From c1f3f4c2b5f29ee1a9413540374f6ac79180d616 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 30 Jan 2019 20:01:55 +0100
Subject: [PATCH 1/6] Fix: text for empty line not visible in select

---
 htdocs/core/class/html.form.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 4c4e51c4b13..ee0c35ac3a9 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1982,7 +1982,7 @@ class Form
 		}
 		else
 		{
-			print $this->select_produits_list($selected,$htmlname,$filtertype,$limit,$price_level,'',$status,$finished,0,$socid,$showempty,$forcecombo,$morecss,$hidepriceinlabel, $warehouseStatus);
+			print $this->select_produits_list($selected, $htmlname, $filtertype, $limit, $price_level, '', $status, $finished, 0, $socid, $showempty, $forcecombo, $morecss, $hidepriceinlabel, $warehouseStatus);
 		}
 	}
 
@@ -2175,6 +2175,10 @@ class Form
 				if ($showempty && ! is_numeric($showempty)) $textifempty=$langs->trans($showempty);
 				else $textifempty.=$langs->trans("All");
 			}
+			else
+			{
+			    if ($showempty && ! is_numeric($showempty)) $textifempty=$langs->trans($showempty);
+			}
 			if ($showempty) $out.='<option value="0" selected>'.$textifempty.'</option>';
 
 			$i = 0;

From 01f1f6162f35dbaffc9dda096a6aec2b3b3af323 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 30 Jan 2019 20:06:05 +0100
Subject: [PATCH 2/6] Fix phpcs

---
 .../sociales/class/chargesociales.class.php      | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php
index 2912c75b201..c898a512911 100644
--- a/htdocs/compta/sociales/class/chargesociales.class.php
+++ b/htdocs/compta/sociales/class/chargesociales.class.php
@@ -303,13 +303,13 @@ class ChargeSociales extends CommonObject
 
 
     /**
-     *      Met a jour une charge sociale
+     *      Update social or fiscal contribution
      *
-     *      @param	User	$user   Utilisateur qui modifie
+     *      @param	User	$user           User that modify
      *      @param  int		$notrigger	    0=launch triggers after, 1=disable triggers
-     *      @return int     		<0 si erreur, >0 si ok
+     *      @return int     		        <0 if KO, >0 if OK
      */
-    function update($user,$notrigger=0)
+    function update($user, $notrigger=0)
     {
         $error=0;
         $this->db->begin();
@@ -325,11 +325,11 @@ class ChargeSociales extends CommonObject
 
         dol_syslog(get_class($this)."::update", LOG_DEBUG);
         $resql=$this->db->query($sql);
-        
+
         if (! $resql) {
             $error++; $this->errors[]="Error ".$this->db->lasterror();
         }
-        
+
         if (! $error)
         {
             if (! $notrigger)
@@ -340,7 +340,7 @@ class ChargeSociales extends CommonObject
                 // End call triggers
             }
         }
-        
+
         // Commit or rollback
         if ($error)
         {
@@ -357,8 +357,6 @@ class ChargeSociales extends CommonObject
             $this->db->commit();
             return 1;
         }
-        
-        
     }
 
     /**

From 045b8b13ed68721d5b6c961b16c2708a8f1ca7a5 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 30 Jan 2019 23:20:57 +0100
Subject: [PATCH 3/6] css

---
 htdocs/expedition/card.php | 2 +-
 htdocs/livraison/card.php  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php
index f92660a0110..6d5d8b17ffa 100644
--- a/htdocs/expedition/card.php
+++ b/htdocs/expedition/card.php
@@ -1752,7 +1752,7 @@ else if ($id || $ref)
     	print '<div class="fichehalfleft">';
     	print '<div class="underbanner clearboth"></div>';
 
-        print '<table class="border" width="100%">';
+        print '<table class="border tableforfield" width="100%">';
 
 		// Linked documents
 		if ($typeobject == 'commande' && $object->$typeobject->id && ! empty($conf->commande->enabled))
diff --git a/htdocs/livraison/card.php b/htdocs/livraison/card.php
index 260c333f362..36847d9c670 100644
--- a/htdocs/livraison/card.php
+++ b/htdocs/livraison/card.php
@@ -346,7 +346,7 @@ else
 			print '<input type="hidden" name="id" value="'.$object->id.'">';
 			print '<input type="hidden" name="ref" value="'.$object->ref.'">';
 
-			dol_fiche_head($head, 'delivery', $langs->trans("Shipment"), 0, 'sending');
+			dol_fiche_head($head, 'delivery', $langs->trans("Shipment"), -1, 'sending');
 
 			/*
 			 * Confirmation de la suppression
@@ -434,7 +434,7 @@ else
 			print '<div class="fichecenter">';
 			print '<div class="underbanner clearboth"></div>';
 
-		    print '<table class="border" width="100%">';
+		    print '<table class="border tableforfield" width="100%">';
 
 			// Shipment
 			/*

From 21c089fee93126419d716091fdd1c71037a01954 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 31 Jan 2019 10:16:49 +0100
Subject: [PATCH 4/6] FIX XSS

---
 htdocs/document.php  | 2 +-
 htdocs/viewimage.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index ff6c6f6e635..1df59c07a16 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -74,7 +74,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $encoding = '';
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index ea29fe0d8bd..2385a558307 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -84,7 +84,7 @@ require 'main.inc.php';	// Load $user and permissions
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');

From 5e46a359e073a4eca38753579f3fd924723ede35 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 31 Jan 2019 10:16:49 +0100
Subject: [PATCH 5/6] FIX XSS

---
 htdocs/document.php  | 2 +-
 htdocs/viewimage.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index 725d079a9f6..d912c9a2d55 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -77,7 +77,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $encoding = '';
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index ae2a538ca04..17d5026c0bf 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -79,7 +79,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');

From 484b4371c137bb57303451a44de2aa61a6a50cfe Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 31 Jan 2019 10:16:49 +0100
Subject: [PATCH 6/6] FIX XSS

Conflicts:
	htdocs/viewimage.php
---
 htdocs/document.php  | 2 +-
 htdocs/viewimage.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index 1c722e4cb55..ee8b9e9c096 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -81,7 +81,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $encoding = '';
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 7493ef6bee9..1053cc530c9 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -62,7 +62,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 
 $action=GETPOST('action','alpha');
-$original_file=GETPOST("file",'alpha');
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST("urlsource",'alpha');
 $entity=GETPOST('entity','int')?GETPOST('entity','int'):$conf->entity;