lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'develop' of https://github.com/Dolibarr/dolibarr.git into

Browse Source 
develop_dict
This commit is contained in:
Regis Houssin 2017-06-19 07:06:57 +02:00
commit 544d051fe3
68 changed files with 645 additions and 460 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
ChangeLog
View File

@ -31,6 +31,23 @@ Following changes may create regression for some external modules, but were nece
content by doing a print into function, sometimes by returning content into "resprint". This has been fixed to follow
hook specifications so you must return output into "resprint".
***** ChangeLog for 5.0.4 compared to 5.0.3 *****
FIX: #6880
FIX: #6925
FIX: #6926
FIX: Can set supplier invoice to billed.
FIX: Can't create invoice if PO disapproved
FIX: contratligne update
FIX: CVE-2017-7886
FIX: default param
FIX: Line of invoices not inserted when using POS module and VAT NPR.
FIX: origin & originid on supplierproposal
FIX: Redirect to payment page from member subscription page failed if a unique security key was defined.
FIX: REST api to get project when user has permission to read all.
FIX: situation_progress param default value must be 100 and not 0
FIX: SQL injection on user/index.php parameter search_statut.
FIX: Warnings
***** ChangeLog for 5.0.3 compared to 5.0.2 *****
FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty
FIX: #6813

4
build/debian/source/lintian-overrides
View File

@ -10,6 +10,8 @@ source-is-missing htdocs/includes/ckeditor/ckeditor/lang/*.js
source-is-missing htdocs/includes/ckeditor/ckeditor/plugins/*/dialogs/*.js
source-is-missing htdocs/includes/ckeditor/ckeditor/plugins/*/filter/*.js
source-is-missing htdocs/includes/ckeditor/ckeditor/plugins/templates/templates/default.js
source-is-missing htdocs/includes/mobiledetect/mobiledetectlib/Mobile_Detect.json
source-is-missing htdocs/includes/restler/framework/Luracast/Restler/explorer/lib/*.js
# Those are false positives, the files are their own sources since
# they are data files
source-is-missing htdocs/includes/mobiledetect/mobiledetectlib/Mobile_Detect.json

2
dev/initdemo/initdemo.sh
View File

@ -155,7 +155,7 @@ fi
#echo "mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile"
#mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile
#echo "drop old table"
echo "drop table llx_accounting_account;" | mysql -P$port -u$admin $passwd $base
echo "drop table if exists llx_accounting_account;" | mysql -P$port -u$admin $passwd $base
echo "mysql -P$port -u$admin -p***** $base < $mydir/$dumpfile"
mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile
export res=$?

4
dev/initdemo/mysqldump_dolibarr_3.5.0.sql
View File

@ -528,7 +528,7 @@ CREATE TABLE `llx_bank` (
LOCK TABLES `llx_bank` WRITE;
/*!40000 ALTER TABLE `llx_bank` DISABLE KEYS */;
INSERT INTO `llx_bank` VALUES (1,'2010-07-08 23:56:14','2013-03-07 21:28:51','2010-07-08','2010-07-08',2000.00000000,'(Initial balance)',1,NULL,1,'SOLD','201210',NULL,1,NULL,0,NULL,NULL,NULL),(2,'2010-07-09 00:00:24','0000-00-00 00:00:00','2010-07-09','2010-07-09',500.00000000,'(Initial balance)',2,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(3,'2010-07-10 13:33:42','0000-00-00 00:00:00','2010-07-10','2010-07-10',0.00000000,'(Solde initial)',3,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(4,'2010-07-10 14:59:41','0000-00-00 00:00:00','2010-07-10','2010-07-10',0.02000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,'Client salon invidivdu',NULL),(5,'2011-07-18 20:50:24','0000-00-00 00:00:00','2011-07-08','2011-07-08',20.00000000,'(CustomerInvoicePayment)',1,1,NULL,'CB','201107',NULL,1,NULL,0,NULL,NULL,NULL),(6,'2011-07-18 20:50:47','0000-00-00 00:00:00','2011-07-08','2011-07-08',10.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(8,'2011-08-01 03:34:11','2013-03-07 21:28:51','2011-08-01','2011-08-01',5.63000000,'(CustomerInvoicePayment)',1,1,1,'CB','201210',NULL,1,NULL,0,NULL,NULL,NULL),(12,'2011-08-05 23:11:37','2013-03-07 21:33:57','2011-08-05','2011-08-05',-10.00000000,'(SocialContributionPayment)',1,1,1,'VIR','201210',NULL,1,NULL,0,NULL,NULL,NULL),(13,'2011-08-06 20:33:54','0000-00-00 00:00:00','2011-08-06','2011-08-06',5.98000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(14,'2011-08-08 02:53:40','0000-00-00 00:00:00','2011-08-08','2011-08-08',26.10000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(15,'2011-08-08 02:55:58','2013-03-07 21:39:20','2011-08-08','2011-08-08',26.96000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201211',NULL,1,NULL,0,NULL,NULL,NULL),(16,'2012-12-09 15:28:44','2012-12-09 14:28:44','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(17,'2012-12-09 15:28:53','2012-12-09 14:33:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(18,'2012-12-09 17:35:55','2012-12-09 16:35:55','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(19,'2012-12-09 17:37:02','2012-12-09 16:37:02','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(20,'2012-12-09 18:35:07','2012-12-09 17:35:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(21,'2012-12-12 18:54:33','2013-03-07 21:28:51','2012-12-12','2012-12-12',1.00000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201210',NULL,1,NULL,0,NULL,NULL,NULL),(22,'2013-03-06 16:48:16','2013-03-06 15:48:16','2013-03-06','2013-03-06',20.00000000,'(SubscriptionPayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(23,'2013-03-20 14:30:11','2013-03-20 13:30:11','2013-03-20','2013-03-20',10.00000000,'(SubscriptionPayment)',1,1,NULL,'VIR',NULL,NULL,0,NULL,0,NULL,NULL,NULL);
INSERT INTO `llx_bank` VALUES (1,'2010-07-08 23:56:14','2013-03-07 21:28:51','2010-07-08','2010-07-08',2000.00000000,'(Initial balance)',1,NULL,1,'SOLD','201210',NULL,1,NULL,0,NULL,NULL,NULL),(2,'2010-07-09 00:00:24','2010-07-09 00:00:24','2010-07-09','2010-07-09',500.00000000,'(Initial balance)',2,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(3,'2010-07-10 13:33:42','2010-07-10 13:33:42','2010-07-10','2010-07-10',0.00000000,'(Solde initial)',3,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(4,'2010-07-10 14:59:41','2010-07-10 14:59:41','2010-07-10','2010-07-10',0.02000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,'Client salon invidivdu',NULL),(5,'2011-07-18 20:50:24','2011-07-18 20:50:24','2011-07-08','2011-07-08',20.00000000,'(CustomerInvoicePayment)',1,1,NULL,'CB','201107',NULL,1,NULL,0,NULL,NULL,NULL),(6,'2011-07-18 20:50:47','2011-07-18 20:50:47','2011-07-08','2011-07-08',10.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(8,'2011-08-01 03:34:11','2013-03-07 21:28:51','2011-08-01','2011-08-01',5.63000000,'(CustomerInvoicePayment)',1,1,1,'CB','201210',NULL,1,NULL,0,NULL,NULL,NULL),(12,'2011-08-05 23:11:37','2013-03-07 21:33:57','2011-08-05','2011-08-05',-10.00000000,'(SocialContributionPayment)',1,1,1,'VIR','201210',NULL,1,NULL,0,NULL,NULL,NULL),(13,'2011-08-06 20:33:54','2011-08-06 20:33:54','2011-08-06','2011-08-06',5.98000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(14,'2011-08-08 02:53:40','2011-08-08 02:53:40','2011-08-08','2011-08-08',26.10000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(15,'2011-08-08 02:55:58','2013-03-07 21:39:20','2011-08-08','2011-08-08',26.96000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201211',NULL,1,NULL,0,NULL,NULL,NULL),(16,'2012-12-09 15:28:44','2012-12-09 14:28:44','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(17,'2012-12-09 15:28:53','2012-12-09 14:33:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(18,'2012-12-09 17:35:55','2012-12-09 16:35:55','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(19,'2012-12-09 17:37:02','2012-12-09 16:37:02','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(20,'2012-12-09 18:35:07','2012-12-09 17:35:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(21,'2012-12-12 18:54:33','2013-03-07 21:28:51','2012-12-12','2012-12-12',1.00000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201210',NULL,1,NULL,0,NULL,NULL,NULL),(22,'2013-03-06 16:48:16','2013-03-06 15:48:16','2013-03-06','2013-03-06',20.00000000,'(SubscriptionPayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(23,'2013-03-20 14:30:11','2013-03-20 13:30:11','2013-03-20','2013-03-20',10.00000000,'(SubscriptionPayment)',1,1,NULL,'VIR',NULL,NULL,0,NULL,0,NULL,NULL,NULL);
/*!40000 ALTER TABLE `llx_bank` ENABLE KEYS */;
UNLOCK TABLES;
@ -4844,7 +4844,7 @@ CREATE TABLE `llx_opensurvey_sondage` (
LOCK TABLES `llx_opensurvey_sondage` WRITE;
/*!40000 ALTER TABLE `llx_opensurvey_sondage` DISABLE KEYS */;
INSERT INTO `llx_opensurvey_sondage` VALUES ('m4467s2mtk6khmxc','m4467s2mtk6khmxci2ysw682','fdffdshfghfj jhgjgh','aaa@aaa.com','fdfds','fdffds','2013-03-06 23:00:00','D+','1',1,'dolibarr','0000-00-00 00:00:00');
INSERT INTO `llx_opensurvey_sondage` VALUES ('m4467s2mtk6khmxc','m4467s2mtk6khmxci2ysw682','fdffdshfghfj jhgjgh','aaa@aaa.com','fdfds','fdffds','2013-03-06 23:00:00','D+','1',1,'dolibarr','2000-01-01 00:00:00');
/*!40000 ALTER TABLE `llx_opensurvey_sondage` ENABLE KEYS */;
UNLOCK TABLES;

37
htdocs/accountancy/admin/accountmodel.php
View File

@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
$acts[0] = "activate";
$acts[1] = "disable";
@ -225,7 +226,7 @@ if ($id == 25)
if (GETPOST('button_removefilter') || GETPOST('button_removefilter.x') || GETPOST('button_removefilter_x'))
{
$search_country_id = '';
$search_country_id = '';
}
// Actions add or modify an entry into a dictionary
@ -459,8 +460,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -479,8 +480,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -499,8 +500,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -519,8 +520,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -556,7 +557,7 @@ print "<br>\n";
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);
@ -574,7 +575,7 @@ if ($id)
else $sql.=" WHERE ";
$sql.= " c.rowid = ".$search_country_id;
}
if ($sortfield)
{
// If sort order is "country", we use country_code instead
@ -600,7 +601,7 @@ if ($id)
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$id.'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<table class="noborder" width="100%">';
// Form to add a new line
@ -773,7 +774,7 @@ if ($id)
$paramwithsearch = $param;
if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder;
if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield;
// There is several pages
if ($num > $listlimit)
{
@ -865,9 +866,9 @@ if ($id)
foreach ($fieldlist as $field => $value)
{
$showfield=1; // By defaut
if ($fieldlist[$field]=='region_id' || $fieldlist[$field]=='country_id') { $showfield=0; }
if ($showfield)
{
if ($value == 'country')
@ -889,7 +890,7 @@ if ($id)
print $searchpicto;
print '</td>';
print '</tr>';
if ($num)
{
// Lines with values
@ -927,7 +928,7 @@ if ($id)
{
foreach ($fieldlist as $field => $value)
{
$showfield=1;
$align="left";
$valuetoshow=$obj->{$fieldlist[$field]};
@ -1169,7 +1170,7 @@ else
$showemptyline=0;
}
$value=$tabname[$i];
print '<tr class="oddeven"><td width="50%">';
if (! empty($tabcond[$i]))

19
htdocs/accountancy/admin/categories_list.php
View File

@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
// Security access
if (! empty($user->rights->accountancy->chartofaccount))
@ -370,8 +371,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -390,8 +391,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -410,8 +411,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -430,8 +431,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -461,7 +462,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto);
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

11
htdocs/accountancy/admin/journals_list.php
View File

@ -38,6 +38,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
// Security access
if (! empty($user->rights->accountancy->chartofaccount))
@ -321,8 +322,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -341,8 +342,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -375,7 +376,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto);
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

19
htdocs/admin/dict.php
View File

@ -55,6 +55,7 @@ $confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$entity=GETPOST('entity','int');
$code=GETPOST('code','alpha');
$allowed=$user->admin;
if ($id == 7 && ! empty($user->rights->accounting->chartofaccount)) $allowed=1; // Tax page allowed to manager of chart account
@ -818,8 +819,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : '');
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
$result = $db->query($sql);
@ -838,8 +839,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : '');
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
$result = $db->query($sql);
@ -858,8 +859,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : '');
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
$result = $db->query($sql);
@ -878,8 +879,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : '');
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
$result = $db->query($sql);
@ -941,7 +942,7 @@ if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha');
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode(GETPOST('code')).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

10
htdocs/admin/mails_templates.php
View File

@ -346,8 +346,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -366,8 +366,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -412,7 +412,7 @@ dol_fiche_head($head, 'templates', '', -1);
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

2
htdocs/admin/tools/index.php
View File

@ -38,7 +38,7 @@ if (! $user->admin)
$form = new Form($db);
$title=$langs->trans("AdminTools");
//if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools");
//if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools");
llxHeader('', $title);

18
htdocs/bookmarks/bookmarks.lib.php
View File

@ -40,10 +40,10 @@ function printBookmarksList($aDb, $aLangs)
$langs->load("bookmarks");
$url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:'');
$url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');
$ret = '';
// Menu bookmark
$ret.= '<div class="menu_top"></div>'."\n";
@ -83,12 +83,12 @@ function printBookmarksList($aDb, $aLangs)
dol_print_error($db);
}
}
$ret.= '</select>';
$ret.= '</form>';
$ret.=ajax_combobox('boxbookmark');
$ret.='<script type="text/javascript">
$(document).ready(function () {';
$ret.=' jQuery("#boxbookmark").change(function() {
@ -97,9 +97,9 @@ function printBookmarksList($aDb, $aLangs)
if (! urltarget) { urltarget=""; }
jQuery("form#actionbookmark").attr("target",urltarget);
jQuery("form#actionbookmark").attr("action",urlselected);
console.log("We change select bookmark. We choose urlselected="+urlselected+" with target="+urltarget);
// Method is POST for internal link, GET for external
if (urlselected.startsWith(\'http\'))
{
@ -107,7 +107,7 @@ function printBookmarksList($aDb, $aLangs)
jQuery("form#actionbookmark").attr("method",newmethod);
console.log("We change method to newmethod="+newmethod);
}
jQuery("#actionbookmark").submit();
});';
$ret.='})</script>';

34
htdocs/comm/action/index.php
View File

@ -423,8 +423,8 @@ else // If javascript off
$newparam=$param; // newparam is for birthday links
$newparam=preg_replace('/showbirthday=[0-1]/i','showbirthday='.(empty($showbirthday)?1:0),$newparam);
if (! preg_match('/showbirthday=/i',$newparam)) $newparam.='&showbirthday=1';
$link='<a href="'.$_SERVER['PHP_SELF'];
$link.='?'.$newparam;
$link='<a href="'.dol_escape_htmltag($_SERVER['PHP_SELF']);
$link.='?'.dol_escape_htmltag($newparam);
$link.='">';
if (empty($showbirthday)) $link.=$langs->trans("AgendaShowBirthdayEvents");
else $link.=$langs->trans("AgendaHideBirthdayEvents");
@ -1070,7 +1070,7 @@ if (empty($action) || $action == 'show_month') // View by month
}
echo "</table>\n";
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';
@ -1124,7 +1124,7 @@ elseif ($action == 'show_week') // View by week
echo "</table>\n";
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';
@ -1188,7 +1188,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
global $cachethirdparties, $cachecontacts, $cacheusers, $colorindexused;
$dateint = sprintf("%04d",$year).sprintf("%02d",$month).sprintf("%02d",$day);
print "\n";
// Line with title of day
@ -1247,7 +1247,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
if (in_array($user->id, $keysofuserassigned))
{
$nummytasks++; $cssclass='family_mytasks';
if (empty($cacheusers[$event->userownerid]))
{
$newuser=new User($db);
@ -1255,7 +1255,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
$cacheusers[$event->userownerid]=$newuser;
}
//var_dump($cacheusers[$event->userownerid]->color);
// We decide to choose color of owner of event (event->userownerid is user id of owner, event->userassigned contains all users assigned to event)
if (! empty($cacheusers[$event->userownerid]->color)) $color=$cacheusers[$event->userownerid]->color;
}
@ -1277,10 +1277,10 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
}
else
{
$numother++;
$numother++;
$color=($event->icalcolor?$event->icalcolor:-1);
$cssclass=(! empty($event->icalname)?'family_ext'.md5($event->icalname):'family_other');
if (empty($cacheusers[$event->userownerid]))
{
$newuser=new User($db);
@ -1288,7 +1288,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
$cacheusers[$event->userownerid]=$newuser;
}
//var_dump($cacheusers[$event->userownerid]->color);
// We decide to choose color of owner of event (event->userownerid is user id of owner, event->userassigned contains all users assigned to event)
if (! empty($cacheusers[$event->userownerid]->color)) $color=$cacheusers[$event->userownerid]->color;
}
@ -1364,9 +1364,9 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
print '">';
print '<tr>';
print '<td class="tdoverflow nobottom centpercent '.($nowrapontd?'nowrap ':'').'cal_event'.($event->type_code == 'BIRTHDAY'?' cal_event_birthday':'').'">';
$daterange='';
if ($event->type_code == 'BIRTHDAY') // It's a birthday
{
print $event->getNomUrl(1,$maxnbofchar,'cal_event','birthday','contact');
@ -1426,9 +1426,9 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
// Show title
$titletoshow = $daterange;
$titletoshow.=($titletoshow?' ':'').$event->libelle;
if ($event->type_code == 'ICALEVENT') print $titletoshow;
else
else
{
$savlabel=$event->libelle;
$event->libelle=$titletoshow;
@ -1449,11 +1449,11 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
$newuser->fetch($tmpid);
$cacheusers[$tmpid]=$newuser;
}
$listofusertoshow.=$cacheusers[$tmpid]->getNomUrl(-3, '', 0, 0, 0, 0, '', 'valigntextbottom');
}
print $listofusertoshow;
if ($event->type_code == 'ICALEVENT') print '<br>('.dol_trunc($event->icalname,$maxnbofchar).')';
// If action related to company / contact
@ -1506,7 +1506,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
if ($event->type_code != 'BIRTHDAY' && $event->type_code != 'ICALEVENT')
{
$withstatus=1;
if ($event->percentage >= 0) $withstatus=2;
if ($event->percentage >= 0) $withstatus=2;
}
print '<td class="nobottom right nowrap cal_event_right'.($withstatus >= 2 ?' cal_event_right_status':'').'">';
if ($withstatus) print $event->getLibStatut(3,1);

2
htdocs/comm/action/pertype.php
View File

@ -572,7 +572,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor
$newparam.='&viewweek=1';
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';

6
htdocs/comm/action/peruser.php
View File

@ -86,12 +86,12 @@ $status=GETPOST("status");
$type=GETPOST("type");
$maxprint=(isset($_GET["maxprint"])?GETPOST("maxprint"):$conf->global->AGENDA_MAX_EVENTS_DAY_VIEW);
// Set actioncode (this code must be same for setting actioncode into peruser, listacton and index)
if (GETPOST('actioncode','array'))
if (GETPOST('actioncode','array'))
{
$actioncode=GETPOST('actioncode','array',3);
if (! count($actioncode)) $actioncode='0';
}
else
else
{
$actioncode=GETPOST("actioncode","alpha",3)?GETPOST("actioncode","alpha",3):(GETPOST("actioncode")=='0'?'0':(empty($conf->global->AGENDA_DEFAULT_FILTER_TYPE)?'':$conf->global->AGENDA_DEFAULT_FILTER_TYPE));
}
@ -579,7 +579,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor
$newparam.='&viewweek=1';
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';

39
htdocs/comm/propal/document.php
View File

@ -1,6 +1,6 @@
<?php
/* Copyright (C) 2003-2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2004-2009 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2004-2017 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2005 Marc Barilley / Ocebo <marc@ocebo.com>
* Copyright (C) 2005-2012 Regis Houssin <regis.houssin@capnetworks.com>
* Copyright (C) 2013 Cédric Salvador <csalvador@gpcsolutions.fr>
@ -63,17 +63,18 @@ if (! $sortfield) $sortfield="name";
$object = new Propal($db);
$object->fetch($id,$ref);
if ($object->id > 0)
{
$object->fetch_thirdparty();
$upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref);
include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php';
}
/*
* Actions
*/
if ($object->id > 0)
{
$object->fetch_thirdparty();
$upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref);
include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php';
}
/*
@ -101,10 +102,10 @@ if ($object->id > 0)
// Proposal card
$linkback = '<a href="' . DOL_URL_ROOT . '/comm/propal/list.php' . (! empty($socid) ? '?socid=' . $socid : '') . '">' . $langs->trans("BackToList") . '</a>';
$morehtmlref='<div class="refidno">';
// Ref customer
$morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
@ -145,24 +146,24 @@ if ($object->id > 0)
}
}
$morehtmlref.='</div>';
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
print '<div class="fichecenter">';
print '<div class="underbanner clearboth"></div>';
print '<table class="border" width="100%">';
// Files infos
print '<tr><td class="titlefield">'.$langs->trans("NbOfAttachedFiles").'</td><td>'.count($filearray).'</td></tr>';
print '<tr><td>'.$langs->trans("TotalSizeOfAttachedFiles").'</td><td>'.$totalsize.' '.$langs->trans("bytes").'</td></tr>';
print "</table>\n";
print '</div>';
dol_fiche_end();
$modulepart = 'propal';

59
htdocs/comm/propal/list.php
View File

@ -275,25 +275,25 @@ if (! $user->rights->societe->client->voir && ! $socid) //restriction
$sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
}
if ($search_town) $sql.= natural_search('s.town', $search_town);
if ($search_zip) $sql.= natural_search("s.zip",$search_zip);
if ($search_state) $sql.= natural_search("state.nom",$search_state);
if ($search_country) $sql .= " AND s.fk_pays IN (".$search_country.')';
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
if ($search_ref) $sql .= natural_search('p.ref', $search_ref);
if ($search_zip) $sql.= natural_search("s.zip", $search_zip);
if ($search_state) $sql.= natural_search("state.nom", $search_state);
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
if ($search_ref) $sql .= natural_search('p.ref', $search_ref);
if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer);
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
if ($search_login) $sql.= " AND u.login LIKE '%".$db->escape(trim($search_login))."%'";
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
if ($search_login) $sql .= natural_search("u.login", $search_login);
if ($search_montant_ht != '') $sql.= natural_search("p.total_ht", $search_montant_ht, 1);
if ($search_montant_vat != '') $sql.= natural_search("p.tva", $search_montant_vat, 1);
if ($search_montant_ttc != '') $sql.= natural_search("p.total", $search_montant_ttc, 1);
if ($sall) {
$sql .= natural_search(array_keys($fieldstosearchall), $sall);
}
if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$search_product_category;
if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$db->escape($search_product_category);
if ($socid > 0) $sql.= ' AND s.rowid = '.$socid;
if ($viewstatut != '' && $viewstatut != '-1')
{
$sql.= ' AND p.fk_statut IN ('.$viewstatut.')';
$sql.= ' AND p.fk_statut IN ('.$db->escape($viewstatut).')';
}
if ($month > 0)
{
@ -302,16 +302,16 @@ if ($month > 0)
else if ($year > 0 && ! empty($day))
$sql.= " AND p.datep BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'";
else
$sql.= " AND date_format(p.datep, '%m') = '".$month."'";
$sql.= " AND date_format(p.datep, '%m') = '".$db->escape($month)."'";
}
else if ($year > 0)
{
$sql.= " AND p.datep BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'";
}
if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$search_sale;
if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$db->escape($search_sale);
if ($search_user > 0)
{
$sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$search_user;
$sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$db->escape($search_user);
}
// Add where from extra fields
foreach ($search_array_options as $key => $val)
@ -365,23 +365,24 @@ if ($resql)
$arrayofselected=is_array($toselect)?$toselect:array();
$param='&viewstatut='.$viewstatut;
if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage;
if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit;
if ($sall) $param.='&sall='.$sall;
if ($month) $param.='&month='.$month;
if ($year) $param.='&year='.$year;
if ($search_ref) $param.='&search_ref=' .$search_ref;
if ($search_refcustomer) $param.='&search_refcustomer=' .$search_refcustomer;
if ($search_societe) $param.='&search_societe=' .$search_societe;
if ($search_user > 0) $param.='&search_user='.$search_user;
if ($search_sale > 0) $param.='&search_sale='.$search_sale;
if ($search_montant_ht) $param.='&search_montant_ht='.$search_montant_ht;
if ($search_login) $param.='&search_login='.$search_login;
if ($search_town) $param.='&search_town='.$search_town;
if ($search_zip) $param.='&search_zip='.$search_zip;
if ($socid > 0) $param.='&socid='.$socid;
if ($optioncss != '') $param.='&optioncss='.$optioncss;
$param='&viewstatut='.urlencode($viewstatut);
if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage);
if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit);
if ($sall) $param.='&sall='.urlencode($sall);
if ($month) $param.='&month='.urlencode($month);
if ($year) $param.='&year='.urlencode($year);
if ($search_ref) $param.='&search_ref='.urlencode($search_ref);
if ($search_refcustomer) $param.='&search_refcustomer='.urlencode($search_refcustomer);
if ($search_societe) $param.='&search_societe='.urlencode($search_societe);
if ($search_user > 0) $param.='&search_user='.urlencode($search_user);
if ($search_sale > 0) $param.='&search_sale='.urlencode($search_sale);
if ($search_montant_ht) $param.='&search_montant_ht='.urlencode($search_montant_ht);
if ($search_login) $param.='&search_login='.urlencode($search_login);
if ($search_town) $param.='&search_town='.urlencode($search_town);
if ($search_zip) $param.='&search_zip='.urlencode($search_zip);
if ($socid > 0) $param.='&socid='.urlencode($socid);
if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss);
// Add $param from extra fields
foreach ($search_array_options as $key => $val)
{

12
htdocs/compta/facture/card.php
View File

@ -3590,15 +3590,14 @@ else if ($id > 0 || ! empty($ref))
if ($object->type == Facture::TYPE_SITUATION && ! empty($conf->global->INVOICE_USE_SITUATION))
{
if (count($object->tab_previous_situation_invoice) > 0 || count($object->tab_next_situation_invoice) > 0)
print '<table class="nobordernopadding paymenttable" width="100%">';
print '<table class="noborder situationstable" width="100%">';
if (count($object->tab_previous_situation_invoice) > 0) {
// List of previous invoices
print '<tr class="liste_titre">';
print '<td>' . $langs->trans('ListOfPreviousSituationInvoices') . '</td>';
print '<td></td>';
if (! empty($conf->banque->enabled))
print '<td align="right"></td>';
if (! empty($conf->banque->enabled)) print '<td align="right"></td>';
print '<td align="right">' . $langs->trans('AmountHT') . '</td>';
print '<td align="right">' . $langs->trans('AmountTTC') . '</td>';
print '<td width="18">&nbsp;</td>';
@ -3612,8 +3611,7 @@ else if ($id > 0 || ! empty($ref))
print '<tr class="oddeven">';
print '<td>' . $prev_invoice->getNomUrl(1) . '</td>';
print '<td></td>';
if (! empty($conf->banque->enabled))
print '<td align="right"></td>';
if (! empty($conf->banque->enabled)) print '<td align="right"></td>';
print '<td align="right">' . price($prev_invoice->total_ht) . '</td>';
print '<td align="right">' . price($prev_invoice->total_ttc) . '</td>';
print '<td align="right">' . $prev_invoice->getLibStatut(3, $totalpaye) . '</td>';
@ -3622,7 +3620,9 @@ else if ($id > 0 || ! empty($ref))
}
print '<tr class="oddeven">';
print '<td colspan="2" align="right"></td>';
print '<td></td>';
print '<td></td>';
if (! empty($conf->banque->enabled)) print '<td></td>';
print '<td align="right"><b>' . price($total_prev_ht) . '</b></td>';
print '<td align="right"><b>' . price($total_prev_ttc) . '</b></td>';
print '<td width="18">&nbsp;</td>';

19
htdocs/core/actions_linkedfiles.inc.php
View File

@ -73,7 +73,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes')
$ret = dol_delete_file($file, 0, 0, 0, $object);
if (! empty($fileold)) dol_delete_file($fileold, 0, 0, 0, $object); // Delete file using old path
// Si elle existe, on efface la vignette
if (preg_match('/(\.jpg|\.jpeg|\.bmp|\.gif|\.png|\.tiff)$/i',$file,$regs))
{
@ -152,19 +152,28 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave'))
{
$filenamefrom=dol_sanitizeFileName(GETPOST('renamefilefrom'));
$filenameto=dol_sanitizeFileName(GETPOST('renamefileto'));
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$filenameto.= '.noexe';
}
if ($filenamefrom && $filenameto)
{
$srcpath = $upload_dir.'/'.$filenamefrom;
$destpath = $upload_dir.'/'.$filenameto;
$result = dol_move($srcpath, $destpath);
if ($result)
if ($result)
{
$object->addThumbs($destpath);
// TODO Add revert function of addThumbs
//$object->delThumbs($srcpath);
setEventMessages($langs->trans("FileRenamed"), null);
}
else

2
htdocs/core/ajax/ajaxdirpreview.php
View File

@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir))
}
print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
print '<!-- Page called with mode='.(isset($mode)?$mode:'').' type='.$type.' module='.$module.' url='.$url.' '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
$param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:'');

2
htdocs/core/ajax/bankconciliate.php
View File

@ -45,7 +45,7 @@ $action=GETPOST('action','aZ09');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext')
{

2
htdocs/core/ajax/box.php
View File

@ -50,7 +50,7 @@ $userid=GETPOST('userid','int');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Add a box
if ($boxid > 0 && $zone !='' && $userid > 0)

2
htdocs/core/ajax/constantonoff.php
View File

@ -45,7 +45,7 @@ $name=GETPOST('name','alpha');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (! empty($action) && ! empty($name))

8
htdocs/core/ajax/contacts.php
View File

@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($id) && ! empty($action) && ! empty($htmlname))
{
$form = new Form($db);
$return=array();
if (empty($showempty)) $showempty=0;
$return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true);
$return['num'] = $form->num;
$return['error'] = $form->error;
echo json_encode($return);
}

18
htdocs/core/ajax/extraparams.php
View File

@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha');
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
{
$value = GETPOST('value','alpha');
$params=array();
dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG);
$classpath = $subelement = $element;
// For compatibility
if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; }
else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; }
@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; }
else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; }
else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; }
dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php');
if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; }
else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; }
else $classname = ucfirst($subelement);
$object = new $classname($db);
$object->fetch($id);
$params[$htmlelement] = array($type => $value);
$object->extraparams = array_merge($object->extraparams, $params);
$result=$object->setExtraParameters();
}

2
htdocs/core/ajax/loadinplace.php
View File

@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element))

2
htdocs/core/ajax/objectonoff.php
View File

@ -42,7 +42,7 @@ $object = new GenericObject($db);
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering new values
if (($action == 'set') && ! empty($id))

2
htdocs/core/ajax/price.php
View File

@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha'));
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($output) && isset($amount) && isset($tva_tx))

6
htdocs/core/ajax/row.php
View File

@ -18,8 +18,8 @@
/**
* \file htdocs/core/ajax/row.php
* \brief File to return Ajax response on Row move.
* This ajax page is called when doing an up or down drag and drop.
* \brief File to return Ajax response on Row move.
* This ajax page is called when doing an up or down drag and drop.
*/
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal
@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line']))

2
htdocs/core/ajax/saveinplace.php
View File

@ -54,7 +54,7 @@ savemethodname:
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
//print_r($_POST);
// Load original field value

6
htdocs/core/ajax/security.php
View File

@ -17,8 +17,8 @@
/**
* \file htdocs/core/ajax/security.php
* \brief This ajax component is used to generated has keys for security purposes
* like key to use into URL to protect them.
* \brief This ajax component is used to generated has keys for security purposes
* like key to use into URL to protect them.
*/
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal
@ -38,7 +38,7 @@ require '../../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (isset($_GET['action']) && ! empty($_GET['action']))

2
htdocs/core/ajax/vatrates.php
View File

@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0);
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($id) && ! empty($action) && ! empty($htmlname))

2
htdocs/core/ajax/ziptown.php
View File

@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
//var_dump($_GET);

4
htdocs/core/class/html.formother.class.php
View File

@ -1062,7 +1062,7 @@ class FormOther
async: false
});
// We force reload to be sure to get all boxes into list
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\';
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\';
}
else
{
@ -1084,7 +1084,7 @@ class FormOther
url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\',
async: false
});
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid;
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid;
}
});';
if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();';

4
htdocs/core/lib/files.lib.php
View File

@ -910,8 +910,8 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
}
// Security:
// Disallow file with some extensions. We renamed them.
// Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande.
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$file_name.= '.noexe';

7
htdocs/core/lib/functions.lib.php
View File

@ -414,9 +414,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
case 'intcomma':
if (preg_match('/[^0-9,]+/i',$out)) $out='';
break;
case 'intcomma':
if (preg_match('/[^0-9,]+/i',$out)) $out='';
break;
case 'alpha':
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
@ -3171,8 +3168,8 @@ function dol_print_error($db='',$error='',$errors=null)
$out.="<b>".$langs->trans("Referer").":</b> ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."<br>\n";
$out.="<b>".$langs->trans("MenuManager").":</b> ".(isset($conf->standard_menu)?$conf->standard_menu:'')."<br>\n";
$out.="<br>\n";
$syslog.="url=".$_SERVER["REQUEST_URI"];
$syslog.=", query_string=".$_SERVER["QUERY_STRING"];
$syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]);
$syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]);
}
else // Mode CLI
{

4
htdocs/core/lib/security2.lib.php
View File

@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc)
$dol_url_root = DOL_URL_ROOT;
$php_self = $_SERVER['PHP_SELF'];
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
// Title
$appli=constant('DOL_APPLICATION_TITLE');
$title=$appli.' '.constant('DOL_VERSION');

2
htdocs/core/tpl/ajax/fileupload_main.tpl.php
View File

@ -45,7 +45,7 @@ $(function () {
// Events
$('#fileupload').fileupload({
stop: function (e, data) {
location.href='<?php echo $_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"]; ?>';
location.href='<?php echo dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]); ?>';
},
destroy: function (e, data) {
var that = $(this).data('fileupload');

2
htdocs/core/tpl/ajaxrow.tpl.php
View File

@ -63,7 +63,7 @@ $(document).ready(function(){
function() {
console.log("tableDND end of ajax call");
if (reloadpage == 1) {
location.href = '<?php echo $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; ?>';
location.href = '<?php echo dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']); ?>';
} else {
$("#<?php echo $tagidfortablednd; ?> .drag").each(
function( intIndex ) {

6
htdocs/core/tpl/login.tpl.php
View File

@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
// If we force to use jmobile, then we reenable javascript
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
// Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
$arrayofjs=array(
'/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)),
@ -82,7 +86,7 @@ $(document).ready(function () {
<div class="login_table_title center" title="<?php echo dol_escape_htmltag($title); ?>">
<?php
if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
echo dol_escape_htmltag($title);
echo dol_escape_htmltag($title);
if ($disablenofollow) echo '</a>';
?>
</div>

7
htdocs/core/tpl/passwordforgotten.tpl.php
View File

@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
// If we force to use jmobile, then we reenable javascript
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
$php_self = $_SERVER['PHP_SELF'];
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
print top_htmlhead('',$langs->trans('SendNewPassword'));
?>
<!-- BEGIN PHP TEMPLATE PASSWORDFORGOTTEN.TPL.PHP -->
@ -56,7 +59,7 @@ $(document).ready(function () {
<div class="login_table_title center" title="<?php echo dol_escape_htmltag($title); ?>">
<?php
if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
echo dol_escape_htmltag($title);
echo dol_escape_htmltag($title);
if ($disablenofollow) echo '</a>';
?>
</div>
@ -96,7 +99,7 @@ if (! empty($hookmanager->resArray['options'])) {
}
?>
<?php if ($captcha) {
<?php if ($captcha) {
// Add a variable param to force not using cache (jmobile)
$php_self = preg_replace('/[&\?]time=(\d+)/','',$php_self); // Remove param time
if (preg_match('/\?/',$php_self)) $php_self.='&time='.dol_print_date(dol_now(),'dayhourlog');

75
htdocs/don/card.php
View File

@ -316,17 +316,17 @@ if ($action == 'create')
print '</td>';
// Amount
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" value="'.GETPOST("amount").'" size="10"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" value="'.dol_escape_htmltag(GETPOST("amount")).'" size="10"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
print '<tr><td class="fieldrequired">'.$langs->trans("PublicDonation")."</td><td>";
print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1);
print "</td></tr>\n";
print "<tr>".'<td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" value="'.GETPOST("societe").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" value="'.GETPOST("lastname").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" value="'.GETPOST("firstname").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" value="'.dol_escape_htmltag(GETPOST("societe")).'" class="maxwidth200"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" value="'.dol_escape_htmltag(GETPOST("lastname")).'" class="maxwidth200"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" value="'.dol_escape_htmltag(GETPOST("firstname")).'" class="maxwidth200"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="3">'.GETPOST("address").'</textarea></td></tr>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="3">'.dol_escape_htmltag(GETPOST("address")).'</textarea></td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
@ -341,7 +341,7 @@ if ($action == 'create')
if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1);
print '</td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" value="'.GETPOST("email").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" value="'.dol_escape_htmltag(GETPOST("email")).'" class="maxwidth200"></td></tr>';
// Public note
print '<tr>';
@ -385,9 +385,9 @@ if ($action == 'create')
dol_fiche_end();
print '<div class="center">';
print '<input type="submit" class="button" name="save" value="'.$langs->trans("Save").'">';
print '<input type="submit" class="button" name="save" value="'.dol_escape_htmltag($langs->trans("Save")).'">';
print '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
print '<input type="button" class="button" value="' . $langs->trans("Cancel") . '" onClick="javascript:history.go(-1)">';
print '<input type="button" class="button" value="'.dol_escape_htmltag($langs->trans("Cancel")).'" onClick="javascript:history.go(-1)">';
print '</div>';
print "</form>\n";
@ -439,7 +439,7 @@ if (! empty($id) && $action == 'edit')
// Amount
if ($object->statut == 0)
{
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" size="10" value="'.$object->amount.'"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" size="10" value="'.dol_escape_htmltag($object->amount).'"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
}
else
{
@ -454,11 +454,11 @@ if (! empty($id) && $action == 'edit')
print "</tr>\n";
$langs->load("companies");
print '<tr><td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.$object->societe.'"></td></tr>';
print '<tr><td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.$object->lastname.'"></td></tr>';
print '<tr><td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.$object->firstname.'"></td></tr>';
print '<tr><td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" class="maxwidth200" value="'.dol_escape_htmltag($object->societe).'"></td></tr>';
print '<tr><td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" class="maxwidth200" value="'.dol_escape_htmltag($object->lastname).'"></td></tr>';
print '<tr><td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" class="maxwidth200" value="'.dol_escape_htmltag($object->firstname).'"></td></tr>';
print '<tr><td>'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_3.'">'.$object->address.'</textarea></td></tr>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_3.'">'.dol_escape_htmltag($object->address).'</textarea></td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
@ -473,7 +473,7 @@ if (! empty($id) && $action == 'edit')
if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1);
print '</td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" size="40" value="'.$object->email.'"></td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" class="maxwidth200" value="'.dol_escape_htmltag($object->email).'"></td></tr>';
print "<tr><td>".$langs->trans("PaymentMode")."</td><td>\n";
@ -594,13 +594,6 @@ if (! empty($id) && $action != 'edit')
print '<table class="border" width="100%">';
// Ref
/*
print '<tr><td class="titlefield">'.$langs->trans("Ref").'</td><td colspan="2">';
print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', '');
print '</td>';
print '</tr>';
*/
// Date
print '<tr><td class="titlefield">'.$langs->trans("Date").'</td><td colspan="2">';
print dol_print_date($object->date,"day");
@ -617,52 +610,12 @@ if (! empty($id) && $action != 'edit')
print '<tr><td>'.$langs->trans("Company").'</td><td colspan="2">'.$object->societe.'</td></tr>';
print '<tr><td>'.$langs->trans("Lastname").'</td><td colspan="2">'.$object->lastname.'</td></tr>';
print '<tr><td>'.$langs->trans("Firstname").'</td><td colspan="2">'.$object->firstname.'</td></tr>';
/*print '<tr><td>'.$langs->trans("Address").'</td><td>'.dol_nl2br($object->address).'</td>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'</td></tr>';
// Country
print '<tr><td>'.$langs->trans('Country').'</td><td>';
if (! empty($object->country_code))
{
$img=picto_from_langcode($object->country_code);
print ($img?$img.' ':'');
print $object->country;
}
else
{
print $object->country_olddata;
}
print '</td></tr>';
// EMail
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td>'.dol_print_email($object->email).'</td></tr>';
*/
// Payment mode
print "<tr><td>".$langs->trans("PaymentMode")."</td><td>";
$form->form_modes_reglement(null, $object->modepaymentid,'none');
print "</td></tr>\n";
//print "<tr>".'<td>'.$langs->trans("Status").'</td><td>'.$object->getLibStatut(4).'</td></tr>';
// Project
/*
if (! empty($conf->projet->enabled))
{
print '<tr>';
print '<td>'.$langs->trans("Project").'</td>';
print '<td>';
$projettmp=new Project($db);
$projettmp->id=$object->fk_projet;
$projettmp->ref=$object->project;
if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1);
print '</td>';
print '</tr>';
}*/
// Other attributes
$cols = 2;
include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php';

2
htdocs/ecm/ajax/ecmdatabase.php
View File

@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (isset($action) && ! empty($action))

2
htdocs/expensereport/ajax/ajaxprojet.php
View File

@ -46,7 +46,7 @@ require '../../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_GET));

4
htdocs/externalsite/frames.php
View File

@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL))
llxFooter();
}
$mainmenu=GETPOST('mainmenu', 'alpha');
$leftmenu=GETPOST('leftmenu', 'alpha');
$mainmenu=GETPOST('mainmenu', "aZ09");
$leftmenu=GETPOST('leftmenu', "aZ09");
$idmenu=GETPOST('idmenu', 'int');
$theme=GETPOST('theme', 'alpha');
$codelang=GETPOST('lang', 'aZ09');

18
htdocs/fourn/ajax/getSupplierPrices.php
View File

@ -46,7 +46,7 @@ $langs->load('margins');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if ($idprod > 0)
{
@ -55,7 +55,7 @@ if ($idprod > 0)
$sorttouse = 's.nom, pfp.quantity, pfp.price';
if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price';
$productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list.
if ( is_array($productSupplierArray))
{
@ -63,34 +63,34 @@ if ($idprod > 0)
{
$price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100);
$unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100);
$title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - ';
if ($productSupplier->fourn_qty == 1)
{
$title.= price($price,0,$langs,0,0,-1,$conf->currency)."/";
}
$title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units"));
if ($productSupplier->fourn_qty > 1)
{
$title.=" - ";
$title.= price($unitprice,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
$price = $unitprice;
}
$label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')';
$prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price()
}
}
// Add price for costprice
$price=$producttmp->cost_price;
$prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price()
if(!empty($conf->stock->enabled))
if(!empty($conf->stock->enabled))
{
// Add price for pmp
$price=$producttmp->pmp;

12
htdocs/holiday/list.php
View File

@ -138,7 +138,7 @@ if($year_start > 0) {
}
} else {
if($month_start > 0) {
$filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'";
$filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'";
}
}
@ -153,7 +153,7 @@ if($year_end > 0) {
}
} else {
if($month_end > 0) {
$filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'";
$filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'";
}
}
@ -168,7 +168,7 @@ if($year_create > 0) {
}
} else {
if($month_create > 0) {
$filter.= " AND date_format(cp.date_create, '%m') = '$month_create'";
$filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'";
}
}
@ -302,7 +302,7 @@ print '</td>';
// DATE CREATE
print '<td class="liste_titre" align="center">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.$month_create.'">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.dol_escape_htmltag($month_create).'">';
$formother->select_year($year_create,'year_create',1, $min_year, 0);
print '</td>';
@ -357,13 +357,13 @@ print '<td class="liste_titre">&nbsp;</td>';
// DATE DEBUT
print '<td class="liste_titre" align="center">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_start" value="'.$month_start.'">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_start" value="'.dol_escape_htmltag($month_start).'">';
$formother->select_year($year_start,'year_start',1, $min_year, $max_year);
print '</td>';
// DATE FIN
print '<td class="liste_titre" align="center">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_end" value="'.$month_end.'">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_end" value="'.dol_escape_htmltag($month_end).'">';
$formother->select_year($year_end,'year_end',1, $min_year, $max_year);
print '</td>';

15
htdocs/install/mysql/migration/3.5.0-3.6.0.sql
View File

@ -62,6 +62,21 @@ ALTER TABLE llx_societe MODIFY COLUMN fk_currency varchar(3) NULL;
ALTER TABLE llx_bookmark ADD COLUMN entity integer DEFAULT 1 NOT NULL;
ALTER TABLE llx_bookmark MODIFY COLUMN url varchar(255) NOT NULL;
ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT '2001-01-01 00:00:00';
-- Clean corrupted values for tms
-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES';
-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE';
-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
-- Remove default not null on date_fin
-- VMYSQL4.3 ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN date_fin DATETIME NULL DEFAULT NULL;
-- VPGSQL8.2 ALTER TABLE llx_opensurvey_sondage ALTER COLUMN date_fin DROP NOT NULL;
ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT CURRENT_TIMESTAMP;
ALTER TABLE llx_opensurvey_sondage ADD COLUMN entity integer DEFAULT 1 NOT NULL;
ALTER TABLE llx_opensurvey_sondage ADD COLUMN allow_comments tinyint NOT NULL DEFAULT 1;
-- ALTER TABLE llx_opensurvey_sondage DROP COLUMN survey_link_visible;

14
htdocs/install/mysql/migration/5.0.0-6.0.0.sql
View File

@ -25,6 +25,8 @@
-- -- VMYSQL4.1 DELETE FROM llx_usergroup_user WHERE fk_usergroup NOT IN (SELECT rowid from llx_usergroup);
ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT '2001-01-01 00:00:00';
-- Clean corrupted values for tms
-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES';
-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
@ -34,12 +36,6 @@
-- VMYSQL4.3 ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN date_fin DATETIME NULL DEFAULT NULL;
-- VPGSQL8.2 ALTER TABLE llx_opensurvey_sondage ALTER COLUMN date_fin DROP NOT NULL;
ALTER TABLE llx_extrafields ADD COLUMN fieldcomputed text;
ALTER TABLE llx_extrafields ADD COLUMN fielddefault varchar(255);
ALTER TABLE llx_c_typent MODIFY COLUMN libelle varchar(64);
ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT CURRENT_TIMESTAMP;
ALTER TABLE llx_opensurvey_sondage ADD COLUMN fk_user_creat integer NOT NULL DEFAULT 0;
@ -50,6 +46,12 @@ ALTER TABLE llx_opensurvey_sondage ADD COLUMN allow_spy tinyint NOT NULL DEFAULT
ALTER TABLE llx_opensurvey_sondage ADD COLUMN sujet TEXT;
ALTER TABLE llx_extrafields ADD COLUMN fieldcomputed text;
ALTER TABLE llx_extrafields ADD COLUMN fielddefault varchar(255);
ALTER TABLE llx_c_typent MODIFY COLUMN libelle varchar(64);
create table llx_notify_def_object
(
id integer AUTO_INCREMENT PRIMARY KEY,

10
htdocs/install/mysql/migration/repair.sql
View File

@ -339,6 +339,16 @@ drop table tmp_c_shipment_mode;
-- VMYSQL4.1 update llx_expensereport_det as ed set date = (select date_debut from llx_expensereport as e where ed.fk_expensereport = e.rowid) where DATE(STR_TO_DATE(date, '%Y-%m-%d')) < '1000-00-00';
-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE';
-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES';
-- VMYSQL4.1 update llx_bank set tms = datec where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE';
-- VMYSQL4.1 update llx_bank set tms = datec where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES';
-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE';
-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL;
-- Backport a change of value into the hourly rate.
-- update llx_projet_task_time as ptt set ptt.thm = (SELECT thm from llx_user as u where ptt.fk_user = u.rowid) where (ptt.thm is null)

14
htdocs/langs/en_US/modulebuilder.lang
View File

@ -1,24 +1,25 @@
# Dolibarr language file - Source file is en_US - loan
ModuleBuilderDesc=This tools give you utilites to build or edit your own module.
ModuleBuilderDesc=This tools give you utilites to build or edit your own module (<a href="%s" target="_blank">More information here</a>).
EnterNameOfModuleDesc=Enter name of the module/application to create with no spaces. Use uppercase to separate words (For example: MyModule, EcommerceForShop, SyncWithMySystem...)
EnterNameOfObjectDesc=Enter name of the object to create with no spaces. Use uppercase to separate words (For example: MyObject, Student, Teacher...)
ModuleBuilderDesc2=Path were modules are generated/edited (first alternative directory defined into %s): <strong>%s</strong>
ModuleBuilderDesc3=Generated/editable modules found: <strong>%s</strong> (they are detected as editable when the file <strong>%s</strong> exists in root of module directory).
NewModule=New module
NewObject=New object
ModuleKey=Key for new module
ObjectKey=Key for new object
ModuleKey=Module key
ObjectKey=Object key
ModuleInitialized=Module initialized
FilesForObjectInitialized=Files for new object initialized
ModuleBuilderDescdescription=Enter here all general information that describe your module
ModuleBuilderDescobjects=Define here the new objects you want to manage with your module. A page to list them and a page to create/edit/view a card will be generated.
ModuleBuilderDescobjects=Define here the objects you want to manage with your module. A sql file, a page to list them, to create/edit/view a card and an API will be generated.
ModuleBuilderDescmenus=This tab is dedicated to define menu entries provided by your module.
ModuleBuilderDescpermissions=This tab is dedicated to define the new permissions you want to provide with your module.
ModuleBuilderDesctriggers=This is the view of triggers provided by your module. To include code executed when a triggered business event is launched, just edit this file with your IDE.
ModuleBuilderDeschooks=This tab is dedicated to hooks.
ModuleBuilderDescwidgets=This tab is dedicated to manage/build widgets.
ModuleBuilderDescbuildpackage=You can generate here a "ready to distribute" package file (a normalized .zip file) of your module. Just click on button to build the module package file.
ModuleBuilderDescdangerzone=You can delete your module. WARNING: All files of module will be definetly lost !
EnterNameOfModuleToDeleteDesc=You can delete your module. WARNING: All files of module will be definitly lost !
EnterNameOfObjectToDeleteDesc=You can delete an object. WARNING: All files related to object will be definitly lost !
DangerZone=Danger zone
BuildPackage=Build package
ModuleIsNotActive=This module was not activated yet (go into Home-Setup-Module to make it live)
@ -31,4 +32,5 @@ ClassFile=File for PHP class
ApiClassFile=File for PHP API class
PageForList=PHP page for list of record
PageForCreateEditView=PHP page to create/edit/view a record
PathToModulePackage=Path to zip of module/application package
PathToModulePackage=Path to zip of module/application package
SpaceOrSpecialCharAreNotAllowed=Spaces or special characters are not allowed.

11
htdocs/main.inc.php
View File

@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
$sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);
@ -1486,14 +1487,14 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
// Link to print main content area
if (empty($conf->global->MAIN_PRINT_DISABLELINK) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && empty($conf->browser->phone))
{
$qs=$_SERVER["QUERY_STRING"];
$qs=dol_escape_htmltag($_SERVER["QUERY_STRING"]);
foreach($_POST as $key=>$value) {
if($key!=='action' && !is_array($value))$qs.='&'.$key.'='.urlencode($value);
if ($key!=='action' && !is_array($value)) $qs.='&'.$key.'='.urlencode($value);
}
$qs.=(($qs && $morequerystring)?'&':'').$morequerystring;
$text ='<a href="'.$_SERVER["PHP_SELF"].'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
$text ='<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
//$text.= img_picto(":".$langs->trans("PrintContentArea"), 'printer_top.png', 'class="printer"');
$text.='<span class="fa fa-print atoplogin"></span>';
$text.='</a>';

363
htdocs/modulebuilder/index.php
View File

@ -58,41 +58,50 @@ $FILEFLAG='modulebuilder.txt';
if ($dirins && $action == 'initmodule' && $modulename)
{
$srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template';
$destdir = $dirins.'/'.strtolower($modulename);
$arrayreplacement=array(
'mymodule'=>strtolower($modulename),
'MyModule'=>$modulename
);
$result = dolCopyDir($srcdir, $destdir, 0, 0, $arrayreplacement);
//dol_mkdir($destfile);
if ($result <= 0)
if (preg_match('/\s/', $modulename))
{
if ($result < 0)
{
$error++;
$langs->load("errors");
setEventMessages($langs->trans("ErrorFailToCopyDir", $srcdir, $destdir), null, 'errors');
}
else // $result == 0
{
setEventMessages($langs->trans("AllFilesDidAlreadyExist", $srcdir, $destdir), null, 'warnings');
}
$error++;
setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors');
}
// Delete some files
dol_delete_file($destdir.'/myobject_card.php');
dol_delete_file($destdir.'/myobject_list.php');
dol_delete_file($destdir.'/test/phpunit/MyObjectTest.php');
dol_delete_file($destdir.'/sql/llx_myobject.key.sql');
dol_delete_file($destdir.'/sql/llx_myobject.sql');
dol_delete_file($destdir.'/scripts/myobject.php');
dol_delete_file($destdir.'/img/object_myobject.png');
dol_delete_file($destdir.'/class/myobject.class.php');
dol_delete_file($destdir.'/class/api_myobject.class.php');
dol_delete_file($destdir.'/class/MyObject.txt');
if (! $error)
{
$srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template';
$destdir = $dirins.'/'.strtolower($modulename);
$arrayreplacement=array(
'mymodule'=>strtolower($modulename),
'MyModule'=>$modulename
);
$result = dolCopyDir($srcdir, $destdir, 0, 0, $arrayreplacement);
//dol_mkdir($destfile);
if ($result <= 0)
{
if ($result < 0)
{
$error++;
$langs->load("errors");
setEventMessages($langs->trans("ErrorFailToCopyDir", $srcdir, $destdir), null, 'errors');
}
else // $result == 0
{
setEventMessages($langs->trans("AllFilesDidAlreadyExist", $srcdir, $destdir), null, 'warnings');
}
}
// Delete some files
dol_delete_file($destdir.'/myobject_card.php');
dol_delete_file($destdir.'/myobject_list.php');
dol_delete_file($destdir.'/test/phpunit/MyObjectTest.php');
dol_delete_file($destdir.'/sql/llx_myobject.key.sql');
dol_delete_file($destdir.'/sql/llx_myobject.sql');
dol_delete_file($destdir.'/scripts/myobject.php');
dol_delete_file($destdir.'/img/object_myobject.png');
dol_delete_file($destdir.'/class/myobject.class.php');
dol_delete_file($destdir.'/class/api_myobject.class.php');
dol_delete_file($destdir.'/class/MyObject.txt');
}
// Edit PHP files
if (! $error)
@ -129,74 +138,86 @@ if ($dirins && $action == 'initmodule' && $modulename)
if ($dirins && $action == 'initobject' && $module && $objectname)
{
$srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template';
$destdir = $dirins.'/'.strtolower($module);
$arrayreplacement=array(
'mymodule'=>strtolower($module),
'MyModule'=>$module,
'myobject'=>strtolower($objectname),
'MyObject'=>$objectname
);
// Delete some files
$filetogenerate = array(
'myobject_card.php'=>strtolower($objectname).'_card.php',
'myobject_list.php'=>strtolower($objectname).'_list.php',
'test/phpunit/MyObjectTest.php'=>'test/phpunit/'.$objectname.'Test.php',
'sql/llx_myobject.key.sql'=>'sql/llx_'.strtolower($objectname).'.key.sql',
'sql/llx_myobject.sql'=>'sql/llx_'.strtolower($objectname).'.sql',
'scripts/myobject.php'=>'scripts/'.strtolower($objectname).'.php',
'img/object_myobject.png'=>'img/object_'.strtolower($objectname).'.png',
'class/myobject.class.php'=>'class/'.strtolower($objectname).'.class.php',
'class/api_myobject.class.php'=>'class/api_'.strtolower($objectname).'.class.php',
'class/MyObject.txt'=>'class/'.$objectname.'.txt'
);
foreach($filetogenerate as $srcfile => $destfile)
if (preg_match('/\s/', $objectname))
{
$result = dol_copy($srcdir.'/'.$srcfile, $destdir.'/'.$destfile);
if ($result <= 0)
{
if ($result < 0)
{
$error++;
$langs->load("errors");
setEventMessages($langs->trans("ErrorFailToCopyFile", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'errors');
}
else // $result == 0
{
setEventMessages($langs->trans("FileAlreadyExists", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'warnings');
}
}
else
{
// Copy is ok
}
$error++;
setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors');
}
// Edit PHP files
foreach($filetogenerate as $destfile)
if (! $error)
{
$phpfileval['fullname'] = $destdir.'/'.$destfile;
$srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template';
$destdir = $dirins.'/'.strtolower($module);
//var_dump($phpfileval['fullname']);
$arrayreplacement=array(
'mymodule'=>strtolower($modulename),
'MyModule'=>$modulename,
'MYMODULE'=>strtoupper($modulename),
'My module'=>$modulename,
'htdocs/modulebuilder/template/'=>'',
'mymodule'=>strtolower($module),
'MyModule'=>$module,
'myobject'=>strtolower($objectname),
'MyObject'=>$objectname
);
$result=dolReplaceInFile($phpfileval['fullname'], $arrayreplacement);
//var_dump($result);
if ($result < 0)
// Delete some files
$filetogenerate = array(
'myobject_card.php'=>strtolower($objectname).'_card.php',
'myobject_list.php'=>strtolower($objectname).'_list.php',
'test/phpunit/MyObjectTest.php'=>'test/phpunit/'.$objectname.'Test.php',
'sql/llx_myobject.key.sql'=>'sql/llx_'.strtolower($objectname).'.key.sql',
'sql/llx_myobject.sql'=>'sql/llx_'.strtolower($objectname).'.sql',
'scripts/myobject.php'=>'scripts/'.strtolower($objectname).'.php',
'img/object_myobject.png'=>'img/object_'.strtolower($objectname).'.png',
'class/myobject.class.php'=>'class/'.strtolower($objectname).'.class.php',
'class/api_myobject.class.php'=>'class/api_'.strtolower($objectname).'.class.php',
'class/MyObject.txt'=>'class/'.$objectname.'.txt'
);
foreach($filetogenerate as $srcfile => $destfile)
{
setEventMessages($langs->trans("ErrorFailToMakeReplacementInto", $phpfileval['fullname']), null, 'errors');
$result = dol_copy($srcdir.'/'.$srcfile, $destdir.'/'.$destfile);
if ($result <= 0)
{
if ($result < 0)
{
$error++;
$langs->load("errors");
setEventMessages($langs->trans("ErrorFailToCopyFile", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'errors');
}
else // $result == 0
{
setEventMessages($langs->trans("FileAlreadyExists", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'warnings');
}
}
else
{
// Copy is ok
}
}
}
if (! $error)
{
// Edit PHP files
foreach($filetogenerate as $destfile)
{
$phpfileval['fullname'] = $destdir.'/'.$destfile;
//var_dump($phpfileval['fullname']);
$arrayreplacement=array(
'mymodule'=>strtolower($modulename),
'MyModule'=>$modulename,
'MYMODULE'=>strtoupper($modulename),
'My module'=>$modulename,
'htdocs/modulebuilder/template/'=>'',
'myobject'=>strtolower($objectname),
'MyObject'=>$objectname
);
$result=dolReplaceInFile($phpfileval['fullname'], $arrayreplacement);
//var_dump($result);
if ($result < 0)
{
setEventMessages($langs->trans("ErrorFailToMakeReplacementInto", $phpfileval['fullname']), null, 'errors');
}
}
}
@ -206,18 +227,90 @@ if ($dirins && $action == 'initobject' && $module && $objectname)
}
}
if ($dirins && $action == 'confirm_delete')
{
$modulelowercase=strtolower($module);
if (preg_match('/\s/', $module))
{
$error++;
setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors');
}
// Dir for module
$dir = $dirins.'/'.$modulelowercase;
if (! $error)
{
$modulelowercase=strtolower($module);
dol_delete_dir_recursive($dir);
// Dir for module
$dir = $dirins.'/'.$modulelowercase;
header("Location: ".DOL_URL_ROOT.'/modulebuilder/index.php?module=initmodule');
exit;
$result = dol_delete_dir_recursive($dir);
if ($result > 0)
{
setEventMessages($langs->trans("DirDeleted"), null);
}
else
{
setEventMessages($langs->trans("NothingDeleted"), null, 'warnings');
}
}
//header("Location: ".DOL_URL_ROOT.'/modulebuilder/index.php?module=initmodule');
//exit;
$action = '';
$module = 'deletemodule';
}
if ($dirins && $action == 'confirm_deleteobject' && $objectname)
{
if (preg_match('/\s/', $objectname))
{
$error++;
setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors');
}
if (! $error)
{
$modulelowercase=strtolower($module);
$objectlowercase=strtolower($objectname);
// Dir for module
$dir = $dirins.'/'.$modulelowercase;
// Delete some files
$filetogenerate = array(
'myobject_card.php'=>strtolower($objectname).'_card.php',
'myobject_list.php'=>strtolower($objectname).'_list.php',
'test/phpunit/MyObjectTest.php'=>'test/phpunit/'.$objectname.'Test.php',
'sql/llx_myobject.key.sql'=>'sql/llx_'.strtolower($objectname).'.key.sql',
'sql/llx_myobject.sql'=>'sql/llx_'.strtolower($objectname).'.sql',
'scripts/myobject.php'=>'scripts/'.strtolower($objectname).'.php',
'img/object_myobject.png'=>'img/object_'.strtolower($objectname).'.png',
'class/myobject.class.php'=>'class/'.strtolower($objectname).'.class.php',
'class/api_myobject.class.php'=>'class/api_'.strtolower($objectname).'.class.php',
'class/MyObject.txt'=>'class/'.$objectname.'.txt'
);
$resultko = 0;
foreach($filetogenerate as $filetodelete)
{
$resulttmp = dol_delete_file($dir.'/'.$filetodelete, 0, 0, 1);
if (! $resulttmp) $resultko++;
}
if ($resultko == 0)
{
setEventMessages($langs->trans("FilesDeleted"), null);
}
else
{
setEventMessages($langs->trans("ErrorSomeFilesCouldNotBeDeleted"), null, 'warnings');
}
}
//header("Location: ".DOL_URL_ROOT.'/modulebuilder/index.php?module=initmodule');
//exit;
$action = '';
$tabobj = 'deleteobject';
}
if ($dirins && $action == 'generatepackage')
@ -341,7 +434,7 @@ if (!empty($conf->modulebuilder->enabled) && $mainmenu == 'modulebuilder') // En
// Show description of content
$newdircustom=$dirins;
if (empty($newdircustom)) $newdircustom=img_warning();
print $langs->trans("ModuleBuilderDesc").'<br>';
print $langs->trans("ModuleBuilderDesc", 'https://wiki.dolibarr.org/index.php/Module_development#Create_your_module').'<br>';
print $langs->trans("ModuleBuilderDesc2", 'conf/conf.php', $newdircustom).'<br>';
$message='';
@ -381,7 +474,7 @@ print $langs->trans("ModuleBuilderDesc3", count($listofmodules), $FILEFLAG).'<br
$error=0;
$moduleobj = null;
if (! empty($module) && $module != 'initmodule')
if (! empty($module) && $module != 'initmodule' && $module != 'deletemodule')
{
$modulelowercase=strtolower($module);
@ -428,6 +521,10 @@ foreach($listofmodules as $tmpmodule => $tmpmodulewithcase)
$h++;
}
$head[$h][0] = $_SERVER["PHP_SELF"].'?module=deletemodule';
$head[$h][1] = $langs->trans("DangerZone");
$head[$h][2] = 'deletemodule';
$h++;
dol_fiche_head($head, $module, $langs->trans("Modules"), -1, 'generic');
@ -446,6 +543,19 @@ if ($module == 'initmodule')
print '<input type="submit" class="button" name="create" value="'.dol_escape_htmltag($langs->trans("Create")).'"'.($dirins?'':' disabled="disabled"').'>';
print '</form>';
}
elseif ($module == 'deletemodule')
{
print '<form name="delete">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="confirm_delete">';
print '<input type="hidden" name="module" value="deletemodule">';
print $langs->trans("EnterNameOfModuleToDeleteDesc").'<br><br>';
print '<input type="text" name="module" placeholder="'.dol_escape_htmltag($langs->trans("ModuleKey")).'" value="">';
print '<input type="submit" class="buttonDelete" value="'.$langs->trans("Delete").'"'.($dirins?'':' disabled="disabled"').'>';
print '</form>';
}
elseif (! empty($module))
{
// Tabs for module
@ -502,11 +612,6 @@ elseif (! empty($module))
$head2[$h][2] = 'buildpackage';
$h++;
$head2[$h][0] = $_SERVER["PHP_SELF"].'?tab=dangerzone&module='.$module;
$head2[$h][1] = $langs->trans("DangerZone");
$head2[$h][2] = 'dangerzone';
$h++;
print $modulestatusinfo.'<br><br>';
dol_fiche_head($head2, $tab, '', -1, '');
@ -532,6 +637,7 @@ elseif (! empty($module))
print '<tr><td>';
print $langs->trans("Numero");
print ' (<a href="https://wiki.dolibarr.org/index.php/List_of_modules_id" target="_blank">'.$langs->trans("SeeHere").'</a>)';
print '</td><td>';
print $moduleobj->numero;
print '</td></tr>';
@ -597,7 +703,7 @@ elseif (! empty($module))
$head3[$h][2] = 'newobject';
$h++;
$listofobject = dol_dir_list($dir , 'files', 0, '\.txt$');
$listofobject = dol_dir_list($dir, 'files', 0, '\.txt$');
foreach($listofobject as $fileobj)
{
$objectname = preg_replace('/\.txt$/', '', $fileobj['name']);
@ -608,6 +714,12 @@ elseif (! empty($module))
$h++;
}
$head3[$h][0] = $_SERVER["PHP_SELF"].'?tab=objects&module='.$module.'&tabobj=deleteobject';
$head3[$h][1] = $langs->trans("DangerZone");
$head3[$h][2] = 'deleteobject';
$h++;
dol_fiche_head($head3, $tabobj, '', -1, '');
if ($tabobj == 'newobject')
@ -625,6 +737,21 @@ elseif (! empty($module))
print '<input type="submit" class="button" name="create" value="'.dol_escape_htmltag($langs->trans("Create")).'"'.($dirins?'':' disabled="disabled"').'>';
print '</form>';
}
elseif ($tabobj == 'deleteobject')
{
// New module
print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="confirm_deleteobject">';
print '<input type="hidden" name="tab" value="objects">';
print '<input type="hidden" name="module" value="'.dol_escape_htmltag($module).'">';
print $langs->trans("EnterNameOfObjectToDeleteDesc").'<br><br>';
print '<input type="text" name="objectname" value="'.dol_escape_htmltag($modulename).'" placeholder="'.dol_escape_htmltag($langs->trans("ObjectKey")).'">';
print '<input type="submit" class="buttonDelete" name="delete" value="'.dol_escape_htmltag($langs->trans("Delete")).'"'.($dirins?'':' disabled="disabled"').'>';
print '</form>';
}
else
{
try {
@ -641,8 +768,9 @@ elseif (! empty($module))
$tmpobjet = new $tabobj($db);
$reflector = new ReflectionClass($tabobj);
$properties = $reflector->getProperties();
$propdefault = $reflector->getDefaultProperties();
$properties = $reflector->getProperties(); // Can also use get_object_vars
$propdefault = $reflector->getDefaultProperties(); // Can also use get_object_vars
//$propstat = $reflector->getStaticProperties();
print load_fiche_titre($langs->trans("Properties"), '', '');
@ -655,8 +783,10 @@ elseif (! empty($module))
print '<table class="noborder">';
print '<tr class="liste_titre">';
print '<td>'.$langs->trans("Property").'</td>';
print '<td>'.$langs->trans("Description").'</td>';
print '<td>'.$langs->trans("Property");
print ' (<a href="https://wiki.dolibarr.org/index.php/Language_and_development_rules#Table_and_fields_structures" target="_blank">'.$langs->trans("Example").'</a>)';
print '</td>';
print '<td>'.$langs->trans("Comment").'</td>';
print '<td>'.$langs->trans("Type").'</td>';
print '<td>'.$langs->trans("DefaultValue").'</td>';
print '<td></td>';
@ -676,7 +806,7 @@ elseif (! empty($module))
$propname=$propval->getName();
// Discard generic properties
if (in_array($propname, array('element', 'table_element', 'table_element_line', 'class_element_line', 'ismultientitymanaged'))) continue;
if (in_array($propname, array('element', 'childtables', 'table_element', 'table_element_line', 'class_element_line', 'isnolinkedbythird', 'ismultientitymanaged'))) continue;
// Keep or not lines
if (in_array($propname, array('fk_element', 'lines'))) continue;
@ -686,11 +816,10 @@ elseif (! empty($module))
print $propname;
print '</td>';
print '<td>';
print $propval->getDocComment();
print '</td>';
print '<td>';
print gettype($tmpobjet->$propname);
print '</td>';
print '<td>';
@ -836,16 +965,6 @@ elseif (! empty($module))
print '</form>';
}
if ($tab == 'dangerzone')
{
print '<form name="delete">';
print '<input type="hidden" name="action" value="confirm_delete">';
print '<input type="hidden" name="tab" value="'.dol_escape_htmltag($tab).'">';
print '<input type="hidden" name="module" value="'.dol_escape_htmltag($module).'">';
print '<input type="submit" class="buttonDelete" value="'.$langs->trans("Delete").'"'.($dirins?'':' disabled="disabled"').'>';
print '</form>';
}
dol_fiche_end();
}
}

3
htdocs/modulebuilder/template/class/MyObject.txt
View File

@ -1 +1,2 @@
# If this file exists, it means the class and file for object MyOjbect was generated by ModuleBuilder.
# DO NOT DELETE THIS FILE MANUALLY
# If this file exists, it means the class and file for object MyOjbect was generated by ModuleBuilder. Use ModuleBuilder if you want to delete object.

62
htdocs/modulebuilder/template/class/myobject.class.php
View File

@ -36,43 +36,63 @@ require_once DOL_DOCUMENT_ROOT . '/core/class/commonobject.class.php';
class MyObject extends CommonObject
{
/**
* @var string Id to identify managed object
* @var string ID to identify managed object
*/
public $element = 'myobject';
/**
* @var string Name of table without prefix where object is stored
*/
public $table_element = 'myobject';
/**
* @var array Array with all fields and their property
/**
* @var array Does this field is linked to a thirdparty ?
*/
protected $isnolinkedbythird=1;
/**
* @var array Does myobject support multicompany module ? 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
*/
protected $ismultientitymanaged = 1;
/**
* @var string String with name of icon for myobject
*/
public $picto = 'myobject';
/**
* @var array Array with all fields and their property
/**
* @var int Entity Id
*/
public $entity;
/**
* @var array Array with all fields and their property
*/
public $fields;
// If this object has a subtable with lines
/**
* @var mixed Sample property 1
* @var int Name of subtable line
*/
public $prop1;
//public $table_element_line = 'myobjectdet';
/**
* @var mixed Sample property 2
* @var int Field with ID of parent key if this field has a parent
*/
public $prop2;
//...
protected $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
public $table_element_line = 'myobjectdet';
public $class_element_line = 'MyObjectline';
public $fk_element = 'fk_myobject';
/**
* @var MyObjectLine[] Lines
//public $fk_element = 'fk_myobject';
/**
* @var int Name of subtable class that manage subtable lines
*/
public $lines = array();
//public $class_element_line = 'MyObjectline';
/**
* @var array Array of child tables (child tables to delete before deleting a record)
*/
//protected $childtables=array('myobjectdet');
/**
* @var MyObjectLine[] Array of subtable lines
*/
//public $lines = array();

5
htdocs/modulebuilder/template/modulebuilder.txt
View File

@ -1,2 +1,3 @@
File to flag module built using official module template.
When this file is present into a module directory, you can edit it with the module builder tool.
# DO NOT DELETE THIS FILE MANUALLY
# File to flag module built using official module template.
# When this file is present into a module directory, you can edit it with the module builder tool. Use ModuleBuilder if you want to delete module.

2
htdocs/product/ajax/products.php
View File

@ -57,7 +57,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
* View
*/
// print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
// print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',', $_GET));
// print_r($_GET);

2
htdocs/public/demo/index.php
View File

@ -291,7 +291,7 @@ print '</div>';
print '<div class="demobantext" style="max-width: 1024px;">';
print '<div style="font-size: 20px; padding: 40px;">';
print '<div style="text-align: justify;">'.$langs->trans("DemoDesc").'</div><br>';
print '<font color="#555577"><b>'.$langs->trans("ChooseYourDemoProfil").'</b></font>';
print '<div class="titre"><font style="font-size: 20px">'.$langs->trans("ChooseYourDemoProfil").'</font></div>';
print '</div>';
print '</div>';

6
htdocs/public/opensurvey/studs.php
View File

@ -113,14 +113,14 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // bout
}
$nom=substr(GETPOST("nom"),0,64);
// Check if vote already exists
$sql = 'SELECT id_users, nom as name';
$sql.= ' FROM '.MAIN_DB_PREFIX.'opensurvey_user_studs';
$sql.= " WHERE id_sondage='".$db->escape($numsondage)."' AND nom = '".$db->escape($nom)."' ORDER BY id_users";
$resql = $db->query($sql);
if (! $resql) dol_print_error($db);
$num_rows = $db->num_rows($resql);
if ($num_rows > 0)
{
@ -739,7 +739,7 @@ if ($comments)
if ($object->allow_comments) {
print '<div class="addcomment">' .$langs->trans("AddACommentForPoll") . "<br>\n";
print '<textarea name="comment" rows="2" cols="60"></textarea><br>'."\n";
print '<textarea name="comment" rows="'.ROWS_2.'" class="quatrevingtpercent"></textarea><br>'."\n";
print $langs->trans("Name") .': ';
print '<input type="text" name="commentuser" maxlength="64" /> &nbsp; '."\n";
print '<input type="submit" class="button" name="ajoutcomment" value="'.dol_escape_htmltag($langs->trans("AddComment")).'"><br>'."\n";

2
htdocs/public/paybox/paymentko.php
View File

@ -66,7 +66,7 @@ $paymentmethod='paybox';
* View
*/
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";

2
htdocs/public/paybox/paymentok.php
View File

@ -76,7 +76,7 @@ $paymentmethod='paybox';
* View
*/
dol_syslog("Callback url when a PayBox payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
dol_syslog("Callback url when a PayBox payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";

18
htdocs/public/paypal/paymentko.php
View File

@ -76,7 +76,7 @@ $paymentmethod='paypal';
* View
*/
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
@ -94,23 +94,23 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
$FinalPaymentAmt = $_SESSION["Payment_Amount"];
// From env
$ipaddress = $_SESSION['ipaddress'];
// Appel des triggers
include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
$interface=new Interfaces($db);
$result=$interface->run_triggers('PAYPAL_PAYMENT_KO',$object,$user,$langs,$conf);
if ($result < 0) { $error++; $errors=$interface->errors; }
// Fin appel triggers
// Send an email
$sendemail = '';
if (! empty($conf->global->PAYPAL_PAYONLINE_SENDEMAIL)) $sendemail=$conf->global->PAYPAL_PAYONLINE_SENDEMAIL;
if ($sendemail)
{
$sendto=$sendemail;
$from=$conf->global->MAILING_EMAIL_FROM;
// Define link to login card
$appli=constant('DOL_APPLICATION_TITLE');
if (! empty($conf->global->MAIN_APPLICATION_TITLE))
@ -123,7 +123,7 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
else $appli.=" ".DOL_VERSION;
}
else $appli.=" ".DOL_VERSION;
$urlback=$_SERVER["REQUEST_URI"];
$topic='['.$appli.'] '.$langs->transnoentitiesnoconv("NewOnlinePaymentFailed");
$content="";
@ -133,10 +133,10 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
$content.=$langs->transnoentitiesnoconv("OnlinePaymentSystem").': '.$paymentmethod."<br>\n";
$content.=$langs->transnoentitiesnoconv("ReturnURLAfterPayment").': '.$urlback."\n";
$content.="tag=".$fulltag."\ntoken=".$onlinetoken." paymentType=".$paymentType." currencycodeType=".$currencyCodeType." payerId=".$payerID." ipaddress=".$ipaddress." FinalPaymentAmt=".$FinalPaymentAmt;
require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php';
$mailfile = new CMailFile($topic, $sendto, $from, $content);
$result=$mailfile->sendfile();
if ($result)
{
@ -147,7 +147,7 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
dol_syslog("Failed to send EMail to ".$sendto, LOG_ERR, 0, '_paypal');
}
}
unset($_SESSION['ipaddress']);
}

2
htdocs/public/paypal/paymentok.php
View File

@ -106,7 +106,7 @@ $paymentmethod='paypal';
* View
*/
dol_syslog("Callback url when a PayPal payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
dol_syslog("Callback url when a PayPal payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";

4
htdocs/societe/ajax/company.php
View File

@ -43,7 +43,7 @@ $id=GETPOST('id', 'int');
* View
*/
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',', $_GET));
//print_r($_GET);
@ -62,7 +62,7 @@ if (! empty($action) && $action == 'fetch' && ! empty($id))
$outlabel = '';
$outdesc = '';
$outtype = $object->type;
$outjson = array('ref' => $outref,'name' => $outname,'desc' => $outdesc,'type' => $outtype);
}

2
htdocs/societe/ajaxcompanies.php
View File

@ -44,7 +44,7 @@ require '../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_GET));

2
htdocs/societe/ajaxcountries.php
View File

@ -45,7 +45,7 @@ $country=GETPOST('country', 'alpha');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_POST));

3
htdocs/user/passwordforgotten.php
View File

@ -152,9 +152,6 @@ if ($action == 'buildnewpassword' && $username)
* View
*/
$php_self = $_SERVER['PHP_SELF'];
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
$dol_url_root = DOL_URL_ROOT;
// Title

2
htdocs/variants/list.php
View File

@ -88,7 +88,7 @@ $forcereloadpage=empty($conf->global->MAIN_FORCE_RELOAD_PAGE)?0:1;
},
function() {
if (reloadpage == 1) {
location.href = '<?php echo $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; ?>';
location.href = '<?php echo dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']); ?>';
} else {
$("#tablelines .drag").each(
function( intIndex ) {

40
test/phpunit/CodingPhpTest.php
View File

@ -144,24 +144,24 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
foreach($filesarray as $key => $file)
foreach($filesarray as $key => $file)
{
if (preg_match('/\/htdocs\/includes\//', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/custom\//', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/dolimed/', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/nltechno/', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/teclib/', $file['fullname'])) continue;
print 'Check php file '.$file['fullname']."\n";
$filecontent=file_get_contents($file['fullname']);
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'db->' && $val[1] != 'esca')
if ($val[1] != 'db->' && $val[1] != 'esca')
{
$ok=false;
break;
@ -171,9 +171,39 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
//exit;
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/(...................)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'dol_escape_htmltag(')
{
$ok=false;
break;
}
}
$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag around in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');
// Test that output of $_SERVER\[\'PHP_SELF\'\] is escaped (not done for the moment, did not found a way to forge value of $_SERVER['PHP_SELF'] by extern access).
/*$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/(...................)\$_SERVER\[\'PHP_SELF\'\]/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'dol_escape_htmltag(')
{
$ok=false;
break;
}
}
$this->assertTrue($ok, 'Found a $_SERVER[\'PHP_SELF\'] without dol_escape_htmltag around in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'PHP_SELF\']). Bad.');
*/
}
return;
}
}