lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix alpha into alphanohtml

Browse Source
This commit is contained in:
Alexandre SPANGARO 2020-09-19 03:32:52 +02:00
parent f453e43cca
commit 640dc4a64c
2 changed files with 57 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
htdocs/admin/menus/edit.php
View File

@ -31,6 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php';
// Load translation files required by the page
$langs->loadLangs(array("other","admin"));
$cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button
if (! $user->admin) accessforbidden();
$dirstandard = array();
@ -64,46 +66,46 @@ if (GETPOST("menu_handler")) $menu_handler=GETPOST("menu_handler");
if ($action == 'update')
{
if (! $_POST['cancel'])
{
$leftmenu=''; $mainmenu='';
if (! empty($_POST['menuIdParent']) && ! is_numeric($_POST['menuIdParent']))
{
$tmp=explode('&', $_POST['menuIdParent']);
foreach($tmp as $s)
{
if (preg_match('/fk_mainmenu=/', $s))
{
$mainmenu=preg_replace('/fk_mainmenu=/', '', $s);
}
if (preg_match('/fk_leftmenu=/', $s))
{
$leftmenu=preg_replace('/fk_leftmenu=/', '', $s);
}
}
}
if (!$cancel)
{
$leftmenu=''; $mainmenu='';
if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
{
$tmp=explode('&', GETPOST('menuIdParent', 'alphanohtml'));
foreach ($tmp as $s)
{
if (preg_match('/fk_mainmenu=/', $s))
{
$mainmenu=preg_replace('/fk_mainmenu=/', '', $s);
}
if (preg_match('/fk_leftmenu=/', $s))
{
$leftmenu=preg_replace('/fk_leftmenu=/', '', $s);
}
}
}
$menu = new Menubase($db);
$result=$menu->fetch(GETPOST('menuId', 'int'));
if ($result > 0)
{
$menu->titre=GETPOST('titre', 'alpha');
$menu->titre=GETPOST('titre', 'alphanohtml');
$menu->leftmenu=GETPOST('leftmenu', 'aZ09');
$menu->url=GETPOST('url', 'alpha');
$menu->langs=GETPOST('langs', 'alpha');
$menu->url=GETPOST('url', 'alphanohtml');
$menu->langs=GETPOST('langs', 'alphanohtml');
$menu->position=GETPOST('position', 'int');
$menu->enabled=GETPOST('enabled', 'alpha');
$menu->perms=GETPOST('perms', 'alpha');
$menu->target=GETPOST('target', 'alpha');
$menu->user=GETPOST('user', 'alpha');
$menu->mainmenu=GETPOST('propertymainmenu', 'alpha');
if (is_numeric(GETPOST('menuIdParent', 'alpha')))
$menu->enabled=GETPOST('enabled', 'alphanohtml');
$menu->perms=GETPOST('perms', 'alphanohtml');
$menu->target=GETPOST('target', 'alphanohtml');
$menu->user=GETPOST('user', 'alphanohtml');
$menu->mainmenu=GETPOST('propertymainmenu', 'alphanohtml');
if (is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
{
$menu->fk_menu=GETPOST('menuIdParent', 'alpha');
$menu->fk_menu=GETPOST('menuIdParent', 'alphanohtml');
}
else
{
if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu=0;
if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu=0;
else $menu->fk_menu=-1;
$menu->fk_mainmenu=$mainmenu;
$menu->fk_leftmenu=$leftmenu;
@ -144,9 +146,9 @@ if ($action == 'add')
}
$leftmenu=''; $mainmenu='';
if (GETPOST('menuId', 'alpha', 3) && ! is_numeric(GETPOST('menuId', 'alpha', 3)))
if (GETPOST('menuId', 'alphanohtml', 3) && ! is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
{
$tmp=explode('&', GETPOST('menuId', 'alpha', 3));
$tmp=explode('&', GETPOST('menuId', 'alphanohtml', 3));
foreach($tmp as $s)
{
if (preg_match('/fk_mainmenu=/', $s))
@ -204,23 +206,23 @@ if ($action == 'add')
{
$menu = new Menubase($db);
$menu->menu_handler=preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09'));
$menu->type=GETPOST('type', 'alpha');
$menu->titre=GETPOST('titre', 'alpha');
$menu->url=GETPOST('url', 'alpha');
$menu->langs=GETPOST('langs', 'alpha');
$menu->type=GETPOST('type', 'alphanohtml');
$menu->titre=GETPOST('titre', 'alphanohtml');
$menu->url=GETPOST('url', 'alphanohtml');
$menu->langs=GETPOST('langs', 'alphanohtml');
$menu->position=GETPOST('position', 'int');
$menu->enabled=GETPOST('enabled', 'alpha');
$menu->perms=GETPOST('perms', 'alpha');
$menu->target=GETPOST('target', 'alpha');
$menu->user=GETPOST('user', 'alpha');
$menu->mainmenu=GETPOST('propertymainmenu', 'alpha');
if (is_numeric(GETPOST('menuId', 'alpha', 3)))
$menu->enabled=GETPOST('enabled', 'alphanohtml');
$menu->perms=GETPOST('perms', 'alphanohtml');
$menu->target=GETPOST('target', 'alphanohtml');
$menu->user=GETPOST('user', 'alphanohtml');
$menu->mainmenu=GETPOST('propertymainmenu', 'alphanohtml');
if (is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
{
$menu->fk_menu=GETPOST('menuId', 'alpha', 3);
$menu->fk_menu=GETPOST('menuId', 'alphanohtml', 3);
}
else
{
if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu=0;
if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu=0;
else $menu->fk_menu=-1;
$menu->fk_mainmenu=$mainmenu;
$menu->fk_leftmenu=$leftmenu;
@ -368,7 +370,7 @@ if ($action == 'create')
// Mainmenu code
print '<tr><td class="fieldrequired">'.$langs->trans('MainMenuCode').'</td>';
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha')?GETPOST("propertymainmenu", 'alpha'):'').'"></td>';
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOSTISSET("propertymainmenu") ? GETPOST("propertymainmenu", 'alphanohtml') : '').'"></td>';
print '<td>';
print $langs->trans("Example").': mytopmenukey';
print '</td></tr>';
@ -381,23 +383,23 @@ if ($action == 'create')
}
else
{
print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOST("menuId", 'int')?GETPOST("menuId", 'int'):'').'"></td>';
print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOSTISSET("menuId") ? GETPOST("menuId", 'int') : '').'"></td>';
}
print '<td>'.$langs->trans('DetailMenuIdParent');
print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def';
print '</td></tr>';
// Title
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alpha')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alphanohtml')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
// URL
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alpha').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alphanohtml').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
// Langs
print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" class="minwidth300" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>';
// Position
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(isset($_POST["position"])?$_POST["position"]:100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(GETPOSTISSET("position") ? GETPOST("position", 'int') : 100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
// Target
print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">';
@ -406,10 +408,10 @@ if ($action == 'create')
print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>';
// Enabled
print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled')?GETPOST("enabled", 'alpha'):'1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled')?GETPOST("enabled", 'alphanohtml'):'1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
// Perms
print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms')?GETPOST('perms', 'alpha'):'1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms')?GETPOST('perms', 'alphanohtml'):'1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
print '</table>';
@ -472,7 +474,7 @@ elseif ($action == 'edit')
}
else
{*/
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha')?GETPOST("propertymainmenu", 'alpha'):$menu->mainmenu).'"></td>';
print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alphanohtml')?GETPOST("propertymainmenu", 'alphanohtml'):$menu->mainmenu).'"></td>';
//}
print '<td>';
print $langs->trans("Example").': mytopmenukey';

16
htdocs/core/lib/functions.lib.php
View File

@ -219,12 +219,13 @@ function GETPOSTISSET($paramname)
* 'none'=no check (only for param that should have very rich content)
* 'int'=check it's numeric (integer or float)
* 'intcomma'=check it's integer+comma ('1,2,3,4...')
* 'alpha'=check it's text and sign
* 'alpha'=Same than alphanohtml
* 'alphanohtml'=check there is no html content and no " and no ../
* 'aZ'=check it's a-z only
* 'aZ09'=check it's simple alpha string (recommended for keys)
* 'array'=check it's array
* 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string)
* 'nohtml', 'alphanohtml'=check there is no html content
* 'nohtml'=check there is no html content and no " and no ../
* 'custom'= custom filter specify $filter and $options)
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get)
* @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails)
@ -489,16 +490,6 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
case 'intcomma':
if (preg_match('/[^0-9,-]+/i', $out)) $out='';
break;
case 'alpha':
if (! is_array($out))
{
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/', $out)) $out='';
elseif (preg_match('/\.\.\//', $out)) $out='';
}
break;
case 'san_alpha':
$out=filter_var($out, FILTER_SANITIZE_STRING);
break;
@ -529,6 +520,7 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
case 'nohtml': // Recommended for most scalar parameters
$out=dol_string_nohtmltag($out, 0);
break;
case 'alpha': // No html and no " and no ../
case 'alphanohtml': // Recommended for search parameters
if (! is_array($out))
{