarr

test/phpunit/SecurityTest.php

Spacing +57 added lines, -57 removed lines

@@ -25,36 +25,36 @@ 
  *		\remarks	To run this script as CLI:  phpunit filename.php
  */
 
-global $conf,$user,$langs,$db;
+global $conf, $user, $langs, $db;
 //define('TEST_DB_FORCE_TYPE','mysql');	// This is to force using mysql driver
 //require_once 'PHPUnit/Autoload.php';
 
-if (! defined('NOREQUIRESOC')) {
+if (!defined('NOREQUIRESOC')) {
 	define('NOREQUIRESOC', '1');
 }
-if (! defined('NOCSRFCHECK')) {
+if (!defined('NOCSRFCHECK')) {
 	define('NOCSRFCHECK', '1');
 }
-if (! defined('NOTOKENRENEWAL')) {
+if (!defined('NOTOKENRENEWAL')) {
 	define('NOTOKENRENEWAL', '1');
 }
-if (! defined('NOREQUIREMENU')) {
+if (!defined('NOREQUIREMENU')) {
 	define('NOREQUIREMENU', '1'); // If there is no menu to show
 }
-if (! defined('NOREQUIREHTML')) {
+if (!defined('NOREQUIREHTML')) {
 	define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
 }
-if (! defined('NOREQUIREAJAX')) {
+if (!defined('NOREQUIREAJAX')) {
 	define('NOREQUIREAJAX', '1');
 }
-if (! defined("NOLOGIN")) {
-	define("NOLOGIN", '1');       // If this page is public (can be called outside logged session)
+if (!defined("NOLOGIN")) {
+	define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
 }
-if (! defined("NOSESSION")) {
+if (!defined("NOSESSION")) {
 	define("NOSESSION", '1');
 }
 
-require_once dirname(__FILE__).'/../../htdocs/main.inc.php';	// We force include of main.inc.php instead of master.inc.php even if we are in CLI mode because it contains a lot of security components we want to test.
+require_once dirname(__FILE__).'/../../htdocs/main.inc.php'; // We force include of main.inc.php instead of master.inc.php even if we are in CLI mode because it contains a lot of security components we want to test.
 require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
 require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';
 require_once dirname(__FILE__).'/CommonClassTest.class.php';
@@ -228,8 +228,8 @@ 
 		$result = testSqlAndScriptInject($test, 0);
 		$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee');
 
-		$test = "<IMG SRC=\"jav\tascript:alert('XSS');\">";		// Is locked by some browser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer.
-		$test = "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">";	// Same
+		$test = "<IMG SRC=\"jav\tascript:alert('XSS');\">"; // Is locked by some browser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer.
+		$test = "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">"; // Same
 
 		$test = '<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>';
 		$result = testSqlAndScriptInject($test, 0);
@@ -263,21 +263,21 @@ 
 		$result = testSqlAndScriptInject($test, 0);
 		$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject lll');
 
-		$test = '<a onscrollend=alert(1) style="display:block;overflow:auto;border:1px+dashed;width:500px;height:100px;"><br><br><br><br><br><span+id=x>test</span></a>';	// Add the char %F6 into the variable
+		$test = '<a onscrollend=alert(1) style="display:block;overflow:auto;border:1px+dashed;width:500px;height:100px;"><br><br><br><br><br><span+id=x>test</span></a>'; // Add the char %F6 into the variable
 		$result = testSqlAndScriptInject($test, 0);
 		//print "test=".$test." result=".$result."\n";
 		$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject mmm');
 
 
 		$test = "Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submitted by CKEditor)";
-		$result = testSqlAndScriptInject($test, 0);	// result must be 0
+		$result = testSqlAndScriptInject($test, 0); // result must be 0
 		$this->assertEquals(0, $result, 'Error on testSqlAndScriptInject mmm, result should be 0 and is not');
 
 		$test = '<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt:&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.cookie)&rpar;">XSS</a>';
 		$result = testSqlAndScriptInject($test, 0);
 		$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject nnn, result should be >= 1 and is not');
 
-		$test = "/dolibarr/htdocs/index.php/".chr('246')."abc";	// Add the char %F6 into the variable
+		$test = "/dolibarr/htdocs/index.php/".chr('246')."abc"; // Add the char %F6 into the variable
 		$result = testSqlAndScriptInject($test, 2);
 		//print "test=".$test." result=".$result."\n";
 		$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject with a non valid UTF8 char');
@@ -389,21 +389,21 @@ 
 	{
 		global $conf;
 
-		$genpass1 = getRandomPassword(true);				// Should be a string return by dol_hash (if no option set, will be md5)
+		$genpass1 = getRandomPassword(true); // Should be a string return by dol_hash (if no option set, will be md5)
 		print __METHOD__." genpass1=".$genpass1."\n";
 		$this->assertEquals(strlen($genpass1), 32);
 
-		$genpass1 = getRandomPassword(true, array('I'));	// Should be a string return by dol_hash (if no option set, will be md5)
+		$genpass1 = getRandomPassword(true, array('I')); // Should be a string return by dol_hash (if no option set, will be md5)
 		print __METHOD__." genpass1=".$genpass1."\n";
 		$this->assertEquals(strlen($genpass1), 32);
 
 		$conf->global->USER_PASSWORD_GENERATED = 'None';
-		$genpass2 = getRandomPassword(false);				// Should return an empty string
+		$genpass2 = getRandomPassword(false); // Should return an empty string
 		print __METHOD__." genpass2=".$genpass2."\n";
 		$this->assertEquals($genpass2, '');
 
 		$conf->global->USER_PASSWORD_GENERATED = 'Standard';
-		$genpass3 = getRandomPassword(false);				// Should return a password of 12 chars
+		$genpass3 = getRandomPassword(false); // Should return a password of 12 chars
 		print __METHOD__." genpass3=".$genpass3."\n";
 		$this->assertEquals(strlen($genpass3), 12);
 
@@ -417,7 +417,7 @@ 
 	 */
 	public function testRestrictedArea()
 	{
-		global $conf,$user,$langs,$db;
+		global $conf, $user, $langs, $db;
 		$conf = $this->savconf;
 		$user = $this->savuser;
 		$langs = $this->savlangs;
@@ -448,40 +448,40 @@ 
 		$tmpvar = preg_match('/not supported/', $tmp['curl_error_msg']);
 		$this->assertEquals(1, $tmpvar, "Did not find the /not supported/ in getURLContent error message. We should.");
 
-		$url = 'https://www.dolibarr.fr';	// This is a redirect 301 page
-		$tmp = getURLContent($url, 'GET', '', 0);	// We do NOT follow
+		$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
+		$tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow
 		print __METHOD__." url=".$url."\n";
 		$this->assertEquals(301, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url 301 response');
 
-		$url = 'https://www.dolibarr.fr';	// This is a redirect 301 page
-		$tmp = getURLContent($url);		// We DO follow a page with return 300 so result should be 200
+		$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
+		$tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200
 		print __METHOD__." url=".$url."\n";
 		$this->assertEquals(200, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url 301 with a follow -> 200 but we get '.(empty($tmp['http_code']) ? 0 : $tmp['http_code']));
 
 		$url = 'http://localhost';
-		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
 		print __METHOD__." url=".$url."\n";
-		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that resolves to a local URL');	// Test we receive an error because localtest.me is not an external URL
+		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that resolves to a local URL'); // Test we receive an error because localtest.me is not an external URL
 
 		$url = 'http://127.0.0.1';
-		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
 		print __METHOD__." url=".$url."\n";
-		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL');	// Test we receive an error because 127.0.0.1 is not an external URL
+		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because 127.0.0.1 is not an external URL
 
 		$url = 'http://127.0.2.1';
-		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
 		print __METHOD__." url=".$url."\n";
-		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL');	// Test we receive an error because 127.0.2.1 is not an external URL
+		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because 127.0.2.1 is not an external URL
 
 		$url = 'https://169.254.0.1';
-		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
 		print __METHOD__." url=".$url."\n";
-		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL');	// Test we receive an error because 169.254.0.1 is not an external URL
+		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because 169.254.0.1 is not an external URL
 
 		$url = 'http://[::1]';
-		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
 		print __METHOD__." url=".$url."\n";
-		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL');	// Test we receive an error because [::1] is not an external URL
+		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because [::1] is not an external URL
 
 		/*$url = 'localtest.me';
 		 $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL
@@ -490,9 +490,9 @@ 
 		 */
 
 		$url = 'http://192.0.0.192';
-		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL but on an IP in blacklist
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL but on an IP in blacklist
 		print __METHOD__." url=".$url." tmp['http_code'] = ".(empty($tmp['http_code']) ? 0 : $tmp['http_code'])."\n";
-		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Access should be refused and was not');	// Test we receive an error because ip is in blacklist
+		$this->assertEquals(400, (empty($tmp['http_code']) ? 0 : $tmp['http_code']), 'Access should be refused and was not'); // Test we receive an error because ip is in blacklist
 
 		return 0;
 	}
@@ -504,7 +504,7 @@ 
 	 */
 	public function testDolSanitizeUrl()
 	{
-		global $conf,$user,$langs,$db;
+		global $conf, $user, $langs, $db;
 		$conf = $this->savconf;
 		$user = $this->savuser;
 		$langs = $this->savlangs;
@@ -530,7 +530,7 @@ 
 	 */
 	public function testDolSanitizeEmail()
 	{
-		global $conf,$user,$langs,$db;
+		global $conf, $user, $langs, $db;
 		$conf = $this->savconf;
 		$user = $this->savuser;
 		$langs = $this->savlangs;
@@ -560,7 +560,7 @@ 
 	 */
 	public function testDolSanitizeFileName()
 	{
-		global $conf,$user,$langs,$db;
+		global $conf, $user, $langs, $db;
 		$conf = $this->savconf;
 		$user = $this->savuser;
 		$langs = $this->savlangs;
@@ -583,7 +583,7 @@ 
 	 */
 	public function testDolEval()
 	{
-		global $conf,$user,$langs,$db;
+		global $conf, $user, $langs, $db;
 		$conf = $this->savconf;
 		$user = $this->savuser;
 		$langs = $this->savlangs;
@@ -593,7 +593,7 @@ 
 		include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
 		include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
 
-		$result = dol_eval('1==\x01', 1, 0);	// Check that we can't make dol_eval on string containing \ char.
+		$result = dol_eval('1==\x01', 1, 0); // Check that we can't make dol_eval on string containing \ char.
 		print "result0 = ".$result."\n";
 		$this->assertStringContainsString('Bad string syntax to evaluate', $result);
 
@@ -640,12 +640,12 @@ 
 		// Now string not allowed
 
 		$s = '4 <5';
-		$result = (string) dol_eval($s, 1, 1, '2');		// in mode 2, char < is allowed only if followed by a space
+		$result = (string) dol_eval($s, 1, 1, '2'); // in mode 2, char < is allowed only if followed by a space
 		print "result = ".$result."\n";
 		$this->assertStringContainsString('Bad string syntax to evaluate', $result, 'Test 4 <5 - The string was not detected as evil');
 
 		$s = '4 < 5';
-		$result = (string) dol_eval($s, 1, 1, '1');		// in mode 1, char < is always forbidden
+		$result = (string) dol_eval($s, 1, 1, '1'); // in mode 1, char < is always forbidden
 		print "result = ".$result."\n";
 		$this->assertStringContainsString('Bad string syntax to evaluate', $result, 'Test 4 < 5 - The string was not detected as evil');
 
@@ -659,7 +659,7 @@ 
 		print "result = ".$result."\n";
 		$this->assertStringContainsString('Bad string syntax to evaluate', $result, 'The string was not detected as evil');
 
-		$result = dol_eval('$a=function() { }; $a', 1, 1, '0');		// result of dol_eval may be an object Closure
+		$result = dol_eval('$a=function() { }; $a', 1, 1, '0'); // result of dol_eval may be an object Closure
 		print "result5 = ".json_encode($result)."\n";
 		$this->assertStringContainsString('Bad string syntax to evaluate', json_encode($result), 'The string was not detected as evil');
 
@@ -701,7 +701,7 @@ 
 
 		// Must be allowed
 
-		global $leftmenu;	// Used into strings to eval
+		global $leftmenu; // Used into strings to eval
 
 		$leftmenu = 'AAA';
 		$result = dol_eval('$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)', 1, 1, '1');
@@ -725,13 +725,13 @@ 
 		$this->assertFalse($result);
 
 		$leftmenu = 'XXX';
-		$conf->global->MAIN_FEATURES_LEVEL = 1;		// Force for the case option is -1
+		$conf->global->MAIN_FEATURES_LEVEL = 1; // Force for the case option is -1
 		$string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
 		$result = dol_eval($string, 1, 1, '1');
 		print "result17 = ".$result."\n";
 		$this->assertTrue($result);
 
-		$result = dol_eval('1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL', 1, 0);	// Should return false and not a 'Bad string syntax to evaluate ...'
+		$result = dol_eval('1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
 		print "result18 = ".$result."\n";
 		$this->assertFalse($result);
 
@@ -771,12 +771,12 @@ 
 		global $conf;
 
 		// Set options for cleaning data
-		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;	// disabled, does not work on HTML5 and some libxml versions
+		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0; // disabled, does not work on HTML5 and some libxml versions
 		// Enabled option MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY if possible
 		if (extension_loaded('tidy') && class_exists("tidy")) {
 			$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1;
 		}
-		$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;	// disabled, does not work on HTML5 and some libxml versions
+		$conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0; // disabled, does not work on HTML5 and some libxml versions
 
 
 		// For a string that is already HTML (contains HTML tags) with special tags but badly formatted
@@ -788,7 +788,7 @@ 
 		//$result = dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0)), 1, 1, 'common', 0, 1);
 		$result = dolPrintHTML($stringtotest);
 		print __METHOD__." result=".$result."\n";
-		$this->assertEquals($stringfixed, $result, 'Error');    // Expected '' because should failed because login 'auto' does not exists
+		$this->assertEquals($stringfixed, $result, 'Error'); // Expected '' because should failed because login 'auto' does not exists
 
 
 		// For a string that is already HTML (contains HTML tags) with special tags but badly formatted
@@ -857,7 +857,7 @@ 
 		// With cleaning options of HTML TIDY
 		if (extension_loaded('tidy') && class_exists("tidy")) {
 			$stringtotest = "Message<br>with ' and &egrave; and &#39; !";
-			$stringexpected = "Message<br>\nwith ' and &egrave; and ' !";		// The &#39; is modified into ' because html tidy fix it.
+			$stringexpected = "Message<br>\nwith ' and &egrave; and ' !"; // The &#39; is modified into ' because html tidy fix it.
 			/*
 			var_dump($stringtotest);
 			var_dump(dol_htmlentitiesbr($stringtotest));
@@ -889,11 +889,11 @@ 
 		$this->assertEquals('a', $result);
 
 		// Test that testRealCharforNumericEntities return an emoji utf8 char when code is inside Emoji range
-		$arraytmp = array(0 => '&#9989;', 1 => '9989;');	// Encoded as decimal
+		$arraytmp = array(0 => '&#9989;', 1 => '9989;'); // Encoded as decimal
 		$result = realCharForNumericEntities($arraytmp);
 		$this->assertEquals('✅', $result);
 
-		$arraytmp = array(0 => '&#x2705;', 1 => 'x2705;');	// Encoded as hexadecimal
+		$arraytmp = array(0 => '&#x2705;', 1 => 'x2705;'); // Encoded as hexadecimal
 		$result = realCharForNumericEntities($arraytmp);
 		$this->assertEquals('✅', $result);
 
@@ -963,7 +963,7 @@ 
 		// For a string with js and link with restricthtmlallowlinkscript
 		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
 		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
-		$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
+		$s = '<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
 		<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
 		<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
 		<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
@@ -976,7 +976,7 @@ 
 		// For a string with js and link with restricthtmlallowlinkscript
 		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
 		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1;
-		$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
+		$s = '<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
 		<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
 		<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
 		<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';
@@ -989,7 +989,7 @@ 
 		// For a string with js and link with restricthtmlallowlinkscript
 		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
 		$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0;
-		$s='<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
+		$s = '<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700">
 		<link rel="stylesheet" id="font-wasesome-css" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
 		<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
 		<script src="//cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script>';