Merge branch '10.0' of git@github.com:Dolibarr/dolibarr.git into 11.0

Conflicts: htdocs/resource/class/dolresource.class.php htdocs/resource/list.php
2020-01-29 11:44:04 +01:00 · 2020-01-29 11:44:04 +01:00 · 1e13f6fd0f
commit 1e13f6fd0f
parent d224c711cf d650258d39
4 changed files with 11 additions and 10 deletions
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@ -1116,7 +1116,7 @@ class Categorie extends CommonObject
        // Include or exclude leaf including $markafterid from tree
        if (count($markafterid) > 0)
        {
-            $keyfiltercatid = implode('|', $markafterid);
+            $keyfiltercatid = '(' . implode('|', $markafterid) . ')';

            //print "Look to discard category ".$markafterid."\n";
            $keyfilter1 = '^'.$keyfiltercatid.'$';
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@ -1324,6 +1324,7 @@ class ExtraFields
                        print 'Error in request '.$sql.' '.$this->db->lasterror().'. Check setup of extra parameters.<br>';
                    }
                } else {
+					require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
                    $data = $form->select_all_categories(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]], '', 'parent', 64, $InfoFieldList[6], 1, 1);
                    $out .= '<option value="0">&nbsp;</option>';
                    foreach ($data as $data_key => $data_value) {
@ -1550,6 +1551,7 @@ class ExtraFields
                        print 'Error in request ' . $sql . ' ' . $this->db->lasterror() . '. Check setup of extra parameters.<br>';
                    }
                } else {
+					require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
                    $data = $form->select_all_categories(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]], '', 'parent', 64, $InfoFieldList[6], 1, 1);
                    $out = $form->multiselectarray($keyprefix . $key . $keysuffix, $data, $value_arr, '', 0, '', 0, '100%');
                }
--- a/htdocs/resource/class/dolresource.class.php
+++ b/htdocs/resource/class/dolresource.class.php
@ -615,7 +615,7 @@ class Dolresource extends CommonObject
   					$sql .= ' AND '.$key.' = \''.$this->db->idate($value).'\'';
   				}
   				else {
-   					$sql .= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+   					$sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
   				}
   			}
   		}
@ -697,7 +697,7 @@ class Dolresource extends CommonObject
    				$sql .= ' AND '.$key.' = \''.$this->db->idate($value).'\'';
    			}
    			else {
-    				$sql .= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+    				$sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
    			}
    		}
    	}
--- a/htdocs/resource/list.php
+++ b/htdocs/resource/list.php
@ -52,20 +52,20 @@ $extrafields = new ExtraFields($db);
 $extrafields->fetch_name_optionals_label($object->table_element);
 $search_array_options = $extrafields->getOptionalsFromPost($object->table_element, '', 'search_');
 if (!is_array($search_array_options)) $search_array_options = array();
-$search_ref = GETPOST("search_ref");
-$search_type = GETPOST("search_type");
+$search_ref = GETPOST("search_ref", 'alpha');
+$search_type = GETPOST("search_type", 'alpha');

 $filter = array();

 if ($search_ref != '') {
-	$param .= '&search_ref='.$search_ref;
+	$param.='&search_ref='.urlencode($search_ref);
 	$filter['t.ref'] = $search_ref;
 }
 if ($search_type != '') {
-	$param .= '&search_type='.$search_type;
+	$param.='&search_type='.urlencode($search_type);
 	$filter['ty.label'] = $search_type;
 }
-if ($search_label != '') 		$param .= '&search_label='.$search_label;
+
 // Add $param from extra fields
 foreach ($search_array_options as $key => $val)
 {
@ -83,7 +83,7 @@ foreach ($search_array_options as $key => $val)
 		$filter['ef.'.$tmpkey] = natural_search('ef.'.$tmpkey, $crit, $mode_search);
 	}
 }
-if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage;
+if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage);


 $hookmanager->initHooks(array('resourcelist'));
@ -131,7 +131,6 @@ include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php';
 if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers
 {
 	$search_ref = "";
-	$search_label = "";
 	$search_type = "";
 	$search_array_options = array();
 	$filter = array();