diff --git a/ChangeLog b/ChangeLog index 766efb9c02a..ace6c60c0c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,23 @@ Following changes may create regression for some external modules, but were nece content by doing a print into function, sometimes by returning content into "resprint". This has been fixed to follow hook specifications so you must return output into "resprint". +***** ChangeLog for 5.0.4 compared to 5.0.3 ***** +FIX: #6880 +FIX: #6925 +FIX: #6926 +FIX: Can set supplier invoice to billed. +FIX: Can't create invoice if PO disapproved +FIX: contratligne update +FIX: CVE-2017-7886 +FIX: default param +FIX: Line of invoices not inserted when using POS module and VAT NPR. +FIX: origin & originid on supplierproposal +FIX: Redirect to payment page from member subscription page failed if a unique security key was defined. +FIX: REST api to get project when user has permission to read all. +FIX: situation_progress param default value must be 100 and not 0 +FIX: SQL injection on user/index.php parameter search_statut. +FIX: Warnings + ***** ChangeLog for 5.0.3 compared to 5.0.2 ***** FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty FIX: #6813 diff --git a/build/debian/source/lintian-overrides b/build/debian/source/lintian-overrides index c878035b482..e64eae84887 100644 --- a/build/debian/source/lintian-overrides +++ b/build/debian/source/lintian-overrides @@ -10,6 +10,8 @@ source-is-missing htdocs/includes/ckeditor/ckeditor/lang/*.js source-is-missing htdocs/includes/ckeditor/ckeditor/plugins/*/dialogs/*.js source-is-missing htdocs/includes/ckeditor/ckeditor/plugins/*/filter/*.js source-is-missing htdocs/includes/ckeditor/ckeditor/plugins/templates/templates/default.js -source-is-missing htdocs/includes/mobiledetect/mobiledetectlib/Mobile_Detect.json source-is-missing htdocs/includes/restler/framework/Luracast/Restler/explorer/lib/*.js +# Those are false positives, the files are their own sources since +# they are data files +source-is-missing htdocs/includes/mobiledetect/mobiledetectlib/Mobile_Detect.json diff --git a/dev/initdemo/initdemo.sh b/dev/initdemo/initdemo.sh index 940f0b59467..ddba2ea6fd9 100755 --- a/dev/initdemo/initdemo.sh +++ b/dev/initdemo/initdemo.sh @@ -155,7 +155,7 @@ fi #echo "mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile" #mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile #echo "drop old table" -echo "drop table llx_accounting_account;" | mysql -P$port -u$admin $passwd $base +echo "drop table if exists llx_accounting_account;" | mysql -P$port -u$admin $passwd $base echo "mysql -P$port -u$admin -p***** $base < $mydir/$dumpfile" mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile export res=$? diff --git a/dev/initdemo/mysqldump_dolibarr_3.5.0.sql b/dev/initdemo/mysqldump_dolibarr_3.5.0.sql index dba6263dde3..28b05e920d8 100644 --- a/dev/initdemo/mysqldump_dolibarr_3.5.0.sql +++ b/dev/initdemo/mysqldump_dolibarr_3.5.0.sql @@ -528,7 +528,7 @@ CREATE TABLE `llx_bank` ( LOCK TABLES `llx_bank` WRITE; /*!40000 ALTER TABLE `llx_bank` DISABLE KEYS */; -INSERT INTO `llx_bank` VALUES (1,'2010-07-08 23:56:14','2013-03-07 21:28:51','2010-07-08','2010-07-08',2000.00000000,'(Initial balance)',1,NULL,1,'SOLD','201210',NULL,1,NULL,0,NULL,NULL,NULL),(2,'2010-07-09 00:00:24','0000-00-00 00:00:00','2010-07-09','2010-07-09',500.00000000,'(Initial balance)',2,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(3,'2010-07-10 13:33:42','0000-00-00 00:00:00','2010-07-10','2010-07-10',0.00000000,'(Solde initial)',3,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(4,'2010-07-10 14:59:41','0000-00-00 00:00:00','2010-07-10','2010-07-10',0.02000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,'Client salon invidivdu',NULL),(5,'2011-07-18 20:50:24','0000-00-00 00:00:00','2011-07-08','2011-07-08',20.00000000,'(CustomerInvoicePayment)',1,1,NULL,'CB','201107',NULL,1,NULL,0,NULL,NULL,NULL),(6,'2011-07-18 20:50:47','0000-00-00 00:00:00','2011-07-08','2011-07-08',10.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(8,'2011-08-01 03:34:11','2013-03-07 21:28:51','2011-08-01','2011-08-01',5.63000000,'(CustomerInvoicePayment)',1,1,1,'CB','201210',NULL,1,NULL,0,NULL,NULL,NULL),(12,'2011-08-05 23:11:37','2013-03-07 21:33:57','2011-08-05','2011-08-05',-10.00000000,'(SocialContributionPayment)',1,1,1,'VIR','201210',NULL,1,NULL,0,NULL,NULL,NULL),(13,'2011-08-06 20:33:54','0000-00-00 00:00:00','2011-08-06','2011-08-06',5.98000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(14,'2011-08-08 02:53:40','0000-00-00 00:00:00','2011-08-08','2011-08-08',26.10000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(15,'2011-08-08 02:55:58','2013-03-07 21:39:20','2011-08-08','2011-08-08',26.96000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201211',NULL,1,NULL,0,NULL,NULL,NULL),(16,'2012-12-09 15:28:44','2012-12-09 14:28:44','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(17,'2012-12-09 15:28:53','2012-12-09 14:33:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(18,'2012-12-09 17:35:55','2012-12-09 16:35:55','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(19,'2012-12-09 17:37:02','2012-12-09 16:37:02','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(20,'2012-12-09 18:35:07','2012-12-09 17:35:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(21,'2012-12-12 18:54:33','2013-03-07 21:28:51','2012-12-12','2012-12-12',1.00000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201210',NULL,1,NULL,0,NULL,NULL,NULL),(22,'2013-03-06 16:48:16','2013-03-06 15:48:16','2013-03-06','2013-03-06',20.00000000,'(SubscriptionPayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(23,'2013-03-20 14:30:11','2013-03-20 13:30:11','2013-03-20','2013-03-20',10.00000000,'(SubscriptionPayment)',1,1,NULL,'VIR',NULL,NULL,0,NULL,0,NULL,NULL,NULL); +INSERT INTO `llx_bank` VALUES (1,'2010-07-08 23:56:14','2013-03-07 21:28:51','2010-07-08','2010-07-08',2000.00000000,'(Initial balance)',1,NULL,1,'SOLD','201210',NULL,1,NULL,0,NULL,NULL,NULL),(2,'2010-07-09 00:00:24','2010-07-09 00:00:24','2010-07-09','2010-07-09',500.00000000,'(Initial balance)',2,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(3,'2010-07-10 13:33:42','2010-07-10 13:33:42','2010-07-10','2010-07-10',0.00000000,'(Solde initial)',3,NULL,NULL,'SOLD',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(4,'2010-07-10 14:59:41','2010-07-10 14:59:41','2010-07-10','2010-07-10',0.02000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,'Client salon invidivdu',NULL),(5,'2011-07-18 20:50:24','2011-07-18 20:50:24','2011-07-08','2011-07-08',20.00000000,'(CustomerInvoicePayment)',1,1,NULL,'CB','201107',NULL,1,NULL,0,NULL,NULL,NULL),(6,'2011-07-18 20:50:47','2011-07-18 20:50:47','2011-07-08','2011-07-08',10.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(8,'2011-08-01 03:34:11','2013-03-07 21:28:51','2011-08-01','2011-08-01',5.63000000,'(CustomerInvoicePayment)',1,1,1,'CB','201210',NULL,1,NULL,0,NULL,NULL,NULL),(12,'2011-08-05 23:11:37','2013-03-07 21:33:57','2011-08-05','2011-08-05',-10.00000000,'(SocialContributionPayment)',1,1,1,'VIR','201210',NULL,1,NULL,0,NULL,NULL,NULL),(13,'2011-08-06 20:33:54','2011-08-06 20:33:54','2011-08-06','2011-08-06',5.98000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(14,'2011-08-08 02:53:40','2011-08-08 02:53:40','2011-08-08','2011-08-08',26.10000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(15,'2011-08-08 02:55:58','2013-03-07 21:39:20','2011-08-08','2011-08-08',26.96000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201211',NULL,1,NULL,0,NULL,NULL,NULL),(16,'2012-12-09 15:28:44','2012-12-09 14:28:44','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(17,'2012-12-09 15:28:53','2012-12-09 14:33:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(18,'2012-12-09 17:35:55','2012-12-09 16:35:55','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(19,'2012-12-09 17:37:02','2012-12-09 16:37:02','2012-12-09','2012-12-09',2.00000000,'(CustomerInvoicePayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(20,'2012-12-09 18:35:07','2012-12-09 17:35:07','2012-12-09','2012-12-09',-2.00000000,'(CustomerInvoicePaymentBack)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(21,'2012-12-12 18:54:33','2013-03-07 21:28:51','2012-12-12','2012-12-12',1.00000000,'(CustomerInvoicePayment)',1,1,1,'TIP','201210',NULL,1,NULL,0,NULL,NULL,NULL),(22,'2013-03-06 16:48:16','2013-03-06 15:48:16','2013-03-06','2013-03-06',20.00000000,'(SubscriptionPayment)',3,1,NULL,'LIQ',NULL,NULL,0,NULL,0,NULL,NULL,NULL),(23,'2013-03-20 14:30:11','2013-03-20 13:30:11','2013-03-20','2013-03-20',10.00000000,'(SubscriptionPayment)',1,1,NULL,'VIR',NULL,NULL,0,NULL,0,NULL,NULL,NULL); /*!40000 ALTER TABLE `llx_bank` ENABLE KEYS */; UNLOCK TABLES; @@ -4844,7 +4844,7 @@ CREATE TABLE `llx_opensurvey_sondage` ( LOCK TABLES `llx_opensurvey_sondage` WRITE; /*!40000 ALTER TABLE `llx_opensurvey_sondage` DISABLE KEYS */; -INSERT INTO `llx_opensurvey_sondage` VALUES ('m4467s2mtk6khmxc','m4467s2mtk6khmxci2ysw682','fdffdshfghfj jhgjgh','aaa@aaa.com','fdfds','fdffds','2013-03-06 23:00:00','D+','1',1,'dolibarr','0000-00-00 00:00:00'); +INSERT INTO `llx_opensurvey_sondage` VALUES ('m4467s2mtk6khmxc','m4467s2mtk6khmxci2ysw682','fdffdshfghfj jhgjgh','aaa@aaa.com','fdfds','fdffds','2013-03-06 23:00:00','D+','1',1,'dolibarr','2000-01-01 00:00:00'); /*!40000 ALTER TABLE `llx_opensurvey_sondage` ENABLE KEYS */; UNLOCK TABLES; diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index e22e993796f..736338d1b88 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view'; $confirm=GETPOST('confirm','alpha'); $id=GETPOST('id','int'); $rowid=GETPOST('rowid','alpha'); +$code=GETPOST('code','alpha'); $acts[0] = "activate"; $acts[1] = "disable"; @@ -225,7 +226,7 @@ if ($id == 25) if (GETPOST('button_removefilter') || GETPOST('button_removefilter.x') || GETPOST('button_removefilter_x')) { - $search_country_id = ''; + $search_country_id = ''; } // Actions add or modify an entry into a dictionary @@ -459,8 +460,8 @@ if ($action == $acts[0]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -479,8 +480,8 @@ if ($action == $acts[1]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -499,8 +500,8 @@ if ($action == 'activate_favorite') if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -519,8 +520,8 @@ if ($action == 'disable_favorite') if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -556,7 +557,7 @@ print "
\n"; // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); @@ -574,7 +575,7 @@ if ($id) else $sql.=" WHERE "; $sql.= " c.rowid = ".$search_country_id; } - + if ($sortfield) { // If sort order is "country", we use country_code instead @@ -600,7 +601,7 @@ if ($id) print '
'; print ''; - + print ''; // Form to add a new line @@ -773,7 +774,7 @@ if ($id) $paramwithsearch = $param; if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder; if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield; - + // There is several pages if ($num > $listlimit) { @@ -865,9 +866,9 @@ if ($id) foreach ($fieldlist as $field => $value) { $showfield=1; // By defaut - + if ($fieldlist[$field]=='region_id' || $fieldlist[$field]=='country_id') { $showfield=0; } - + if ($showfield) { if ($value == 'country') @@ -889,7 +890,7 @@ if ($id) print $searchpicto; print ''; print ''; - + if ($num) { // Lines with values @@ -927,7 +928,7 @@ if ($id) { foreach ($fieldlist as $field => $value) { - + $showfield=1; $align="left"; $valuetoshow=$obj->{$fieldlist[$field]}; @@ -1169,7 +1170,7 @@ else $showemptyline=0; } - + $value=$tabname[$i]; print '
'; if (! empty($tabcond[$i])) diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index b10015baa6c..c3edbdfb48c 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view'; $confirm=GETPOST('confirm','alpha'); $id=GETPOST('id','int'); $rowid=GETPOST('rowid','alpha'); +$code=GETPOST('code','alpha'); // Security access if (! empty($user->rights->accountancy->chartofaccount)) @@ -370,8 +371,8 @@ if ($action == $acts[0]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -390,8 +391,8 @@ if ($action == $acts[1]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -410,8 +411,8 @@ if ($action == 'activate_favorite') if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -430,8 +431,8 @@ if ($action == 'disable_favorite') if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -461,7 +462,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto); // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index dd1982d057c..3dc932dbab5 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -38,6 +38,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view'; $confirm=GETPOST('confirm','alpha'); $id=GETPOST('id','int'); $rowid=GETPOST('rowid','alpha'); +$code=GETPOST('code','alpha'); // Security access if (! empty($user->rights->accountancy->chartofaccount)) @@ -321,8 +322,8 @@ if ($action == $acts[0]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -341,8 +342,8 @@ if ($action == $acts[1]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -375,7 +376,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto); // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index dea160f10bb..881020a81be 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -55,6 +55,7 @@ $confirm=GETPOST('confirm','alpha'); $id=GETPOST('id','int'); $rowid=GETPOST('rowid','alpha'); $entity=GETPOST('entity','int'); +$code=GETPOST('code','alpha'); $allowed=$user->admin; if ($id == 7 && ! empty($user->rights->accounting->chartofaccount)) $allowed=1; // Tax page allowed to manager of chart account @@ -818,8 +819,8 @@ if ($action == $acts[0]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } $result = $db->query($sql); @@ -838,8 +839,8 @@ if ($action == $acts[1]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } $result = $db->query($sql); @@ -858,8 +859,8 @@ if ($action == 'activate_favorite') if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } $result = $db->query($sql); @@ -878,8 +879,8 @@ if ($action == 'disable_favorite') if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag(GETPOST('code'))."'".($entity != '' ? " AND entity = " . (int) $entity : ''); + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : ''); } $result = $db->query($sql); @@ -941,7 +942,7 @@ if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha'); // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode(GETPOST('code')).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index b25e3a6a2ee..cc35aed19be 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -346,8 +346,8 @@ if ($action == $acts[0]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -366,8 +366,8 @@ if ($action == $acts[1]) if ($rowid) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; } - elseif ($_GET["code"]) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'"; + elseif ($code) { + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; } $result = $db->query($sql); @@ -412,7 +412,7 @@ dol_fiche_head($head, 'templates', '', -1); // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1); } //var_dump($elementList); diff --git a/htdocs/admin/tools/index.php b/htdocs/admin/tools/index.php index 6f773c5b35e..98a490550ca 100644 --- a/htdocs/admin/tools/index.php +++ b/htdocs/admin/tools/index.php @@ -38,7 +38,7 @@ if (! $user->admin) $form = new Form($db); $title=$langs->trans("AdminTools"); -//if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools"); +//if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools"); llxHeader('', $title); diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php index 05bd454eeea..b6a022db898 100644 --- a/htdocs/bookmarks/bookmarks.lib.php +++ b/htdocs/bookmarks/bookmarks.lib.php @@ -40,10 +40,10 @@ function printBookmarksList($aDb, $aLangs) $langs->load("bookmarks"); - $url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:''); - + $url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''); + $ret = ''; - + // Menu bookmark $ret.= '
'."\n"; @@ -83,12 +83,12 @@ function printBookmarksList($aDb, $aLangs) dol_print_error($db); } } - + $ret.= ''; $ret.= ''; - + $ret.=ajax_combobox('boxbookmark'); - + $ret.=''; diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index 7d150efe140..76a53924ad5 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -423,8 +423,8 @@ else // If javascript off $newparam=$param; // newparam is for birthday links $newparam=preg_replace('/showbirthday=[0-1]/i','showbirthday='.(empty($showbirthday)?1:0),$newparam); if (! preg_match('/showbirthday=/i',$newparam)) $newparam.='&showbirthday=1'; - $link='trans("AgendaShowBirthdayEvents"); else $link.=$langs->trans("AgendaHideBirthdayEvents"); @@ -1070,7 +1070,7 @@ if (empty($action) || $action == 'show_month') // View by month } echo "
\n"; echo '
'; - echo ''; + echo ''; echo ''; echo '' ; echo '
'; @@ -1124,7 +1124,7 @@ elseif ($action == 'show_week') // View by week echo "\n"; echo '
'; - echo ''; + echo ''; echo ''; echo '' ; echo '
'; @@ -1188,7 +1188,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa global $cachethirdparties, $cachecontacts, $cacheusers, $colorindexused; $dateint = sprintf("%04d",$year).sprintf("%02d",$month).sprintf("%02d",$day); - + print "\n"; // Line with title of day @@ -1247,7 +1247,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa if (in_array($user->id, $keysofuserassigned)) { $nummytasks++; $cssclass='family_mytasks'; - + if (empty($cacheusers[$event->userownerid])) { $newuser=new User($db); @@ -1255,7 +1255,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa $cacheusers[$event->userownerid]=$newuser; } //var_dump($cacheusers[$event->userownerid]->color); - + // We decide to choose color of owner of event (event->userownerid is user id of owner, event->userassigned contains all users assigned to event) if (! empty($cacheusers[$event->userownerid]->color)) $color=$cacheusers[$event->userownerid]->color; } @@ -1277,10 +1277,10 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa } else { - $numother++; + $numother++; $color=($event->icalcolor?$event->icalcolor:-1); $cssclass=(! empty($event->icalname)?'family_ext'.md5($event->icalname):'family_other'); - + if (empty($cacheusers[$event->userownerid])) { $newuser=new User($db); @@ -1288,7 +1288,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa $cacheusers[$event->userownerid]=$newuser; } //var_dump($cacheusers[$event->userownerid]->color); - + // We decide to choose color of owner of event (event->userownerid is user id of owner, event->userassigned contains all users assigned to event) if (! empty($cacheusers[$event->userownerid]->color)) $color=$cacheusers[$event->userownerid]->color; } @@ -1364,9 +1364,9 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa print '">'; print ''; print ''; - + $daterange=''; - + if ($event->type_code == 'BIRTHDAY') // It's a birthday { print $event->getNomUrl(1,$maxnbofchar,'cal_event','birthday','contact'); @@ -1426,9 +1426,9 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa // Show title $titletoshow = $daterange; $titletoshow.=($titletoshow?' ':'').$event->libelle; - + if ($event->type_code == 'ICALEVENT') print $titletoshow; - else + else { $savlabel=$event->libelle; $event->libelle=$titletoshow; @@ -1449,11 +1449,11 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa $newuser->fetch($tmpid); $cacheusers[$tmpid]=$newuser; } - + $listofusertoshow.=$cacheusers[$tmpid]->getNomUrl(-3, '', 0, 0, 0, 0, '', 'valigntextbottom'); } print $listofusertoshow; - + if ($event->type_code == 'ICALEVENT') print '
('.dol_trunc($event->icalname,$maxnbofchar).')'; // If action related to company / contact @@ -1506,7 +1506,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa if ($event->type_code != 'BIRTHDAY' && $event->type_code != 'ICALEVENT') { $withstatus=1; - if ($event->percentage >= 0) $withstatus=2; + if ($event->percentage >= 0) $withstatus=2; } print ''; if ($withstatus) print $event->getLibStatut(3,1); diff --git a/htdocs/comm/action/pertype.php b/htdocs/comm/action/pertype.php index 23d434742a0..cd96a4fa8ad 100644 --- a/htdocs/comm/action/pertype.php +++ b/htdocs/comm/action/pertype.php @@ -572,7 +572,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor $newparam.='&viewweek=1'; echo '
'; -echo ''; +echo ''; echo ''; echo '' ; echo '
'; diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php index 2f1e3735cd2..42fb67c8bde 100644 --- a/htdocs/comm/action/peruser.php +++ b/htdocs/comm/action/peruser.php @@ -86,12 +86,12 @@ $status=GETPOST("status"); $type=GETPOST("type"); $maxprint=(isset($_GET["maxprint"])?GETPOST("maxprint"):$conf->global->AGENDA_MAX_EVENTS_DAY_VIEW); // Set actioncode (this code must be same for setting actioncode into peruser, listacton and index) -if (GETPOST('actioncode','array')) +if (GETPOST('actioncode','array')) { $actioncode=GETPOST('actioncode','array',3); if (! count($actioncode)) $actioncode='0'; } -else +else { $actioncode=GETPOST("actioncode","alpha",3)?GETPOST("actioncode","alpha",3):(GETPOST("actioncode")=='0'?'0':(empty($conf->global->AGENDA_DEFAULT_FILTER_TYPE)?'':$conf->global->AGENDA_DEFAULT_FILTER_TYPE)); } @@ -579,7 +579,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor $newparam.='&viewweek=1'; echo '
'; -echo ''; +echo ''; echo ''; echo '' ; echo '
'; diff --git a/htdocs/comm/propal/document.php b/htdocs/comm/propal/document.php index 6cc40873060..0c68a292109 100644 --- a/htdocs/comm/propal/document.php +++ b/htdocs/comm/propal/document.php @@ -1,6 +1,6 @@ - * Copyright (C) 2004-2009 Laurent Destailleur + * Copyright (C) 2004-2017 Laurent Destailleur * Copyright (C) 2005 Marc Barilley / Ocebo * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2013 Cédric Salvador @@ -63,17 +63,18 @@ if (! $sortfield) $sortfield="name"; $object = new Propal($db); $object->fetch($id,$ref); -if ($object->id > 0) -{ - $object->fetch_thirdparty(); - $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); - include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; -} + /* * Actions */ +if ($object->id > 0) +{ + $object->fetch_thirdparty(); + $upload_dir = $conf->propal->dir_output.'/'.dol_sanitizeFileName($object->ref); + include_once DOL_DOCUMENT_ROOT . '/core/actions_linkedfiles.inc.php'; +} /* @@ -101,10 +102,10 @@ if ($object->id > 0) // Proposal card - + $linkback = '' . $langs->trans("BackToList") . ''; - - + + $morehtmlref='
'; // Ref customer $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1); @@ -145,24 +146,24 @@ if ($object->id > 0) } } $morehtmlref.='
'; - + dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); - - + + print '
'; print '
'; - + print ''; - + // Files infos print ''; print ''; - + print "
'.$langs->trans("NbOfAttachedFiles").''.count($filearray).'
'.$langs->trans("TotalSizeOfAttachedFiles").''.$totalsize.' '.$langs->trans("bytes").'
\n"; - + print '
'; - - + + dol_fiche_end(); $modulepart = 'propal'; diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 47a35ff47a1..a8e3d23565f 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -275,25 +275,25 @@ if (! $user->rights->societe->client->voir && ! $socid) //restriction $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; } if ($search_town) $sql.= natural_search('s.town', $search_town); -if ($search_zip) $sql.= natural_search("s.zip",$search_zip); -if ($search_state) $sql.= natural_search("state.nom",$search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$search_country.')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; -if ($search_ref) $sql .= natural_search('p.ref', $search_ref); +if ($search_zip) $sql.= natural_search("s.zip", $search_zip); +if ($search_state) $sql.= natural_search("state.nom", $search_state); +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_ref) $sql .= natural_search('p.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer); -if ($search_societe) $sql .= natural_search('s.nom', $search_societe); -if ($search_login) $sql.= " AND u.login LIKE '%".$db->escape(trim($search_login))."%'"; +if ($search_societe) $sql .= natural_search('s.nom', $search_societe); +if ($search_login) $sql .= natural_search("u.login", $search_login); if ($search_montant_ht != '') $sql.= natural_search("p.total_ht", $search_montant_ht, 1); if ($search_montant_vat != '') $sql.= natural_search("p.tva", $search_montant_vat, 1); if ($search_montant_ttc != '') $sql.= natural_search("p.total", $search_montant_ttc, 1); if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); } -if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$search_product_category; +if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$db->escape($search_product_category); if ($socid > 0) $sql.= ' AND s.rowid = '.$socid; if ($viewstatut != '' && $viewstatut != '-1') { - $sql.= ' AND p.fk_statut IN ('.$viewstatut.')'; + $sql.= ' AND p.fk_statut IN ('.$db->escape($viewstatut).')'; } if ($month > 0) { @@ -302,16 +302,16 @@ if ($month > 0) else if ($year > 0 && ! empty($day)) $sql.= " AND p.datep BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'"; else - $sql.= " AND date_format(p.datep, '%m') = '".$month."'"; + $sql.= " AND date_format(p.datep, '%m') = '".$db->escape($month)."'"; } else if ($year > 0) { $sql.= " AND p.datep BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'"; } -if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$search_sale; +if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$db->escape($search_sale); if ($search_user > 0) { - $sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$search_user; + $sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$db->escape($search_user); } // Add where from extra fields foreach ($search_array_options as $key => $val) @@ -365,23 +365,24 @@ if ($resql) $arrayofselected=is_array($toselect)?$toselect:array(); - $param='&viewstatut='.$viewstatut; - if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; - if ($sall) $param.='&sall='.$sall; - if ($month) $param.='&month='.$month; - if ($year) $param.='&year='.$year; - if ($search_ref) $param.='&search_ref=' .$search_ref; - if ($search_refcustomer) $param.='&search_refcustomer=' .$search_refcustomer; - if ($search_societe) $param.='&search_societe=' .$search_societe; - if ($search_user > 0) $param.='&search_user='.$search_user; - if ($search_sale > 0) $param.='&search_sale='.$search_sale; - if ($search_montant_ht) $param.='&search_montant_ht='.$search_montant_ht; - if ($search_login) $param.='&search_login='.$search_login; - if ($search_town) $param.='&search_town='.$search_town; - if ($search_zip) $param.='&search_zip='.$search_zip; - if ($socid > 0) $param.='&socid='.$socid; - if ($optioncss != '') $param.='&optioncss='.$optioncss; + $param='&viewstatut='.urlencode($viewstatut); + if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit); + if ($sall) $param.='&sall='.urlencode($sall); + if ($month) $param.='&month='.urlencode($month); + if ($year) $param.='&year='.urlencode($year); + if ($search_ref) $param.='&search_ref='.urlencode($search_ref); + if ($search_refcustomer) $param.='&search_refcustomer='.urlencode($search_refcustomer); + if ($search_societe) $param.='&search_societe='.urlencode($search_societe); + if ($search_user > 0) $param.='&search_user='.urlencode($search_user); + if ($search_sale > 0) $param.='&search_sale='.urlencode($search_sale); + if ($search_montant_ht) $param.='&search_montant_ht='.urlencode($search_montant_ht); + if ($search_login) $param.='&search_login='.urlencode($search_login); + if ($search_town) $param.='&search_town='.urlencode($search_town); + if ($search_zip) $param.='&search_zip='.urlencode($search_zip); + if ($socid > 0) $param.='&socid='.urlencode($socid); + if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss); + // Add $param from extra fields foreach ($search_array_options as $key => $val) { diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 2c83cc68286..adf883075bf 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -3590,15 +3590,14 @@ else if ($id > 0 || ! empty($ref)) if ($object->type == Facture::TYPE_SITUATION && ! empty($conf->global->INVOICE_USE_SITUATION)) { if (count($object->tab_previous_situation_invoice) > 0 || count($object->tab_next_situation_invoice) > 0) - print ''; + print '
'; if (count($object->tab_previous_situation_invoice) > 0) { // List of previous invoices print ''; print ''; print ''; - if (! empty($conf->banque->enabled)) - print ''; + if (! empty($conf->banque->enabled)) print ''; print ''; print ''; print ''; @@ -3612,8 +3611,7 @@ else if ($id > 0 || ! empty($ref)) print ''; print ''; print ''; - if (! empty($conf->banque->enabled)) - print ''; + if (! empty($conf->banque->enabled)) print ''; print ''; print ''; print ''; @@ -3622,7 +3620,9 @@ else if ($id > 0 || ! empty($ref)) } print ''; - print ''; + print ''; + print ''; + if (! empty($conf->banque->enabled)) print ''; print ''; print ''; print ''; diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 018baab0cc0..f21c41d828d 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -73,7 +73,7 @@ if ($action == 'confirm_deletefile' && $confirm == 'yes') $ret = dol_delete_file($file, 0, 0, 0, $object); if (! empty($fileold)) dol_delete_file($fileold, 0, 0, 0, $object); // Delete file using old path - + // Si elle existe, on efface la vignette if (preg_match('/(\.jpg|\.jpeg|\.bmp|\.gif|\.png|\.tiff)$/i',$file,$regs)) { @@ -152,19 +152,28 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave')) { $filenamefrom=dol_sanitizeFileName(GETPOST('renamefilefrom')); $filenameto=dol_sanitizeFileName(GETPOST('renamefileto')); + + // Security: + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. + if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) + { + $filenameto.= '.noexe'; + } + if ($filenamefrom && $filenameto) { $srcpath = $upload_dir.'/'.$filenamefrom; $destpath = $upload_dir.'/'.$filenameto; - + $result = dol_move($srcpath, $destpath); - if ($result) + if ($result) { $object->addThumbs($destpath); - + // TODO Add revert function of addThumbs //$object->delThumbs($srcpath); - + setEventMessages($langs->trans("FileRenamed"), null); } else diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php index a21f0d107cd..e0623788963 100644 --- a/htdocs/core/ajax/ajaxdirpreview.php +++ b/htdocs/core/ajax/ajaxdirpreview.php @@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir)) } print ''."\n"; -print ''."\n"; +//print ''."\n"; $param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:''); diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php index 24318be6cf8..65620c5429c 100644 --- a/htdocs/core/ajax/bankconciliate.php +++ b/htdocs/core/ajax/bankconciliate.php @@ -45,7 +45,7 @@ $action=GETPOST('action','aZ09'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext') { diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php index 7826747769b..612f38bb05b 100644 --- a/htdocs/core/ajax/box.php +++ b/htdocs/core/ajax/box.php @@ -50,7 +50,7 @@ $userid=GETPOST('userid','int'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +print ''."\n"; // Add a box if ($boxid > 0 && $zone !='' && $userid > 0) diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 331a5e87513..f79753260d7 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -45,7 +45,7 @@ $name=GETPOST('name','alpha'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (! empty($action) && ! empty($name)) diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php index c3788a8baeb..1c7c7a56e4b 100644 --- a/htdocs/core/ajax/contacts.php +++ b/htdocs/core/ajax/contacts.php @@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) { $form = new Form($db); - + $return=array(); if (empty($showempty)) $showempty=0; - + $return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true); $return['num'] = $form->num; $return['error'] = $form->error; - + echo json_encode($return); } diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php index 510ef8a1cf8..f8a636e52a5 100644 --- a/htdocs/core/ajax/extraparams.php +++ b/htdocs/core/ajax/extraparams.php @@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha'); top_httphead(); -print ''."\n"; +print ''."\n"; if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) { $value = GETPOST('value','alpha'); $params=array(); - + dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG); - + $classpath = $subelement = $element; - + // For compatibility if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; } else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; } @@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; } else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; } else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; } - + dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php'); - + if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; } else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; } else $classname = ucfirst($subelement); - + $object = new $classname($db); $object->fetch($id); - + $params[$htmlelement] = array($type => $value); $object->extraparams = array_merge($object->extraparams, $params); - + $result=$object->setExtraParameters(); } diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php index de3a4e57d19..7e9e541c768 100644 --- a/htdocs/core/ajax/loadinplace.php +++ b/htdocs/core/ajax/loadinplace.php @@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element)) diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php index 6ac5abd3bbb..37173ed9943 100644 --- a/htdocs/core/ajax/objectonoff.php +++ b/htdocs/core/ajax/objectonoff.php @@ -42,7 +42,7 @@ $object = new GenericObject($db); top_httphead(); -print ''."\n"; +print ''."\n"; // Registering new values if (($action == 'set') && ! empty($id)) diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php index 5c891df14d5..d4a101fb497 100644 --- a/htdocs/core/ajax/price.php +++ b/htdocs/core/ajax/price.php @@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha')); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($output) && isset($amount) && isset($tva_tx)) diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php index 331b4ceaac8..6e358bdbd88 100644 --- a/htdocs/core/ajax/row.php +++ b/htdocs/core/ajax/row.php @@ -18,8 +18,8 @@ /** * \file htdocs/core/ajax/row.php - * \brief File to return Ajax response on Row move. - * This ajax page is called when doing an up or down drag and drop. + * \brief File to return Ajax response on Row move. + * This ajax page is called when doing an up or down drag and drop. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal @@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; top_httphead(); -print ''."\n"; +print ''."\n"; // Registering the location of boxes if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line'])) diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php index 48797dd0432..eb04379a778 100644 --- a/htdocs/core/ajax/saveinplace.php +++ b/htdocs/core/ajax/saveinplace.php @@ -54,7 +54,7 @@ savemethodname: top_httphead(); -//print ''."\n"; +//print ''."\n"; //print_r($_POST); // Load original field value diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 28a53a87679..cc7335618d0 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php @@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/security.php - * \brief This ajax component is used to generated has keys for security purposes - * like key to use into URL to protect them. + * \brief This ajax component is used to generated has keys for security purposes + * like key to use into URL to protect them. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal @@ -38,7 +38,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (isset($_GET['action']) && ! empty($_GET['action'])) diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php index fc30a13afec..ac9691bfa25 100644 --- a/htdocs/core/ajax/vatrates.php +++ b/htdocs/core/ajax/vatrates.php @@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php index 30e0211ece1..9fa475039d9 100644 --- a/htdocs/core/ajax/ziptown.php +++ b/htdocs/core/ajax/ziptown.php @@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)); //var_dump($_GET); diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 5af4024f9c2..1908d04c312 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1062,7 +1062,7 @@ class FormOther async: false }); // We force reload to be sure to get all boxes into list - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\'; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\'; } else { @@ -1084,7 +1084,7 @@ class FormOther url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\', async: false }); - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid; } });'; if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();'; diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 21fb1be7c0d..7f2be7f5a3d 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -910,8 +910,8 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable } // Security: - // Disallow file with some extensions. We renamed them. - // Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande. + // Disallow file with some extensions. We rename them. + // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) { $file_name.= '.noexe'; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 3f71c83f552..a84482d45cf 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -414,9 +414,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) case 'intcomma': if (preg_match('/[^0-9,]+/i',$out)) $out=''; break; - case 'intcomma': - if (preg_match('/[^0-9,]+/i',$out)) $out=''; - break; case 'alpha': $out=trim($out); // '"' is dangerous because param in url can close the href= or src= and add javascript functions. @@ -3171,8 +3168,8 @@ function dol_print_error($db='',$error='',$errors=null) $out.="".$langs->trans("Referer").": ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."
\n"; $out.="".$langs->trans("MenuManager").": ".(isset($conf->standard_menu)?$conf->standard_menu:'')."
\n"; $out.="
\n"; - $syslog.="url=".$_SERVER["REQUEST_URI"]; - $syslog.=", query_string=".$_SERVER["QUERY_STRING"]; + $syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]); + $syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]); } else // Mode CLI { diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index d20b9612b5f..248c3bde43e 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc) $dol_url_root = DOL_URL_ROOT; - $php_self = $_SERVER['PHP_SELF']; - $php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:''; - if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home'; - // Title $appli=constant('DOL_APPLICATION_TITLE'); $title=$appli.' '.constant('DOL_VERSION'); diff --git a/htdocs/core/tpl/ajax/fileupload_main.tpl.php b/htdocs/core/tpl/ajax/fileupload_main.tpl.php index b7437af4616..034e9ebc3fc 100644 --- a/htdocs/core/tpl/ajax/fileupload_main.tpl.php +++ b/htdocs/core/tpl/ajax/fileupload_main.tpl.php @@ -45,7 +45,7 @@ $(function () { // Events $('#fileupload').fileupload({ stop: function (e, data) { - location.href=''; + location.href=''; }, destroy: function (e, data) { var that = $(this).data('fileupload'); diff --git a/htdocs/core/tpl/ajaxrow.tpl.php b/htdocs/core/tpl/ajaxrow.tpl.php index 96be9b49196..a5d8ab039b8 100644 --- a/htdocs/core/tpl/ajaxrow.tpl.php +++ b/htdocs/core/tpl/ajaxrow.tpl.php @@ -63,7 +63,7 @@ $(document).ready(function(){ function() { console.log("tableDND end of ajax call"); if (reloadpage == 1) { - location.href = ''; + location.href = ''; } else { $("# .drag").each( function( intIndex ) { diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php index 81e3936d300..9cddb8d183d 100644 --- a/htdocs/core/tpl/login.tpl.php +++ b/htdocs/core/tpl/login.tpl.php @@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1; // If we force to use jmobile, then we reenable javascript if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1; +$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']); +$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''; +if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home'; + // Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second $arrayofjs=array( '/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)), @@ -82,7 +86,7 @@ $(document).ready(function () { diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php index ad29cbfcd3d..96e8b467a02 100644 --- a/htdocs/core/tpl/passwordforgotten.tpl.php +++ b/htdocs/core/tpl/passwordforgotten.tpl.php @@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1; // If we force to use jmobile, then we reenable javascript if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1; +$php_self = $_SERVER['PHP_SELF']; +$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''; + print top_htmlhead('',$langs->trans('SendNewPassword')); ?> @@ -56,7 +59,7 @@ $(document).ready(function () { @@ -96,7 +99,7 @@ if (! empty($hookmanager->resArray['options'])) { } ?> -'; // Amount - print "".''; + print "".''; print '\n"; - print "".''; - print "".''; - print "".''; + print "".''; + print "".''; + print "".''; print "".''; + print ''; // Zip / Town print ''; - print "".''; + print "".''; // Public note print ''; @@ -385,9 +385,9 @@ if ($action == 'create') dol_fiche_end(); print '
'; - print ''; + print ''; print '     '; - print ''; + print ''; print '
'; print "\n"; @@ -439,7 +439,7 @@ if (! empty($id) && $action == 'edit') // Amount if ($object->statut == 0) { - print "".''; + print "".''; } else { @@ -454,11 +454,11 @@ if (! empty($id) && $action == 'edit') print "\n"; $langs->load("companies"); - print ''; - print ''; - print ''; + print ''; + print ''; + print ''; print ''; + print ''; // Zip / Town print ''; - print "".''; + print "".''; print "
' . $langs->trans('ListOfPreviousSituationInvoices') . '' . $langs->trans('AmountHT') . '' . $langs->trans('AmountTTC') . ' 
' . $prev_invoice->getNomUrl(1) . '' . price($prev_invoice->total_ht) . '' . price($prev_invoice->total_ttc) . '' . $prev_invoice->getLibStatut(3, $totalpaye) . '
' . price($total_prev_ht) . '' . price($total_prev_ttc) . ' 
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("PublicDonation").""; print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1); print "
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Address").''; - print '
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -341,7 +341,7 @@ if ($action == 'create') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print '
'.$langs->trans("EMail").'
'.$langs->trans("EMail").'
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Company").'
'.$langs->trans("Lastname").'
'.$langs->trans("Firstname").'
'.$langs->trans("Address").''; - print '
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -473,7 +473,7 @@ if (! empty($id) && $action == 'edit') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print '
'.$langs->trans("EMail").'
'.$langs->trans("EMail").'
".$langs->trans("PaymentMode")."\n"; @@ -594,13 +594,6 @@ if (! empty($id) && $action != 'edit') print ''; - // Ref - /* - print ''; - print ''; - */ // Date print ''; print ''; print ''; - /*print ''; - - // Zip / Town - print ''; - - // Country - print ''; - - // EMail - print "".''; - */ // Payment mode print "\n"; - //print "".''; - - // Project - /* - if (! empty($conf->projet->enabled)) - { - print ''; - print ''; - print ''; - print ''; - }*/ - // Other attributes $cols = 2; include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php'; diff --git a/htdocs/ecm/ajax/ecmdatabase.php b/htdocs/ecm/ajax/ecmdatabase.php index ac3a45d5683..6753a4299b0 100644 --- a/htdocs/ecm/ajax/ecmdatabase.php +++ b/htdocs/ecm/ajax/ecmdatabase.php @@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (isset($action) && ! empty($action)) diff --git a/htdocs/expensereport/ajax/ajaxprojet.php b/htdocs/expensereport/ajax/ajaxprojet.php index 6b9dd7e062f..423677c5da5 100644 --- a/htdocs/expensereport/ajax/ajaxprojet.php +++ b/htdocs/expensereport/ajax/ajaxprojet.php @@ -46,7 +46,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog(join(',',$_GET)); diff --git a/htdocs/externalsite/frames.php b/htdocs/externalsite/frames.php index adf9d547073..6005b8e55b6 100644 --- a/htdocs/externalsite/frames.php +++ b/htdocs/externalsite/frames.php @@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL)) llxFooter(); } -$mainmenu=GETPOST('mainmenu', 'alpha'); -$leftmenu=GETPOST('leftmenu', 'alpha'); +$mainmenu=GETPOST('mainmenu', "aZ09"); +$leftmenu=GETPOST('leftmenu', "aZ09"); $idmenu=GETPOST('idmenu', 'int'); $theme=GETPOST('theme', 'alpha'); $codelang=GETPOST('lang', 'aZ09'); diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php index 817f83f7ab6..a3990333d46 100644 --- a/htdocs/fourn/ajax/getSupplierPrices.php +++ b/htdocs/fourn/ajax/getSupplierPrices.php @@ -46,7 +46,7 @@ $langs->load('margins'); top_httphead(); -//print ''."\n"; +//print ''."\n"; if ($idprod > 0) { @@ -55,7 +55,7 @@ if ($idprod > 0) $sorttouse = 's.nom, pfp.quantity, pfp.price'; if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price'; - + $productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list. if ( is_array($productSupplierArray)) { @@ -63,34 +63,34 @@ if ($idprod > 0) { $price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100); $unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100); - + $title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - '; - + if ($productSupplier->fourn_qty == 1) { $title.= price($price,0,$langs,0,0,-1,$conf->currency)."/"; } $title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units")); - + if ($productSupplier->fourn_qty > 1) { $title.=" - "; $title.= price($unitprice,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit"); $price = $unitprice; } - + $label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit"); if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')'; - + $prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price() } } - + // Add price for costprice $price=$producttmp->cost_price; $prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price() - if(!empty($conf->stock->enabled)) + if(!empty($conf->stock->enabled)) { // Add price for pmp $price=$producttmp->pmp; diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index fa77287cbf4..2b917927067 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -138,7 +138,7 @@ if($year_start > 0) { } } else { if($month_start > 0) { - $filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'"; + $filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'"; } } @@ -153,7 +153,7 @@ if($year_end > 0) { } } else { if($month_end > 0) { - $filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'"; + $filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'"; } } @@ -168,7 +168,7 @@ if($year_create > 0) { } } else { if($month_create > 0) { - $filter.= " AND date_format(cp.date_create, '%m') = '$month_create'"; + $filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'"; } } @@ -302,7 +302,7 @@ print ''; // DATE CREATE print ''; @@ -357,13 +357,13 @@ print ''; // DATE DEBUT print ''; // DATE FIN print ''; diff --git a/htdocs/install/mysql/migration/3.5.0-3.6.0.sql b/htdocs/install/mysql/migration/3.5.0-3.6.0.sql index 2dc967e2546..1d7ad10d938 100755 --- a/htdocs/install/mysql/migration/3.5.0-3.6.0.sql +++ b/htdocs/install/mysql/migration/3.5.0-3.6.0.sql @@ -62,6 +62,21 @@ ALTER TABLE llx_societe MODIFY COLUMN fk_currency varchar(3) NULL; ALTER TABLE llx_bookmark ADD COLUMN entity integer DEFAULT 1 NOT NULL; ALTER TABLE llx_bookmark MODIFY COLUMN url varchar(255) NOT NULL; + +ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT '2001-01-01 00:00:00'; + +-- Clean corrupted values for tms +-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES'; +-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; +-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE'; +-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; +-- Remove default not null on date_fin +-- VMYSQL4.3 ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN date_fin DATETIME NULL DEFAULT NULL; +-- VPGSQL8.2 ALTER TABLE llx_opensurvey_sondage ALTER COLUMN date_fin DROP NOT NULL; + +ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT CURRENT_TIMESTAMP; + + ALTER TABLE llx_opensurvey_sondage ADD COLUMN entity integer DEFAULT 1 NOT NULL; ALTER TABLE llx_opensurvey_sondage ADD COLUMN allow_comments tinyint NOT NULL DEFAULT 1; -- ALTER TABLE llx_opensurvey_sondage DROP COLUMN survey_link_visible; diff --git a/htdocs/install/mysql/migration/5.0.0-6.0.0.sql b/htdocs/install/mysql/migration/5.0.0-6.0.0.sql index e0393b25ac6..5c766bc9b04 100644 --- a/htdocs/install/mysql/migration/5.0.0-6.0.0.sql +++ b/htdocs/install/mysql/migration/5.0.0-6.0.0.sql @@ -25,6 +25,8 @@ -- -- VMYSQL4.1 DELETE FROM llx_usergroup_user WHERE fk_usergroup NOT IN (SELECT rowid from llx_usergroup); +ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT '2001-01-01 00:00:00'; + -- Clean corrupted values for tms -- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES'; -- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; @@ -34,12 +36,6 @@ -- VMYSQL4.3 ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN date_fin DATETIME NULL DEFAULT NULL; -- VPGSQL8.2 ALTER TABLE llx_opensurvey_sondage ALTER COLUMN date_fin DROP NOT NULL; - -ALTER TABLE llx_extrafields ADD COLUMN fieldcomputed text; -ALTER TABLE llx_extrafields ADD COLUMN fielddefault varchar(255); - -ALTER TABLE llx_c_typent MODIFY COLUMN libelle varchar(64); - ALTER TABLE llx_opensurvey_sondage MODIFY COLUMN tms timestamp DEFAULT CURRENT_TIMESTAMP; ALTER TABLE llx_opensurvey_sondage ADD COLUMN fk_user_creat integer NOT NULL DEFAULT 0; @@ -50,6 +46,12 @@ ALTER TABLE llx_opensurvey_sondage ADD COLUMN allow_spy tinyint NOT NULL DEFAULT ALTER TABLE llx_opensurvey_sondage ADD COLUMN sujet TEXT; +ALTER TABLE llx_extrafields ADD COLUMN fieldcomputed text; +ALTER TABLE llx_extrafields ADD COLUMN fielddefault varchar(255); + +ALTER TABLE llx_c_typent MODIFY COLUMN libelle varchar(64); + + create table llx_notify_def_object ( id integer AUTO_INCREMENT PRIMARY KEY, diff --git a/htdocs/install/mysql/migration/repair.sql b/htdocs/install/mysql/migration/repair.sql index 991212c7d22..567bd3aef85 100755 --- a/htdocs/install/mysql/migration/repair.sql +++ b/htdocs/install/mysql/migration/repair.sql @@ -339,6 +339,16 @@ drop table tmp_c_shipment_mode; -- VMYSQL4.1 update llx_expensereport_det as ed set date = (select date_debut from llx_expensereport as e where ed.fk_expensereport = e.rowid) where DATE(STR_TO_DATE(date, '%Y-%m-%d')) < '1000-00-00'; -- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE'; +-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES'; +-- VMYSQL4.1 update llx_bank set tms = datec where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; +-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE'; +-- VMYSQL4.1 update llx_bank set tms = datec where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; + +-- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES'; +-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; +-- VMYSQL4.1 SET sql_mode = 'NO_ZERO_DATE'; +-- VMYSQL4.1 update llx_opensurvey_sondage set tms = date_fin where DATE(STR_TO_DATE(tms, '%Y-%m-%d')) IS NULL; + -- Backport a change of value into the hourly rate. -- update llx_projet_task_time as ptt set ptt.thm = (SELECT thm from llx_user as u where ptt.fk_user = u.rowid) where (ptt.thm is null) diff --git a/htdocs/langs/en_US/modulebuilder.lang b/htdocs/langs/en_US/modulebuilder.lang index 8d9a31cfdf7..fe636fd4f2d 100644 --- a/htdocs/langs/en_US/modulebuilder.lang +++ b/htdocs/langs/en_US/modulebuilder.lang @@ -1,24 +1,25 @@ # Dolibarr language file - Source file is en_US - loan -ModuleBuilderDesc=This tools give you utilites to build or edit your own module. +ModuleBuilderDesc=This tools give you utilites to build or edit your own module (More information here). EnterNameOfModuleDesc=Enter name of the module/application to create with no spaces. Use uppercase to separate words (For example: MyModule, EcommerceForShop, SyncWithMySystem...) EnterNameOfObjectDesc=Enter name of the object to create with no spaces. Use uppercase to separate words (For example: MyObject, Student, Teacher...) ModuleBuilderDesc2=Path were modules are generated/edited (first alternative directory defined into %s): %s ModuleBuilderDesc3=Generated/editable modules found: %s (they are detected as editable when the file %s exists in root of module directory). NewModule=New module NewObject=New object -ModuleKey=Key for new module -ObjectKey=Key for new object +ModuleKey=Module key +ObjectKey=Object key ModuleInitialized=Module initialized FilesForObjectInitialized=Files for new object initialized ModuleBuilderDescdescription=Enter here all general information that describe your module -ModuleBuilderDescobjects=Define here the new objects you want to manage with your module. A page to list them and a page to create/edit/view a card will be generated. +ModuleBuilderDescobjects=Define here the objects you want to manage with your module. A sql file, a page to list them, to create/edit/view a card and an API will be generated. ModuleBuilderDescmenus=This tab is dedicated to define menu entries provided by your module. ModuleBuilderDescpermissions=This tab is dedicated to define the new permissions you want to provide with your module. ModuleBuilderDesctriggers=This is the view of triggers provided by your module. To include code executed when a triggered business event is launched, just edit this file with your IDE. ModuleBuilderDeschooks=This tab is dedicated to hooks. ModuleBuilderDescwidgets=This tab is dedicated to manage/build widgets. ModuleBuilderDescbuildpackage=You can generate here a "ready to distribute" package file (a normalized .zip file) of your module. Just click on button to build the module package file. -ModuleBuilderDescdangerzone=You can delete your module. WARNING: All files of module will be definetly lost ! +EnterNameOfModuleToDeleteDesc=You can delete your module. WARNING: All files of module will be definitly lost ! +EnterNameOfObjectToDeleteDesc=You can delete an object. WARNING: All files related to object will be definitly lost ! DangerZone=Danger zone BuildPackage=Build package ModuleIsNotActive=This module was not activated yet (go into Home-Setup-Module to make it live) @@ -31,4 +32,5 @@ ClassFile=File for PHP class ApiClassFile=File for PHP API class PageForList=PHP page for list of record PageForCreateEditView=PHP page to create/edit/view a record -PathToModulePackage=Path to zip of module/application package \ No newline at end of file +PathToModulePackage=Path to zip of module/application package +SpaceOrSpecialCharAreNotAllowed=Spaces or special characters are not allowed. \ No newline at end of file diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 33b155bb64c..022aa4d5e44 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type) $sql_inj += preg_match('/
'.$langs->trans("Ref").''; - print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', ''); - print '
'.$langs->trans("Date").''; print dol_print_date($object->date,"day"); @@ -617,52 +610,12 @@ if (! empty($id) && $action != 'edit') print '
'.$langs->trans("Company").''.$object->societe.'
'.$langs->trans("Lastname").''.$object->lastname.'
'.$langs->trans("Firstname").''.$object->firstname.'
'.$langs->trans("Address").''.dol_nl2br($object->address).'
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'
'.$langs->trans('Country').''; - if (! empty($object->country_code)) - { - $img=picto_from_langcode($object->country_code); - print ($img?$img.' ':''); - print $object->country; - } - else - { - print $object->country_olddata; - } - print '
'.$langs->trans("EMail").''.dol_print_email($object->email).'
".$langs->trans("PaymentMode").""; $form->form_modes_reglement(null, $object->modepaymentid,'none'); print "
'.$langs->trans("Status").''.$object->getLibStatut(4).'
'.$langs->trans("Project").''; - $projettmp=new Project($db); - $projettmp->id=$object->fk_projet; - $projettmp->ref=$object->project; - if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1); - print '
'; -print ''; +print ''; $formother->select_year($year_create,'year_create',1, $min_year, 0); print ' '; -print ''; +print ''; $formother->select_year($year_start,'year_start',1, $min_year, $max_year); print ''; -print ''; +print ''; $formother->select_year($year_end,'year_end',1, $min_year, $max_year); print '