From 57bb6506a3e3303cd9a325c572ed37930755e5da Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 5 Nov 2020 14:33:41 +0100 Subject: [PATCH] Fix POST moved into GETPOST --- htdocs/projet/tasks.php | 1 + htdocs/projet/tasks/task.php | 16 ++++++++-------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index 4d3cab8f16a..e67a0f1583d 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -649,6 +649,7 @@ if ($action == 'create' && $user->rights->projet->creer && (empty($object->third // We need all tasks (even not limited to a user because a task to user can have a parent that is not affected to him). $filteronthirdpartyid = $socid; $tasksarray = $taskstatic->getTasksArray(0, 0, $object->id, $filteronthirdpartyid, 0, '', -1, $morewherefilter, 0, 0, $extrafields, 1, $search_array_options); + // We load also tasks limited to a particular user $tmpuser = new User($db); if ($search_user_id > 0) $tmpuser->fetch($search_user_id); diff --git a/htdocs/projet/tasks/task.php b/htdocs/projet/tasks/task.php index b2c382cdcac..f965b2317bd 100644 --- a/htdocs/projet/tasks/task.php +++ b/htdocs/projet/tasks/task.php 
@@ -93,13 +93,13 @@ if ($action == 'update' && !$_POST["cancel"] && $user->rights->projet->creer) if (empty($task_parent)) $task_parent = 0; // If task_parent is '' $object->ref = $taskref ? $taskref : GETPOST("ref", 'alpha', 2); - $object->label = $_POST["label"]; - $object->description = $_POST['description']; + $object->label = GETPOST("label", "alphanohtml"); + $object->description = GETPOST('description', "alphanohtml"); $object->fk_task_parent = $task_parent; $object->planned_workload = $planned_workload; - $object->date_start = dol_mktime($_POST['dateohour'], $_POST['dateomin'], 0, $_POST['dateomonth'], $_POST['dateoday'], $_POST['dateoyear']); - $object->date_end = dol_mktime($_POST['dateehour'], $_POST['dateemin'], 0, $_POST['dateemonth'], $_POST['dateeday'], $_POST['dateeyear']); - $object->progress = $_POST['progress']; + $object->date_start = dol_mktime(GETPOST('dateohour', 'int'), GETPOST('dateomin', 'int'), 0, GETPOST('dateomonth', 'int'), GETPOST('dateoday', 'int'), GETPOST('dateoyear', 'int')); + $object->date_end = dol_mktime(GETPOST('dateehour', 'int'), GETPOST('dateemin', 'int'), 0, GETPOST('dateemonth', 'int'), GETPOST('dateeday', 'int'), GETPOST('dateeyear', 'int')); + $object->progress = price2num(GETPOST('progress', 'alphanohtml')); // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost(null, $object); @@ -182,7 +182,7 @@ if ($action == 'remove_file' && $user->rights->projet->creer) { $langs->load("other"); $upload_dir = $conf->projet->dir_output; - $file = $upload_dir.'/'.GETPOST('file'); + $file = $upload_dir.'/'.dol_sanitizeFileName(GETPOST('file')); $ret = dol_delete_file($file); if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs'); @@ -190,11 +190,11 @@ if ($action == 'remove_file' && $user->rights->projet->creer) } } + /* * View */ - llxHeader('', $langs->trans("Task")); $form = new Form($db); 
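Review bot: The free-text `description` (and `label`) now go through the `alphanohtml` filter, which is aimed at short parameters rather than multi-line content. As far as I recall, that filter strips all markup and may discard a value that contains a double quote, so a legitimate description could be silently emptied on update. If this branch has a rich-text filter, something like `$object->description = GETPOST('description', 'restricthtml');` fits better, with escaping at render time remaining the actual defence against stored XSS. `progress` is numeric, so `GETPOST('progress', 'int')` would state the intent more tightly than `price2num()` over an `alphanohtml` string. The enclosing `if` shown in the hunk header still reads `$_POST["cancel"]` directly and lies outside the changed lines.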
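Review bot: `dol_sanitizeFileName()` on the `file` parameter stops traversal out of `$upload_dir`, but the path is still resolved against the module-wide `$conf->projet->dir_output` rather than the directory of the task being edited. The only gate visible on this action is `$user->rights->projet->creer`. If attachments are stored in per-project or per-task subfolders, the flattened name will presumably no longer match any file and the delete will fail. I would build the path from the task's own document directory, pass an explicit check type as in `GETPOST('file', 'alpha')`, and confirm the failure case is reported to the user. The `remove_file` block starts above the hunk and one line between this hunk and the next is not shown, so any extra guard or else-branch there is not visible.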
@@ -214,7 +214,7 @@ if ($id > 0 || !empty($ref)) $object->project = clone $projectstatic; - $userWrite = $projectstatic->restrictedProjectArea($user, 'write'); + //$userWrite = $projectstatic->restrictedProjectArea($user, 'write'); if (!empty($withproject)) {
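Review bot: Commenting out `$userWrite = $projectstatic->restrictedProjectArea($user, 'write');` drops what appears to be the per-project write check from the view path, an authorization-relevant change that the commit subject does not mention. If `$userWrite` is still read further down the page (outside this hunk) it is now undefined, and if it is really unused the line should be deleted rather than left as dead code. A short comment would help once that is confirmed, for example `// Project-level write access is checked in the action handlers; $userWrite is not used in this view.` The `update` and `remove_file` actions in this file test only `$user->rights->projet->creer`, so it is worth verifying that a project-level restriction still applies somewhere.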