lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix alpha into alphanohtml

Browse Source
This commit is contained in:
Laurent Destailleur 2020-09-17 12:53:58 +02:00
parent 0bf0312d50
commit 2f100fdf79
2 changed files with 40 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
htdocs/admin/menus/edit.php
View File

@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php';
// Load translation files required by the page // Load translation files required by the page
$langs->loadLangs(array("other", "admin")); $langs->loadLangs(array("other", "admin"));
$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button $cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button
if (!$user->admin) accessforbidden(); if (!$user->admin) accessforbidden();
@ -69,9 +69,9 @@ if ($action == 'update')
if (!$cancel) if (!$cancel)
{ {
$leftmenu = ''; $mainmenu = ''; $leftmenu = ''; $mainmenu = '';
if (GETPOST('menuIdParent', 'alpha') && !is_numeric(GETPOST('menuIdParent', 'alpha'))) if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
{ {
$tmp = explode('&', GETPOST('menuIdParent', 'alpha')); $tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml'));
foreach ($tmp as $s) foreach ($tmp as $s)
{ {
if (preg_match('/fk_mainmenu=/', $s)) if (preg_match('/fk_mainmenu=/', $s))
@ -89,21 +89,21 @@ if ($action == 'update')
$result = $menu->fetch(GETPOST('menuId', 'int')); $result = $menu->fetch(GETPOST('menuId', 'int'));
if ($result > 0) if ($result > 0)
{ {
$menu->title = GETPOST('titre', 'alpha'); $menu->title = GETPOST('titre', 'alphanohtml');
$menu->leftmenu = GETPOST('leftmenu', 'aZ09'); $menu->leftmenu = GETPOST('leftmenu', 'aZ09');
$menu->url = GETPOST('url', 'alpha'); $menu->url = GETPOST('url', 'alphanohtml');
$menu->langs = GETPOST('langs', 'alpha'); $menu->langs = GETPOST('langs', 'alphanohtml');
$menu->position = GETPOST('position', 'int'); $menu->position = GETPOST('position', 'int');
$menu->enabled = GETPOST('enabled', 'alpha'); $menu->enabled = GETPOST('enabled', 'alphanohtml');
$menu->perms = GETPOST('perms', 'alpha'); $menu->perms = GETPOST('perms', 'alphanohtml');
$menu->target = GETPOST('target', 'alpha'); $menu->target = GETPOST('target', 'alphanohtml');
$menu->user = GETPOST('user', 'alpha'); $menu->user = GETPOST('user', 'alphanohtml');
$menu->mainmenu = GETPOST('propertymainmenu', 'alpha'); $menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml');
if (is_numeric(GETPOST('menuIdParent', 'alpha'))) if (is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
{ {
$menu->fk_menu = GETPOST('menuIdParent', 'alpha'); $menu->fk_menu = GETPOST('menuIdParent', 'alphanohtml');
} else { } else {
if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0; if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0;
else $menu->fk_menu = -1; else $menu->fk_menu = -1;
$menu->fk_mainmenu = $mainmenu; $menu->fk_mainmenu = $mainmenu;
$menu->fk_leftmenu = $leftmenu; $menu->fk_leftmenu = $leftmenu;
@ -138,9 +138,9 @@ if ($action == 'add')
} }
$leftmenu = ''; $mainmenu = ''; $leftmenu = ''; $mainmenu = '';
if (GETPOST('menuId', 'alpha', 3) && !is_numeric(GETPOST('menuId', 'alpha', 3))) if (GETPOST('menuId', 'alphanohtml', 3) && !is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
{ {
$tmp = explode('&', GETPOST('menuId', 'alpha', 3)); $tmp = explode('&', GETPOST('menuId', 'alphanohtml', 3));
foreach ($tmp as $s) foreach ($tmp as $s)
{ {
if (preg_match('/fk_mainmenu=/', $s)) if (preg_match('/fk_mainmenu=/', $s))
@ -198,21 +198,21 @@ if ($action == 'add')
{ {
$menu = new Menubase($db); $menu = new Menubase($db);
$menu->menu_handler = preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09')); $menu->menu_handler = preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09'));
$menu->type = GETPOST('type', 'alpha'); $menu->type = GETPOST('type', 'alphanohtml');
$menu->title = GETPOST('titre', 'alpha'); $menu->title = GETPOST('titre', 'alphanohtml');
$menu->url = GETPOST('url', 'alpha'); $menu->url = GETPOST('url', 'alphanohtml');
$menu->langs = GETPOST('langs', 'alpha'); $menu->langs = GETPOST('langs', 'alphanohtml');
$menu->position = GETPOST('position', 'int'); $menu->position = GETPOST('position', 'int');
$menu->enabled = GETPOST('enabled', 'alpha'); $menu->enabled = GETPOST('enabled', 'alphanohtml');
$menu->perms = GETPOST('perms', 'alpha'); $menu->perms = GETPOST('perms', 'alphanohtml');
$menu->target = GETPOST('target', 'alpha'); $menu->target = GETPOST('target', 'alphanohtml');
$menu->user = GETPOST('user', 'alpha'); $menu->user = GETPOST('user', 'alphanohtml');
$menu->mainmenu = GETPOST('propertymainmenu', 'alpha'); $menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml');
if (is_numeric(GETPOST('menuId', 'alpha', 3))) if (is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
{ {
$menu->fk_menu = GETPOST('menuId', 'alpha', 3); $menu->fk_menu = GETPOST('menuId', 'alphanohtml', 3);
} else { } else {
if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0; if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0;
else $menu->fk_menu = -1; else $menu->fk_menu = -1;
$menu->fk_mainmenu = $mainmenu; $menu->fk_mainmenu = $mainmenu;
$menu->fk_leftmenu = $leftmenu; $menu->fk_leftmenu = $leftmenu;
@ -353,7 +353,7 @@ if ($action == 'create')
// Mainmenu code // Mainmenu code
print '<tr><td class="fieldrequired">'.$langs->trans('MainMenuCode').'</td>'; print '<tr><td class="fieldrequired">'.$langs->trans('MainMenuCode').'</td>';
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha') ?GETPOST("propertymainmenu", 'alpha') : '').'"></td>'; print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOSTISSET("propertymainmenu") ? GETPOST("propertymainmenu", 'alphanohtml') : '').'"></td>';
print '<td>'; print '<td>';
print $langs->trans("Example").': mytopmenukey'; print $langs->trans("Example").': mytopmenukey';
print '</td></tr>'; print '</td></tr>';
@ -364,23 +364,23 @@ if ($action == 'create')
{ {
print '<td>'.$parent_rowid.'<input type="hidden" name="menuId" value="'.$parent_rowid.'"></td>'; print '<td>'.$parent_rowid.'<input type="hidden" name="menuId" value="'.$parent_rowid.'"></td>';
} else { } else {
print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOST("menuId", 'int') ?GETPOST("menuId", 'int') : '').'"></td>'; print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOSTISSET("menuId") ? GETPOST("menuId", 'int') : '').'"></td>';
} }
print '<td>'.$langs->trans('DetailMenuIdParent'); print '<td>'.$langs->trans('DetailMenuIdParent');
print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def';
print '</td></tr>'; print '</td></tr>';
// Title // Title
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alpha')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>'; print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alphanohtml')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
// URL // URL
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alpha').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>'; print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alphanohtml').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
// Langs // Langs
print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" class="minwidth300" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>'; print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" class="minwidth300" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>';
// Position // Position
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(isset($_POST["position"]) ? $_POST["position"] : 100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>'; print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(GETPOSTISSET("position") ? GETPOST("position", 'int') : 100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
// Target // Target
print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">'; print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">';
@ -389,10 +389,10 @@ if ($action == 'create')
print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>'; print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>';
// Enabled // Enabled
print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled') ?GETPOST("enabled", 'alpha') : '1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>'; print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled') ? GETPOST("enabled", 'alphanohtml') : '1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
// Perms // Perms
print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms') ?GETPOST('perms', 'alpha') : '1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>'; print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms') ? GETPOST('perms', 'alphanohtml') : '1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
print '</table>'; print '</table>';
@ -454,7 +454,7 @@ if ($action == 'create')
} }
else else
{*/ {*/
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha') ?GETPOST("propertymainmenu", 'alpha') : $menu->mainmenu).'"></td>'; print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alphanohtml') ?GETPOST("propertymainmenu", 'alphanohtml') : $menu->mainmenu).'"></td>';
//} //}
print '<td>'; print '<td>';
print $langs->trans("Example").': mytopmenukey'; print $langs->trans("Example").': mytopmenukey';

13
htdocs/core/lib/functions.lib.php
View File

@ -277,12 +277,13 @@ function GETPOSTISSET($paramname)
* 'none'=no check (only for param that should have very rich content) * 'none'=no check (only for param that should have very rich content)
* 'int'=check it's numeric (integer or float) * 'int'=check it's numeric (integer or float)
* 'intcomma'=check it's integer+comma ('1,2,3,4...') * 'intcomma'=check it's integer+comma ('1,2,3,4...')
* 'alpha'=check it's text and sign * 'alpha'=Same than alphanohtml since v13
* 'alphanohtml'=check there is no html content and no " and no ../
* 'aZ'=check it's a-z only * 'aZ'=check it's a-z only
* 'aZ09'=check it's simple alpha string (recommended for keys) * 'aZ09'=check it's simple alpha string (recommended for keys)
* 'array'=check it's array * 'array'=check it's array
* 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string) * 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string)
* 'nohtml', 'alphanohtml'=check there is no html content * 'nohtml'=check there is no html content and no " and no ../
* 'restricthtml'=check html content is restricted to some tags only * 'restricthtml'=check html content is restricted to some tags only
* 'custom'= custom filter specify $filter and $options) * 'custom'= custom filter specify $filter and $options)
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get)
@ -555,13 +556,6 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
case 'intcomma': case 'intcomma':
if (preg_match('/[^0-9,-]+/i', $out)) $out = ''; if (preg_match('/[^0-9,-]+/i', $out)) $out = '';
break; break;
case 'alpha':
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('"', '../'), '', trim($out));
}
break;
case 'san_alpha': case 'san_alpha':
$out = filter_var($out, FILTER_SANITIZE_STRING); $out = filter_var($out, FILTER_SANITIZE_STRING);
break; break;
@ -592,6 +586,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
case 'nohtml': case 'nohtml':
$out = dol_string_nohtmltag($out, 0); $out = dol_string_nohtmltag($out, 0);
break; break;
case 'alpha': // No html and no " and no ../
case 'alphanohtml': // Recommended for most scalar parameters and search parameters case 'alphanohtml': // Recommended for most scalar parameters and search parameters
if (!is_array($out)) if (!is_array($out))
{ {