diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index acbffa109a2..9540c2b84cd 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1116,7 +1116,7 @@ class Categorie extends CommonObject
// Include or exclude leaf including $markafterid from tree
if (count($markafterid) > 0)
{
- $keyfiltercatid = implode('|', $markafterid);
+ $keyfiltercatid = '(' . implode('|', $markafterid) . ')';
//print "Look to discard category ".$markafterid."\n";
$keyfilter1 = '^'.$keyfiltercatid.'$';
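Review bot: The grouped alternation on line 10 is now anchored correctly by the `^...$` built on line 12, but the elements of `$markafterid` are still interpolated into the regex as-is; if any element is not a plain integer id the alternation can match more than intended or produce an invalid pattern. Since these are category ids, a cheap normalisation before building the filter is `$markafterid = array_map('intval', $markafterid);`, or `preg_quote()` on each element if non-numeric values are legitimate here. The enclosing method starts outside the hunk, so where `$markafterid` originates is not visible from this view.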
diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index ef5f5d4e74c..36b83bb32b7 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -1324,6 +1324,7 @@ class ExtraFields
print 'Error in request '.$sql.' '.$this->db->lasterror().'. Check setup of extra parameters.
';
}
} else {
+ require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
$data = $form->select_all_categories(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]], '', 'parent', 64, $InfoFieldList[6], 1, 1);
$out .= '';
foreach ($data as $data_key => $data_value) {
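Review bot: The new require_once on line 22 makes `Categorie` loadable, but the following line still dereferences `Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]]` without checking the key exists, so a misconfigured extrafield definition raises an undefined-index notice and passes null into select_all_categories; a guard with `isset(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]])` before the call would be a natural companion to the require. The second hunk of this file (lines 31-32) has the same shape and the same remark applies. Adding the require once near the file's other top-level requires, instead of twice inside method branches, would also remove the duplication. Both enclosing methods start and end outside the hunks.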
@@ -1550,6 +1551,7 @@ class ExtraFields
print 'Error in request ' . $sql . ' ' . $this->db->lasterror() . '. Check setup of extra parameters.
';
}
} else {
+ require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
$data = $form->select_all_categories(Categorie::$MAP_ID_TO_CODE[$InfoFieldList[5]], '', 'parent', 64, $InfoFieldList[6], 1, 1);
$out = $form->multiselectarray($keyprefix . $key . $keysuffix, $data, $value_arr, '', 0, '', 0, '100%');
}
diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php
index 7e2f11e1bf5..4af42ea8ff2 100644
--- a/htdocs/resource/class/dolresource.class.php
+++ b/htdocs/resource/class/dolresource.class.php
@@ -615,7 +615,7 @@ class Dolresource extends CommonObject
$sql .= ' AND '.$key.' = \''.$this->db->idate($value).'\'';
}
else {
- $sql .= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+ $sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
}
}
}
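Review bot: `$this->db->escape($value)` on line 44 closes the quote-injection hole, but the value is still embedded in a LIKE pattern, so `%` and `_` typed by the user act as wildcards rather than literals; if a literal substring match is intended, escape those too, e.g. `$this->db->escape(addcslashes($value, '%_'))`, or a LIKE-specific escape helper if this DB layer provides one. The column name `$key` is concatenated unescaped on the same line, which is only safe while every caller builds the filter array from fixed keys — that contract deserves a docblock note on the method (`@param array $filter keys must be trusted column names, values are escaped`). The second hunk (lines 48-56) contains the identical construct and both remarks apply there as well. Both enclosing methods start outside their hunks.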
@@ -697,7 +697,7 @@ class Dolresource extends CommonObject
$sql .= ' AND '.$key.' = \''.$this->db->idate($value).'\'';
}
else {
- $sql .= ' AND '.$key.' LIKE \'%'.$value.'%\'';
+ $sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\'';
}
}
}
diff --git a/htdocs/resource/list.php b/htdocs/resource/list.php
index 36415c0b951..2053e19dc72 100644
--- a/htdocs/resource/list.php
+++ b/htdocs/resource/list.php
@@ -52,20 +52,20 @@ $extrafields = new ExtraFields($db);
$extrafields->fetch_name_optionals_label($object->table_element);
$search_array_options = $extrafields->getOptionalsFromPost($object->table_element, '', 'search_');
if (!is_array($search_array_options)) $search_array_options = array();
-$search_ref = GETPOST("search_ref");
-$search_type = GETPOST("search_type");
+$search_ref = GETPOST("search_ref", 'alpha');
+$search_type = GETPOST("search_type", 'alpha');
$filter = array();
if ($search_ref != '') {
- $param .= '&search_ref='.$search_ref;
+ $param.='&search_ref='.urlencode($search_ref);
$filter['t.ref'] = $search_ref;
}
if ($search_type != '') {
- $param .= '&search_type='.$search_type;
+ $param.='&search_type='.urlencode($search_type);
$filter['ty.label'] = $search_type;
}
-if ($search_label != '') $param .= '&search_label='.$search_label;
+
// Add $param from extra fields
foreach ($search_array_options as $key => $val)
{
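Review bot: Lines 72 and 77 write `$param.='&search_ref='` with no spaces around `.=`, while the untouched lines of this file (and line 90 in the next hunk) use `$param .= `; the new lines should follow the surrounding style, e.g. `$param .= '&search_ref='.urlencode($search_ref);`. Line 90 in turn introduces `! empty(` where line 64 of this hunk uses `!is_array(`, the same inconsistency in the other direction. The switch to typed GETPOST and urlencode of the values carried in `$param` is otherwise sound.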
@@ -83,7 +83,7 @@ foreach ($search_array_options as $key => $val)
$filter['ef.'.$tmpkey] = natural_search('ef.'.$tmpkey, $crit, $mode_search);
}
}
-if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage;
+if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage);
$hookmanager->initHooks(array('resourcelist'));
@@ -131,7 +131,6 @@ include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php';
if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x', 'alpha') || GETPOST('button_removefilter', 'alpha')) // Both test are required to be compatible with all browsers
{
$search_ref = "";
- $search_label = "";
$search_type = "";
$search_array_options = array();
$filter = array();