Fix alpha into alphanohtml
This commit is contained in:
Laurent Destailleur
parent
0bf0312d50
commit
2f100fdf79
@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php';
|
||||
// Load translation files required by the page
|
||||
$langs->loadLangs(array("other", "admin"));
|
||||
|
||||
$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button
|
||||
$cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button
|
||||
|
||||
if (!$user->admin) accessforbidden();
|
||||
|
||||
@ -69,9 +69,9 @@ if ($action == 'update')
|
||||
if (!$cancel)
|
||||
{
|
||||
$leftmenu = ''; $mainmenu = '';
|
||||
if (GETPOST('menuIdParent', 'alpha') && !is_numeric(GETPOST('menuIdParent', 'alpha')))
|
||||
if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
|
||||
{
|
||||
$tmp = explode('&', GETPOST('menuIdParent', 'alpha'));
|
||||
$tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml'));
|
||||
foreach ($tmp as $s)
|
||||
{
|
||||
if (preg_match('/fk_mainmenu=/', $s))
|
||||
@ -89,21 +89,21 @@ if ($action == 'update')
|
||||
$result = $menu->fetch(GETPOST('menuId', 'int'));
|
||||
if ($result > 0)
|
||||
{
|
||||
$menu->title = GETPOST('titre', 'alpha');
|
||||
$menu->title = GETPOST('titre', 'alphanohtml');
|
||||
$menu->leftmenu = GETPOST('leftmenu', 'aZ09');
|
||||
$menu->url = GETPOST('url', 'alpha');
|
||||
$menu->langs = GETPOST('langs', 'alpha');
|
||||
$menu->url = GETPOST('url', 'alphanohtml');
|
||||
$menu->langs = GETPOST('langs', 'alphanohtml');
|
||||
$menu->position = GETPOST('position', 'int');
|
||||
$menu->enabled = GETPOST('enabled', 'alpha');
|
||||
$menu->perms = GETPOST('perms', 'alpha');
|
||||
$menu->target = GETPOST('target', 'alpha');
|
||||
$menu->user = GETPOST('user', 'alpha');
|
||||
$menu->mainmenu = GETPOST('propertymainmenu', 'alpha');
|
||||
if (is_numeric(GETPOST('menuIdParent', 'alpha')))
|
||||
$menu->enabled = GETPOST('enabled', 'alphanohtml');
|
||||
$menu->perms = GETPOST('perms', 'alphanohtml');
|
||||
$menu->target = GETPOST('target', 'alphanohtml');
|
||||
$menu->user = GETPOST('user', 'alphanohtml');
|
||||
$menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml');
|
||||
if (is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
|
||||
{
|
||||
$menu->fk_menu = GETPOST('menuIdParent', 'alpha');
|
||||
$menu->fk_menu = GETPOST('menuIdParent', 'alphanohtml');
|
||||
} else {
|
||||
if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0;
|
||||
if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0;
|
||||
else $menu->fk_menu = -1;
|
||||
$menu->fk_mainmenu = $mainmenu;
|
||||
$menu->fk_leftmenu = $leftmenu;
|
||||
@ -138,9 +138,9 @@ if ($action == 'add')
|
||||
}
|
||||
|
||||
$leftmenu = ''; $mainmenu = '';
|
||||
if (GETPOST('menuId', 'alpha', 3) && !is_numeric(GETPOST('menuId', 'alpha', 3)))
|
||||
if (GETPOST('menuId', 'alphanohtml', 3) && !is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
|
||||
{
|
||||
$tmp = explode('&', GETPOST('menuId', 'alpha', 3));
|
||||
$tmp = explode('&', GETPOST('menuId', 'alphanohtml', 3));
|
||||
foreach ($tmp as $s)
|
||||
{
|
||||
if (preg_match('/fk_mainmenu=/', $s))
|
||||
@ -198,21 +198,21 @@ if ($action == 'add')
|
||||
{
|
||||
$menu = new Menubase($db);
|
||||
$menu->menu_handler = preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09'));
|
||||
$menu->type = GETPOST('type', 'alpha');
|
||||
$menu->title = GETPOST('titre', 'alpha');
|
||||
$menu->url = GETPOST('url', 'alpha');
|
||||
$menu->langs = GETPOST('langs', 'alpha');
|
||||
$menu->type = GETPOST('type', 'alphanohtml');
|
||||
$menu->title = GETPOST('titre', 'alphanohtml');
|
||||
$menu->url = GETPOST('url', 'alphanohtml');
|
||||
$menu->langs = GETPOST('langs', 'alphanohtml');
|
||||
$menu->position = GETPOST('position', 'int');
|
||||
$menu->enabled = GETPOST('enabled', 'alpha');
|
||||
$menu->perms = GETPOST('perms', 'alpha');
|
||||
$menu->target = GETPOST('target', 'alpha');
|
||||
$menu->user = GETPOST('user', 'alpha');
|
||||
$menu->mainmenu = GETPOST('propertymainmenu', 'alpha');
|
||||
if (is_numeric(GETPOST('menuId', 'alpha', 3)))
|
||||
$menu->enabled = GETPOST('enabled', 'alphanohtml');
|
||||
$menu->perms = GETPOST('perms', 'alphanohtml');
|
||||
$menu->target = GETPOST('target', 'alphanohtml');
|
||||
$menu->user = GETPOST('user', 'alphanohtml');
|
||||
$menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml');
|
||||
if (is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
|
||||
{
|
||||
$menu->fk_menu = GETPOST('menuId', 'alpha', 3);
|
||||
$menu->fk_menu = GETPOST('menuId', 'alphanohtml', 3);
|
||||
} else {
|
||||
if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0;
|
||||
if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0;
|
||||
else $menu->fk_menu = -1;
|
||||
$menu->fk_mainmenu = $mainmenu;
|
||||
$menu->fk_leftmenu = $leftmenu;
|
||||
@ -353,7 +353,7 @@ if ($action == 'create')
|
||||
|
||||
// Mainmenu code
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('MainMenuCode').'</td>';
|
||||
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha') ?GETPOST("propertymainmenu", 'alpha') : '').'"></td>';
|
||||
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOSTISSET("propertymainmenu") ? GETPOST("propertymainmenu", 'alphanohtml') : '').'"></td>';
|
||||
print '<td>';
|
||||
print $langs->trans("Example").': mytopmenukey';
|
||||
print '</td></tr>';
|
||||
@ -364,23 +364,23 @@ if ($action == 'create')
|
||||
{
|
||||
print '<td>'.$parent_rowid.'<input type="hidden" name="menuId" value="'.$parent_rowid.'"></td>';
|
||||
} else {
|
||||
print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOST("menuId", 'int') ?GETPOST("menuId", 'int') : '').'"></td>';
|
||||
print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOSTISSET("menuId") ? GETPOST("menuId", 'int') : '').'"></td>';
|
||||
}
|
||||
print '<td>'.$langs->trans('DetailMenuIdParent');
|
||||
print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def';
|
||||
print '</td></tr>';
|
||||
|
||||
// Title
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alpha')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alphanohtml')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
|
||||
|
||||
// URL
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alpha').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alphanohtml').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
|
||||
|
||||
// Langs
|
||||
print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" class="minwidth300" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>';
|
||||
|
||||
// Position
|
||||
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(isset($_POST["position"]) ? $_POST["position"] : 100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(GETPOSTISSET("position") ? GETPOST("position", 'int') : 100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
|
||||
|
||||
// Target
|
||||
print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">';
|
||||
@ -389,10 +389,10 @@ if ($action == 'create')
|
||||
print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>';
|
||||
|
||||
// Enabled
|
||||
print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled') ?GETPOST("enabled", 'alpha') : '1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled') ? GETPOST("enabled", 'alphanohtml') : '1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
|
||||
|
||||
// Perms
|
||||
print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms') ?GETPOST('perms', 'alpha') : '1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
|
||||
print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms') ? GETPOST('perms', 'alphanohtml') : '1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
|
||||
|
||||
print '</table>';
|
||||
|
||||
@ -454,7 +454,7 @@ if ($action == 'create')
|
||||
}
|
||||
else
|
||||
{*/
|
||||
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha') ?GETPOST("propertymainmenu", 'alpha') : $menu->mainmenu).'"></td>';
|
||||
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alphanohtml') ?GETPOST("propertymainmenu", 'alphanohtml') : $menu->mainmenu).'"></td>';
|
||||
//}
|
||||
print '<td>';
|
||||
print $langs->trans("Example").': mytopmenukey';
|
||||
|
||||
@ -277,12 +277,13 @@ function GETPOSTISSET($paramname)
|
||||
* 'none'=no check (only for param that should have very rich content)
|
||||
* 'int'=check it's numeric (integer or float)
|
||||
* 'intcomma'=check it's integer+comma ('1,2,3,4...')
|
||||
* 'alpha'=check it's text and sign
|
||||
* 'alpha'=Same than alphanohtml since v13
|
||||
* 'alphanohtml'=check there is no html content and no " and no ../
|
||||
* 'aZ'=check it's a-z only
|
||||
* 'aZ09'=check it's simple alpha string (recommended for keys)
|
||||
* 'array'=check it's array
|
||||
* 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string)
|
||||
* 'nohtml', 'alphanohtml'=check there is no html content
|
||||
* 'nohtml'=check there is no html content and no " and no ../
|
||||
* 'restricthtml'=check html content is restricted to some tags only
|
||||
* 'custom'= custom filter specify $filter and $options)
|
||||
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get)
|
||||
@ -555,13 +556,6 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
|
||||
case 'intcomma':
|
||||
if (preg_match('/[^0-9,-]+/i', $out)) $out = '';
|
||||
break;
|
||||
case 'alpha':
|
||||
if (!is_array($out)) {
|
||||
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
|
||||
// '../' is dangerous because it allows dir transversals
|
||||
$out = str_replace(array('"', '../'), '', trim($out));
|
||||
}
|
||||
break;
|
||||
case 'san_alpha':
|
||||
$out = filter_var($out, FILTER_SANITIZE_STRING);
|
||||
break;
|
||||
@ -592,6 +586,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
|
||||
case 'nohtml':
|
||||
$out = dol_string_nohtmltag($out, 0);
|
||||
break;
|
||||
case 'alpha': // No html and no " and no ../
|
||||
case 'alphanohtml': // Recommended for most scalar parameters and search parameters
|
||||
if (!is_array($out))
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user