diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index afb2d31efce..9dd68c16326 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -37,11 +37,11 @@ $rowid=GETPOST('rowid','int');
$entity=GETPOST('entity','int');
$action=GETPOST('action','alpha');
$update=GETPOST('update','alpha');
-$delete=GETPOST('delete'); // Do not use alpha here
+$delete=GETPOST('delete','none'); // Do not use alpha here
$debug=GETPOST('debug','int');
$consts=GETPOST('const','array');
$constname=GETPOST('constname','alpha');
-$constvalue=GETPOST('constvalue');
+$constvalue=GETPOST('constvalue','none'); // We shoul dbe able to send everything here
$constnote=GETPOST('constnote','alpha');
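Review bot: `$constvalue` on L15 and `$delete` on L10 now arrive completely unfiltered (`'none'`), so every sink outside this hunk must do its own escaping — `$db->escape()` where the value is written to the constant table and `dol_escape_htmltag()` where it is echoed back into the list — and nothing in this hunk does either, so please confirm both. The comment on L15 also has a typo and says why rather than what it implies; I would write it as `// 'none': stored verbatim, so callers must escape at the SQL and HTML sinks`. The file's admin gate is not visible here; confirm it is present as in defaultvalues.php (`if (!$user->admin) accessforbidden();`), since that is what limits the exposure of an unfiltered write.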
@@ -248,7 +248,7 @@ if ($result)
while ($i < $num)
{
$obj = $db->fetch_object($result);
-
+
print "\n";
diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php
index 0633ee90965..84271cff38f 100644
--- a/htdocs/admin/defaultvalues.php
+++ b/htdocs/admin/defaultvalues.php
@@ -34,7 +34,7 @@ if (!$user->admin) accessforbidden();
$id=GETPOST('rowid','int');
$action=GETPOST('action','alpha');
-$mode = GETPOST('mode')?GETPOST('mode'):'createform'; // 'createform', 'filters', 'sortorder', 'focus'
+$mode = GETPOST('mode','aZ09')?GETPOST('mode','aZ09'):'createform'; // 'createform', 'filters', 'sortorder', 'focus'
$limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit;
$sortfield = GETPOST("sortfield",'alpha');
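Review bot: L32 calls `GETPOST('mode','aZ09')` twice to produce one value; reading it once is clearer and cannot drift if the filter argument is later changed on only one side: `$mode = GETPOST('mode','aZ09'); if (empty($mode)) $mode = 'createform';`. The `aZ09` filter fits the documented modes (`createform`, `filters`, `sortorder`, `focus`), but note it only restricts the character class — an unknown mode still reaches whatever consumes `$mode` further down, which is outside this hunk.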
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index cd236d85122..191db98a402 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -89,7 +89,7 @@ if ($action == 'update')
if ($result > 0)
{
$menu->titre=GETPOST('titre', 'alpha');
- $menu->leftmenu=GETPOST('leftmenu', 'alpha');
+ $menu->leftmenu=GETPOST('leftmenu', 'aZ09');
$menu->url=GETPOST('url','alpha');
$menu->langs=GETPOST('langs','alpha');
$menu->position=GETPOST('position','int');
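Review bot: The `aZ09` filter on L44 sanitises by deletion, so a `leftmenu` value containing any character outside the class is saved in altered form with no feedback to the admin; I would compare the filtered value with the raw one and refuse the update on mismatch rather than store a silently rewritten key. Also confirm which characters `aZ09` admits — Dolibarr left-menu keys are conventionally underscore-separated, and if `_` is not in the class this change truncates every such key on edit. The enclosing `if ($action == 'update')` block starts before and ends after this hunk.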
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index c0a1c610fe6..4b02e7941d2 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -157,7 +157,7 @@ $i=0;
foreach($_SESSION as $key => $val)
{
if ($i > 0) print ', ';
- print $key.' => '.$val;
+ print $key.' => '.dol_escape_htmltag($val);
$i++;
}
print ''."\n";
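Review bot: `dol_escape_htmltag($val)` on L57 assumes every session entry is a scalar, but `$_SESSION` can hold arrays (the original line would already have printed `Array` with a notice for those), so non-scalars should be serialised rather than handed to a string escaper: `print dol_escape_htmltag($key).' => '.dol_escape_htmltag(is_scalar($val) ? $val : json_encode($val));`. Escaping `$key` as well costs nothing and keeps the output safe if a key is ever derived from input. Since this prints the entire session, including any tokens stored there, to the page, it must sit behind an admin check; that check is outside the hunk, so please confirm it.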
diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php
index 55a407c3e61..cc21a8ff717 100644
--- a/htdocs/admin/translation.php
+++ b/htdocs/admin/translation.php
@@ -40,7 +40,7 @@ $transkey=GETPOST('transkey','alpha');
$transvalue=GETPOST('transvalue','alpha');
-$mode = GETPOST('mode')?GETPOST('mode'):'overwrite';
+$mode = GETPOST('mode','aZ09')?GETPOST('mode','aZ09'):'overwrite';
$limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit;
$sortfield = GETPOST("sortfield",'alpha');
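Review bot: L68 evaluates `GETPOST('mode','aZ09')` twice for a single assignment; `$mode = GETPOST('mode','aZ09'); if (empty($mode)) $mode = 'overwrite';` keeps one lookup and reads the same. `$transvalue` on L66 remains on the `alpha` filter; whether that is sufficient depends on how the value is written and rendered later, both outside this hunk.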
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index c03de343489..fdc3ddb1a05 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -193,7 +193,12 @@ class Form
$morealt=' style="width: '.$cols.'"';
$cols='';
}
- $ret.='';
+
+ $valuetoshow = ($editvalue?$editvalue:$value);
+
+ $ret.='';
}
else if ($typeofdata == 'day' || $typeofdata == 'datepicker')
{
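Review bot: `$valuetoshow = ($editvalue?$editvalue:$value);` on L81 tests truthiness, so an `$editvalue` of `'0'` or `0` is discarded and `$value` is shown instead; if the intent is "use the edit value when one was supplied", test presence: `$valuetoshow = (isset($editvalue) && $editvalue !== '') ? $editvalue : $value;`. What L83 does with `$valuetoshow` is not visible in this excerpt (the markup was lost in extraction), but this branch is building a sized text control — presumably a textarea, given `$cols` — so the value must be HTML-escaped there, or at minimum passed through the `dol_string_neverthesehtmltags()` this commit adds, or a stored `</textarea>` breaks out of the field. The enclosing method continues outside the hunk.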
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 00ac2093bdc..7b515fd1e46 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -4520,7 +4520,7 @@ function price($amount, $form=0, $outlangs='', $trunc=1, $rounding=-1, $forcerou
* 'MT'=Round to Max for totals with Tax (MAIN_MAX_DECIMALS_TOT)
* 'MS'=Round to Max for stock quantity (MAIN_MAX_DECIMALS_STOCK)
* @param int $alreadysqlnb Put 1 if you know that content is already universal format number
- * @return string Amount with universal numeric format (Example: '99.99999') or unchanged text if conversion fails.
+ * @return string Amount with universal numeric format (Example: '99.99999') or unchanged text if conversion fails. If amount is null or '', it returns ''.
*
* @see price Opposite function of price2num
*/
@@ -5448,7 +5448,7 @@ function picto_required()
* @param integer $strip_tags 0=Use internal strip, 1=Use strip_tags() php function (bugged when text contains a < char that is not for a html tag)
* @return string String cleaned
*
- * @see dol_escape_htmltag strip_tags
+ * @see dol_escape_htmltag strip_tags dol_string_onlythesehtmltags dol_string_neverthesehtmltags
*/
function dol_string_nohtmltag($stringtoclean, $removelinefeed=1, $pagecodeto='UTF-8', $strip_tags=0)
{
@@ -5480,6 +5480,51 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed=1, $pagecodeto='UT
return trim($temp);
}
+/**
+ * Clean a string to keep only desirable HTML tags.
+ *
+ * @param string $stringtoclean String to clean
+ * @return string String cleaned
+ *
+ * @see dol_escape_htmltag strip_tags dol_string_nohtmltag dol_string_neverthesehtmltags
+ */
+function dol_string_onlythesehtmltags($stringtoclean)
+{
+ $allowed_tags = array(
+ "html", "head", "meta", "body", "b", "br", "div", "em", "font", "img", "hr", "i", "li", "link",
+ "ol", "p", "s", "section", "span", "strong", "title",
+ "table", "tr", "th", "td", "u", "ul"
+ );
+
+ $allowed_tags_string = join("><", $allowed_tags);
+ $allowed_tags_string = preg_replace('/^>/','',$allowed_tags_string);
+ $allowed_tags_string = preg_replace('/<$/','',$allowed_tags_string);
+
+ $temp = strip_tags($stringtoclean, $allowed_tags_string);
+
+ return $temp;
+}
+
+/**
+ * Clean a string from some undesirable HTML tags.
+ *
+ * @param string $stringtoclean String to clean
+ * @param array $disallowed_tags Array of tags not allowed
+ * @return string String cleaned
+ *
+ * @see dol_escape_htmltag strip_tags dol_string_nohtmltag dol_string_onlythesehtmltags
+ */
+function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags=array('textarea'))
+{
+ $temp = $stringtoclean;
+ foreach($disallowed_tags as $tagtoremove)
+ {
+ $temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
+ $temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
+ }
+ return $temp;
+}
+
/**
* Return first line of text. Cut will depends if content is HTML or not.
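Review bot: In `dol_string_onlythesehtmltags()` the allow-list string built on L128–L130 is malformed: `join("><", ...)` yields `html><head>…<u><ul`, which has no leading `<` and no trailing `>`, and the two `preg_replace` calls on L129–L130 look for exactly those characters and so never match. To my reading of `strip_tags()`, each tag is checked as `<name>` against that string, so the first and last entries (`html`, `ul`) are silently stripped while everything between is kept; the three lines reduce to `$allowed_tags_string = '<'.join('><', $allowed_tags).'>';`. The docblock should also carry the caveat `* Note: strip_tags() keeps attributes of allowed tags, so img/link/meta still pass onerror=, href="javascript:…" or http-equiv="refresh" — this is a tag filter, not an XSS sanitiser.` In `dol_string_neverthesehtmltags()` the patterns on L151–L152 are case-sensitive and do not quote `$tagtoremove`, so `</TEXTAREA>` survives although browsers treat it as the closing tag; `$temp = preg_replace('/<\/?'.preg_quote($tagtoremove,'/').'([\s\/][^>]*)?>/i', '', $temp);` covers both existing patterns case-insensitively and also the self-closing form.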
diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php
index 70a7f8158fc..e576889d363 100644
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@@ -309,8 +309,7 @@ if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
{
- $childids = $user->getAllChildIds();
- $childids[]=$user->id;
+ $childids = $user->getAllChildIds(1);
$sql.= " AND d.fk_user_author IN (".join(',',$childids).")\n";
}
// Add where from extra fields
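Review bot: L169 drops the explicit `$childids[]=$user->id` in favour of `getAllChildIds(1)`, so the user's own reports remain visible only if the `1` argument means "include the caller's id" — please confirm, because otherwise a user with no subordinates gets an empty list and `IN ()` on L170, which is a SQL error rather than an empty result. A cheap guard that also survives a later signature change: `if (empty($childids)) $childids = array($user->id);` before the `$sql.=` line. The ids come from the user hierarchy rather than the request, but `join(',', array_map('intval', $childids))` would make the interpolation safe regardless of where they come from.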
@@ -447,12 +446,15 @@ if ($resql)
print ''.$langs->trans("Modify").'';
}
- $canedit=(($user->id == $user_id && $user->rights->expensereport->creer) || ($user->id != $user_id));
+ $childids = $user->getAllChildIds(1);
+
+ $canedit=((in_array($user_id, $childids) && $user->rights->expensereport->creer)
+ || ($conf->global->MAIN_USE_ADVANCED_PERMS && $user->rights->expensereport->writeall_advance));
// Boutons d'actions
if ($canedit)
{
- print ''.$langs->trans("AddTrip").'';
+ print ''.$langs->trans("AddTrip").'';
}
print '';
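Review bot: `$user->getAllChildIds(1)` on L177 sits inside the `if ($resql)` result loop per the hunk header, so it is re-evaluated — presumably with a database query — for every row of the list although its result does not depend on the row; compute it once before the loop (the earlier hunk in this file already builds the same value in the permission branch) and reuse it here. `in_array($user_id, $childids)` on L179 is a loose comparison, acceptable while both sides are numeric ids, but the hunk does not show where `$user_id` comes from — if it is request-supplied, cast it with `(int) $user_id` before the membership test. The loop itself starts and ends outside this hunk.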