From 640dc4a64cf5a339d2e54e1bca46d68d325ce600 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO <aspangaro.dolibarr@gmail.com>
Date: Sat, 19 Sep 2020 03:32:52 +0200
Subject: [PATCH] Fix alpha into alphanohtml

---
 htdocs/admin/menus/edit.php       | 104 +++++++++++++++---------------
 htdocs/core/lib/functions.lib.php |  16 ++---
 2 files changed, 57 insertions(+), 63 deletions(-)

diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index cf42f294d03..6fbc3e4144a 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -31,6 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array("other","admin"));
 
+$cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button
+
 if (! $user->admin) accessforbidden();
 
 $dirstandard = array();
@@ -64,46 +66,46 @@ if (GETPOST("menu_handler"))    $menu_handler=GETPOST("menu_handler");
 
 if ($action == 'update')
 {
-    if (! $_POST['cancel'])
-    {
-        $leftmenu=''; $mainmenu='';
-        if (! empty($_POST['menuIdParent']) && ! is_numeric($_POST['menuIdParent']))
-        {
-            $tmp=explode('&', $_POST['menuIdParent']);
-            foreach($tmp as $s)
-            {
-                if (preg_match('/fk_mainmenu=/', $s))
-                {
-                    $mainmenu=preg_replace('/fk_mainmenu=/', '', $s);
-                }
-                if (preg_match('/fk_leftmenu=/', $s))
-                {
-                    $leftmenu=preg_replace('/fk_leftmenu=/', '', $s);
-                }
-            }
-        }
+	if (!$cancel)
+	{
+		$leftmenu=''; $mainmenu='';
+		if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
+		{
+			$tmp=explode('&', GETPOST('menuIdParent', 'alphanohtml'));
+			foreach ($tmp as $s)
+			{
+				if (preg_match('/fk_mainmenu=/', $s))
+				{
+					$mainmenu=preg_replace('/fk_mainmenu=/', '', $s);
+				}
+				if (preg_match('/fk_leftmenu=/', $s))
+				{
+					$leftmenu=preg_replace('/fk_leftmenu=/', '', $s);
+				}
+			}
+		}
 
         $menu = new Menubase($db);
         $result=$menu->fetch(GETPOST('menuId', 'int'));
         if ($result > 0)
         {
-            $menu->titre=GETPOST('titre', 'alpha');
+            $menu->titre=GETPOST('titre', 'alphanohtml');
             $menu->leftmenu=GETPOST('leftmenu', 'aZ09');
-            $menu->url=GETPOST('url', 'alpha');
-            $menu->langs=GETPOST('langs', 'alpha');
+            $menu->url=GETPOST('url', 'alphanohtml');
+            $menu->langs=GETPOST('langs', 'alphanohtml');
             $menu->position=GETPOST('position', 'int');
-            $menu->enabled=GETPOST('enabled', 'alpha');
-            $menu->perms=GETPOST('perms', 'alpha');
-            $menu->target=GETPOST('target', 'alpha');
-            $menu->user=GETPOST('user', 'alpha');
-            $menu->mainmenu=GETPOST('propertymainmenu', 'alpha');
-            if (is_numeric(GETPOST('menuIdParent', 'alpha')))
+            $menu->enabled=GETPOST('enabled', 'alphanohtml');
+            $menu->perms=GETPOST('perms', 'alphanohtml');
+            $menu->target=GETPOST('target', 'alphanohtml');
+            $menu->user=GETPOST('user', 'alphanohtml');
+            $menu->mainmenu=GETPOST('propertymainmenu', 'alphanohtml');
+            if (is_numeric(GETPOST('menuIdParent', 'alphanohtml')))
             {
-            	$menu->fk_menu=GETPOST('menuIdParent', 'alpha');
+            	$menu->fk_menu=GETPOST('menuIdParent', 'alphanohtml');
             }
             else
             {
-    	       	if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu=0;
+    	       	if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu=0;
     	       	else $menu->fk_menu=-1;
             	$menu->fk_mainmenu=$mainmenu;
             	$menu->fk_leftmenu=$leftmenu;
@@ -144,9 +146,9 @@ if ($action == 'add')
     }
 
     $leftmenu=''; $mainmenu='';
-    if (GETPOST('menuId', 'alpha', 3) && ! is_numeric(GETPOST('menuId', 'alpha', 3)))
+    if (GETPOST('menuId', 'alphanohtml', 3) && ! is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
     {
-	    $tmp=explode('&', GETPOST('menuId', 'alpha', 3));
+	    $tmp=explode('&', GETPOST('menuId', 'alphanohtml', 3));
 	    foreach($tmp as $s)
 	    {
 	    	if (preg_match('/fk_mainmenu=/', $s))
@@ -204,23 +206,23 @@ if ($action == 'add')
     {
         $menu = new Menubase($db);
         $menu->menu_handler=preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09'));
-        $menu->type=GETPOST('type', 'alpha');
-        $menu->titre=GETPOST('titre', 'alpha');
-        $menu->url=GETPOST('url', 'alpha');
-        $menu->langs=GETPOST('langs', 'alpha');
+        $menu->type=GETPOST('type', 'alphanohtml');
+        $menu->titre=GETPOST('titre', 'alphanohtml');
+        $menu->url=GETPOST('url', 'alphanohtml');
+        $menu->langs=GETPOST('langs', 'alphanohtml');
         $menu->position=GETPOST('position', 'int');
-        $menu->enabled=GETPOST('enabled', 'alpha');
-        $menu->perms=GETPOST('perms', 'alpha');
-        $menu->target=GETPOST('target', 'alpha');
-        $menu->user=GETPOST('user', 'alpha');
-        $menu->mainmenu=GETPOST('propertymainmenu', 'alpha');
-        if (is_numeric(GETPOST('menuId', 'alpha', 3)))
+        $menu->enabled=GETPOST('enabled', 'alphanohtml');
+        $menu->perms=GETPOST('perms', 'alphanohtml');
+        $menu->target=GETPOST('target', 'alphanohtml');
+        $menu->user=GETPOST('user', 'alphanohtml');
+        $menu->mainmenu=GETPOST('propertymainmenu', 'alphanohtml');
+        if (is_numeric(GETPOST('menuId', 'alphanohtml', 3)))
         {
-        	$menu->fk_menu=GETPOST('menuId', 'alpha', 3);
+        	$menu->fk_menu=GETPOST('menuId', 'alphanohtml', 3);
         }
         else
         {
-            if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu=0;
+            if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu=0;
             else $menu->fk_menu=-1;
             $menu->fk_mainmenu=$mainmenu;
             $menu->fk_leftmenu=$leftmenu;
@@ -368,7 +370,7 @@ if ($action == 'create')
 
     // Mainmenu code
     print '<tr><td class="fieldrequired">'.$langs->trans('MainMenuCode').'</td>';
-   	print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha')?GETPOST("propertymainmenu", 'alpha'):'').'"></td>';
+	print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOSTISSET("propertymainmenu") ? GETPOST("propertymainmenu", 'alphanohtml') : '').'"></td>';
     print '<td>';
     print $langs->trans("Example").': mytopmenukey';
     print '</td></tr>';
@@ -381,23 +383,23 @@ if ($action == 'create')
     }
     else
     {
-        print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOST("menuId", 'int')?GETPOST("menuId", 'int'):'').'"></td>';
+		print '<td><input type="text" class="minwidth300" id="menuId" name="menuId" value="'.(GETPOSTISSET("menuId") ? GETPOST("menuId", 'int') : '').'"></td>';
     }
     print '<td>'.$langs->trans('DetailMenuIdParent');
     print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def';
     print '</td></tr>';
 
     // Title
-    print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alpha')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
+    print '<tr><td class="fieldrequired">'.$langs->trans('Title').'</td><td><input type="text" class="minwidth300" name="titre" value="'.dol_escape_htmltag(GETPOST("titre", 'alphanohtml')).'"></td><td>'.$langs->trans('DetailTitre').'</td></tr>';
 
     // URL
-    print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alpha').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
+    print '<tr><td class="fieldrequired">'.$langs->trans('URL').'</td><td><input type="text" class="minwidth500" name="url" value="'.GETPOST("url", 'alphanohtml').'"></td><td>'.$langs->trans('DetailUrl').'</td></tr>';
 
     // Langs
     print '<tr><td>'.$langs->trans('LangFile').'</td><td><input type="text" class="minwidth300" name="langs" value="'.$parent_langs.'"></td><td>'.$langs->trans('DetailLangs').'</td></tr>';
 
     // Position
-    print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(isset($_POST["position"])?$_POST["position"]:100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
+	print '<tr><td>'.$langs->trans('Position').'</td><td><input type="text" class="width100" name="position" value="'.dol_escape_htmltag(GETPOSTISSET("position") ? GETPOST("position", 'int') : 100).'"></td><td>'.$langs->trans('DetailPosition').'</td></tr>';
 
     // Target
     print '<tr><td>'.$langs->trans('Target').'</td><td><select class="flat" name="target">';
@@ -406,10 +408,10 @@ if ($action == 'create')
     print '</select></td></td><td>'.$langs->trans('DetailTarget').'</td></tr>';
 
     // Enabled
-    print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled')?GETPOST("enabled", 'alpha'):'1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
+    print '<tr><td>'.$langs->trans('Enabled').'</td><td><input type="text" class="minwidth500" name="enabled" value="'.(GETPOSTISSET('enabled')?GETPOST("enabled", 'alphanohtml'):'1').'"></td><td>'.$langs->trans('DetailEnabled').'</td></tr>';
 
     // Perms
-    print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms')?GETPOST('perms', 'alpha'):'1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
+    print '<tr><td>'.$langs->trans('Rights').'</td><td><input type="text" class="minwidth500" name="perms" value="'.(GETPOSTISSET('perms')?GETPOST('perms', 'alphanohtml'):'1').'"></td><td>'.$langs->trans('DetailRight').'</td></tr>';
 
     print '</table>';
 
@@ -472,7 +474,7 @@ elseif ($action == 'edit')
 	     }
 	     else
 	     {*/
-	    print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alpha')?GETPOST("propertymainmenu", 'alpha'):$menu->mainmenu).'"></td>';
+	    print '<td><input type="text" class="minwidth300" id="propertymainmenu" name="propertymainmenu" value="'.(GETPOST("propertymainmenu", 'alphanohtml')?GETPOST("propertymainmenu", 'alphanohtml'):$menu->mainmenu).'"></td>';
 	    //}
 	    print '<td>';
 	    print $langs->trans("Example").': mytopmenukey';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index c279b3fb4e5..c2590c33190 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -219,12 +219,13 @@ function GETPOSTISSET($paramname)
  *                               'none'=no check (only for param that should have very rich content)
  *                               'int'=check it's numeric (integer or float)
  *                               'intcomma'=check it's integer+comma ('1,2,3,4...')
- *                               'alpha'=check it's text and sign
+ *                               'alpha'=Same than alphanohtml
+ *                               'alphanohtml'=check there is no html content and no " and no ../
  *                               'aZ'=check it's a-z only
  *                               'aZ09'=check it's simple alpha string (recommended for keys)
  *                               'array'=check it's array
  *                               'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string)
- *                               'nohtml', 'alphanohtml'=check there is no html content
+ *                               'nohtml'=check there is no html content and no " and no ../
  *                               'custom'= custom filter specify $filter and $options)
  *  @param	int		$method	     Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get)
  *  @param  int     $filter      Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails)
@@ -489,16 +490,6 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
 		case 'intcomma':
 			if (preg_match('/[^0-9,-]+/i', $out)) $out='';
 			break;
-		case 'alpha':
-			if (! is_array($out))
-			{
-				$out=trim($out);
-				// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
-				// '../' is dangerous because it allows dir transversals
-				if (preg_match('/"/', $out)) $out='';
-				elseif (preg_match('/\.\.\//', $out)) $out='';
-			}
-			break;
 		case 'san_alpha':
 			$out=filter_var($out, FILTER_SANITIZE_STRING);
 			break;
@@ -529,6 +520,7 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
 		case 'nohtml':		// Recommended for most scalar parameters
 			$out=dol_string_nohtmltag($out, 0);
 			break;
+		case 'alpha':		// No html and no " and no ../
 		case 'alphanohtml':	// Recommended for search parameters
 			if (! is_array($out))
 			{