From d2db5f60a89604f2625bfc8a9111b58fa0e31478 Mon Sep 17 00:00:00 2001 From: phf Date: Wed, 14 Jun 2017 09:42:05 +0200 Subject: [PATCH 01/18] Fix css to apply "pair" and "impair" style --- htdocs/compta/facture.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index 59e52ac7b5d..9bb97d8ff0b 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -3490,7 +3490,7 @@ else if ($id > 0 || ! empty($ref)) if ($object->type == Facture::TYPE_SITUATION && ! empty($conf->global->INVOICE_USE_SITUATION)) { if (count($object->tab_previous_situation_invoice) > 0 || count($object->tab_next_situation_invoice) > 0) - print ''; + print '
'; if (count($object->tab_previous_situation_invoice) > 0) { // List of previous invoices From 333304934102fd3afec2ccf5e2d2ff6e400a7205 Mon Sep 17 00:00:00 2001 From: phf Date: Thu, 15 Jun 2017 11:11:49 +0200 Subject: [PATCH 02/18] Fix total aren't aligned --- htdocs/compta/facture.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index 9bb97d8ff0b..2d0208d0c2b 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -3524,7 +3524,7 @@ else if ($id > 0 || ! empty($ref)) } print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -3564,7 +3564,7 @@ else if ($id > 0 || ! empty($ref)) } print ''; - print ''; + print ''; print ''; print ''; print ''; From 285b5563d66cb0cde3f20ad86e23641a0f4bf4dd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 17 Jun 2017 18:23:26 +0200 Subject: [PATCH 03/18] Update changelog --- ChangeLog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/ChangeLog b/ChangeLog index 78793b9d419..c43fd92f676 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,22 @@ English Dolibarr ChangeLog -------------------------------------------------------------- +***** ChangeLog for 5.0.4 compared to 5.0.3 ***** +FIX: #6880 +FIX: #6925 +FIX: #6926 +FIX: Can set supplier invoice to billed. +FIX: Can't create invoice if PO disapproved +FIX: contratligne update +FIX: CVE-2017-7886 +FIX: default param +FIX: Line of invoices not inserted when using POS module and VAT NPR. +FIX: origin & originid on supplierproposal +FIX: Redirect to payment page from member subscription page failed if a unique security key was defined. +FIX: REST api to get project when user has permission to read all. +FIX: situation_progress param default value must be 100 and not 0 +FIX: SQL injection on user/index.php parameter search_statut. +FIX: Warnings ***** ChangeLog for 5.0.3 compared to 5.0.2 ***** FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty From 787d6946b220453e6337d56e1b6859ac266dcee9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 12:30:18 +0200 Subject: [PATCH 04/18] Continue work started on module builder --- htdocs/langs/en_US/modulebuilder.lang | 14 +- htdocs/modulebuilder/index.php | 361 ++++++++++++------ .../modulebuilder/template/class/MyObject.txt | 3 +- .../template/class/myobject.class.php | 62 ++- .../modulebuilder/template/modulebuilder.txt | 5 +- 5 files changed, 294 insertions(+), 151 deletions(-) diff --git a/htdocs/langs/en_US/modulebuilder.lang b/htdocs/langs/en_US/modulebuilder.lang index 8d9a31cfdf7..fe636fd4f2d 100644 --- a/htdocs/langs/en_US/modulebuilder.lang +++ b/htdocs/langs/en_US/modulebuilder.lang @@ -1,24 +1,25 @@ # Dolibarr language file - Source file is en_US - loan -ModuleBuilderDesc=This tools give you utilites to build or edit your own module. +ModuleBuilderDesc=This tools give you utilites to build or edit your own module (More information here). EnterNameOfModuleDesc=Enter name of the module/application to create with no spaces. Use uppercase to separate words (For example: MyModule, EcommerceForShop, SyncWithMySystem...) EnterNameOfObjectDesc=Enter name of the object to create with no spaces. Use uppercase to separate words (For example: MyObject, Student, Teacher...) ModuleBuilderDesc2=Path were modules are generated/edited (first alternative directory defined into %s): %s ModuleBuilderDesc3=Generated/editable modules found: %s (they are detected as editable when the file %s exists in root of module directory). NewModule=New module NewObject=New object -ModuleKey=Key for new module -ObjectKey=Key for new object +ModuleKey=Module key +ObjectKey=Object key ModuleInitialized=Module initialized FilesForObjectInitialized=Files for new object initialized ModuleBuilderDescdescription=Enter here all general information that describe your module -ModuleBuilderDescobjects=Define here the new objects you want to manage with your module. A page to list them and a page to create/edit/view a card will be generated. +ModuleBuilderDescobjects=Define here the objects you want to manage with your module. A sql file, a page to list them, to create/edit/view a card and an API will be generated. ModuleBuilderDescmenus=This tab is dedicated to define menu entries provided by your module. ModuleBuilderDescpermissions=This tab is dedicated to define the new permissions you want to provide with your module. ModuleBuilderDesctriggers=This is the view of triggers provided by your module. To include code executed when a triggered business event is launched, just edit this file with your IDE. ModuleBuilderDeschooks=This tab is dedicated to hooks. ModuleBuilderDescwidgets=This tab is dedicated to manage/build widgets. ModuleBuilderDescbuildpackage=You can generate here a "ready to distribute" package file (a normalized .zip file) of your module. Just click on button to build the module package file. -ModuleBuilderDescdangerzone=You can delete your module. WARNING: All files of module will be definetly lost ! +EnterNameOfModuleToDeleteDesc=You can delete your module. WARNING: All files of module will be definitly lost ! +EnterNameOfObjectToDeleteDesc=You can delete an object. WARNING: All files related to object will be definitly lost ! DangerZone=Danger zone BuildPackage=Build package ModuleIsNotActive=This module was not activated yet (go into Home-Setup-Module to make it live) @@ -31,4 +32,5 @@ ClassFile=File for PHP class ApiClassFile=File for PHP API class PageForList=PHP page for list of record PageForCreateEditView=PHP page to create/edit/view a record -PathToModulePackage=Path to zip of module/application package \ No newline at end of file +PathToModulePackage=Path to zip of module/application package +SpaceOrSpecialCharAreNotAllowed=Spaces or special characters are not allowed. \ No newline at end of file diff --git a/htdocs/modulebuilder/index.php b/htdocs/modulebuilder/index.php index d9ae491b654..7aa3440b8a8 100644 --- a/htdocs/modulebuilder/index.php +++ b/htdocs/modulebuilder/index.php @@ -58,41 +58,50 @@ $FILEFLAG='modulebuilder.txt'; if ($dirins && $action == 'initmodule' && $modulename) { - $srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template'; - $destdir = $dirins.'/'.strtolower($modulename); - - $arrayreplacement=array( - 'mymodule'=>strtolower($modulename), - 'MyModule'=>$modulename - ); - - $result = dolCopyDir($srcdir, $destdir, 0, 0, $arrayreplacement); - //dol_mkdir($destfile); - if ($result <= 0) + if (preg_match('/\s/', $modulename)) { - if ($result < 0) - { - $error++; - $langs->load("errors"); - setEventMessages($langs->trans("ErrorFailToCopyDir", $srcdir, $destdir), null, 'errors'); - } - else // $result == 0 - { - setEventMessages($langs->trans("AllFilesDidAlreadyExist", $srcdir, $destdir), null, 'warnings'); - } + $error++; + setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors'); } - // Delete some files - dol_delete_file($destdir.'/myobject_card.php'); - dol_delete_file($destdir.'/myobject_list.php'); - dol_delete_file($destdir.'/test/phpunit/MyObjectTest.php'); - dol_delete_file($destdir.'/sql/llx_myobject.key.sql'); - dol_delete_file($destdir.'/sql/llx_myobject.sql'); - dol_delete_file($destdir.'/scripts/myobject.php'); - dol_delete_file($destdir.'/img/object_myobject.png'); - dol_delete_file($destdir.'/class/myobject.class.php'); - dol_delete_file($destdir.'/class/api_myobject.class.php'); - dol_delete_file($destdir.'/class/MyObject.txt'); + if (! $error) + { + $srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template'; + $destdir = $dirins.'/'.strtolower($modulename); + + $arrayreplacement=array( + 'mymodule'=>strtolower($modulename), + 'MyModule'=>$modulename + ); + + $result = dolCopyDir($srcdir, $destdir, 0, 0, $arrayreplacement); + //dol_mkdir($destfile); + if ($result <= 0) + { + if ($result < 0) + { + $error++; + $langs->load("errors"); + setEventMessages($langs->trans("ErrorFailToCopyDir", $srcdir, $destdir), null, 'errors'); + } + else // $result == 0 + { + setEventMessages($langs->trans("AllFilesDidAlreadyExist", $srcdir, $destdir), null, 'warnings'); + } + } + + // Delete some files + dol_delete_file($destdir.'/myobject_card.php'); + dol_delete_file($destdir.'/myobject_list.php'); + dol_delete_file($destdir.'/test/phpunit/MyObjectTest.php'); + dol_delete_file($destdir.'/sql/llx_myobject.key.sql'); + dol_delete_file($destdir.'/sql/llx_myobject.sql'); + dol_delete_file($destdir.'/scripts/myobject.php'); + dol_delete_file($destdir.'/img/object_myobject.png'); + dol_delete_file($destdir.'/class/myobject.class.php'); + dol_delete_file($destdir.'/class/api_myobject.class.php'); + dol_delete_file($destdir.'/class/MyObject.txt'); + } // Edit PHP files if (! $error) @@ -129,74 +138,86 @@ if ($dirins && $action == 'initmodule' && $modulename) if ($dirins && $action == 'initobject' && $module && $objectname) { - $srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template'; - $destdir = $dirins.'/'.strtolower($module); - - $arrayreplacement=array( - 'mymodule'=>strtolower($module), - 'MyModule'=>$module, - 'myobject'=>strtolower($objectname), - 'MyObject'=>$objectname - ); - - - // Delete some files - $filetogenerate = array( - 'myobject_card.php'=>strtolower($objectname).'_card.php', - 'myobject_list.php'=>strtolower($objectname).'_list.php', - 'test/phpunit/MyObjectTest.php'=>'test/phpunit/'.$objectname.'Test.php', - 'sql/llx_myobject.key.sql'=>'sql/llx_'.strtolower($objectname).'.key.sql', - 'sql/llx_myobject.sql'=>'sql/llx_'.strtolower($objectname).'.sql', - 'scripts/myobject.php'=>'scripts/'.strtolower($objectname).'.php', - 'img/object_myobject.png'=>'img/object_'.strtolower($objectname).'.png', - 'class/myobject.class.php'=>'class/'.strtolower($objectname).'.class.php', - 'class/api_myobject.class.php'=>'class/api_'.strtolower($objectname).'.class.php', - 'class/MyObject.txt'=>'class/'.$objectname.'.txt' - ); - - foreach($filetogenerate as $srcfile => $destfile) + if (preg_match('/\s/', $objectname)) { - $result = dol_copy($srcdir.'/'.$srcfile, $destdir.'/'.$destfile); - if ($result <= 0) - { - if ($result < 0) - { - $error++; - $langs->load("errors"); - setEventMessages($langs->trans("ErrorFailToCopyFile", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'errors'); - } - else // $result == 0 - { - setEventMessages($langs->trans("FileAlreadyExists", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'warnings'); - } - } - else - { - // Copy is ok - } + $error++; + setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors'); } - // Edit PHP files - foreach($filetogenerate as $destfile) + if (! $error) { - $phpfileval['fullname'] = $destdir.'/'.$destfile; + $srcdir = DOL_DOCUMENT_ROOT.'/modulebuilder/template'; + $destdir = $dirins.'/'.strtolower($module); - //var_dump($phpfileval['fullname']); $arrayreplacement=array( - 'mymodule'=>strtolower($modulename), - 'MyModule'=>$modulename, - 'MYMODULE'=>strtoupper($modulename), - 'My module'=>$modulename, - 'htdocs/modulebuilder/template/'=>'', + 'mymodule'=>strtolower($module), + 'MyModule'=>$module, 'myobject'=>strtolower($objectname), 'MyObject'=>$objectname ); - $result=dolReplaceInFile($phpfileval['fullname'], $arrayreplacement); - //var_dump($result); - if ($result < 0) + + // Delete some files + $filetogenerate = array( + 'myobject_card.php'=>strtolower($objectname).'_card.php', + 'myobject_list.php'=>strtolower($objectname).'_list.php', + 'test/phpunit/MyObjectTest.php'=>'test/phpunit/'.$objectname.'Test.php', + 'sql/llx_myobject.key.sql'=>'sql/llx_'.strtolower($objectname).'.key.sql', + 'sql/llx_myobject.sql'=>'sql/llx_'.strtolower($objectname).'.sql', + 'scripts/myobject.php'=>'scripts/'.strtolower($objectname).'.php', + 'img/object_myobject.png'=>'img/object_'.strtolower($objectname).'.png', + 'class/myobject.class.php'=>'class/'.strtolower($objectname).'.class.php', + 'class/api_myobject.class.php'=>'class/api_'.strtolower($objectname).'.class.php', + 'class/MyObject.txt'=>'class/'.$objectname.'.txt' + ); + + foreach($filetogenerate as $srcfile => $destfile) { - setEventMessages($langs->trans("ErrorFailToMakeReplacementInto", $phpfileval['fullname']), null, 'errors'); + $result = dol_copy($srcdir.'/'.$srcfile, $destdir.'/'.$destfile); + if ($result <= 0) + { + if ($result < 0) + { + $error++; + $langs->load("errors"); + setEventMessages($langs->trans("ErrorFailToCopyFile", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'errors'); + } + else // $result == 0 + { + setEventMessages($langs->trans("FileAlreadyExists", $srcdir.'/'.$srcfile, $destdir.'/'.$destfile), null, 'warnings'); + } + } + else + { + // Copy is ok + } + } + } + + if (! $error) + { + // Edit PHP files + foreach($filetogenerate as $destfile) + { + $phpfileval['fullname'] = $destdir.'/'.$destfile; + + //var_dump($phpfileval['fullname']); + $arrayreplacement=array( + 'mymodule'=>strtolower($modulename), + 'MyModule'=>$modulename, + 'MYMODULE'=>strtoupper($modulename), + 'My module'=>$modulename, + 'htdocs/modulebuilder/template/'=>'', + 'myobject'=>strtolower($objectname), + 'MyObject'=>$objectname + ); + + $result=dolReplaceInFile($phpfileval['fullname'], $arrayreplacement); + //var_dump($result); + if ($result < 0) + { + setEventMessages($langs->trans("ErrorFailToMakeReplacementInto", $phpfileval['fullname']), null, 'errors'); + } } } @@ -206,18 +227,90 @@ if ($dirins && $action == 'initobject' && $module && $objectname) } } - if ($dirins && $action == 'confirm_delete') { - $modulelowercase=strtolower($module); + if (preg_match('/\s/', $module)) + { + $error++; + setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors'); + } - // Dir for module - $dir = $dirins.'/'.$modulelowercase; + if (! $error) + { + $modulelowercase=strtolower($module); - dol_delete_dir_recursive($dir); + // Dir for module + $dir = $dirins.'/'.$modulelowercase; - header("Location: ".DOL_URL_ROOT.'/modulebuilder/index.php?module=initmodule'); - exit; + $result = dol_delete_dir_recursive($dir); + + if ($result > 0) + { + setEventMessages($langs->trans("DirDeleted"), null); + } + else + { + setEventMessages($langs->trans("NothingDeleted"), null, 'warnings'); + } + } + + //header("Location: ".DOL_URL_ROOT.'/modulebuilder/index.php?module=initmodule'); + //exit; + $action = ''; + $module = 'deletemodule'; +} + +if ($dirins && $action == 'confirm_deleteobject' && $objectname) +{ + if (preg_match('/\s/', $objectname)) + { + $error++; + setEventMessages($langs->trans("SpaceOrSpecialCharAreNotAllowed"), null, 'errors'); + } + + if (! $error) + { + $modulelowercase=strtolower($module); + $objectlowercase=strtolower($objectname); + + // Dir for module + $dir = $dirins.'/'.$modulelowercase; + + // Delete some files + $filetogenerate = array( + 'myobject_card.php'=>strtolower($objectname).'_card.php', + 'myobject_list.php'=>strtolower($objectname).'_list.php', + 'test/phpunit/MyObjectTest.php'=>'test/phpunit/'.$objectname.'Test.php', + 'sql/llx_myobject.key.sql'=>'sql/llx_'.strtolower($objectname).'.key.sql', + 'sql/llx_myobject.sql'=>'sql/llx_'.strtolower($objectname).'.sql', + 'scripts/myobject.php'=>'scripts/'.strtolower($objectname).'.php', + 'img/object_myobject.png'=>'img/object_'.strtolower($objectname).'.png', + 'class/myobject.class.php'=>'class/'.strtolower($objectname).'.class.php', + 'class/api_myobject.class.php'=>'class/api_'.strtolower($objectname).'.class.php', + 'class/MyObject.txt'=>'class/'.$objectname.'.txt' + ); + + $resultko = 0; + foreach($filetogenerate as $filetodelete) + { + $resulttmp = dol_delete_file($dir.'/'.$filetodelete, 0, 0, 1); + if (! $resulttmp) $resultko++; + } + + if ($resultko == 0) + { + setEventMessages($langs->trans("FilesDeleted"), null); + } + else + { + setEventMessages($langs->trans("ErrorSomeFilesCouldNotBeDeleted"), null, 'warnings'); + } + } + + //header("Location: ".DOL_URL_ROOT.'/modulebuilder/index.php?module=initmodule'); + //exit; + $action = ''; + $tabobj = 'deleteobject'; } if ($dirins && $action == 'generatepackage') @@ -341,7 +434,7 @@ if (!empty($conf->modulebuilder->enabled) && $mainmenu == 'modulebuilder') // En // Show description of content $newdircustom=$dirins; if (empty($newdircustom)) $newdircustom=img_warning(); -print $langs->trans("ModuleBuilderDesc").'
'; +print $langs->trans("ModuleBuilderDesc", 'https://wiki.dolibarr.org/index.php/Module_development#Create_your_module').'
'; print $langs->trans("ModuleBuilderDesc2", 'conf/conf.php', $newdircustom).'
'; $message=''; @@ -381,7 +474,7 @@ print $langs->trans("ModuleBuilderDesc3", count($listofmodules), $FILEFLAG).'
$tmpmodulewithcase) $h++; } +$head[$h][0] = $_SERVER["PHP_SELF"].'?module=deletemodule'; +$head[$h][1] = $langs->trans("DangerZone"); +$head[$h][2] = 'deletemodule'; +$h++; dol_fiche_head($head, $module, $langs->trans("Modules"), -1, 'generic'); @@ -446,6 +543,19 @@ if ($module == 'initmodule') print ''; print ''; } +elseif ($module == 'deletemodule') +{ + print '
'; + print ''; + print ''; + print ''; + + print $langs->trans("EnterNameOfModuleToDeleteDesc").'

'; + + print ''; + print ''; + print ''; +} elseif (! empty($module)) { // Tabs for module @@ -502,11 +612,6 @@ elseif (! empty($module)) $head2[$h][2] = 'buildpackage'; $h++; - $head2[$h][0] = $_SERVER["PHP_SELF"].'?tab=dangerzone&module='.$module; - $head2[$h][1] = $langs->trans("DangerZone"); - $head2[$h][2] = 'dangerzone'; - $h++; - print $modulestatusinfo.'

'; dol_fiche_head($head2, $tab, '', -1, ''); @@ -532,6 +637,7 @@ elseif (! empty($module)) print ''; @@ -608,6 +714,12 @@ elseif (! empty($module)) $h++; } + $head3[$h][0] = $_SERVER["PHP_SELF"].'?tab=objects&module='.$module.'&tabobj=deleteobject'; + $head3[$h][1] = $langs->trans("DangerZone"); + $head3[$h][2] = 'deleteobject'; + $h++; + + dol_fiche_head($head3, $tabobj, '', -1, ''); if ($tabobj == 'newobject') @@ -625,6 +737,21 @@ elseif (! empty($module)) print ''; print ''; } + elseif ($tabobj == 'deleteobject') + { + // New module + print ''; + print ''; + print ''; + print ''; + print ''; + + print $langs->trans("EnterNameOfObjectToDeleteDesc").'

'; + + print ''; + print ''; + print ''; + } else { try { @@ -641,8 +768,9 @@ elseif (! empty($module)) $tmpobjet = new $tabobj($db); $reflector = new ReflectionClass($tabobj); - $properties = $reflector->getProperties(); - $propdefault = $reflector->getDefaultProperties(); + $properties = $reflector->getProperties(); // Can also use get_object_vars + $propdefault = $reflector->getDefaultProperties(); // Can also use get_object_vars + //$propstat = $reflector->getStaticProperties(); print load_fiche_titre($langs->trans("Properties"), '', ''); @@ -655,8 +783,10 @@ elseif (! empty($module)) print '
' . price($total_prev_ht) . '' . price($total_prev_ttc) . ' 
' . price($total_next_ht) . '' . price($total_next_ttc) . ' 
'; print $langs->trans("Numero"); + print ' ('.$langs->trans("SeeHere").')'; print ''; print $moduleobj->numero; print '
'; print ''; - print ''; - print ''; + print ''; + print ''; print ''; print ''; print ''; @@ -676,7 +806,7 @@ elseif (! empty($module)) $propname=$propval->getName(); // Discard generic properties - if (in_array($propname, array('element', 'table_element', 'table_element_line', 'class_element_line', 'ismultientitymanaged'))) continue; + if (in_array($propname, array('element', 'childtables', 'table_element', 'table_element_line', 'class_element_line', 'isnolinkedbythird', 'ismultientitymanaged'))) continue; // Keep or not lines if (in_array($propname, array('fk_element', 'lines'))) continue; @@ -686,11 +816,10 @@ elseif (! empty($module)) print $propname; print ''; print ''; - print ''; print ' diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php index b641627b789..c05916d55a7 100644 --- a/htdocs/core/tpl/passwordforgotten.tpl.php +++ b/htdocs/core/tpl/passwordforgotten.tpl.php @@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1; // If we force to use jmobile, then we reenable javascript if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1; +$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']); +$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''; + print top_htmlhead('',$langs->trans('SendNewPassword')); ?> @@ -94,7 +97,7 @@ if (! empty($hookmanager->resArray['options'])) { } ?> -resArray['options'])) {
-
class="button" name="password" value="trans('SendNewPassword'); ?>" tabindex="4" /> +
class="button" name="password" value="trans('SendNewPassword'); ?>" tabindex="4" />
diff --git a/htdocs/ecm/ajax/ecmdatabase.php b/htdocs/ecm/ajax/ecmdatabase.php index ac3a45d5683..6753a4299b0 100644 --- a/htdocs/ecm/ajax/ecmdatabase.php +++ b/htdocs/ecm/ajax/ecmdatabase.php @@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (isset($action) && ! empty($action)) diff --git a/htdocs/expensereport/ajax/ajaxprojet.php b/htdocs/expensereport/ajax/ajaxprojet.php index 6b9dd7e062f..423677c5da5 100644 --- a/htdocs/expensereport/ajax/ajaxprojet.php +++ b/htdocs/expensereport/ajax/ajaxprojet.php @@ -46,7 +46,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog(join(',',$_GET)); diff --git a/htdocs/externalsite/frames.php b/htdocs/externalsite/frames.php index adf9d547073..6005b8e55b6 100644 --- a/htdocs/externalsite/frames.php +++ b/htdocs/externalsite/frames.php @@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL)) llxFooter(); } -$mainmenu=GETPOST('mainmenu', 'alpha'); -$leftmenu=GETPOST('leftmenu', 'alpha'); +$mainmenu=GETPOST('mainmenu', "aZ09"); +$leftmenu=GETPOST('leftmenu', "aZ09"); $idmenu=GETPOST('idmenu', 'int'); $theme=GETPOST('theme', 'alpha'); $codelang=GETPOST('lang', 'aZ09'); diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php index af3d728dc78..9a8c24c4eba 100644 --- a/htdocs/fourn/ajax/getSupplierPrices.php +++ b/htdocs/fourn/ajax/getSupplierPrices.php @@ -46,7 +46,7 @@ $langs->load('margins'); top_httphead(); -//print ''."\n"; +//print ''."\n"; if ($idprod > 0) { @@ -55,7 +55,7 @@ if ($idprod > 0) $sorttouse = 's.nom, pfp.quantity, pfp.price'; if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price'; - + $productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list. if ( is_array($productSupplierArray)) { @@ -63,15 +63,15 @@ if ($idprod > 0) { $price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100); $unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100); - + $title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - '; - + if ($productSupplier->fourn_qty == 1) { $title.= price($price,0,$langs,0,0,-1,$conf->currency)."/"; } $title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units")); - + if ($productSupplier->fourn_qty > 1) { $title.=" - "; @@ -84,19 +84,19 @@ if ($idprod > 0) $title.= price($productSupplier->fourn_unitcharges,0,$langs,0,0,-1,$conf->currency); $price += $productSupplier->fourn_unitcharges; } - + $label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit"); if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')'; - + $prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price() } } - + // Add price for costprice $price=$producttmp->cost_price; $prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price() - if(!empty($conf->stock->enabled)) + if(!empty($conf->stock->enabled)) { // Add price for pmp $price=$producttmp->pmp; diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 1ab8fbd785f..9523d489256 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -66,7 +66,7 @@ $year_end = GETPOST('year_end'); $search_employe = GETPOST('search_employe'); $search_valideur = GETPOST('search_valideur'); $search_statut = GETPOST('select_statut'); -$type = GETPOST('type','int'); +$type = GETPOST('type','int'); // List of fields to search into when doing a "search in all" $fieldstosearchall = array( @@ -82,7 +82,7 @@ $fieldstosearchall = array( * Actions */ -if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // Both test are required to be compatible with all browsers +if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // All tests are required to be compatible with all browsers { $search_ref=""; $month_create=""; @@ -168,7 +168,7 @@ if($year_create > 0) { } } else { if($month_create > 0) { - $filter.= " AND date_format(cp.date_create, '%m') = '$month_create'"; + $filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'"; } } @@ -313,7 +313,7 @@ print ''; // DATE CREATE print '
'; @@ -409,7 +409,7 @@ if (! empty($holiday->holiday)) $userstatic->login=$infos_CP['user_login']; $userstatic->statut=$infos_CP['user_statut']; $userstatic->photo=$infos_CP['user_photo']; - + // Valideur $approbatorstatic->id=$infos_CP['fk_validator']; $approbatorstatic->lastname=$infos_CP['validator_lastname']; @@ -417,7 +417,7 @@ if (! empty($holiday->holiday)) $approbatorstatic->login=$infos_CP['validator_login']; $approbatorstatic->statut=$infos_CP['validator_statut']; $approbatorstatic->photo=$infos_CP['validator_photo']; - + $date = $infos_CP['date_create']; print ''; diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 7e52b454f97..2806f2d06a0 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type) $sql_inj += preg_match('/
'.$langs->trans("Property").''.$langs->trans("Description").''.$langs->trans("Property"); + print ' ('.$langs->trans("Example").')'; + print ''.$langs->trans("Comment").''.$langs->trans("Type").''.$langs->trans("DefaultValue").''; - + print $propval->getDocComment(); print ''; - + print gettype($tmpobjet->$propname); print ''; @@ -836,16 +965,6 @@ elseif (! empty($module)) print ''; } - if ($tab == 'dangerzone') - { - print '
'; - print ''; - print ''; - print ''; - print ''; - print '
'; - } - dol_fiche_end(); } } diff --git a/htdocs/modulebuilder/template/class/MyObject.txt b/htdocs/modulebuilder/template/class/MyObject.txt index 37ccaca81ed..e86e7cdf5c6 100644 --- a/htdocs/modulebuilder/template/class/MyObject.txt +++ b/htdocs/modulebuilder/template/class/MyObject.txt @@ -1 +1,2 @@ -# If this file exists, it means the class and file for object MyOjbect was generated by ModuleBuilder. \ No newline at end of file +# DO NOT DELETE THIS FILE MANUALLY +# If this file exists, it means the class and file for object MyOjbect was generated by ModuleBuilder. Use ModuleBuilder if you want to delete object. \ No newline at end of file diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php index 4993f60f83c..c66110fddf6 100644 --- a/htdocs/modulebuilder/template/class/myobject.class.php +++ b/htdocs/modulebuilder/template/class/myobject.class.php @@ -36,43 +36,63 @@ require_once DOL_DOCUMENT_ROOT . '/core/class/commonobject.class.php'; class MyObject extends CommonObject { /** - * @var string Id to identify managed object + * @var string ID to identify managed object */ public $element = 'myobject'; /** * @var string Name of table without prefix where object is stored */ public $table_element = 'myobject'; - /** - * @var array Array with all fields and their property + + /** + * @var array Does this field is linked to a thirdparty ? + */ + protected $isnolinkedbythird=1; + /** + * @var array Does myobject support multicompany module ? 0=No test on entity, 1=Test with field entity, 2=Test with link by societe + */ + protected $ismultientitymanaged = 1; + + + /** + * @var string String with name of icon for myobject */ public $picto = 'myobject'; - /** - * @var array Array with all fields and their property + + /** + * @var int Entity Id + */ + public $entity; + + /** + * @var array Array with all fields and their property */ public $fields; + + + // If this object has a subtable with lines + /** - * @var mixed Sample property 1 + * @var int Name of subtable line */ - public $prop1; + //public $table_element_line = 'myobjectdet'; /** - * @var mixed Sample property 2 + * @var int Field with ID of parent key if this field has a parent */ - public $prop2; - - //... - - protected $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe - - public $table_element_line = 'myobjectdet'; - public $class_element_line = 'MyObjectline'; - public $fk_element = 'fk_myobject'; - - /** - * @var MyObjectLine[] Lines + //public $fk_element = 'fk_myobject'; + /** + * @var int Name of subtable class that manage subtable lines */ - public $lines = array(); + //public $class_element_line = 'MyObjectline'; + /** + * @var array Array of child tables (child tables to delete before deleting a record) + */ + //protected $childtables=array('myobjectdet'); + /** + * @var MyObjectLine[] Array of subtable lines + */ + //public $lines = array(); diff --git a/htdocs/modulebuilder/template/modulebuilder.txt b/htdocs/modulebuilder/template/modulebuilder.txt index 5cdb6c6e6e8..24ea0d6eac5 100644 --- a/htdocs/modulebuilder/template/modulebuilder.txt +++ b/htdocs/modulebuilder/template/modulebuilder.txt @@ -1,2 +1,3 @@ -File to flag module built using official module template. -When this file is present into a module directory, you can edit it with the module builder tool. \ No newline at end of file +# DO NOT DELETE THIS FILE MANUALLY +# File to flag module built using official module template. +# When this file is present into a module directory, you can edit it with the module builder tool. Use ModuleBuilder if you want to delete module. \ No newline at end of file From cde0da6e1286febe81523590c3cbb693187ee1af Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 12:48:58 +0200 Subject: [PATCH 05/18] Fix responsive --- htdocs/public/demo/index.php | 2 +- htdocs/public/opensurvey/studs.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/public/demo/index.php b/htdocs/public/demo/index.php index f9bb4db7ecf..60559eb7aed 100644 --- a/htdocs/public/demo/index.php +++ b/htdocs/public/demo/index.php @@ -291,7 +291,7 @@ print ''; print '
'; print '
'; print '
'.$langs->trans("DemoDesc").'

'; -print ''.$langs->trans("ChooseYourDemoProfil").''; +print '
'.$langs->trans("ChooseYourDemoProfil").'
'; print '
'; print '
'; diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php index 8e769452ec1..5f4c7a1fb03 100644 --- a/htdocs/public/opensurvey/studs.php +++ b/htdocs/public/opensurvey/studs.php @@ -113,14 +113,14 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // bout } $nom=substr(GETPOST("nom"),0,64); - + // Check if vote already exists $sql = 'SELECT id_users, nom as name'; $sql.= ' FROM '.MAIN_DB_PREFIX.'opensurvey_user_studs'; $sql.= " WHERE id_sondage='".$db->escape($numsondage)."' AND nom = '".$db->escape($nom)."' ORDER BY id_users"; $resql = $db->query($sql); if (! $resql) dol_print_error($db); - + $num_rows = $db->num_rows($resql); if ($num_rows > 0) { @@ -739,7 +739,7 @@ if ($comments) if ($object->allow_comments) { print '
' .$langs->trans("AddACommentForPoll") . "
\n"; - print '
'."\n"; + print '
'."\n"; print $langs->trans("Name") .': '; print '   '."\n"; print '
'."\n"; From abe736c6a6080589fe03d6f7026af0a5b1c7561a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 19:42:59 +0200 Subject: [PATCH 06/18] Escape hml tags --- htdocs/admin/tools/index.php | 2 +- htdocs/bookmarks/bookmarks.lib.php | 2 +- htdocs/core/ajax/ajaxdirpreview.php | 2 +- htdocs/core/ajax/bankconciliate.php | 2 +- htdocs/core/ajax/box.php | 2 +- htdocs/core/ajax/constantonoff.php | 2 +- htdocs/core/ajax/contacts.php | 8 ++++---- htdocs/core/ajax/extraparams.php | 18 +++++++++--------- htdocs/core/ajax/loadinplace.php | 2 +- htdocs/core/ajax/objectonoff.php | 2 +- htdocs/core/ajax/price.php | 2 +- htdocs/core/ajax/row.php | 6 +++--- htdocs/core/ajax/saveinplace.php | 2 +- htdocs/core/ajax/security.php | 6 +++--- htdocs/core/ajax/vatrates.php | 2 +- htdocs/core/ajax/ziptown.php | 2 +- htdocs/core/class/html.formother.class.php | 4 ++-- htdocs/core/lib/functions.lib.php | 7 ++----- htdocs/core/lib/security2.lib.php | 6 +----- htdocs/core/tpl/ajax/fileupload_main.tpl.php | 2 +- htdocs/core/tpl/login.tpl.php | 6 +++++- htdocs/core/tpl/passwordforgotten.tpl.php | 7 +++++-- htdocs/ecm/ajax/ecmdatabase.php | 2 +- htdocs/expensereport/ajax/ajaxprojet.php | 2 +- htdocs/externalsite/frames.php | 4 ++-- htdocs/fourn/ajax/getSupplierPrices.php | 18 +++++++++--------- htdocs/holiday/list.php | 12 ++++++------ htdocs/main.inc.php | 11 ++++++----- htdocs/product/ajax/products.php | 2 +- htdocs/product/stats/card.php | 2 +- htdocs/public/paybox/paymentko.php | 2 +- htdocs/public/paybox/paymentok.php | 2 +- htdocs/public/paypal/paymentko.php | 6 +++--- htdocs/public/paypal/paymentok.php | 2 +- htdocs/societe/ajax/company.php | 4 ++-- htdocs/societe/ajaxcompanies.php | 2 +- htdocs/societe/ajaxcountries.php | 2 +- htdocs/user/passwordforgotten.php | 3 --- 38 files changed, 84 insertions(+), 86 deletions(-) diff --git a/htdocs/admin/tools/index.php b/htdocs/admin/tools/index.php index 8da041d05da..b8dfad44e8f 100644 --- a/htdocs/admin/tools/index.php +++ b/htdocs/admin/tools/index.php @@ -38,7 +38,7 @@ if (! $user->admin) $form = new Form($db); $title=$langs->trans("SystemToolsArea"); -if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools"); +if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools"); llxHeader('', $title); diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php index 3cee534e797..e6d3125abed 100644 --- a/htdocs/bookmarks/bookmarks.lib.php +++ b/htdocs/bookmarks/bookmarks.lib.php @@ -40,7 +40,7 @@ function printBookmarksList($aDb, $aLangs) $langs->load("bookmarks"); - $url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:''); + $url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''); $ret = ''; // Menu bookmark diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php index 28f78e22ef4..bbc7647c802 100644 --- a/htdocs/core/ajax/ajaxdirpreview.php +++ b/htdocs/core/ajax/ajaxdirpreview.php @@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir)) } print ''."\n"; -print ''."\n"; +//print ''."\n"; $param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:''); diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php index 3a8a3e30687..76ab3045f93 100644 --- a/htdocs/core/ajax/bankconciliate.php +++ b/htdocs/core/ajax/bankconciliate.php @@ -45,7 +45,7 @@ $action=GETPOST('action'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext') { diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php index 63f96a0c513..106822f998b 100644 --- a/htdocs/core/ajax/box.php +++ b/htdocs/core/ajax/box.php @@ -50,7 +50,7 @@ $userid=GETPOST('userid','int'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +print ''."\n"; // Add a box if ($boxid > 0 && $zone !='' && $userid > 0) diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 331a5e87513..f79753260d7 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -45,7 +45,7 @@ $name=GETPOST('name','alpha'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (! empty($action) && ! empty($name)) diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php index c3788a8baeb..1c7c7a56e4b 100644 --- a/htdocs/core/ajax/contacts.php +++ b/htdocs/core/ajax/contacts.php @@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) { $form = new Form($db); - + $return=array(); if (empty($showempty)) $showempty=0; - + $return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true); $return['num'] = $form->num; $return['error'] = $form->error; - + echo json_encode($return); } diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php index 510ef8a1cf8..f8a636e52a5 100644 --- a/htdocs/core/ajax/extraparams.php +++ b/htdocs/core/ajax/extraparams.php @@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha'); top_httphead(); -print ''."\n"; +print ''."\n"; if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) { $value = GETPOST('value','alpha'); $params=array(); - + dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG); - + $classpath = $subelement = $element; - + // For compatibility if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; } else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; } @@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; } else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; } else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; } - + dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php'); - + if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; } else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; } else $classname = ucfirst($subelement); - + $object = new $classname($db); $object->fetch($id); - + $params[$htmlelement] = array($type => $value); $object->extraparams = array_merge($object->extraparams, $params); - + $result=$object->setExtraParameters(); } diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php index de3a4e57d19..7e9e541c768 100644 --- a/htdocs/core/ajax/loadinplace.php +++ b/htdocs/core/ajax/loadinplace.php @@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element)) diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php index 6ac5abd3bbb..37173ed9943 100644 --- a/htdocs/core/ajax/objectonoff.php +++ b/htdocs/core/ajax/objectonoff.php @@ -42,7 +42,7 @@ $object = new GenericObject($db); top_httphead(); -print ''."\n"; +print ''."\n"; // Registering new values if (($action == 'set') && ! empty($id)) diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php index 5c891df14d5..d4a101fb497 100644 --- a/htdocs/core/ajax/price.php +++ b/htdocs/core/ajax/price.php @@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha')); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($output) && isset($amount) && isset($tva_tx)) diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php index 41d411f01fd..827ee92d525 100644 --- a/htdocs/core/ajax/row.php +++ b/htdocs/core/ajax/row.php @@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/row.php - * \brief File to return Ajax response on Row move. - * This ajax page is called when doing an up or down drag and drop. + * \brief File to return Ajax response on Row move. + * This ajax page is called when doing an up or down drag and drop. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; top_httphead(); -print ''."\n"; +print ''."\n"; // Registering the location of boxes if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line'])) diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php index 48797dd0432..eb04379a778 100644 --- a/htdocs/core/ajax/saveinplace.php +++ b/htdocs/core/ajax/saveinplace.php @@ -54,7 +54,7 @@ savemethodname: top_httphead(); -//print ''."\n"; +//print ''."\n"; //print_r($_POST); // Load original field value diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 28a53a87679..cc7335618d0 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php @@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/security.php - * \brief This ajax component is used to generated has keys for security purposes - * like key to use into URL to protect them. + * \brief This ajax component is used to generated has keys for security purposes + * like key to use into URL to protect them. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal @@ -38,7 +38,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (isset($_GET['action']) && ! empty($_GET['action'])) diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php index fc30a13afec..ac9691bfa25 100644 --- a/htdocs/core/ajax/vatrates.php +++ b/htdocs/core/ajax/vatrates.php @@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php index 30e0211ece1..9fa475039d9 100644 --- a/htdocs/core/ajax/ziptown.php +++ b/htdocs/core/ajax/ziptown.php @@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)); //var_dump($_GET); diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 98720d335b9..1771b6f7a4c 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1062,7 +1062,7 @@ class FormOther async: false }); // We force reload to be sure to get all boxes into list - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\'; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\'; } else { @@ -1084,7 +1084,7 @@ class FormOther url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\', async: false }); - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid; } });'; if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();'; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 97ce3c4f698..f9f9c8557ee 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -289,9 +289,6 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL) case 'intcomma': if (preg_match('/[^0-9,]+/i',$out)) $out=''; break; - case 'intcomma': - if (preg_match('/[^0-9,]+/i',$out)) $out=''; - break; case 'alpha': $out=trim($out); // '"' is dangerous because param in url can close the href= or src= and add javascript functions. @@ -2931,8 +2928,8 @@ function dol_print_error($db='',$error='',$errors=null) $out.="".$langs->trans("Referer").": ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."
\n"; $out.="".$langs->trans("MenuManager").": ".(isset($conf->standard_menu)?$conf->standard_menu:'')."
\n"; $out.="
\n"; - $syslog.="url=".$_SERVER["REQUEST_URI"]; - $syslog.=", query_string=".$_SERVER["QUERY_STRING"]; + $syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]); + $syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]); } else // Mode CLI { diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index fc05e2c9194..8c16ae8309a 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc) $dol_url_root = DOL_URL_ROOT; - $php_self = $_SERVER['PHP_SELF']; - $php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:''; - if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home'; - // Title $appli=constant('DOL_APPLICATION_TITLE'); $title=$appli.' '.DOL_VERSION; @@ -422,7 +418,7 @@ function encodedecode_dbpassconf($level=0) fflush($fp); fclose($fp); clearstatcache(); - + // It's config file, so we set read permission for creator only. // Should set permission to web user and groups for users used by batch //@chmod($file, octdec('0600')); diff --git a/htdocs/core/tpl/ajax/fileupload_main.tpl.php b/htdocs/core/tpl/ajax/fileupload_main.tpl.php index b7437af4616..034e9ebc3fc 100644 --- a/htdocs/core/tpl/ajax/fileupload_main.tpl.php +++ b/htdocs/core/tpl/ajax/fileupload_main.tpl.php @@ -45,7 +45,7 @@ $(function () { // Events $('#fileupload').fileupload({ stop: function (e, data) { - location.href=''; + location.href=''; }, destroy: function (e, data) { var that = $(this).data('fileupload'); diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php index 3772b44c9fc..608e508d717 100644 --- a/htdocs/core/tpl/login.tpl.php +++ b/htdocs/core/tpl/login.tpl.php @@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1; // If we force to use jmobile, then we reenable javascript if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1; +$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']); +$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):''; +if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home'; + // Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second $arrayofjs=array( '/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)), @@ -80,7 +84,7 @@ $(document).ready(function () {
'; -echo dol_escape_htmltag($title); +echo dol_escape_htmltag($title); if ($disablenofollow) echo ''; ?>
'; -print ''; +print ''; $formother->select_year($year_create,'year_create',1, $min_year, 0); print '