diff --git a/ChangeLog b/ChangeLog index 78793b9d419..c43fd92f676 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,22 @@ English Dolibarr ChangeLog -------------------------------------------------------------- +***** ChangeLog for 5.0.4 compared to 5.0.3 ***** +FIX: #6880 +FIX: #6925 +FIX: #6926 +FIX: Can set supplier invoice to billed. +FIX: Can't create invoice if PO disapproved +FIX: contratligne update +FIX: CVE-2017-7886 +FIX: default param +FIX: Line of invoices not inserted when using POS module and VAT NPR. +FIX: origin & originid on supplierproposal +FIX: Redirect to payment page from member subscription page failed if a unique security key was defined. +FIX: REST api to get project when user has permission to read all. +FIX: situation_progress param default value must be 100 and not 0 +FIX: SQL injection on user/index.php parameter search_statut. +FIX: Warnings ***** ChangeLog for 5.0.3 compared to 5.0.2 ***** FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty diff --git a/htdocs/admin/tools/index.php b/htdocs/admin/tools/index.php index 8da041d05da..b8dfad44e8f 100644 --- a/htdocs/admin/tools/index.php +++ b/htdocs/admin/tools/index.php @@ -38,7 +38,7 @@ if (! $user->admin) $form = new Form($db); $title=$langs->trans("SystemToolsArea"); -if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools"); +if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools"); llxHeader('', $title); diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php index 3cee534e797..e6d3125abed 100644 --- a/htdocs/bookmarks/bookmarks.lib.php +++ b/htdocs/bookmarks/bookmarks.lib.php 
@@ -40,7 +40,7 @@ function printBookmarksList($aDb, $aLangs) $langs->load("bookmarks"); - $url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:''); + $url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''); $ret = ''; // Menu bookmark diff --git a/htdocs/comm/propal/document.php b/htdocs/comm/propal/document.php index 9b875e434f7..aef0ade7c84 100644 --- a/htdocs/comm/propal/document.php +++ b/htdocs/comm/propal/document.php @@ -1,6 +1,6 @@ - * Copyright (C) 2004-2009 Laurent Destailleur + * Copyright (C) 2004-2017 Laurent Destailleur * Copyright (C) 2005 Marc Barilley / Ocebo * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2013 Cédric Salvador @@ -63,17 +63,18 @@ if (! $sortfield) $sortfield="name"; $object = new Propal($db); $object->fetch($id,$ref); -if ($object->id > 0) -{ - $object->fetch_thirdparty(); - $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); - include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; -} + /* * Actions */ +if ($object->id > 0) +{ + $object->fetch_thirdparty(); + $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); + include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; +} /* @@ -101,10 +102,10 @@ if ($object->id > 0) // Proposal card - + $linkback = '' . $langs->trans("BackToList") . ''; - - + + $morehtmlref='
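Review bot: The rewritten `$url` line escapes QUERY_STRING but still concatenates `$_SERVER["PHP_SELF"]` raw, and on servers that accept PATH_INFO that value can carry attacker-supplied text (`/bookmarks/page.php/"><script>`), so the reflected-input fix is only half applied; it also runs dol_escape_htmltag twice on the same value. Assuming `$url` is only ever emitted into the HTML that printBookmarksList builds (the function body runs past this hunk), escape both parts once: `$qs = dol_escape_htmltag($_SERVER["QUERY_STRING"]);` then `$url = dol_escape_htmltag($_SERVER["PHP_SELF"]).($qs ? '?'.$qs : '');`. If `$url` is ever used for a Location header instead, HTML escaping is the wrong tool and the value needs URL-level validation.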
'; // Ref customer $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1); @@ -145,24 +146,24 @@ if ($object->id > 0) } } $morehtmlref.='
'; - + dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); - - + + print '
'; print '
'; - + print ''; - + // Files infos print ''; print ''; - + print "
'.$langs->trans("NbOfAttachedFiles").''.count($filearray).'
'.$langs->trans("TotalSizeOfAttachedFiles").''.$totalsize.' '.$langs->trans("bytes").'
\n"; - + print '
'; - - + + dol_fiche_end(); $modulepart = 'propal'; diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index efb72afb7b7..93c93850652 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -161,7 +161,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab } } -$object = new Propal($db); // To be passed as parameter of executeHooks that need +$object = new Propal($db); // To be passed as parameter of executeHooks that need /* 
@@ -273,25 +273,25 @@ if (! $user->rights->societe->client->voir && ! $socid) //restriction $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; } if ($search_town) $sql.= natural_search('s.town', $search_town); -if ($search_zip) $sql.= natural_search("s.zip",$search_zip); -if ($search_state) $sql.= natural_search("state.nom",$search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$search_country.')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; -if ($search_ref) $sql .= natural_search('p.ref', $search_ref); +if ($search_zip) $sql.= natural_search("s.zip", $search_zip); +if ($search_state) $sql.= natural_search("state.nom", $search_state); +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_ref) $sql .= natural_search('p.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer); -if ($search_societe) $sql .= natural_search('s.nom', $search_societe); -if ($search_login) $sql.= " AND u.login LIKE '%".$db->escape(trim($search_login))."%'"; +if ($search_societe) $sql .= natural_search('s.nom', $search_societe); +if ($search_login) $sql .= natural_search("u.login", $search_login); if ($search_montant_ht != '') $sql.= natural_search("p.total_ht", $search_montant_ht, 1); if ($search_montant_vat != '') $sql.= natural_search("p.tva", $search_montant_vat, 1); if ($search_montant_ttc != '') $sql.= natural_search("p.total", $search_montant_ttc, 1); if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); } -if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$search_product_category; +if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$db->escape($search_product_category); if ($socid > 0) $sql.= ' AND s.rowid = '.$socid; if ($viewstatut != '' && $viewstatut != '-1') { 
- $sql.= ' AND p.fk_statut IN ('.$viewstatut.')'; + $sql.= ' AND p.fk_statut IN ('.$db->escape($viewstatut).')'; } if ($month > 0) { @@ -300,16 +300,16 @@ if ($month > 0) else if ($year > 0 && ! empty($day)) $sql.= " AND p.datep BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'"; else - $sql.= " AND date_format(p.datep, '%m') = '".$month."'"; + $sql.= " AND date_format(p.datep, '%m') = '".$db->escape($month)."'"; } else if ($year > 0) { $sql.= " AND p.datep BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'"; } -if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$search_sale; +if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$db->escape($search_sale); if ($search_user > 0) { - $sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$search_user; + $sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$db->escape($search_user); } // Add where from extra fields foreach ($search_array_options as $key => $val) 
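Review bot: `$db->escape()` does not close the injection on the `s.fk_pays IN (…)`, `s.fk_typent IN (…)` and `p.fk_statut IN (…)` lines: it escapes quote and backslash characters only, and a payload such as `0) OR 1=1 -- ` contains none, so it is concatenated unchanged into the unquoted list. Unless these variables are already reduced to an integer list where they are read from the request (their GETPOST calls sit above this hunk and are not visible), normalise them before building SQL, e.g. `$search_country = implode(',', array_map('intval', explode(',', $search_country)));`, and do the same for `$search_type_thirdparty` and `$viewstatut`. `$search_product_category` has the same shape: in PHP 7 the `> 0` test still passes a string like `1 OR 1=1`, so cast it with `(int)` rather than escaping it.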
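Review bot: On the `$search_sale` and `$search_user` lines the value lands in an unquoted numeric comparison, where `$db->escape()` changes nothing for a payload without quotes, and the `> 0` guard does not reject a string such as `1 OR 1=1` (unless these are already read with the `'int'` GETPOST filter, which is not visible here). An integer cast is the right form and matches what the `fk_user`/`fk_socpeople` columns hold: `$sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);` and `... AND c.fk_socpeople = ".((int) $search_user);`. The `$month` change is fine as written because that value is wrapped in single quotes in the query.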
@@ -357,28 +357,28 @@ if ($resql) else { $title = $langs->trans('ListOfProposals'); - } + } $num = $db->num_rows($resql); - + $arrayofselected=is_array($toselect)?$toselect:array(); - - $param='&viewstatut='.$viewstatut; - if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; - if ($sall) $param.='&sall='.$sall; - if ($month) $param.='&month='.$month; - if ($year) $param.='&year='.$year; - if ($search_ref) $param.='&search_ref=' .$search_ref; - if ($search_refcustomer) $param.='&search_refcustomer=' .$search_refcustomer; - if ($search_societe) $param.='&search_societe=' .$search_societe; - if ($search_user > 0) $param.='&search_user='.$search_user; - if ($search_sale > 0) $param.='&search_sale='.$search_sale; - if ($search_montant_ht) $param.='&search_montant_ht='.$search_montant_ht; - if ($search_login) $param.='&search_login='.$search_login; - if ($search_town) $param.='&search_town='.$search_town; - if ($socid > 0) $param.='&socid='.$socid; - if ($optioncss != '') $param.='&optioncss='.$optioncss; + + $param='&viewstatut='.urlencode($viewstatut); + if (! 
empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit); + if ($sall) $param.='&sall='.urlencode($sall); + if ($month) $param.='&month='.urlencode($month); + if ($year) $param.='&year='.urlencode($year); + if ($search_ref) $param.='&search_ref='.urlencode($search_ref); + if ($search_refcustomer) $param.='&search_refcustomer='.urlencode($search_refcustomer); + if ($search_societe) $param.='&search_societe='.urlencode($search_societe); + if ($search_user > 0) $param.='&search_user='.urlencode($search_user); + if ($search_sale > 0) $param.='&search_sale='.urlencode($search_sale); + if ($search_montant_ht) $param.='&search_montant_ht='.urlencode($search_montant_ht); + if ($search_login) $param.='&search_login='.urlencode($search_login); + if ($search_town) $param.='&search_town='.urlencode($search_town); + if ($socid > 0) $param.='&socid='.urlencode($socid); + if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss); // Add $param from extra fields foreach ($search_array_options as $key => $val) { @@ -386,7 +386,7 @@ if ($resql) $tmpkey=preg_replace('/search_options_/','',$key); if ($val != '') $param.='&search_options_'.$tmpkey.'='.urlencode($val); } - + // List of mass actions available $arrayofmassactions = array( 'presend'=>$langs->trans("SendByMail"), @@ -395,7 +395,7 @@ if ($resql) if ($user->rights->propal->supprimer) $arrayofmassactions['delete']=$langs->trans("Delete"); if ($massaction == 'presend') $arrayofmassactions=array(); $massactionbutton=$form->selectMassAction('', $arrayofmassactions); - + // Lignes des champs de filtre print '
'; if ($optioncss != '') print ''; @@ -406,11 +406,11 @@ if ($resql) print ''; print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'title_commercial.png', 0, '', '', $limit); - + if ($massaction == 'presend') { $langs->load("mails"); - + if (! GETPOST('cancel')) { $objecttmp=new Propal($db); @@ -429,17 +429,17 @@ if ($resql) } } } - + print ''; - + include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; $formmail = new FormMail($db); - + dol_fiche_head(null, '', ''); - + $topicmail="SendSupplierProposalRef"; $modelmail="supplier_proposal_send"; - + // Cree l'objet formulaire mail include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; $formmail = new FormMail($db); @@ -492,25 +492,25 @@ if ($resql) $formmail->substit['__REFCLIENT__']='__REFCLIENT__'; // We want to keep the tag $formmail->substit['__PERSONALIZED__']=''; $formmail->substit['__CONTACTCIVNAME__']=''; - + // Tableau des parametres complementaires du post $formmail->param['action']=$action; $formmail->param['models']=$modelmail; $formmail->param['models_id']=GETPOST('modelmailselected','int'); $formmail->param['id']=join(',',$arrayofselected); //$formmail->param['returnurl']=$_SERVER["PHP_SELF"].'?id='.$object->id; - + print $formmail->get_form(); - + dol_fiche_end(); } - + if ($sall) { foreach($fieldstosearchall as $key => $val) $fieldstosearchall[$key]=$langs->trans($val); print $langs->trans("FilterOnInto", $sall) . join(', ',$fieldstosearchall); } - + $i = 0; $moreforfilter=''; @@ -546,7 +546,7 @@ if ($resql) $reshook=$hookmanager->executeHooks('printFieldPreListTitle',$parameters); // Note that $action and $object may have been modified by hook if (empty($reshook)) $moreforfilter .= $hookmanager->resPrint; else $moreforfilter = $hookmanager->resPrint; - + if (! empty($moreforfilter)) { print '
'; @@ -556,10 +556,10 @@ if ($resql) $varpage=empty($contextpage)?$_SERVER["PHP_SELF"]:$contextpage; $selectedfields=$form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields - + print '
'; print ''."\n"; - + // Fields title print ''; if (! empty($arrayfields['p.ref']['checked'])) print_liste_field_titre($arrayfields['p.ref']['label'],$_SERVER["PHP_SELF"],'p.ref','',$param,'',$sortfield,$sortorder); @@ -579,9 +579,9 @@ if ($resql) // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { - foreach($extrafields->attribute_label as $key => $val) + foreach($extrafields->attribute_label as $key => $val) { - if (! empty($arrayfields["ef.".$key]['checked'])) + if (! empty($arrayfields["ef.".$key]['checked'])) { $align=$extrafields->getAlignFlag($key); print_liste_field_titre($extralabels[$key],$_SERVER["PHP_SELF"],"ef.".$key,"",$param,($align?'align="'.$align.'"':''),$sortfield,$sortorder); @@ -597,9 +597,9 @@ if ($resql) if (! empty($arrayfields['p.fk_statut']['checked'])) print_liste_field_titre($arrayfields['p.fk_statut']['label'],$_SERVER["PHP_SELF"],"p.fk_statut","",$param,'align="right"',$sortfield,$sortorder); print_liste_field_titre($selectedfields, $_SERVER["PHP_SELF"],"",'','','align="right"',$sortfield,$sortorder,'maxwidthsearch '); print ''."\n"; - + print ''; - if (! empty($arrayfields['p.ref']['checked'])) + if (! empty($arrayfields['p.ref']['checked'])) { print ''; } // Date - if (! empty($arrayfields['p.date']['checked'])) + if (! empty($arrayfields['p.date']['checked'])) { print ''; } // Date end - if (! empty($arrayfields['p.fin_validite']['checked'])) + if (! empty($arrayfields['p.fin_validite']['checked'])) { print ''; } @@ -736,7 +736,7 @@ if ($resql) $searchpitco=$form->showFilterAndCheckAddButtons($massactionbutton?1:0, 'checkforselect', 1); print $searchpitco; print ''; - + print "\n"; $now = dol_now(); 
@@ -747,16 +747,16 @@ if ($resql) { $obj = $db->fetch_object($resql); $var=!$var; - + $objectstatic->id=$obj->rowid; $objectstatic->ref=$obj->ref; - + print ''; - + if (! empty($arrayfields['p.ref']['checked'])) { print '\n"; if (! $i) $totalarray['nbfield']++; } - + if (! empty($arrayfields['p.ref_client']['checked'])) { // Customer ref @@ -798,12 +798,12 @@ if ($resql) print ''; if (! $i) $totalarray['nbfield']++; } - + $companystatic->id=$obj->socid; $companystatic->name=$obj->name; $companystatic->client=$obj->client; $companystatic->code_client=$obj->code_client; - + // Thirdparty if (! empty($arrayfields['s.nom']['checked'])) { @@ -812,7 +812,7 @@ if ($resql) print ''; if (! $i) $totalarray['nbfield']++; } - + // Town if (! empty($arrayfields['s.town']['checked'])) { @@ -853,7 +853,7 @@ if ($resql) print ''; if (! $i) $totalarray['nbfield']++; } - + // Date proposal if (! empty($arrayfields['p.date']['checked'])) { @@ -862,7 +862,7 @@ if ($resql) print "\n"; if (! $i) $totalarray['nbfield']++; } - + // Date end validity if (! empty($arrayfields['p.fin_validite']['checked'])) { @@ -877,7 +877,7 @@ if ($resql) } if (! $i) $totalarray['nbfield']++; } - + // Amount HT if (! empty($arrayfields['p.total_ht']['checked'])) { @@ -902,7 +902,7 @@ if ($resql) if (! $i) $totalarray['totalttcfield']=$totalarray['nbfield']; $totalarray['totalttc'] += $obj->total_ttc; } - + $userstatic->id=$obj->fk_user_author; $userstatic->login=$obj->login; @@ -915,7 +915,7 @@ if ($resql) print "\n"; if (! $i) $totalarray['nbfield']++; } - + // Extra fields if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label)) { @@ -1000,20 +1000,20 @@ if ($resql) else print ''; } print ''; - + } $db->free($resql); - + $parameters=array('arrayfields'=>$arrayfields, 'sql'=>$sql); $reshook=$hookmanager->executeHooks('printFieldListFooter',$parameters); // Note that $action and $object may have been modified by hook print $hookmanager->resPrint; - + print '
'; print ''; @@ -641,7 +641,7 @@ if ($resql) print ''; //print $langs->trans('Month').': '; @@ -653,7 +653,7 @@ if ($resql) print ' 
'; - + print ''; // Picto + Ref print '
'; @@ -785,11 +785,11 @@ if ($resql) $urlsource=$_SERVER['PHP_SELF'].'?id='.$obj->rowid; print $formfile->getDocumentsLink($objectstatic->element, $filename, $filedir); print '
'; - + print "
'."\n"; print '
'."\n"; print ''."\n"; - + if ($massaction == 'builddoc' || $action == 'remove_file' || $show_files) { /* @@ -1021,18 +1021,18 @@ if ($resql) */ $urlsource=$_SERVER['PHP_SELF'].'?sortfield='.$sortfield.'&sortorder='.$sortorder; $urlsource.=str_replace('&','&',$param); - + $filedir=$diroutputmassaction; $genallowed=$user->rights->propal->lire; $delallowed=$user->rights->propal->lire; - + print $formfile->showdocuments('massfilesarea_proposals','',$filedir,$urlsource,0,$delallowed,'',1,1,0,48,1,$param,'',''); } else { print '
'.$langs->trans("ShowTempMassFilesArea").''; } - + } else { diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index c19c521ca65..2d0208d0c2b 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -3327,7 +3327,7 @@ else if ($id > 0 || ! empty($ref)) print $object->situation_counter; print ''; - print ''; + print ''; $prevsits_total_amount = 0; foreach ($prevsits as $situation) { @@ -3335,9 +3335,10 @@ else if ($id > 0 || ! empty($ref)) } $prevsits_total_amount += $object->total_ht; - print price($prevsits_total_amount); - print ''; - print '' . $langs->trans('Currency' . $conf->currency) . ''; + print price($prevsits_total_amount, 0, $langs, 1, -1, -1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency) ); + + print ''; + // Previous situation(s) deduction(s) for ($i = 0; $i < $cprevsits; $i++) { @@ -3348,10 +3349,10 @@ else if ($id > 0 || ! empty($ref)) print $prevsits[$i]->situation_counter; print ''; - print ''; - print '- ' . price($prevsits[$i]->total_ht); - print ''; - print '' . $langs->trans('Currency' . $conf->currency) . ''; + print ''; + print '- ' . price($prevsits[$i]->total_ht, 0, $langs, 1, -1, -1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency) ); + print ''; + } } } @@ -3489,7 +3490,7 @@ else if ($id > 0 || ! empty($ref)) if ($object->type == Facture::TYPE_SITUATION && ! empty($conf->global->INVOICE_USE_SITUATION)) { if (count($object->tab_previous_situation_invoice) > 0 || count($object->tab_next_situation_invoice) > 0) - print ''; + print '
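Review bot: The currency fallback `(!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)` is now spelled out in full inside every `price()` call, twice in this hunk and once in the previous one, which makes the calls hard to read and easy to get out of sync. Compute it once before the situation table is printed, `$situation_currency = (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency);`, and pass `$situation_currency` as the last argument of each `price()` call. The enclosing `else if ($id > 0 || ! empty($ref))` branch starts and ends outside this hunk.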
'; if (count($object->tab_previous_situation_invoice) > 0) { // List of previous invoices @@ -3523,7 +3524,7 @@ else if ($id > 0 || ! empty($ref)) } print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -3563,7 +3564,7 @@ else if ($id > 0 || ! empty($ref)) } print ''; - print ''; + print ''; print ''; print ''; print ''; diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 672da011a79..fb9f44edcfb 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -71,7 +71,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') $ret = dol_delete_file($file, 0, 0, 0, $object); if (! empty($fileold)) dol_delete_file($fileold, 0, 0, 0, $object); // Delete file using old path - + // Si elle existe, on efface la vignette if (preg_match('/(\.jpg|\.jpeg|\.bmp|\.gif|\.png|\.tiff)$/i',$file,$regs)) { @@ -150,19 +150,28 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave')) { $filenamefrom=dol_sanitizeFileName(GETPOST('renamefilefrom')); $filenameto=dol_sanitizeFileName(GETPOST('renamefileto')); + + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. + if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) + { + $filenameto.= '.noexe'; + } + if ($filenamefrom && $filenameto) { $srcpath = $upload_dir.'/'.$filenamefrom; $destpath = $upload_dir.'/'.$filenameto; - + $result = dol_move($srcpath, $destpath); - if ($result) + if ($result) { $object->addThumbs($destpath); - + // TODO Add revert function of addThumbs //$object->delThumbs($srcpath); - + setEventMessages($langs->trans("FileRenamed"), null); } else setEventMessages($langs->trans("ErrorFailToRenameFile", $filenamefrom, $filenameto), null, 'errors'); 
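Review bot: The extension check inserted before `if ($filenamefrom && $filenameto)` is a copy of the one in dol_move_uploaded_file, and both lists omit names that common PHP handler configurations still execute, such as `.phtml`, `.phar` and `.shtml`, so renaming `report.txt` to `report.phtml` yields an executable file in exactly the under-web-root case the comment warns about. Keeping two copies also guarantees the next extension added to one list is forgotten in the other. Move the pattern into one helper and call it from both places, e.g. `function dol_is_executable_filename($name) { return (bool) preg_match('/\.htm|\.html|\.shtml|\.php|\.phtml|\.phar|\.pl|\.cgi/i', $name); }`, keeping the unanchored form so that double extensions like `x.php.txt` (executed under Apache AddHandler) are still caught. The `MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED` bypass can stay in the callers.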
diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php index 28f78e22ef4..bbc7647c802 100644 --- a/htdocs/core/ajax/ajaxdirpreview.php +++ b/htdocs/core/ajax/ajaxdirpreview.php @@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir)) } print ''."\n"; -print ''."\n"; +//print ''."\n"; $param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:''); diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php index 3a8a3e30687..76ab3045f93 100644 --- a/htdocs/core/ajax/bankconciliate.php +++ b/htdocs/core/ajax/bankconciliate.php @@ -45,7 +45,7 @@ $action=GETPOST('action'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext') { diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php index 63f96a0c513..106822f998b 100644 --- a/htdocs/core/ajax/box.php +++ b/htdocs/core/ajax/box.php @@ -50,7 +50,7 @@ $userid=GETPOST('userid','int'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +print ''."\n"; // Add a box if ($boxid > 0 && $zone !='' && $userid > 0) diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 331a5e87513..f79753260d7 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -45,7 +45,7 @@ $name=GETPOST('name','alpha'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (! empty($action) && ! empty($name)) diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php index c3788a8baeb..1c7c7a56e4b 100644 --- a/htdocs/core/ajax/contacts.php +++ b/htdocs/core/ajax/contacts.php 
@@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) { $form = new Form($db); - + $return=array(); if (empty($showempty)) $showempty=0; - + $return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true); $return['num'] = $form->num; $return['error'] = $form->error; - + echo json_encode($return); } diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php index 510ef8a1cf8..f8a636e52a5 100644 --- a/htdocs/core/ajax/extraparams.php +++ b/htdocs/core/ajax/extraparams.php @@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha'); top_httphead(); -print ''."\n"; +print ''."\n"; if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) { $value = GETPOST('value','alpha'); $params=array(); - + dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG); - + $classpath = $subelement = $element; - + // For compatibility if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; } else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; } 
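Review bot: `$element` is used verbatim as both an include path and a class name once it falls past the `else if` table: the default `$classpath = $subelement = $element;` in this hunk feeds `dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php')` and `new $classname($db)` in the next one. If `$element` is read from the request the way `$type` in the hunk header is (its GETPOST is above the hunk and not visible), an unexpected value selects an arbitrary class file to load and instantiate before `setExtraParameters()` writes to it, and no permission check is visible on that path. Reject anything outside the mapping up front, e.g. `if (! in_array($element, array('order', 'commande', 'propal', /* …remaining keys of the mapping… */ 'order_supplier', 'invoice_supplier'))) exit;`, so the include and the `new` only ever see a known value. If a rights check exists earlier in the file, only the allow-list part of this note applies.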
@@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; } else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; } else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; } - + dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php'); - + if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; } else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; } else $classname = ucfirst($subelement); - + $object = new $classname($db); $object->fetch($id); - + $params[$htmlelement] = array($type => $value); $object->extraparams = array_merge($object->extraparams, $params); - + $result=$object->setExtraParameters(); } diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php index de3a4e57d19..7e9e541c768 100644 --- a/htdocs/core/ajax/loadinplace.php +++ b/htdocs/core/ajax/loadinplace.php @@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element)) diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php index 6ac5abd3bbb..37173ed9943 100644 --- a/htdocs/core/ajax/objectonoff.php +++ b/htdocs/core/ajax/objectonoff.php @@ -42,7 +42,7 @@ $object = new GenericObject($db); top_httphead(); -print ''."\n"; +print ''."\n"; // Registering new values if (($action == 'set') && ! empty($id)) diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php index 5c891df14d5..d4a101fb497 100644 --- a/htdocs/core/ajax/price.php +++ b/htdocs/core/ajax/price.php 
@@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha')); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($output) && isset($amount) && isset($tva_tx)) diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php index 41d411f01fd..827ee92d525 100644 --- a/htdocs/core/ajax/row.php +++ b/htdocs/core/ajax/row.php @@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/row.php - * \brief File to return Ajax response on Row move. - * This ajax page is called when doing an up or down drag and drop. + * \brief File to return Ajax response on Row move. + * This ajax page is called when doing an up or down drag and drop. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; top_httphead(); -print ''."\n"; +print ''."\n"; // Registering the location of boxes if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line'])) diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php index 48797dd0432..eb04379a778 100644 --- a/htdocs/core/ajax/saveinplace.php +++ b/htdocs/core/ajax/saveinplace.php @@ -54,7 +54,7 @@ savemethodname: top_httphead(); -//print ''."\n"; +//print ''."\n"; //print_r($_POST); // Load original field value diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 28a53a87679..cc7335618d0 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php 
@@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/security.php - * \brief This ajax component is used to generated has keys for security purposes - * like key to use into URL to protect them. + * \brief This ajax component is used to generated has keys for security purposes + * like key to use into URL to protect them. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal @@ -38,7 +38,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (isset($_GET['action']) && ! empty($_GET['action'])) diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php index fc30a13afec..ac9691bfa25 100644 --- a/htdocs/core/ajax/vatrates.php +++ b/htdocs/core/ajax/vatrates.php @@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php index 30e0211ece1..9fa475039d9 100644 --- a/htdocs/core/ajax/ziptown.php +++ b/htdocs/core/ajax/ziptown.php @@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)); //var_dump($_GET); diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php index dc06bfe9ffa..203d41571a9 100644 --- a/htdocs/core/class/conf.class.php +++ b/htdocs/core/class/conf.class.php 
@@ -489,8 +489,8 @@ class Conf // By default, we propagate contacts if (! isset($this->global->MAIN_PROPAGATE_CONTACTS_FROM_ORIGIN)) $this->global->MAIN_PROPAGATE_CONTACTS_FROM_ORIGIN='*'; // Can be also '*' or '^(BILLING|SHIPPING|CUSTOMER|.*)$' (regex not yet implemented) - // By default, we use the zip town autofill - if (! isset($this->global->MAIN_USE_ZIPTOWN_DICTIONNARY)) $this->global->MAIN_USE_ZIPTOWN_DICTIONNARY=1; + // By default, we do not use the zip town autofill + if (! isset($this->global->MAIN_USE_ZIPTOWN_DICTIONNARY)) $this->global->MAIN_USE_ZIPTOWN_DICTIONNARY=0; // Define list of limited modules (value must be key found for "name" property of module, so for example 'supplierproposal' for Module "Supplier Proposal" if (! isset($this->global->MAIN_MODULES_FOR_EXTERNAL)) $this->global->MAIN_MODULES_FOR_EXTERNAL='user,societe,propal,commande,facture,categorie,supplierproposal,fournisseur,contact,projet,contrat,ficheinter,expedition,agenda,resource,adherent'; // '' means 'all'. Note that contact is added here as it should be a module later. diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 98720d335b9..1771b6f7a4c 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1062,7 +1062,7 @@ class FormOther async: false }); // We force reload to be sure to get all boxes into list - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\'; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\'; } else { 
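Review bot: Flipping the MAIN_USE_ZIPTOWN_DICTIONNARY default from 1 to 0 is a user-visible behaviour change for every instance that never stored the constant explicitly, yet the ChangeLog hunk in this same commit has no entry for it and the comment merely restates the new value. Add a line such as `CHANGE: Zip/town autofill (MAIN_USE_ZIPTOWN_DICTIONNARY) is now off by default; set it to 1 to keep the previous behaviour` to the 5.0.4 section, and extend the code comment with the reason the default was turned off. The `! isset` test means installs that already saved a value are unaffected, which is worth stating in the entry.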
@@ -1084,7 +1084,7 @@ class FormOther url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\', async: false }); - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid; } });'; if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();'; diff --git a/htdocs/core/datepicker.php b/htdocs/core/datepicker.php index eeb20ee265c..6253ead8c82 100644 --- a/htdocs/core/datepicker.php +++ b/htdocs/core/datepicker.php @@ -39,7 +39,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML',1); require_once '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; -if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL by the main.inc.php +if (GETPOST('lang', 'aZ09')) $langs->setDefaultLang(GETPOST('lang', 'aZ09')); // If language was forced on URL by the main.inc.php $langs->load("main"); $langs->load("agenda"); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); diff --git a/htdocs/core/get_menudiv.php b/htdocs/core/get_menudiv.php index 655e10afd67..f8b3a652e08 100644 --- a/htdocs/core/get_menudiv.php +++ b/htdocs/core/get_menudiv.php @@ -35,7 +35,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML',1); require_once '../main.inc.php'; -if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL by the main.inc.php +if (GETPOST('lang', 'aZ09')) $langs->setDefaultLang(GETPOST('lang', 'aZ09')); // If language was forced on URL by the main.inc.php $langs->load("main"); $right=($langs->trans("DIRECTION")=='rtl'?'left':'right'); $left=($langs->trans("DIRECTION")=='rtl'?'right':'left'); 
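Review bot: `GETPOST('lang', 'aZ09')` yields an empty string when the value contains any character outside the filter's set, so a forced language silently falls back; language codes of the form `fr_FR` contain an underscore, and GETPOST's `aZ09` check should be confirmed to accept `_` (and `-`), otherwise this hunk disables URL-forced languages rather than hardening them. The identical change is made in get_menudiv.php on the same line of this page, in externalsite/frames.php (`$codelang`) and in install/inc.php, so one verification covers all four sites. The restriction is worthwhile because the value reaches `setDefaultLang()`, which presumably uses the code to select language files; if that is confirmed, a short comment would record why the filter must stay: `// aZ09: the code selects language files, so allow only [A-Za-z0-9_-]`.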
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index a4680ca81e2..29706e15341 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -634,9 +634,9 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable } } - // Security: - // Disallow file with some extensions. We renamed them. - // Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande. + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) { $file_name.= '.noexe'; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 3ed597d50e5..f9f9c8557ee 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -611,7 +611,7 @@ function dol_string_unaccent($str) */ function dol_string_nospecial($str,$newstr='_',$badcharstoreplace='') { - $forbidden_chars_to_replace=array(" ","'","/","\\",":","*","?","\"","<",">","|","[","]",",",";","="); + $forbidden_chars_to_replace=array(" ", "'", "/", "\\", ":", "*", "?", "\"", "<", ">", "|", "[", "]", ",", ";", "="); $forbidden_chars_to_remove=array(); if (is_array($badcharstoreplace)) $forbidden_chars_to_replace=$badcharstoreplace; //$forbidden_chars_to_remove=array("(",")"); @@ -2928,8 +2928,8 @@ function dol_print_error($db='',$error='',$errors=null) $out.="".$langs->trans("Referer").": ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."
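Review bot: The rewritten comment describes a deny-list of extensions, but the regex on the context line below anchors `$` only to its last alternative, so `.htm`, `.html`, `.php` and `.pl` match anywhere in the name while `.cgi` must be the final extension; that asymmetry should either be documented as intended or fixed. If matching anywhere is deliberate (it also covers double extensions such as `name.php.txt`), say so in the new comment: `// Extensions other than .cgi are matched anywhere in the name so double extensions are renamed too`. Any extension the web server executes that is absent from this list (e.g. `.phtml`) is not renamed, so the list should be reviewed against the server's handler configuration rather than treated as complete. `dol_move_uploaded_file` starts and ends outside the hunk.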
\n"; $out.="".$langs->trans("MenuManager").": ".(isset($conf->standard_menu)?$conf->standard_menu:'')."
\n"; $out.="
\n"; - $syslog.="url=".$_SERVER["REQUEST_URI"]; - $syslog.=", query_string=".$_SERVER["QUERY_STRING"]; + $syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]); + $syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]); } else // Mode CLI { diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index fc05e2c9194..8c16ae8309a 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc) $dol_url_root = DOL_URL_ROOT; - $php_self = $_SERVER['PHP_SELF']; - $php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:''; - if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home'; - // Title $appli=constant('DOL_APPLICATION_TITLE'); $title=$appli.' '.DOL_VERSION; @@ -422,7 +418,7 @@ function encodedecode_dbpassconf($level=0) fflush($fp); fclose($fp); clearstatcache(); - + // It's config file, so we set read permission for creator only. // Should set permission to web user and groups for users used by batch //@chmod($file, octdec('0600')); diff --git a/htdocs/core/menus/standard/auguria.lib.php b/htdocs/core/menus/standard/auguria.lib.php index 2c2d2c5ec63..4f8175c3fac 100644 --- a/htdocs/core/menus/standard/auguria.lib.php +++ b/htdocs/core/menus/standard/auguria.lib.php 
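Review bot: `dol_escape_htmltag()` is an HTML-context escape, yet the two changed lines build a string for `dol_syslog`, where the concern is control characters and line breaks that can forge extra log records, not `<` or `&`; unless `dol_escape_htmltag` is known to strip newlines, the log sink gains nothing from this change and the entities will clutter log parsing. A context-appropriate sanitizer would be closer to `$syslog.="url=".preg_replace('/[\x00-\x1f\x7f]/', '', $_SERVER["REQUEST_URI"]);`, and likewise for `QUERY_STRING`, which may also be undefined and deserves an `isset` guard. The `$out` lines above, which are HTML, already use `dol_htmlentities`, so the two output contexts are now escaped inconsistently. `dol_print_error` starts and ends outside the hunk.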
@@ -54,20 +54,20 @@ function print_auguria_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0,$m if (empty($noout)) print_start_menu_array_auguria(); $usemenuhider = (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER)); - + // Show/Hide vertical menu if ($mode != 'jmobile' && $mode != 'topnb' && $usemenuhider && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { $showmode=1; $classname = 'class="tmenu menuhider"'; $idsel='menu'; - + if (empty($noout)) print_start_menu_entry_auguria($idsel,$classname,$showmode); if (empty($noout)) print_text_menu_entry_auguria('', 1, '#', $id, $idsel, $classname, $atarget); if (empty($noout)) print_end_menu_entry_auguria($showmode); $menu->add('#', '', 0, $showmode, $atarget, "xxx", ''); } - + $num = count($newTabMenu); for($i = 0; $i < $num; $i++) { @@ -77,7 +77,7 @@ function print_auguria_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0,$m if ($showmode == 1) { $url = $shorturl = $newTabMenu[$i]['url']; - + if (! preg_match("/^(http:\/\/|https:\/\/)/i",$newTabMenu[$i]['url'])) { $tmp=explode('?',$newTabMenu[$i]['url'],2); @@ -85,11 +85,11 @@ function print_auguria_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0,$m $param = (isset($tmp[1])?$tmp[1]:''); // Complete param to force leftmenu to '' to closed opend menu when we click on a link with no leftmenu defined. - if ((! preg_match('/mainmenu/i',$param)) && (! preg_match('/leftmenu/i',$param)) && ! empty($newTabMenu[$i]['url'])) + if ((! preg_match('/mainmenu/i',$param)) && (! preg_match('/leftmenu/i',$param)) && ! empty($newTabMenu[$i]['url'])) { $param.=($param?'&':'').'mainmenu='.$newTabMenu[$i]['url'].'&leftmenu='; } - if ((! preg_match('/mainmenu/i',$param)) && (! preg_match('/leftmenu/i',$param)) && empty($newTabMenu[$i]['url'])) + if ((! preg_match('/mainmenu/i',$param)) && (! preg_match('/leftmenu/i',$param)) && empty($newTabMenu[$i]['url'])) { $param.=($param?'&':'').'leftmenu='; } 
@@ -136,7 +136,7 @@ function print_auguria_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0,$m function print_start_menu_array_auguria() { global $conf; - + print '
'; print '
    global->MAIN_OPTIMIZEFORTEXTBROWSER)?'':' title="Top menu"').'>'; } @@ -250,7 +250,7 @@ function print_left_auguria_menu($db,$menu_array_before,$menu_array_after,&$tabM $usemenuhider = (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER)); global $usemenuhider; - + // Show logo company if (empty($noout) && ! empty($conf->global->MAIN_SHOW_LOGO) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { @@ -284,7 +284,7 @@ function print_left_auguria_menu($db,$menu_array_before,$menu_array_after,&$tabM print '
'."\n"; print "\n"; } - + // We update newmenu with entries found into database $menuArbo = new Menubase($db,'auguria'); $newmenu = $menuArbo->menuLeftCharger($newmenu,$mainmenu,$leftmenu,($user->societe_id?1:0),'auguria',$tabMenu); @@ -401,7 +401,7 @@ function print_left_auguria_menu($db,$menu_array_before,$menu_array_after,&$tabM for($j = ($i + 1); $j < $num; $j++) { if (empty($menu_array[$j]['level'])) $lastopened=false; - } + } if ($altok % 2 == 0) { print '
'."\n"; @@ -454,9 +454,12 @@ function print_left_auguria_menu($db,$menu_array_before,$menu_array_after,&$tabM // Menu niveau > 0 if ($menu_array[$i]['level'] > 0) { - if ($menu_array[$i]['enabled']) + $cssmenu = ''; + if ($menu_array[$i]['url']) $cssmenu = ' menu_contenu'.dol_string_nospecial(preg_replace('/\.php.*$/','',$menu_array[$i]['url'])); + + if ($menu_array[$i]['enabled']) { - print ''."\n"; print "\n"; } - + return count($menu_array); } diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index ca6791475a6..66fe9f993a9 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php @@ -1561,9 +1561,12 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu // Menu niveau > 0 if ($menu_array[$i]['level'] > 0) { - if ($menu_array[$i]['enabled']) + $cssmenu = ''; + if ($menu_array[$i]['url']) $cssmenu = ' menu_contenu'.dol_string_nospecial(preg_replace('/\.php.*$/','',$menu_array[$i]['url'])); + + if ($menu_array[$i]['enabled']) { - print '
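Review bot: The new `$cssmenu` value is derived from `$menu_array[$i]['url']` and emitted into a class attribute (the `print` line carrying it is truncated in this rendering); its safety rests on `dol_string_nospecial()` replacing `"`, `'`, `<` and `>`, which the default list shown in the functions.lib.php hunk on this page does, and that dependency should be stated next to the assignment: `// dol_string_nospecial() replaces quotes and angle brackets, so the url-derived class name cannot break out of the attribute`. The three added lines are duplicated verbatim in eldy.lib.php (hunk -1561 on this page); a small shared helper in the menu library would keep both copies in step if the sanitization ever changes. `print_left_auguria_menu` and `print_left_eldy_menu` both start and end outside their hunks.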
diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php index d9b5b37d8f3..5e9786f2ba4 100644 --- a/htdocs/core/tpl/objectline_create.tpl.php +++ b/htdocs/core/tpl/objectline_create.tpl.php @@ -725,7 +725,7 @@ function setforpredef() { jQuery("#select_type").val(-1); jQuery("#prod_entry_mode_free").prop('checked',false); jQuery("#prod_entry_mode_predef").prop('checked',true); - jQuery("#price_ht").hide(); + jQuery("#price_ht").val('').hide(); jQuery("#multicurrency_price_ht").hide(); jQuery("#price_ttc").hide(); // May no exists jQuery("#tva_tx").hide(); diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php index b641627b789..c05916d55a7 100644 --- a/htdocs/core/tpl/passwordforgotten.tpl.php +++ b/htdocs/core/tpl/passwordforgotten.tpl.php @@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1; // If we force to use jmobile, then we reenable javascript if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1; +$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']); +$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''; + print top_htmlhead('',$langs->trans('SendNewPassword')); ?> @@ -94,7 +97,7 @@ if (! empty($hookmanager->resArray['options'])) { } ?> -resArray['options'])) {
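Review bot: Only `#price_ht` is cleared before being hidden; `#multicurrency_price_ht` and `#price_ttc` on the following lines are still hidden with their stale values, and if they sit in the same form a hidden input is still submitted, so switching from free to predefined mode can post a leftover manual price. The same treatment fits both: `jQuery("#multicurrency_price_ht").val('').hide();` and `jQuery("#price_ttc").val('').hide();`. `setforpredef` continues outside the hunk.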
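Review bot: `$_SERVER["QUERY_STRING"]` is read on the new line without an `isset` guard, so a request with no query string raises a notice before the template renders, and the escape runs twice on the same value; `$qs = isset($_SERVER["QUERY_STRING"]) ? dol_escape_htmltag($_SERVER["QUERY_STRING"]) : '';` followed by `$php_self .= ($qs !== '' ? '?'.$qs : '');` fixes both. The code this replaces in security2.lib.php (hunk -144 on this page) also appended `mainmenu=home` when no `mainmenu` parameter was present; the template version drops that, which may be intended but is not recorded anywhere. Escaping `PHP_SELF` and the query string before they land in the form's action attribute (the -94 hunk below, whose markup is partly lost in this rendering) is the right call, since both are request-controlled.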
-
class="button" name="password" value="trans('SendNewPassword'); ?>" tabindex="4" /> +
class="button" name="password" value="trans('SendNewPassword'); ?>" tabindex="4" />
diff --git a/htdocs/don/card.php b/htdocs/don/card.php index 0ace5c88e76..f2e7ade706d 100644 --- a/htdocs/don/card.php +++ b/htdocs/don/card.php @@ -50,7 +50,7 @@ $cancel=GETPOST('cancel'); $amount=GETPOST('amount'); $donation_date=dol_mktime(12, 0, 0, GETPOST('remonth'), GETPOST('reday'), GETPOST('reyear')); $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0); - + $object = new Don($db); $extrafields = new ExtraFields($db); @@ -316,17 +316,17 @@ if ($action == 'create') print ''; // Amount - print "
".''; + print "".''; print '\n"; - print "".''; - print "".''; - print "".''; + print "".''; + print "".''; + print "".''; print "".''; + print ''; // Zip / Town print ''; - print "".''; + print "".''; // Public note print ''; @@ -384,9 +384,9 @@ if ($action == 'create') dol_fiche_end(); print '
'; - print ''; + print ''; print '     '; - print ''; + print ''; print '
'; print "\n"; @@ -438,7 +438,7 @@ if (! empty($id) && $action == 'edit') // Amount if ($object->statut == 0) { - print "
".''; + print "".''; } else { @@ -453,11 +453,11 @@ if (! empty($id) && $action == 'edit') print "\n"; $langs->load("companies"); - print ''; - print ''; - print ''; + print ''; + print ''; + print ''; print ''; + print ''; // Zip / Town print ''; - print "".''; + print "".''; print "
' . price($total_prev_ht) . '' . price($total_prev_ttc) . ' 
' . price($total_next_ht) . '' . price($total_next_ttc) . ' 
'; -echo dol_escape_htmltag($title); +echo dol_escape_htmltag($title); if ($disablenofollow) echo ''; ?>
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("PublicDonation").""; print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1); print "
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Address").''; - print '
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -341,7 +341,7 @@ if ($action == 'create') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print '
'.$langs->trans("EMail").'
'.$langs->trans("EMail").'
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Address").''; - print '
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -472,7 +472,7 @@ if (! empty($id) && $action == 'edit') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print '
'.$langs->trans("EMail").'
'.$langs->trans("EMail").'
".$langs->trans("PaymentMode")."\n"; @@ -544,9 +544,9 @@ if (! empty($id) && $action != 'edit') // Print form confirm print $formconfirm; - + $linkback = ''.$langs->trans("BackToList").''; - + $morehtmlref='
'; // Project if (! empty($conf->projet->enabled)) @@ -581,8 +581,8 @@ if (! empty($id) && $action != 'edit') } } $morehtmlref.='
'; - - + + dol_banner_tab($object, 'rowid', $linkback, 1, 'rowid', 'ref', $morehtmlref); @@ -592,13 +592,6 @@ if (! empty($id) && $action != 'edit') print ''; - // Ref - /* - print ''; - print ''; - */ // Date print ''; print ''; print ''; - /*print ''; - // Zip / Town - print ''; - - // Country - print ''; - - // EMail - print "".''; - */ - // Payment mode print "\n"; - - //print "".''; - - // Project - /* - if (! empty($conf->projet->enabled)) - { - print ''; - print ''; - print ''; - print ''; - }*/ - + // Other attributes $cols = 2; include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php'; diff --git a/htdocs/ecm/ajax/ecmdatabase.php b/htdocs/ecm/ajax/ecmdatabase.php index ac3a45d5683..6753a4299b0 100644 --- a/htdocs/ecm/ajax/ecmdatabase.php +++ b/htdocs/ecm/ajax/ecmdatabase.php @@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (isset($action) && ! empty($action)) diff --git a/htdocs/expensereport/ajax/ajaxprojet.php b/htdocs/expensereport/ajax/ajaxprojet.php index 6b9dd7e062f..423677c5da5 100644 --- a/htdocs/expensereport/ajax/ajaxprojet.php +++ b/htdocs/expensereport/ajax/ajaxprojet.php @@ -46,7 +46,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog(join(',',$_GET)); diff --git a/htdocs/externalsite/frames.php b/htdocs/externalsite/frames.php index c0b5cf92e7e..6005b8e55b6 100644 --- a/htdocs/externalsite/frames.php +++ b/htdocs/externalsite/frames.php 
@@ -34,11 +34,11 @@ if (empty($conf->global->EXTERNALSITE_URL)) llxFooter(); } -$mainmenu=GETPOST('mainmenu', 'alpha'); -$leftmenu=GETPOST('leftmenu', 'alpha'); +$mainmenu=GETPOST('mainmenu', "aZ09"); +$leftmenu=GETPOST('leftmenu', "aZ09"); $idmenu=GETPOST('idmenu', 'int'); $theme=GETPOST('theme', 'alpha'); -$codelang=GETPOST('lang', 'alpha'); +$codelang=GETPOST('lang', 'aZ09'); print " diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php index af3d728dc78..9a8c24c4eba 100644 --- a/htdocs/fourn/ajax/getSupplierPrices.php +++ b/htdocs/fourn/ajax/getSupplierPrices.php @@ -46,7 +46,7 @@ $langs->load('margins'); top_httphead(); -//print ''."\n"; +//print ''."\n"; if ($idprod > 0) { @@ -55,7 +55,7 @@ if ($idprod > 0) $sorttouse = 's.nom, pfp.quantity, pfp.price'; if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price'; - + $productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list. if ( is_array($productSupplierArray)) { @@ -63,15 +63,15 @@ if ($idprod > 0) { $price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100); $unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100); - + $title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - '; - + if ($productSupplier->fourn_qty == 1) { $title.= price($price,0,$langs,0,0,-1,$conf->currency)."/"; } $title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units")); - + if ($productSupplier->fourn_qty > 1) { $title.=" - "; 
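Review bot: `$theme` on the context line keeps the looser `alpha` filter while the surrounding menu and language parameters were tightened to `aZ09`; the `print "` that follows is truncated in this rendering, but if `$theme` is interpolated into the frame URL or markup like its neighbours it should get the same restriction: `$theme=GETPOST('theme', 'aZ09');`. `$idmenu` is already typed as `int`, which is the strongest option and the pattern to prefer wherever a numeric value is expected.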
@@ -84,19 +84,19 @@ if ($idprod > 0) $title.= price($productSupplier->fourn_unitcharges,0,$langs,0,0,-1,$conf->currency); $price += $productSupplier->fourn_unitcharges; } - + $label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit"); if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')'; - + $prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price() } } - + // Add price for costprice $price=$producttmp->cost_price; $prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price() - if(!empty($conf->stock->enabled)) + if(!empty($conf->stock->enabled)) { // Add price for pmp $price=$producttmp->pmp; diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index 033e9d43382..bc3c0822207 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php @@ -275,7 +275,7 @@ if (empty($reshook)) if ($action == 'addline' && $user->rights->fournisseur->commande->creer) { $db->begin(); - + $langs->load('errors'); $error = 0; @@ -441,7 +441,7 @@ if (empty($reshook)) $ht = $ttc / (1 + ($tva_tx / 100)); $price_base_type = 'HT'; } - + $pu_ht_devise = price2num($price_ht_devise, 'MU'); $result=$object->addline($desc, $ht, $qty, $tva_tx, $localtax1_tx, $localtax2_tx, 0, 0, '', $remise_percent, $price_base_type, $ttc, $type,'','', $date_start, $date_end, $array_options, $fk_unit, $pu_ht_devise); @@ -451,7 +451,7 @@ if (empty($reshook)) if (! $error && $result > 0) { $db->commit(); - + $ret=$object->fetch($object->id); // Reload to get new records // Define output language 
@@ -508,7 +508,7 @@ if (empty($reshook)) $db->rollback(); setEventMessages($object->error, $object->errors, 'errors'); } - + $action = ''; } @@ -543,7 +543,7 @@ if (empty($reshook)) $localtax1_tx=get_localtax($tva_tx,1,$mysoc,$object->thirdparty); $localtax2_tx=get_localtax($tva_tx,2,$mysoc,$object->thirdparty); - + $pu_ht_devise = GETPOST('multicurrency_subprice'); // Extrafields Lines @@ -1391,7 +1391,7 @@ if ($action=='create') // If not defined, set default value from constant if (empty($cond_reglement_id) && ! empty($conf->global->SUPPLIER_ORDER_DEFAULT_PAYMENT_TERM_ID)) $cond_reglement_id=$conf->global->SUPPLIER_ORDER_DEFAULT_PAYMENT_TERM_ID; if (empty($mode_reglement_id) && ! empty($conf->global->SUPPLIER_ORDER_DEFAULT_PAYMENT_MODE_ID)) $mode_reglement_id=$conf->global->SUPPLIER_ORDER_DEFAULT_PAYMENT_MODE_ID; - + print ''; print ''; print ''; @@ -1577,7 +1577,7 @@ if ($action=='create') elseif (! empty($object->id)) { $result = $object->fetch($id, $ref); - + $societe = new Fournisseur($db); $result=$societe->fetch($object->socid); if ($result < 0) dol_print_error($db); @@ -1587,7 +1587,7 @@ elseif (! empty($object->id)) $res=$object->fetch_optionals($object->id,$extralabels); - + $head = ordersupplier_prepare_head($object); $title=$langs->trans("SupplierOrder"); @@ -1724,11 +1724,11 @@ elseif (! empty($object->id)) // Print form confirm print $formconfirm; - + // Supplier order card $linkback = ''.$langs->trans("BackToList").''; - + $morehtmlref='
'; // Ref supplier $morehtmlref.=$form->editfieldkey("RefSupplier", 'ref_supplier', $object->ref_supplier, $object, $user->rights->fournisseur->commande->creer, 'string', '', 0, 1); @@ -1768,15 +1768,15 @@ elseif (! empty($object->id)) } } $morehtmlref.='
'; - - - dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); - + + + dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); + print '
'; print '
'; print '
'; - + print '
'.$langs->trans("Ref").''; - print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', ''); - print '
'.$langs->trans("Date").''; print dol_print_date($object->date,"day"); @@ -615,52 +608,12 @@ if (! empty($id) && $action != 'edit') print '
'.$langs->trans("Company").''.$object->societe.'
'.$langs->trans("Lastname").''.$object->lastname.'
'.$langs->trans("Firstname").''.$object->firstname.'
'.$langs->trans("Address").''.dol_nl2br($object->address).'
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'
'.$langs->trans('Country').''; - if (! empty($object->country_code)) - { - $img=picto_from_langcode($object->country_code); - print ($img?$img.' ':''); - print $object->country; - } - else - { - print $object->country_olddata; - } - print '
'.$langs->trans("EMail").''.dol_print_email($object->email).'
".$langs->trans("PaymentMode").""; $form->form_modes_reglement(null, $object->modepaymentid,'none'); print "
'.$langs->trans("Status").''.$object->getLibStatut(4).'
'.$langs->trans("Project").''; - $projettmp=new Project($db); - $projettmp->id=$object->fk_projet; - $projettmp->ref=$object->project; - if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1); - print '
'; // Date @@ -1969,12 +1969,12 @@ elseif (! empty($object->id)) include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php'; print '
'; - + print ''; print '
'; print '
'; print '
'; - + print ''; if (!empty($conf->multicurrency->enabled)) @@ -1983,18 +1983,18 @@ elseif (! empty($object->id)) print ''; print ''; print ''; - + // Multicurrency Amount VAT print ''; print ''; print ''; - + // Multicurrency Amount TTC print ''; print ''; print ''; } - + // Total print ''; print ''; @@ -2023,19 +2023,19 @@ elseif (! empty($object->id)) print ''; print '
' . fieldLabel('MulticurrencyAmountHT','multicurrency_total_ht') . '' . price($object->multicurrency_total_ht, '', $langs, 0, - 1, - 1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)) . '
' . fieldLabel('MulticurrencyAmountVAT','multicurrency_total_tva') . '' . price($object->multicurrency_total_tva, '', $langs, 0, - 1, - 1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)) . '
' . fieldLabel('MulticurrencyAmountTTC','multicurrency_total_ttc') . '' . price($object->multicurrency_total_ttc, '', $langs, 0, - 1, - 1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)) . '
'.$langs->trans("AmountHT").''.price($object->total_ht,'',$langs,1,-1,-1,$conf->currency).'
'; - + // Margin Infos /*if (! empty($conf->margin->enabled)) { $formmargin->displayMarginInfos($object); }*/ - - + + print '
'; print '
'; print ''; - + print '

'; - + if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB)) { $blocname = 'contacts'; @@ -2591,19 +2591,29 @@ elseif (! empty($object->id)) // Create bill if (! empty($conf->facture->enabled)) { - if (! empty($conf->fournisseur->enabled) && ($object->statut >= 2 && $object->billed != 1)) // 2 means accepted + if (! empty($conf->fournisseur->enabled) && ($object->statut >= 2 && $object->statut != 7 && $object->billed != 1)) // statut 2 means approved, 7 means canceled { if ($user->rights->fournisseur->facture->creer) { print ''.$langs->trans("CreateBill").''; } - - if ($user->rights->fournisseur->commande->creer && $object->statut >= 2 && !empty($object->linkedObjectsIds['invoice_supplier'])) - { - print ''.$langs->trans("ClassifyBilled").''; - } } + } + // Classify billed manually (need one invoice if module invoice is on, no condition on invoice if not) + if ($user->rights->fournisseur->commande->creer && $object->statut >= 2 && $object->statut != 7 && $object->billed != 1) // statut 2 means approved + { + if (empty($conf->facture->enabled)) + { + print ''.$langs->trans("ClassifyBilled").''; + } + else if (!empty($object->linkedObjectsIds['invoice_supplier'])) + { + if ($user->rights->fournisseur->facture->creer) + { + print ''.$langs->trans("ClassifyBilled").''; + } + } } // Create a remote order using WebService only if module is activated @@ -2696,7 +2706,7 @@ elseif (! empty($object->id)) print ''; print ''; print load_fiche_titre($langs->trans("Receive"),'',''); - + print ''; //print ''; print ''; // DATE CREATE print ''; @@ -368,13 +368,13 @@ print ''; // DATE DEBUT print ''; // DATE FIN print ''; @@ -409,7 +409,7 @@ if (! empty($holiday->holiday)) $userstatic->login=$infos_CP['user_login']; $userstatic->statut=$infos_CP['user_statut']; $userstatic->photo=$infos_CP['user_photo']; - + // Valideur $approbatorstatic->id=$infos_CP['fk_validator']; $approbatorstatic->lastname=$infos_CP['validator_lastname']; 
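Review bot: The right needed to classify an order as billed now depends on whether the invoice module is enabled — `fournisseur->commande->creer` alone when it is off, but additionally `fournisseur->facture->creer` when it is on — and nothing in the hunk explains why a supplier-order editor needs invoice-creation rights in the second case; the inner check either wants a comment or should be dropped so only the outer condition gates the button. These lines only print links, so the action handler they point to (outside the hunk) must apply the same status and rights tests, since the URL is reachable without the button. The status numbers `2` and `7` are now repeated across three conditions with a trailing comment each; named constants on the order class would make `$object->statut != 7` self-explanatory.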
@@ -417,7 +417,7 @@ if (! empty($holiday->holiday)) $approbatorstatic->login=$infos_CP['validator_login']; $approbatorstatic->statut=$infos_CP['validator_statut']; $approbatorstatic->photo=$infos_CP['validator_photo']; - + $date = $infos_CP['date_create']; print ''; diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php index 840fa709ddf..68ad2cb6b2c 100644 --- a/htdocs/install/inc.php +++ b/htdocs/install/inc.php @@ -265,7 +265,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP 5. // Defini objet langs $langs = new Translate('..',$conf); -if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); +if (GETPOST('lang', 'aZ09')) $langs->setDefaultLang(GETPOST('lang', 'aZ09')); else $langs->setDefaultLang('auto'); $bc[false]=' class="bg1"'; @@ -452,9 +452,9 @@ function pFooter($nonext=0,$setuplang='',$jscheckfunction='', $withpleasewait=0) print '
'; if ($nonext == '2') { - print $langs->trans("ErrorFoundDuringMigration", $_SERVER["REQUEST_URI"].'&ignoreerrors=1').'

'; + print $langs->trans("ErrorFoundDuringMigration", $_SERVER["REQUEST_URI"].'&ignoreerrors=1').'

'; } - + print '"'; if ($jscheckfunction) print ' onClick="return '.$jscheckfunction.'();"'; print '>
'; diff --git a/htdocs/install/mysql/migration/3.5.0-3.6.0.sql b/htdocs/install/mysql/migration/3.5.0-3.6.0.sql index 2dc967e2546..1d7ad10d938 100755 --- a/htdocs/install/mysql/migration/3.5.0-3.6.0.sql +++ b/htdocs/install/mysql/migration/3.5.0-3.6.0.sql @@ -62,6 +62,21 @@ ALTER TABLE llx_societe MODIFY COLUMN fk_currency varchar(3) NULL; ALTER TABLE llx_bookmark ADD COLUMN entity integer DEFAULT 1 NOT NULL; ALTER TABLE llx_bookmark MODIFY COLUMN url varchar(255) NOT NULL; + +ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT '2001-01-01 00:00:00'; + +-- Clean corrupted values for tms +-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES'; +-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; +-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE'; +-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; +-- Remove default not null on date_fin +-- VMYSQL4.3 ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN date_fin DATETIME NULL DEFAULT NULL; +-- VPGSQL8.2 ALTER TABLE llx_opensurvey_sondage ALTER COLUMN date_fin DROP NOT NULL; + +ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT CURRENT_TIMESTAMP; + + ALTER TABLE llx_opensurvey_sondage ADD COLUMN entity integer DEFAULT 1 NOT NULL; ALTER TABLE llx_opensurvey_sondage ADD COLUMN allow_comments tinyint NOT NULL DEFAULT 1; -- ALTER TABLE llx_opensurvey_sondage DROP COLUMN survey_link_visible; diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 82f008c2378..2806f2d06a0 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type) $sql_inj += preg_match('/
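Review bot: The new line appends `'&ignoreerrors=1'` to `$_SERVER["REQUEST_URI"]` unconditionally, which produces a malformed URL whenever the migration page is reached without a query string; `(strpos($_SERVER["REQUEST_URI"], '?') === false ? '?' : '&').'ignoreerrors=1'` handles both cases. The removed and added lines read identically in this rendering, so whatever changed between them has been lost; as shown, `REQUEST_URI` still reaches the printed message unescaped, and if that is really the case it should be wrapped with `dol_escape_htmltag()` as this commit does elsewhere. `pFooter` starts and ends outside the hunk.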
'.$langs->trans("Receive").'
'.$langs->trans("DeliveryDate").''; diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 1ab8fbd785f..90db40fd2e7 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -66,7 +66,7 @@ $year_end = GETPOST('year_end'); $search_employe = GETPOST('search_employe'); $search_valideur = GETPOST('search_valideur'); $search_statut = GETPOST('select_statut'); -$type = GETPOST('type','int'); +$type = GETPOST('type','int'); // List of fields to search into when doing a "search in all" $fieldstosearchall = array( @@ -82,7 +82,7 @@ $fieldstosearchall = array( * Actions */ -if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // Both test are required to be compatible with all browsers +if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // All tests are required to be compatible with all browsers { $search_ref=""; $month_create=""; @@ -138,7 +138,7 @@ if($year_start > 0) { } } else { if($month_start > 0) { - $filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'"; + $filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'"; } } @@ -153,7 +153,7 @@ if($year_end > 0) { } } else { if($month_end > 0) { - $filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'"; + $filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'"; } } @@ -168,7 +168,7 @@ if($year_create > 0) { } } else { if($month_create > 0) { - $filter.= " AND date_format(cp.date_create, '%m') = '$month_create'"; + $filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'"; } } 
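Review bot: `$db->escape()` closes the string-context injection in the three `date_format(...) = '...'` filters (hunks -138, -153 and -168), but a month is a small number, so validating it where it is read (outside the hunk) to one or two digits in 1–12 and rejecting anything else would make the escape a second line of defence rather than the only one; a comment on the first fixed line such as `// month comes from the request: escaped here, validated at GETPOST` would record the contract. The `$year_start`/`$year_end`/`$year_create > 0` branches of the same `if` blocks are outside the hunk and should be checked for the same interpolation pattern.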
@@ -313,7 +313,7 @@ print ''; -print ''; +print ''; $formother->select_year($year_create,'year_create',1, $min_year, 0); print ' '; -print ''; +print ''; $formother->select_year($year_start,'year_start',1, $min_year, $max_year); print ''; -print ''; +print ''; $formother->select_year($year_end,'year_end',1, $min_year, $max_year); print '