From 0e063a3bb328ac86907f3cac15bac318a920e83c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 7 Dec 2019 15:46:14 +0100
Subject: [PATCH] Fix hreflang tag (must include itself)
---
 htdocs/core/lib/website2.lib.php | 19 +++++++++++--------
 htdocs/core/website.inc.php | 5 +++++
 htdocs/main.inc.php | 2 +-
 htdocs/website/class/website.class.php | 12 ++++++++++++
 htdocs/website/index.php | 2 +-
 5 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/htdocs/core/lib/website2.lib.php b/htdocs/core/lib/website2.lib.php
index bb7217c8df5..48ef724e4dc 100644
--- a/htdocs/core/lib/website2.lib.php
+++ b/htdocs/core/lib/website2.lib.php
@@ -123,14 +123,17 @@ function dolSavePageContent($filetpl, Website $object, WebsitePage $objectpage)
 $tplcontent .= ''."\n";
 $tplcontent .= ''."\n";
 // Add translation reference (main language)
- $translationof = $objectpage->fk_page;
- if ($translationof) {
- $tmppage = new WebsitePage($db);
- $tmppage->fetch($translationof);
- if ($tmppage->id > 0) {
- $tmpshortlangcode = '';
- if ($tmppage->lang) $tmpshortlangcode = preg_replace('/[_-].*$/', '', $tmppage->lang); // en_US or en-US -> en
- $tplcontent .= ''."\n";
+ if ($object->isMultiLang()) {
+ $tplcontent .= ''."\n";
+ $translationof = $objectpage->fk_page;
+ if ($translationof) {
+ $tmppage = new WebsitePage($db);
+ $tmppage->fetch($translationof);
+ if ($tmppage->id > 0) {
+ $tmpshortlangcode = '';
+ if ($tmppage->lang) $tmpshortlangcode = preg_replace('/[_-].*$/', '', $tmppage->lang); // en_US or en-US -> en
+ $tplcontent .= ''."\n";
+ }
 }
 }
 // Add canonical reference
diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index 2cc046ac818..fc6fa02cbec 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
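Review bot: In the added block of dolSavePageContent, `$tmpshortlangcode` is only shortened with `preg_replace('/[_-].*$/', '', $tmppage->lang)` and is never checked against an expected shape before it is, presumably, appended to `$tplcontent`. The string literals on this page are empty (their markup appears to have been stripped), so the place where the value is interpolated cannot be confirmed here. If it does end up in an attribute of the saved template, it should be restricted first, for example `if (!preg_match('/^[a-z]{2,3}$/i', $tmpshortlangcode)) $tmpshortlangcode = '';`. The result of `$tmppage->fetch($translationof)` is also ignored and only `$tmppage->id > 0` is tested. The function starts and ends outside this hunk.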
@@ -63,6 +63,11 @@ if ($pageid > 0) if (! defined('USEDOLIBARRSERVER') && ! defined('USEDOLIBARREDITOR')) { header("X-Content-Type-Options: nosniff"); + /* TODO Manage allow_frames flag on websitepage. + if (empty($websitepage->allow_frames) && empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) { + header("X-Frame-Options: SAMEORIGIN"); + } + */ } // A lang was forced, so we change weblangs init diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index eae61993dd6..4824ced47db 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -1137,7 +1137,7 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0) header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) if (!defined('XFRAMEOPTIONS_ALLOWALL')) header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) else header("X-Frame-Options: ALLOWALL"); - //header("X-XSS-Protection: 1"); // XSS protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated. + //header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated. if (!defined('FORCECSP')) { //if (! isset($conf->global->MAIN_HTTP_CONTENT_SECURITY_POLICY)) diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php index f45298e082a..5c2bf40aa03 100644 --- a/htdocs/website/class/website.class.php +++ b/htdocs/website/class/website.class.php 
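Review bot: The `X-Frame-Options: SAMEORIGIN` header in htdocs/core/website.inc.php is added only inside a `/* ... */` block, so pages served through this branch still go out with `X-Content-Type-Options: nosniff` and no framing restriction at all. Waiting for the `allow_frames` page flag before sending anything is a fail-open default; the safer order is to send the header now unless the global opt-out is set, `if (empty($conf->global->WEBSITE_ALLOW_FRAMES_ON_ALL_PAGES)) header("X-Frame-Options: SAMEORIGIN");`, and add the per-page flag later. Sites that are deliberately embedded on another origin would then need that opt-out, which deserves a changelog line. If the code has to stay disabled, a single `// TODO` line is easier to track than commented-out statements.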
@@ -1161,6 +1161,18 @@ class Website extends CommonObject } } + /** + * Return if web site is a multilanguage web site. Return false if there is only 0 or 1 language. + * + * @return boolean True if web site is a multilanguage web site + */ + public function isMultiLang() + { + // TODO Can edit list of languages of web site. Return false if there is only 0 or 1 language. + + return true; + } + /** * Component to select language inside a container (Full CSS Only) * diff --git a/htdocs/website/index.php b/htdocs/website/index.php index df479f0cd36..3d0d7f25871 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -25,7 +25,7 @@ define('NOSCANPOSTFORINJECTION', 1); define('NOSTYLECHECK', 1); define('USEDOLIBARREDITOR', 1); -header('X-XSS-Protection:0'); +//header('X-XSS-Protection:0'); // Disable XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated. require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
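Review bot: The docblock of `isMultiLang()` in website.class.php promises false for a site with 0 or 1 language, but the body is an unconditional `return true;`, so the new `if ($object->isMultiLang())` guard in website2.lib.php never skips anything. Until the language list can be edited, the summary line should state the real behaviour, for example `* Return if web site is a multilanguage web site. Not implemented yet: always returns true.`, and the `// TODO` can then carry only the planned work. The surrounding class starts and ends outside this hunk.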
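Review bot: Commenting out `header('X-XSS-Protection:0');` in htdocs/website/index.php stops the editor page from telling legacy browsers to switch their XSS auditor off, and the main.inc.php hunk shows the only other `X-XSS-Protection` line is commented out too, so as far as these hunks show no value is sent. Current guidance (OWASP Secure Headers) is to send `X-XSS-Protection: 0` explicitly, because the auditor in older browsers can itself be abused and can mangle legitimate markup. This file defines `NOSCANPOSTFORINJECTION` and `USEDOLIBARREDITOR`, which suggests it posts raw page markup. I would keep the line as `header('X-XSS-Protection: 0');` with a comment saying it turns the legacy filter off. Failing that, delete it outright, since the trailing comment ("Disable XSS filtering ... Disabled as deprecated") can be read either way.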