Fix XSS CWE-ID CWE-79

Laurent Destailleur 2020-06-05 23:10:55 +02:00
parent 4fcaaa3387
commit 2344435416
4 changed files with 125 additions and 128 deletions


@ -243,18 +243,16 @@ if (empty($reshook))
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$birthdate = '';
if (isset($_POST["birthday"]) && $_POST["birthday"]
&& isset($_POST["birthmonth"]) && $_POST["birthmonth"]
&& isset($_POST["birthyear"]) && $_POST["birthyear"])
if (GETPOST("birthday", 'int') && GETPOST("birthmonth", 'int') && GETPOST("birthyear", 'int'))
{
$birthdate = dol_mktime(12, 0, 0, $_POST["birthmonth"], $_POST["birthday"], $_POST["birthyear"]);
$birthdate = dol_mktime(12, 0, 0, GETPOST("birthmonth", 'int'), GETPOST("birthday", 'int'), GETPOST("birthyear", 'int'));
}
$lastname = $_POST["lastname"];
$firstname = $_POST["firstname"];
$gender = $_POST["gender"];
$societe = $_POST["societe"];
$morphy = $_POST["morphy"];
$login = $_POST["login"];
$lastname = GETPOST("lastname", 'alphanohtml');
$firstname = GETPOST("firstname", 'alphanohtml');
$gender = GETPOST("gender", 'alphanohtml');
$societe = GETPOST("societe", 'alphanohtml');
$morphy = GETPOST("morphy", 'alphanohtml');
$login = GETPOST("login", 'alphanohtml');
if ($morphy != 'mor' && empty($lastname)) {
$error++;
$langs->load("errors");
@ -284,19 +282,19 @@ if (empty($reshook))
$object->oldcopy = clone $object;
// Change values
$object->civility_id = trim(GETPOST("civility_id", 'alpha'));
$object->firstname = trim(GETPOST("firstname", 'alpha'));
$object->lastname = trim(GETPOST("lastname", 'alpha'));
$object->gender = trim(GETPOST("gender", 'alpha'));
$object->civility_id = trim(GETPOST("civility_id", 'alphanohtml'));
$object->firstname = trim(GETPOST("firstname", 'alphanohtml'));
$object->lastname = trim(GETPOST("lastname", 'alphanohtml'));
$object->gender = trim(GETPOST("gender", 'alphanohtml'));
$object->login = trim(GETPOST("login", 'alpha'));
$object->pass = trim(GETPOST("pass", 'alpha'));
$object->societe = trim(GETPOST("societe", 'alpha')); // deprecated
$object->company = trim(GETPOST("societe", 'alpha'));
$object->societe = trim(GETPOST("societe", 'alphanohtml')); // deprecated
$object->company = trim(GETPOST("societe", 'alphanohtml'));
$object->address = trim(GETPOST("address", 'alpha'));
$object->zip = trim(GETPOST("zipcode", 'alpha'));
$object->town = trim(GETPOST("town", 'alpha'));
$object->address = trim(GETPOST("address", 'alphanohtml'));
$object->zip = trim(GETPOST("zipcode", 'alphanohtml'));
$object->town = trim(GETPOST("town", 'alphanohtml'));
$object->state_id = GETPOST("state_id", 'int');
$object->country_id = GETPOST("country_id", 'int');
@ -442,14 +440,14 @@ if (empty($reshook))
}
$typeid = GETPOST("typeid", 'int');
$civility_id = GETPOST("civility_id", 'alpha');
$lastname = GETPOST("lastname", 'alpha');
$firstname = GETPOST("firstname", 'alpha');
$gender = GETPOST("gender", 'alpha');
$societe = GETPOST("societe", 'alpha');
$address = GETPOST("address", 'alpha');
$zip = GETPOST("zipcode", 'alpha');
$town = GETPOST("town", 'alpha');
$civility_id = GETPOST("civility_id", 'alphanohtml');
$lastname = GETPOST("lastname", 'alphanohtml');
$firstname = GETPOST("firstname", 'alphanohtml');
$gender = GETPOST("gender", 'alphanohtml');
$societe = GETPOST("societe", 'alphanohtml');
$address = GETPOST("address", 'alphanohtml');
$zip = GETPOST("zipcode", 'alphanohtml');
$town = GETPOST("town", 'alphanohtml');
$state_id = GETPOST("state_id", 'int');
$country_id = GETPOST("country_id", 'int');
@ -465,9 +463,8 @@ if (empty($reshook))
$pass = GETPOST("password", 'alpha');
$photo = GETPOST("photo", 'alpha');
//$comment=GETPOST("comment",'none');
$morphy = GETPOST("morphy", 'alpha');
$subscription = GETPOST("subscription", 'alpha');
$public = GETPOST("public", 'alpha');
$morphy = GETPOST("morphy", 'alphanohtml');
$public = GETPOST("public", 'alphanohtml');
$userid = GETPOST("userid", 'int');
$socid = GETPOST("socid", 'int');
@ -976,7 +973,7 @@ else
print "</td>\n";
// Company
print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" class="minwidth300" maxlength="128" value="'.(GETPOST('societe', 'alpha') ?GETPOST('societe', 'alpha') : $object->company).'"></td></tr>';
print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" class="minwidth300" maxlength="128" value="'.(GETPOSTISSET('societe') ? GETPOST('societe', 'alphanohtml') : $object->company).'"></td></tr>';
// Civility
print '<tr><td>'.$langs->trans("UserTitle").'</td><td>';
@ -984,39 +981,39 @@ else
print '</tr>';
// Lastname
print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" class="minwidth300" maxlength="50" value="'.(GETPOST('lastname', 'alpha') ?GETPOST('lastname', 'alpha') : $object->lastname).'"></td>';
print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" class="minwidth300" maxlength="50" value="'.(GETPOSTISSET('lastname') ? GETPOST('lastname', 'alphanohtml') : $object->lastname).'"></td>';
print '</tr>';
// Firstname
print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" class="minwidth300" maxlength="50" value="'.(GETPOST('firstname', 'alpha') ?GETPOST('firstname', 'alpha') : $object->firstname).'"></td>';
print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" class="minwidth300" maxlength="50" value="'.(GETPOSTISSET('firstname') ? GETPOST('firstname', 'alphanohtml') : $object->firstname).'"></td>';
print '</tr>';
// Gender
print '<tr><td>'.$langs->trans("Gender").'</td>';
print '<td>';
$arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"));
print $form->selectarray('gender', $arraygender, GETPOST('gender'), 1);
print $form->selectarray('gender', $arraygender, GETPOST('gender', 'alphanohtml'), 1);
print '</td></tr>';
// EMail
print '<tr><td>'.img_picto('', 'object_email').' '.($conf->global->ADHERENT_MAIL_REQUIRED ? '<span class="fieldrequired">' : '').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED ? '</span>' : '').'</td><td><input type="text" name="member_email" class="minwidth300" maxlength="255" value="'.(GETPOST('member_email', 'alpha') ?GETPOST('member_email', 'alpha') : $object->email).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_email').' '.($conf->global->ADHERENT_MAIL_REQUIRED ? '<span class="fieldrequired">' : '').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED ? '</span>' : '').'</td><td><input type="text" name="member_email" class="minwidth300" maxlength="255" value="'.(GETPOSTISSET('member_email') ? GETPOST('member_email', 'alpha') : $object->email).'"></td></tr>';
// Address
print '<tr><td class="tdtop">'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(GETPOST('address', 'alphanohtml') ?GETPOST('address', 'alphanohtml') : $object->address).'</textarea>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(GETPOSTISSET('address') ?GETPOST('address', 'alphanohtml') : $object->address).'</textarea>';
print '</td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
print $formcompany->select_ziptown((GETPOST('zipcode', 'alphanohtml') ?GETPOST('zipcode', 'alphanohtml') : $object->zip), 'zipcode', array('town', 'selectcountry_id', 'state_id'), 6);
print $formcompany->select_ziptown((GETPOSTISSET('zipcode') ? GETPOST('zipcode', 'alphanohtml') : $object->zip), 'zipcode', array('town', 'selectcountry_id', 'state_id'), 6);
print ' ';
print $formcompany->select_ziptown((GETPOST('town', 'alphanohtml') ?GETPOST('town', 'alphanohtml') : $object->town), 'town', array('zipcode', 'selectcountry_id', 'state_id'));
print $formcompany->select_ziptown((GETPOSTISSET('town') ? GETPOST('town', 'alphanohtml') : $object->town), 'town', array('zipcode', 'selectcountry_id', 'state_id'));
print '</td></tr>';
// Country
$object->country_id = $object->country_id ? $object->country_id : $mysoc->country_id;
print '<tr><td width="25%">'.$langs->trans('Country').'</td><td>';
print $form->select_country(GETPOST('country_id', 'alpha') ?GETPOST('country_id', 'alpha') : $object->country_id, 'country_id');
print $form->select_country(GETPOSTISSET('country_id') ? GETPOST('country_id', 'alpha') : $object->country_id, 'country_id');
if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"), 1);
print '</td></tr>';
@ -1026,7 +1023,7 @@ else
print '<tr><td>'.$langs->trans('State').'</td><td>';
if ($object->country_id)
{
print $formcompany->select_state(GETPOST('state_id', 'int') ?GETPOST('state_id', 'int') : $object->state_id, $object->country_code);
print $formcompany->select_state(GETPOSTISSET('state_id') ? GETPOST('state_id', 'int') : $object->state_id, $object->country_code);
}
else
{
@ -1036,18 +1033,18 @@ else
}
// Pro phone
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(GETPOST('phone', 'alpha') ?GETPOST('phone', 'alpha') : $object->phone).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(GETPOSTISSET('phone') ? GETPOST('phone', 'alpha') : $object->phone).'"></td></tr>';
// Personal phone
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(GETPOST('phone_perso', 'alpha') ?GETPOST('phone_perso', 'alpha') : $object->phone_perso).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(GETPOSTISSET('phone_perso') ? GETPOST('phone_perso', 'alpha') : $object->phone_perso).'"></td></tr>';
// Mobile phone
print '<tr><td>'.img_picto('', 'object_phoning_mobile').' '.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(GETPOST('phone_mobile', 'alpha') ?GETPOST('phone_mobile', 'alpha') : $object->phone_mobile).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_phoning_mobile').' '.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(GETPOSTISSET('phone_mobile') ? GETPOST('phone_mobile', 'alpha') : $object->phone_mobile).'"></td></tr>';
if (!empty($conf->socialnetworks->enabled)) {
foreach ($socialnetworks as $key => $value) {
if (!$value['active']) break;
print '<tr><td>'.$langs->trans($value['label']).'</td><td><input type="text" name="member_'.$key.'" size="40" value="'.(GETPOST('member_'.$key, 'alpha') ?GETPOST('member_'.$key, 'alpha') : $object->socialnetworks[$key]).'"></td></tr>';
print '<tr><td>'.$langs->trans($value['label']).'</td><td><input type="text" name="member_'.$key.'" size="40" value="'.(GETPOSTISSET('member_'.$key) ? GETPOST('member_'.$key, 'alpha') : $object->socialnetworks[$key]).'"></td></tr>';
}
}
@ -1196,14 +1193,14 @@ else
$morphys["phy"] = $langs->trans("Physical");
$morphys["mor"] = $langs->trans("Moral");
print '<tr><td><span class="fieldrequired">'.$langs->trans("MemberNature").'</span></td><td>';
print $form->selectarray("morphy", $morphys, (GETPOSTISSET("morphy") ?GETPOST("morphy", 'alpha') : $object->morphy));
print $form->selectarray("morphy", $morphys, (GETPOSTISSET("morphy") ? GETPOST("morphy", 'alpha') : $object->morphy));
print "</td></tr>";
// Type
print '<tr><td class="fieldrequired">'.$langs->trans("Type").'</td><td>';
if ($user->rights->adherent->creer)
{
print $form->selectarray("typeid", $adht->liste_array(), (GETPOSTISSET("typeid") ?GETPOST("typeid", 'int') : $object->typeid));
print $form->selectarray("typeid", $adht->liste_array(), (GETPOSTISSET("typeid") ? GETPOST("typeid", 'int') : $object->typeid));
}
else
{
@ -1213,27 +1210,27 @@ else
print "</td></tr>";
// Company
print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" class="minwidth300" maxlength="128" value="'.(isset($_POST["societe"]) ?GETPOST("societe", '', 2) : $object->company).'"></td></tr>';
print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" class="minwidth300" maxlength="128" value="'.(GETPOSTISSET("societe") ? GETPOST("societe", 'alphanohtml', 2) : $object->company).'"></td></tr>';
// Civility
print '<tr><td>'.$langs->trans("UserTitle").'</td><td>';
print $formcompany->select_civility(isset($_POST["civility_id"]) ? $_POST["civility_id"] : $object->civility_id)."\n";
print $formcompany->select_civility(GETPOSTISSET("civility_id") ? GETPOST("civility_id", 'alpha') : $object->civility_id)."\n";
print '</td>';
print '</tr>';
// Lastname
print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" class="minwidth300" maxlength="50" value="'.(isset($_POST["lastname"]) ?GETPOST("lastname", '', 2) : $object->lastname).'"></td>';
print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" class="minwidth300" maxlength="50" value="'.(GETPOSTISSET("lastname") ? GETPOST("lastname", 'alphanohtml', 2) : $object->lastname).'"></td>';
print '</tr>';
// Firstname
print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" class="minwidth300" maxlength="50" value="'.(isset($_POST["firstname"]) ?GETPOST("firstname", '', 3) : $object->firstname).'"></td>';
print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" class="minwidth300" maxlength="50" value="'.(GETPOSTISSET("firstname") ? GETPOST("firstname", 'alphanohtml', 3) : $object->firstname).'"></td>';
print '</tr>';
// Gender
print '<tr><td>'.$langs->trans("Gender").'</td>';
print '<td>';
$arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"));
print $form->selectarray('gender', $arraygender, GETPOST('gender') ?GETPOST('gender') : $object->gender, 1);
print $form->selectarray('gender', $arraygender, GETPOSTISSET('gender') ? GETPOST('gender', 'alphanohtml') : $object->gender, 1);
print '</td></tr>';
// Photo
@ -1256,14 +1253,14 @@ else
// Address
print '<tr><td>'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_2.'">'.(isset($_POST["address"]) ?GETPOST("address", '', 2) : $object->address).'</textarea>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_2.'">'.(GETPOSTISSET("address") ? GETPOST("address", 'alphanohtml', 2) : $object->address).'</textarea>';
print '</td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
print $formcompany->select_ziptown((isset($_POST["zipcode"]) ?GETPOST("zipcode", '', 2) : $object->zip), 'zipcode', array('town', 'selectcountry_id', 'state_id'), 6);
print $formcompany->select_ziptown((GETPOSTISSET("zipcode") ? GETPOST("zipcode", 'alphanohtml', 2) : $object->zip), 'zipcode', array('town', 'selectcountry_id', 'state_id'), 6);
print ' ';
print $formcompany->select_ziptown((isset($_POST["town"]) ?GETPOST("town", '', 2) : $object->town), 'town', array('zipcode', 'selectcountry_id', 'state_id'));
print $formcompany->select_ziptown((GETPOSTISSET("town") ? GETPOST("town", 'alphanohtml', 2) : $object->town), 'town', array('zipcode', 'selectcountry_id', 'state_id'));
print '</td></tr>';
// Country
@ -1282,18 +1279,18 @@ else
}
// Pro phone
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(isset($_POST["phone"]) ?GETPOST("phone") : $object->phone).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(GETPOSTISSET("phone") ? GETPOST("phone") : $object->phone).'"></td></tr>';
// Personal phone
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(isset($_POST["phone_perso"]) ?GETPOST("phone_perso") : $object->phone_perso).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_phoning').' '.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(GETPOSTISSET("phone_perso") ? GETPOST("phone_perso") : $object->phone_perso).'"></td></tr>';
// Mobile phone
print '<tr><td>'.img_picto('', 'object_phoning_mobile').' '.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(isset($_POST["phone_mobile"]) ?GETPOST("phone_mobile") : $object->phone_mobile).'"></td></tr>';
print '<tr><td>'.img_picto('', 'object_phoning_mobile').' '.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(GETPOSTISSET("phone_mobile") ? GETPOST("phone_mobile") : $object->phone_mobile).'"></td></tr>';
if (!empty($conf->socialnetworks->enabled)) {
foreach ($socialnetworks as $key => $value) {
if (!$value['active']) break;
print '<tr><td>'.$langs->trans($value['label']).'</td><td><input type="text" name="'.$key.'" class="minwidth100" value="'.(isset($_POST[$key]) ?GETPOST($key) : $object->socialnetworks[$key]).'"></td></tr>';
print '<tr><td>'.$langs->trans($value['label']).'</td><td><input type="text" name="'.$key.'" class="minwidth100" value="'.(GETPOSTISSET($key) ? GETPOST($key, 'alphanohtml') : $object->socialnetworks[$key]).'"></td></tr>';
}
}
@ -1304,7 +1301,7 @@ else
// Public profil
print "<tr><td>".$langs->trans("Public")."</td><td>\n";
print $form->selectyesno("public", (isset($_POST["public"]) ?GETPOST("public", '', 2) : $object->public), 1);
print $form->selectyesno("public", (GETPOSTISSET("public") ? GETPOST("public", 'alphanohtml', 2) : $object->public), 1);
print "</td></tr>\n";
// Categories
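Review bot: The phone inputs in the edit form at the hunk starting at 1279 still print `GETPOST("phone")`, `GETPOST("phone_perso")` and `GETPOST("phone_mobile")` with no filter at all into a `value="…"` attribute, and none of the `value=` attributes in this file escape the fallback side of the ternary (`$object->phone`, `$object->company`, `$object->lastname`, presumably loaded from the database), so the fix rests entirely on input filtering rather than output encoding. Wrapping the whole expression is the robust form, e.g. `value="'.dol_escape_htmltag(GETPOSTISSET("phone") ? GETPOST("phone", 'alpha') : $object->phone).'"`, which is what the product/card.php part of this same commit already does for `ref`; the same applies to `member_email` and the social-network inputs in the 1033 hunk, which keep `'alpha'` in attribute context. Two smaller inconsistencies: `morphy` is read with `'alpha'` in the 1193 hunk but with `'alphanohtml'` in the action block, and the 465 hunk drops `$subscription = GETPOST("subscription", 'alpha');` without a replacement — if `$subscription` is still read further down (outside this hunk) it is now undefined.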


@ -193,7 +193,7 @@ if (empty($reshook))
{
$error = 0;
if (!GETPOST('label'))
if (!GETPOST('label', 'alphanohtml'))
{
setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentities('Label')), null, 'errors');
$action = "create";
@ -217,8 +217,8 @@ if (empty($reshook))
$units = GETPOST('units', 'int');
$object->ref = $ref;
$object->label = GETPOST('label');
$object->price_base_type = GETPOST('price_base_type');
$object->label = GETPOST('label', 'alphanohtml');
$object->price_base_type = GETPOST('price_base_type', 'aZ09');
if ($object->price_base_type == 'TTC')
$object->price_ttc = GETPOST('price');
@ -293,7 +293,7 @@ if (empty($reshook))
$object->url = GETPOST('url');
$object->note_private = dol_htmlcleanlastbr(GETPOST('note_private', 'none'));
$object->note = $object->note_private; // deprecated
$object->customcode = GETPOST('customcode', 'alpha');
$object->customcode = GETPOST('customcode', 'alphanohtml');
$object->country_id = GETPOST('country_id', 'int');
$object->duration_value = $duration_value;
$object->duration_unit = $duration_unit;
@ -394,7 +394,7 @@ if (empty($reshook))
$object->oldcopy = clone $object;
$object->ref = $ref;
$object->label = GETPOST('label');
$object->label = GETPOST('label', 'alphanohtml');
$object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none'));
$object->url = GETPOST('url');
if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB))
@ -975,7 +975,7 @@ else
print '<tr>';
$tmpcode = '';
if (!empty($modCodeProduct->code_auto)) $tmpcode = $modCodeProduct->getNextValue($object, $type);
print '<td class="titlefieldcreate fieldrequired">'.$langs->trans("Ref").'</td><td colspan="3"><input id="ref" name="ref" class="maxwidth200" maxlength="128" value="'.dol_escape_htmltag(GETPOST('ref') ?GETPOST('ref') : $tmpcode).'">';
print '<td class="titlefieldcreate fieldrequired">'.$langs->trans("Ref").'</td><td colspan="3"><input id="ref" name="ref" class="maxwidth200" maxlength="128" value="'.dol_escape_htmltag(GETPOSTISSET('ref') ? GETPOST('ref', 'alphanohtml') : $tmpcode).'">';
if ($refalreadyexists)
{
print $langs->trans("RefAlreadyExists");
@ -983,7 +983,7 @@ else
print '</td></tr>';
// Label
print '<tr><td class="fieldrequired">'.$langs->trans("Label").'</td><td colspan="3"><input name="label" class="minwidth300 maxwidth400onsmartphone" maxlength="255" value="'.dol_escape_htmltag(GETPOST('label')).'"></td></tr>';
print '<tr><td class="fieldrequired">'.$langs->trans("Label").'</td><td colspan="3"><input name="label" class="minwidth300 maxwidth400onsmartphone" maxlength="255" value="'.dol_escape_htmltag(GETPOST('label', 'alphanohtml')).'"></td></tr>';
// On sell
print '<tr><td class="fieldrequired">'.$langs->trans("Status").' ('.$langs->trans("Sell").')</td><td colspan="3">';
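Review bot: `$object->url = GETPOST('url');` at the 293 and 394 hunks is left with no filter while the lines around it were tightened; the societe/card.php part of this same commit reads the same kind of field as `GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL)`, so `$object->url = trim(GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL));` would be the consistent form here. Note that FILTER_SANITIZE_URL does not reject a `javascript:` scheme, so if the stored URL is later emitted in an `href` (not visible in these hunks) a scheme allowlist at output time is still needed. `$object->price_ttc = GETPOST('price');` in the 217 hunk is likewise unfiltered; if the file converts prices with `price2num` elsewhere, that is the path this assignment should take. The enclosing action blocks of both hunks start and end outside the hunk.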


@ -390,23 +390,23 @@ if (empty($reshook))
if (GETPOST("private", 'int') == 1) // Ask to create a contact
{
$object->particulier = GETPOST("private");
$object->particulier = GETPOST("private", 'int');
$object->name = dolGetFirstLastname(GETPOST('firstname', 'alpha'), GETPOST('name', 'alpha'));
$object->civility_id = GETPOST('civility_id'); // Note: civility id is a code, not an int
$object->name = dolGetFirstLastname(GETPOST('firstname', 'alphanohtml'), GETPOST('name', 'alphanohtml'));
$object->civility_id = GETPOST('civility_id', 'alphanohtml'); // Note: civility id is a code, not an int
// Add non official properties
$object->name_bis = GETPOST('name', 'alpha');
$object->firstname = GETPOST('firstname', 'alpha');
$object->name_bis = GETPOST('name', 'alphanohtml');
$object->firstname = GETPOST('firstname', 'alphanohtml');
}
else
{
$object->name = GETPOST('name', 'alpha');
$object->name = GETPOST('name', 'alphanohtml');
}
$object->entity = (GETPOSTISSET('entity') ?GETPOST('entity', 'int') : $conf->entity);
$object->name_alias = GETPOST('name_alias');
$object->address = GETPOST('address');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->entity = (GETPOSTISSET('entity') ? GETPOST('entity', 'int') : $conf->entity);
$object->name_alias = GETPOST('name_alias', 'alphanohtml');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
$object->country_id = GETPOST('country_id', 'int');
$object->state_id = GETPOST('state_id', 'int');
//$object->skype = GETPOST('skype', 'alpha');
@ -425,19 +425,19 @@ if (empty($reshook))
$object->fax = GETPOST('fax', 'alpha');
$object->email = trim(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL));
$object->url = trim(GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL));
$object->idprof1 = trim(GETPOST('idprof1', 'alpha'));
$object->idprof2 = trim(GETPOST('idprof2', 'alpha'));
$object->idprof3 = trim(GETPOST('idprof3', 'alpha'));
$object->idprof4 = trim(GETPOST('idprof4', 'alpha'));
$object->idprof5 = trim(GETPOST('idprof5', 'alpha'));
$object->idprof6 = trim(GETPOST('idprof6', 'alpha'));
$object->prefix_comm = GETPOST('prefix_comm', 'alpha');
$object->idprof1 = trim(GETPOST('idprof1', 'alphanohtml'));
$object->idprof2 = trim(GETPOST('idprof2', 'alphanohtml'));
$object->idprof3 = trim(GETPOST('idprof3', 'alphanohtml'));
$object->idprof4 = trim(GETPOST('idprof4', 'alphanohtml'));
$object->idprof5 = trim(GETPOST('idprof5', 'alphanohtml'));
$object->idprof6 = trim(GETPOST('idprof6', 'alphanohtml'));
$object->prefix_comm = GETPOST('prefix_comm', 'alphanohtml');
$object->code_client = GETPOSTISSET('customer_code') ?GETPOST('customer_code', 'alpha') : GETPOST('code_client', 'alpha');
$object->code_fournisseur = GETPOSTISSET('supplier_code') ?GETPOST('supplier_code', 'alpha') : GETPOST('code_fournisseur', 'alpha');
$object->capital = GETPOST('capital', 'alpha');
$object->barcode = GETPOST('barcode', 'alpha');
$object->capital = GETPOST('capital', 'alphanohtml');
$object->barcode = GETPOST('barcode', 'alphanohtml');
$object->tva_intra = GETPOST('tva_intra', 'alpha');
$object->tva_intra = GETPOST('tva_intra', 'alphanohtml');
$object->tva_assuj = GETPOST('assujtva_value', 'alpha');
$object->status = GETPOST('status', 'alpha');
@ -964,16 +964,16 @@ else
if (GETPOST("type") == 'p') { $object->client = 2; }
if (!empty($conf->fournisseur->enabled) && (GETPOST("type") == 'f' || (GETPOST("type") == '' && !empty($conf->global->THIRDPARTY_SUPPLIER_BY_DEFAULT)))) { $object->fournisseur = 1; }
$object->name = GETPOST('name', 'alpha');
$object->name_alias = GETPOST('name_alias', 'alpha');
$object->firstname = GETPOST('firstname', 'alpha');
$object->name = GETPOST('name', 'alphanohtml');
$object->name_alias = GETPOST('name_alias', 'alphanohtml');
$object->firstname = GETPOST('firstname', 'alphanohtml');
$object->particulier = $private;
$object->prefix_comm = GETPOST('prefix_comm', 'alpha');
$object->prefix_comm = GETPOST('prefix_comm', 'alphanohtml');
$object->client = GETPOST('client', 'int') ?GETPOST('client', 'int') : $object->client;
if (empty($duplicate_code_error)) {
$object->code_client = GETPOST('customer_code', 'alpha');
$object->fournisseur = GETPOST('fournisseur') ?GETPOST('fournisseur') : $object->fournisseur;
$object->fournisseur = GETPOST('fournisseur') ? GETPOST('fournisseur', 'int') : $object->fournisseur;
$object->code_fournisseur = GETPOST('supplier_code', 'alpha');
}
else {
@ -981,9 +981,9 @@ else
}
$object->address = GETPOST('address', 'alpha');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
$object->state_id = GETPOST('state_id', 'int');
//$object->skype = GETPOST('skype', 'alpha');
//$object->twitter = GETPOST('twitter', 'alpha');
@ -1001,14 +1001,14 @@ else
$object->fax = GETPOST('fax', 'alpha');
$object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
$object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
$object->capital = GETPOST('capital', 'alpha');
$object->barcode = GETPOST('barcode', 'alpha');
$object->idprof1 = GETPOST('idprof1', 'alpha');
$object->idprof2 = GETPOST('idprof2', 'alpha');
$object->idprof3 = GETPOST('idprof3', 'alpha');
$object->idprof4 = GETPOST('idprof4', 'alpha');
$object->idprof5 = GETPOST('idprof5', 'alpha');
$object->idprof6 = GETPOST('idprof6', 'alpha');
$object->capital = GETPOST('capital', 'alphanohtml');
$object->barcode = GETPOST('barcode', 'alphanohtml');
$object->idprof1 = GETPOST('idprof1', 'alphanohtml');
$object->idprof2 = GETPOST('idprof2', 'alphanohtml');
$object->idprof3 = GETPOST('idprof3', 'alphanohtml');
$object->idprof4 = GETPOST('idprof4', 'alphanohtml');
$object->idprof5 = GETPOST('idprof5', 'alphanohtml');
$object->idprof6 = GETPOST('idprof6', 'alphanohtml');
$object->typent_id = GETPOST('typent_id', 'int');
$object->effectif_id = GETPOST('effectif_id', 'int');
$object->civility_id = GETPOST('civility_id', 'alpha');
@ -1023,7 +1023,7 @@ else
$object->localtax1_value = GETPOST('lt1', 'int');
$object->localtax2_value = GETPOST('lt2', 'int');
$object->tva_intra = GETPOST('tva_intra', 'alpha');
$object->tva_intra = GETPOST('tva_intra', 'alphanohtml');
$object->commercial_id = GETPOST('commercial_id', 'int');
$object->default_lang = GETPOST('default_lang');
@ -1252,7 +1252,7 @@ else
print '<td>'.$form->editfieldkey('Vendor', 'fournisseur', '', $object, 0, 'string', '', 1).'</td><td>';
$default = -1;
if (!empty($conf->global->THIRDPARTY_SUPPLIER_BY_DEFAULT)) $default = 1;
print $form->selectyesno("fournisseur", (GETPOST('fournisseur', 'int') != '' ?GETPOST('fournisseur', 'int') : (GETPOST("type", 'alpha') == '' ? $default : $object->fournisseur)), 1, 0, (GETPOST("type", 'alpha') == '' ? 1 : 0));
print $form->selectyesno("fournisseur", (GETPOST('fournisseur', 'int') != '' ? GETPOST('fournisseur', 'int') : (GETPOST("type", 'alpha') == '' ? $default : $object->fournisseur)), 1, 0, (GETPOST("type", 'alpha') == '' ? 1 : 0));
print '</td>';
@ -1651,15 +1651,15 @@ else
if (GETPOSTISSET('name'))
{
// We overwrite with values if posted
$object->name = GETPOST('name', 'alpha');
$object->prefix_comm = GETPOST('prefix_comm', 'alpha');
$object->name = GETPOST('name', 'alphanohtml');
$object->prefix_comm = GETPOST('prefix_comm', 'alphanohtml');
$object->client = GETPOST('client', 'int');
$object->code_client = GETPOST('customer_code', 'alpha');
$object->fournisseur = GETPOST('fournisseur', 'int');
$object->code_fournisseur = GETPOST('supplier_code', 'alpha');
$object->address = GETPOST('address', 'alpha');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
$object->address = GETPOST('address', 'alphanohtml');
$object->zip = GETPOST('zipcode', 'alphanohtml');
$object->town = GETPOST('town', 'alphanohtml');
$object->country_id = GETPOST('country_id') ?GETPOST('country_id', 'int') : $mysoc->country_id;
$object->state_id = GETPOST('state_id', 'int');
//$object->skype = GETPOST('skype', 'alpha');
@ -1678,21 +1678,21 @@ else
$object->fax = GETPOST('fax', 'alpha');
$object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
$object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
$object->capital = GETPOST('capital', 'alpha');
$object->idprof1 = GETPOST('idprof1', 'alpha');
$object->idprof2 = GETPOST('idprof2', 'alpha');
$object->idprof3 = GETPOST('idprof3', 'alpha');
$object->idprof4 = GETPOST('idprof4', 'alpha');
$object->idprof5 = GETPOST('idprof5', 'alpha');
$object->idprof6 = GETPOST('idprof6', 'alpha');
$object->capital = GETPOST('capital', 'alphanohtml');
$object->idprof1 = GETPOST('idprof1', 'alphanohtml');
$object->idprof2 = GETPOST('idprof2', 'alphanohtml');
$object->idprof3 = GETPOST('idprof3', 'alphanohtml');
$object->idprof4 = GETPOST('idprof4', 'alphanohtml');
$object->idprof5 = GETPOST('idprof5', 'alphanohtml');
$object->idprof6 = GETPOST('idprof6', 'alphanohtml');
$object->typent_id = GETPOST('typent_id', 'int');
$object->effectif_id = GETPOST('effectif_id', 'int');
$object->barcode = GETPOST('barcode', 'alpha');
$object->barcode = GETPOST('barcode', 'alphanohtml');
$object->forme_juridique_code = GETPOST('forme_juridique_code', 'int');
$object->default_lang = GETPOST('default_lang', 'alpha');
$object->tva_assuj = GETPOST('assujtva_value', 'int');
$object->tva_intra = GETPOST('tva_intra', 'alpha');
$object->tva_intra = GETPOST('tva_intra', 'alphanohtml');
$object->status = GETPOST('status', 'int');
// Webservices url/key
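Review bot: `$object->status = GETPOST('status', 'alpha');` and `$object->tva_assuj = GETPOST('assujtva_value', 'alpha');` at the end of the 425 hunk are still read as free text, while the same two fields in the 1678 hunk use `'int'` (`GETPOST('status', 'int')`, `GETPOST('assujtva_value', 'int')`); the 425 hunk sits under the `if (empty($reshook))` action context, so it is presumably the copy that gets persisted and is the one that should carry the stricter `'int'` filter. In the same spirit, `$object->default_lang = GETPOST('default_lang');` in the 1023 hunk has no filter where the 1678 hunk uses `'alpha'`, and `$object->civility_id = GETPOST('civility_id', 'alpha');` in the 1001 hunk stays `'alpha'` where the 390 hunk moved it to `'alphanohtml'`. Finally, the new `GETPOST('fournisseur') ? GETPOST('fournisseur', 'int') : $object->fournisseur` tests truthiness of the unfiltered value; `GETPOST('fournisseur', 'int') != ''`, the form already used in the 1252 hunk, keeps both sides of the ternary on the filtered value. The enclosing blocks of these hunks start outside the hunk.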


@ -129,11 +129,11 @@ if ($cancel)
if (GETPOST('add', 'alpha') && $user->rights->ticket->write) {
$error = 0;
if (!GETPOST("subject", 'alpha')) {
if (!GETPOST("subject", 'alphanohtml')) {
$error++;
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Subject")), null, 'errors');
$action = 'create';
} elseif (!GETPOST("message", 'alpha')) {
} elseif (!GETPOST("message", 'restricthtml')) {
$error++;
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("Message")), null, 'errors');
$action = 'create';
@ -142,10 +142,10 @@ if (GETPOST('add', 'alpha') && $user->rights->ticket->write) {
if (!$error) {
$db->begin();
$object->ref = GETPOST("ref", 'alpha');
$object->ref = GETPOST("ref", 'alphanohtml');
$object->fk_soc = GETPOST("socid", 'int') > 0 ? GETPOST("socid", 'int') : 0;
$object->subject = GETPOST("subject", 'alpha');
$object->message = GETPOST("message", 'none');
$object->subject = GETPOST("subject", 'alphanohtml');
$object->message = GETPOST("message", 'restricthtml');
$object->type_code = GETPOST("type_code", 'alpha');
$object->category_code = GETPOST("category_code", 'alpha');
@ -274,7 +274,7 @@ if (GETPOST('update', 'alpha') && GETPOST('id', 'int') && $user->rights->ticket-
$error++;
array_push($object->errors, $langs->trans("ErrorFieldRequired", $langs->transnoentities("Label")));
$action = 'edit';
} elseif (!GETPOST("subject")) {
} elseif (!GETPOST("subject", 'alphanohtml')) {
$error++;
array_push($object->errors, $langs->trans("ErrorFieldRequired", $langs->transnoentities("Subject")));
$action = 'edit';
@ -284,7 +284,7 @@ if (GETPOST('update', 'alpha') && GETPOST('id', 'int') && $user->rights->ticket-
$db->begin();
$object->label = GETPOST("label", 'alphanohtml');
$object->description = GETPOST("description", 'none');
$object->description = GETPOST("description", 'restricthtml');
//...
$ret = $object->update($user);
@ -459,7 +459,7 @@ if ($action == 'set_progression' && $user->rights->ticket->write) {
if ($action == 'setsubject') {
if ($object->fetch(GETPOST('id', 'int'))) {
if ($action == 'setsubject') {
$object->subject = trim(GETPOST('subject', 'alpha'));
$object->subject = trim(GETPOST('subject', 'alphanohtml'));
}
if ($action == 'setsubject' && empty($object->subject)) {
@ -512,7 +512,7 @@ elseif ($action == 'setcontract' && $user->rights->ticket->write) {
if (!GETPOST('cancel')) {
$object->fetch('', '', GETPOST('track_id', 'alpha'));
$oldvalue_message = $object->message;
$fieldtomodify = GETPOST('message_initial');
$fieldtomodify = GETPOST('message_initial', 'restricthtml');
$object->message = $fieldtomodify;
$ret = $object->update($user);
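Review bot: The 512 hunk re-reads the ticket by `GETPOST('track_id', 'alpha')`, overwrites `$object->message` with the posted `message_initial` and calls `$object->update($user)`, and no permission check is visible inside the hunk; the `@@` context names the `setcontract` branch, so this is a different action whose guard, if it exists, lies outside the hunk — worth confirming that `$user->rights->ticket->write` is enforced on this path as it is for `add` and `update`. On the filter itself, `'restricthtml'` is a tag allowlist, so it only closes the stored-XSS path if the filter also strips event-handler attributes (`onerror=`, `onmouseover=`) and `javascript:` URLs on the tags it keeps; that behaviour is not visible here, and the message should still be passed through the same sanitiser when rendered rather than trusting the stored value. The empty-subject checks at the 129 and 274 hunks now run after `alphanohtml`, so a subject consisting only of tags is correctly rejected as empty.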