From 3fb1db1cf2b812120c8236d07e5f1971986e74e4 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 25 Nov 2011 16:47:57 +0100
Subject: [PATCH] Fix: XSS injection
---
 htdocs/compta/facture.php | 35 +++++++++++++++----------------
 htdocs/core/lib/functions.lib.php | 32 ++++++++++++++--------------
 2 files changed, 33 insertions(+), 34 deletions(-)
diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php
index 44926e4ecf2..11856e52758 100644
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@@ -59,7 +59,10 @@ $action=GETPOST('action');
 $confirm=GETPOST('confirm');
 $lineid=GETPOST('lineid');
 $userid=GETPOST('userid');
-$search_ref=GETPOST('sf_ref')?GETPOST('sf_ref'):GETPOST('search_ref');
+$search_ref=GETPOST('sf_ref')?GETPOST('sf_ref','alpha'):GETPOST('search_ref','alpha');
+$search_societe=GETPOST('search_societe','alpha');
+$search_montant_ht=GETPOST('search_montant_ht','alpha');
+$search_montant_ttc=GETPOST('search_montant_ht','alpha');
 // Security check
 $fieldid = isset($_GET["ref"])?'facnumber':'rowid';
@@ -3053,8 +3056,8 @@ else
 $pageprev = $page - 1;
 $pagenext = $page + 1;
- $month =GETPOST('month','int');
- $year =GETPOST('year','int');
+ $month = GETPOST('month','int');
+ $year = GETPOST('year','int');
 $facturestatic=new Facture($db);
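Review bot: `$search_montant_ttc` is read from the `search_montant_ht` parameter, so the `f.total_ttc` filter built further down receives the HT amount and the real `search_montant_ttc` request parameter is ignored; the line should be `$search_montant_ttc=GETPOST('search_montant_ttc','alpha');`. The `'alpha'` check, as GETPOST implements it in this same patch, only empties a value that contains a double quote, so these four strings remain unsafe to echo unescaped into HTML attributes or page text and should pass through `htmlspecialchars` with `ENT_QUOTES` at the point of output; the later `print` hunk may do that, but its content is not visible here. A smaller oddity on the `$search_ref` line: the ternary tests the unchecked `GETPOST('sf_ref')`, so an `sf_ref` containing `"` yields `''` instead of falling back to `search_ref`; testing `GETPOST('sf_ref','alpha')` in the condition avoids that.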
@@ -3088,21 +3091,21 @@ else
 $sql .= ' AND ' . trim($filt[0]) . ' = ' . trim($filt[1]);
 }
 }
- if ($_GET['search_ref'])
+ if ($search_ref)
 {
- $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($_GET['search_ref'])).'%\'';
+ $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($search_ref)).'%\'';
 }
- if ($_GET['search_societe'])
+ if ($search_societe)
 {
- $sql.= ' AND s.nom LIKE \'%'.$db->escape(trim($_GET['search_societe'])).'%\'';
+ $sql.= ' AND s.nom LIKE \'%'.$db->escape(trim($search_societe)).'%\'';
 }
- if ($_GET['search_montant_ht'])
+ if ($search_montant_ht)
 {
- $sql.= ' AND f.total = \''.$db->escape(trim($_GET['search_montant_ht'])).'\'';
+ $sql.= ' AND f.total = \''.$db->escape(trim($search_montant_ht)).'\'';
 }
- if ($_GET['search_montant_ttc'])
+ if ($search_montant_ttc)
 {
- $sql.= ' AND f.total_ttc = \''.$db->escape(trim($_GET['search_montant_ttc'])).'\'';
+ $sql.= ' AND f.total_ttc = \''.$db->escape(trim($search_montant_ttc)).'\'';
 }
 if ($month > 0)
 {
@@ -3115,10 +3118,6 @@ else
 {
 $sql.= " AND f.datef BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'";
 }
- if (trim($search_ref) != '')
- {
- $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($search_ref)) . '%\'';
- }
 if (! $sall)
 {
 $sql.= ' GROUP BY f.rowid, f.facnumber, f.type, f.increment, f.total, f.total_ttc,';
@@ -3183,11 +3182,11 @@ else
 print '';
 print ' ';
 print '';
- print '';
+ print '';
 print '';
- print '';
+ print '';
 print '';
- print '';
+ print '';
 print '';
 print '';
 print ' ';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index eafd2c9cb22..39fc2b599d9 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
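Review bot: The new `if ($search_ref)`, `if ($search_societe)`, `if ($search_montant_ht)` and `if ($search_montant_ttc)` guards test PHP truthiness, so a search for the literal value `0` is silently dropped, and the `trim($search_ref) != ''` form that tolerated it is deleted in the following hunk; `if (trim($search_ref) != '')` (and the same for the other three) keeps the filter explicit. `$search_montant_ht` and `$search_montant_ttc` are compared with numeric columns as quoted strings after only the `'alpha'` check, which in this patch's GETPOST merely rejects a double quote; the `'int'` check (`[\.,0-9]`) or a numeric conversion before the comparison would keep non-numeric input out of the query. `$db->escape` is applied in all four branches, so this is hardening rather than an open injection; `%` and `_` in the two LIKE patterns are not neutralised by it, which only widens the match. The enclosing `else` block starts and ends outside the hunk.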
@@ -185,22 +185,22 @@ function dol_shutdown()
 */
 function GETPOST($paramname,$check='',$method=0)
 {
- if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
- elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
- elseif ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';
- elseif ($method==3) $out = isset($_POST[$paramname])?$_POST[$paramname]:(isset($_GET[$paramname])?$_GET[$paramname]:'');
-
- if (!empty($check))
- {
- // Check if numeric
- if ($check == 'int' && ! preg_match('/^[\.,0-9]+$/i',trim($out))) $out='';
- // Check if alpha
- //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
- // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
- if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
- }
-
- return $out;
+ if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
+ elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
+ elseif ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';
+ elseif ($method==3) $out = isset($_POST[$paramname])?$_POST[$paramname]:(isset($_GET[$paramname])?$_GET[$paramname]:'');
+
+ if (! empty($check))
+ {
+ // Check if numeric
+ if ($check == 'int' && ! preg_match('/^[\.,0-9]+$/i',trim($out))) $out='';
+ // Check if alpha
+ //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
+ // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+ if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
+ }
+
+ return $out;
 }