diff --git a/htdocs/admin/supplier_order.php b/htdocs/admin/supplier_order.php
index 15e1a452dff..1b6b6eb9921 100644
--- a/htdocs/admin/supplier_order.php
+++ b/htdocs/admin/supplier_order.php
@@ -54,6 +54,8 @@ $specimenthirdparty->initAsSpecimen();
* Actions
*/
+include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php';
+
if ($action == 'updateMask')
{
$maskconstorder = GETPOST('maskconstorder', 'alpha');
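Review bot: The include added at the top of the Actions section runs before anything in this hunk establishes who is calling. The included handler (see the core/actions_setmoduleoptions.inc.php hunk of this commit) walks every `$_POST` key matching `param<N>` when `$action == 'setModuleOptions'`. Whether the admin check and the anti-CSRF token check sit above line 54 is not visible here; if they do not, they need to precede the include. A comment such as `// Caller must already be verified as admin: this include handles setModuleOptions from POST data` would document the dependency.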
diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index c17f9cc9c1b..3ff54125b8e 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -1479,10 +1479,10 @@ if ($id > 0)
$langs->load("projects");
print '
'.$langs->trans("Project").' ';
- $numprojet = $formproject->select_projects(($object->socid > 0 ? $object->socid : -1), $object->fk_project, 'projectid', 0, 0, 1, 0, 0, 0, 0, '', 0);
+ $numprojet = $formproject->select_projects(($object->socid > 0 ? $object->socid : -1), $object->fk_project, 'projectid', 0, 0, 1, 0, 0, 0, 0, '', 0, 0, 'maxwidth500');
if ($numprojet == 0)
{
- print ' id.'&action=edit').'">'.$langs->trans("AddProject").' ';
+ print ' id.'&action=edit').'"> ';
}
print ' ';
}
@@ -1825,7 +1825,7 @@ if ($id > 0)
// Description
print ''.$langs->trans("Description").' ';
- print dol_htmlentitiesbr($object->note);
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
print ' ';
// Other attributes
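Review bot: The wrapper added on the `print` line filters by tag name only: `dol_string_onlythesehtmltags()` ends in `strip_tags($stringtoclean, $allowed_tags_string)` (functions.lib.php hunk of this commit), and `strip_tags` leaves the attributes of permitted tags untouched. Event-handler attributes and script-scheme URLs on allowed tags such as `a` or `img` would therefore still be printed, unless `dol_htmlentitiesbr()` neutralises them, which this page does not show. The same reliance applies to the other call sites this commit adds in html.form.class.php, user/group/card.php, user/group/ldap.php, user/group/perms.php and user/note.php. An attribute-aware sanitiser is the appropriate control for stored rich text. At minimum a comment here, `// strip_tags() keeps attributes: output is tag-filtered, not attribute-safe`, would stop the call being read as complete XSS protection.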
diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php
index 3ac82178810..257df35828e 100644
--- a/htdocs/comm/action/list.php
+++ b/htdocs/comm/action/list.php
@@ -43,7 +43,7 @@ $action = GETPOST('action', 'alpha');
$contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'actioncommlist'; // To manage different context of search
$resourceid = GETPOST("search_resourceid", "int") ?GETPOST("search_resourceid", "int") : GETPOST("resourceid", "int");
$pid = GETPOST("search_projectid", 'int', 3) ?GETPOST("search_projectid", 'int', 3) : GETPOST("projectid", 'int', 3);
-$status = (GETPOST("search_status", 'alpha') != '') ?GETPOST("search_status", 'alpha') : GETPOST("status", 'alpha');
+$search_status = (GETPOST("search_status", 'alpha') != '') ?GETPOST("search_status", 'alpha') : GETPOST("status", 'alpha');
$type = GETPOST('search_type', 'alphanohtml') ?GETPOST('search_type', 'alphanohtml') : GETPOST('type', 'alphanohtml');
$optioncss = GETPOST('optioncss', 'alpha');
$year = GETPOST("year", 'int');
@@ -67,8 +67,8 @@ $search_note = GETPOST('search_note', 'alpha');
$dateselect = dol_mktime(0, 0, 0, GETPOST('dateselectmonth', 'int'), GETPOST('dateselectday', 'int'), GETPOST('dateselectyear', 'int'));
$datestart = dol_mktime(0, 0, 0, GETPOST('datestartmonth', 'int'), GETPOST('datestartday', 'int'), GETPOST('datestartyear', 'int'));
$dateend = dol_mktime(0, 0, 0, GETPOST('dateendmonth', 'int'), GETPOST('dateendday', 'int'), GETPOST('dateendyear', 'int'));
-if ($status == '' && !isset($_GET['status']) && !isset($_POST['status'])) $status = (empty($conf->global->AGENDA_DEFAULT_FILTER_STATUS) ? '' : $conf->global->AGENDA_DEFAULT_FILTER_STATUS);
-if (empty($action) && !isset($_GET['action']) && !isset($_POST['action'])) $action = (empty($conf->global->AGENDA_DEFAULT_VIEW) ? 'show_month' : $conf->global->AGENDA_DEFAULT_VIEW);
+if ($search_status == '' && ! GETPOSTISSET('search_status')) $search_status = (empty($conf->global->AGENDA_DEFAULT_FILTER_STATUS) ? '' : $conf->global->AGENDA_DEFAULT_FILTER_STATUS);
+if (empty($action) && ! GETPOSTISSET('action')) $action = (empty($conf->global->AGENDA_DEFAULT_VIEW) ? 'show_month' : $conf->global->AGENDA_DEFAULT_VIEW);
$filter = GETPOST("search_filter", 'alpha', 3) ?GETPOST("search_filter", 'alpha', 3) : GETPOST("filter", 'alpha', 3);
$filtert = GETPOST("search_filtert", "int", 3) ?GETPOST("search_filtert", "int", 3) : GETPOST("filtert", "int", 3);
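Review bot: The default-filter guard on the `$search_status` line now tests only `GETPOSTISSET('search_status')`, while the assignment in the previous hunk still falls back to the legacy `status` parameter. A request carrying an explicitly empty `status=` used to suppress `AGENDA_DEFAULT_FILTER_STATUS` (the removed line checked `$_GET['status']` and `$_POST['status']`) and will now have the default applied. If the legacy name is still supported, keep it in the guard: `if ($search_status == '' && !GETPOSTISSET('search_status') && !GETPOSTISSET('status'))`.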
@@ -100,12 +100,12 @@ $offset = $limit * $page;
if (!$sortorder)
{
$sortorder = "DESC,DESC";
- if ($status == 'todo') $sortorder = "DESC,DESC";
+ if ($search_status == 'todo') $sortorder = "DESC,DESC";
}
if (!$sortfield)
{
$sortfield = "a.datep,a.id";
- if ($status == 'todo') $sortfield = "a.datep,a.id";
+ if ($search_status == 'todo') $sortfield = "a.datep,a.id";
}
// Security check
@@ -184,7 +184,7 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x'
$search_note = '';
$datestart = '';
$dateend = '';
- $status = '';
+ $search_status = '';
$search_array_options = array();
}
@@ -218,7 +218,7 @@ if ($actioncode != '') {
} else $param .= "&search_actioncode=".urlencode($actioncode);
}
if ($resourceid > 0) $param .= "&search_resourceid=".urlencode($resourceid);
-if ($status != '' && $status > -1) $param .= "&search_status=".urlencode($status);
+if ($search_status != '' && $search_status > -1) $param .= "&search_status=".urlencode($search_status);
if ($filter) $param .= "&search_filter=".urlencode($filter);
if ($filtert) $param .= "&search_filtert=".urlencode($filtert);
if ($socid) $param .= "&search_socid=".urlencode($socid);
@@ -309,12 +309,12 @@ if ($socid > 0) $sql .= " AND s.rowid = ".$socid;
// We must filter on assignement table
if ($filtert > 0 || $usergroup > 0) $sql .= " AND ar.fk_actioncomm = a.id AND ar.element_type='user'";
if ($type) $sql .= " AND c.id = ".(int) $type;
-if ($status == '0') { $sql .= " AND a.percent = 0"; }
-if ($status == '-1') { $sql .= " AND a.percent = -1"; } // Not applicable
-if ($status == '50') { $sql .= " AND (a.percent > 0 AND a.percent < 100)"; } // Running already started
-if ($status == '100') { $sql .= " AND a.percent = 100"; }
-if ($status == 'done') { $sql .= " AND (a.percent = 100)"; }
-if ($status == 'todo') { $sql .= " AND (a.percent >= 0 AND a.percent < 100)"; }
+if ($search_status == '0') { $sql .= " AND a.percent = 0"; }
+if ($search_status == '-1') { $sql .= " AND a.percent = -1"; } // Not applicable
+if ($search_status == '50') { $sql .= " AND (a.percent > 0 AND a.percent < 100)"; } // Running already started
+if ($search_status == '100') { $sql .= " AND a.percent = 100"; }
+if ($search_status == 'done') { $sql .= " AND (a.percent = 100)"; }
+if ($search_status == 'todo') { $sql .= " AND (a.percent >= 0 AND a.percent < 100)"; }
if ($search_id) $sql .= natural_search("a.id", $search_id, 1);
if ($search_title) $sql .= natural_search("a.label", $search_title);
if ($search_note) $sql .= natural_search('a.note', $search_note);
@@ -397,7 +397,7 @@ if ($resql)
print $nav;
dol_fiche_head($head, $tabactive, $langs->trans('Agenda'), 0, 'action');
- print_actions_filter($form, $canedit, $status, $year, $month, $day, $showbirthday, 0, $filtert, 0, $pid, $socid, $action, -1, $actioncode, $usergroup, '', $resourceid);
+ print_actions_filter($form, $canedit, $search_status, $year, $month, $day, $showbirthday, 0, $filtert, 0, $pid, $socid, $action, -1, $actioncode, $usergroup, '', $resourceid);
dol_fiche_end();
// Add link to show birthdays
@@ -488,8 +488,8 @@ if ($resql)
if (!empty($arrayfields['a.tms']['checked'])) print ' ';
if (!empty($arrayfields['a.percent']['checked'])) {
print '';
- $formactions->form_select_status_action('formaction', $status, 1, 'status', 1, 2, 'minwidth100imp maxwidth125');
- print ajax_combobox('selectstatus');
+ $formactions->form_select_status_action('formaction', $search_status, 1, 'search_status', 1, 2, 'minwidth100imp maxwidth125');
+ print ajax_combobox('selectsearch_status');
print ' ';
}
// Action column
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index b1eb83eebdb..c8fca10fee4 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -1276,9 +1276,16 @@ class Contact extends CommonObject
{
global $conf, $langs, $hookmanager;
- $result = '';
+ $result = ''; $label = '';
- $label = ''.$langs->trans("ShowContact").' ';
+ if (!empty($this->photo) && class_exists('Form'))
+ {
+ $label .= '';
+ $label .= Form::showphoto('contact', $this, 0, 40, 0, '', 'mini', 0); // Important, we must force height so image will have height tags and if image is inside a tooltip, the tooltip manager can calculate height and position correctly the tooltip.
+ $label .= '
';
+ }
+
+ $label .= ''.$langs->trans("ShowContact").' ';
$label .= ''.$langs->trans("Name").': '.$this->getFullName($langs);
//if ($this->civility_id) $label.= '' . $langs->trans("Civility") . ': '.$this->civility_id; // TODO Translate cibilty_id code
if (!empty($this->poste)) $label .= ''.$langs->trans("Poste").': '.$this->poste;
diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php
index 1d0c3839f4f..9903e37cd5e 100644
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@@ -290,7 +290,7 @@ $title = (!empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("C
$sql = "SELECT s.rowid as socid, s.nom as name,";
$sql .= " p.rowid, p.lastname as lastname, p.statut, p.firstname, p.zip, p.town, p.poste, p.email, p.no_email,";
-$sql .= " p.socialnetworks,";
+$sql .= " p.socialnetworks, p.photo,";
$sql .= " p.phone as phone_pro, p.phone_mobile, p.phone_perso, p.fax, p.fk_pays, p.priv, p.datec as date_creation, p.tms as date_update,";
$sql .= " co.label as country, co.code as country_code";
// Add fields from extrafields
@@ -786,7 +786,6 @@ while ($i < min($num, $limit))
{
$obj = $db->fetch_object($result);
- print '';
$arraysocialnetworks = (array) json_decode($obj->socialnetworks, true);
$contactstatic->lastname = $obj->lastname;
$contactstatic->firstname = '';
@@ -802,6 +801,9 @@ while ($i < min($num, $limit))
$contactstatic->socialnetworks = $arraysocialnetworks;
$contactstatic->country = $obj->country;
$contactstatic->country_code = $obj->country_code;
+ $contactstatic->photo = $obj->photo;
+
+ print ' ';
// ID
if (!empty($arrayfields['p.rowid']['checked']))
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 1f77e1905cf..17a153a2dc4 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -2754,8 +2754,8 @@ class ContratLigne extends CommonObjectLine
/**
* Return label of this contract line status
*
- * @param int $mode 0=libelle long, 1=libelle court, 2=Picto + Libelle court, 3=Picto, 4=Picto + Libelle long, 5=Libelle court + Picto
- * @return string Libelle
+ * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 6=Long label + Picto
+ * @return string Label of status
*/
public function getLibStatut($mode)
{
@@ -2767,10 +2767,10 @@ class ContratLigne extends CommonObjectLine
* Return label of a contract line status
*
* @param int $status Id status
- * @param int $mode 0=libelle long, 1=libelle court, 2=Picto + Libelle court, 3=Picto, 4=Picto + Libelle long, 5=Libelle court + Picto
+ * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 6=Long label + Picto
* @param int $expired 0=Not expired, 1=Expired, -1=Both or unknown
* @param string $moreatt More attribute
- * @return string Libelle
+ * @return string Label of status
*/
public static function LibStatut($status, $mode, $expired = -1, $moreatt = '')
{
diff --git a/htdocs/core/actions_setmoduleoptions.inc.php b/htdocs/core/actions_setmoduleoptions.inc.php
index 9ade3c148a4..313375d1aa1 100644
--- a/htdocs/core/actions_setmoduleoptions.inc.php
+++ b/htdocs/core/actions_setmoduleoptions.inc.php
@@ -68,6 +68,7 @@ if ($action == 'setModuleOptions')
{
foreach ($_POST as $key => $val)
{
+ $reg = array();
if (preg_match('/^param(\d*)$/', $key, $reg)) // Works for POST['param'], POST['param1'], POST['param2'], ...
{
$param = GETPOST("param".$reg[1], 'alpha');
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index cd5fcbc2f67..11f2f6b84c7 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -337,7 +337,7 @@ abstract class CommonObject
/**
* @deprecated
- * @see $note_public
+ * @see $note_private
*/
public $note;
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index a74872d4a98..8a208e9e51e 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -298,9 +298,13 @@ class Form
$firstline = preg_replace('/[\n\r].*/', '', $firstline);
$tmpcontent = $firstline.((strlen($firstline) != strlen($tmpcontent)) ? '...' : '');
}
- $ret .= $tmpcontent;
+ // We dont use dol_escape_htmltag to get the html formating active, but this need we must also
+ // clean data from some dangerous html
+ $ret .= dol_string_onlythesehtmltags(dol_htmlentitiesbr($tmpcontent));
+ }
+ else {
+ $ret .= dol_escape_htmltag($value);
}
- else $ret .= dol_escape_htmltag($value);
if ($formatfunc && method_exists($object, $formatfunc))
{
diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php
index 7904d27d17a..93ac680484f 100644
--- a/htdocs/core/class/utils.class.php
+++ b/htdocs/core/class/utils.class.php
@@ -388,7 +388,9 @@ class Utils
if ($compression == 'none') fclose($handle);
if ($compression == 'gz') gzclose($handle);
if ($compression == 'bz') bzclose($handle);
- if ($ok && preg_match('/^-- MySql/i', $errormsg)) $errormsg = ''; // Pas erreur
+ if ($ok && preg_match('/^-- (MySql|MariaDB)/i', $errormsg)) { // No error
+ $errormsg = '';
+ }
else
{
// Renommer fichier sortie en fichier erreur
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 4c38bb6dc0b..26602874c10 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -5581,22 +5581,27 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
/**
* Clean a string to keep only desirable HTML tags.
*
- * @param string $stringtoclean String to clean
- * @return string String cleaned
+ * @param string $stringtoclean String to clean
+ * @param string $cleanalsosomestyles Clean also some tags
+ * @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
*/
-function dol_string_onlythesehtmltags($stringtoclean)
+function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
{
$allowed_tags = array(
- "html", "head", "meta", "body", "article", "a", "b", "br", "div", "em", "font", "img", "ins", "hr", "i", "li", "link",
+ "html", "head", "meta", "body", "article", "a", "b", "br", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
"ol", "p", "s", "section", "span", "strong", "title",
"table", "tr", "th", "td", "u", "ul"
);
-
$allowed_tags_string = join("><", $allowed_tags);
$allowed_tags_string = preg_replace('/^>/', '', $allowed_tags_string);
$allowed_tags_string = preg_replace('/<$/', '', $allowed_tags_string);
+ $allowed_tags_string = '<'.$allowed_tags_string.'>';
+
+ if ($cleanalsosomestyles) {
+ $stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
+ }
$temp = strip_tags($stringtoclean, $allowed_tags_string);
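Review bot: The style filter added in the `if ($cleanalsosomestyles)` branch is case-sensitive, but CSS property names and keywords are not, so an upper- or mixed-case declaration passes through unchanged; add the modifier, `preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $stringtoclean)`. The identical pattern added to `dol_string_neverthesehtmltags()` in the next hunk needs the same change. The new docblock line declares `@param string $cleanalsosomestyles` with the text "Clean also some tags", while the default is the integer `1` and the flag controls styles; `@param int $cleanalsosomestyles 1=Also remove some inline style declarations` would match the code. The function body continues past the end of this hunk.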
@@ -5605,14 +5610,16 @@ function dol_string_onlythesehtmltags($stringtoclean)
/**
* Clean a string from some undesirable HTML tags.
+ * Note. Not enough secured as dol_string_onlythesehtmltags().
*
- * @param string $stringtoclean String to clean
- * @param array $disallowed_tags Array of tags not allowed
- * @return string String cleaned
+ * @param string $stringtoclean String to clean
+ * @param array $disallowed_tags Array of tags not allowed
+ * @param string $cleanalsosomestyles Clean also some tags
+ * @return string String cleaned
*
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags()
*/
-function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'))
+function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'), $cleanalsosomestyles = 0)
{
$temp = $stringtoclean;
foreach ($disallowed_tags as $tagtoremove)
@@ -5620,6 +5627,11 @@ function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array(
$temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
$temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
}
+
+ if ($cleanalsosomestyles) {
+ $temp = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $temp); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
+ }
+
return $temp;
}
diff --git a/htdocs/core/tpl/notes.tpl.php b/htdocs/core/tpl/notes.tpl.php
index 7663af1c48e..e19d28ce793 100644
--- a/htdocs/core/tpl/notes.tpl.php
+++ b/htdocs/core/tpl/notes.tpl.php
@@ -1,7 +1,7 @@
* Copyright (C) 2013 Florian Henry
- * Copyright (C) 2014-2017 Laurent Destailleur
+ * Copyright (C) 2014-2020 Laurent Destailleur
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -78,20 +78,21 @@ print ''."\n
if ($module != 'product') {
// No public note yet on products
print '
'."\n";
- print '
'."\n";
+ print '
'."\n";
print $form->editfieldkey("NotePublic", $note_public, $value_public, $object, $permission, $typeofdata, $moreparam, '', 0);
print '
'."\n";
- print '
'."\n";
+ print '
'."\n";
print $form->editfieldval("NotePublic", $note_public, $value_public, $object, $permission, $typeofdata, '', null, null, $moreparam, 1)."\n";
print '
'."\n";
print '
'."\n";
}
if (empty($user->socid)) {
+ // Private notes (always hidden to external users)
print '
'."\n";
- print '
'."\n";
+ print '
'."\n";
print $form->editfieldkey("NotePrivate", $note_private, $value_private, $object, $permission, $typeofdata, $moreparam, '', 0);
print '
'."\n";
- print '
'."\n";
+ print '
'."\n";
print $form->editfieldval("NotePrivate", $note_private, $value_private, $object, $permission, $typeofdata, '', null, null, $moreparam, 1);
print '
'."\n";
print '
'."\n";
diff --git a/htdocs/fichinter/card.php b/htdocs/fichinter/card.php
index c096a889ab4..5e360739ea4 100644
--- a/htdocs/fichinter/card.php
+++ b/htdocs/fichinter/card.php
@@ -818,10 +818,7 @@ llxHeader('', $langs->trans("Intervention"));
if ($action == 'create')
{
- /*
- * Mode creation
- * Creation d'une nouvelle fiche d'intervention
- */
+ // Create new intervention
$soc = new Societe($db);
@@ -831,11 +828,12 @@ if ($action == 'create')
if ($socid) $res = $soc->fetch($socid);
- if (GETPOST('origin') && GETPOST('originid'))
+ if (GETPOST('origin', 'alphanohtml') && GETPOST('originid', 'int'))
{
// Parse element/subelement (ex: project_task)
- $element = $subelement = GETPOST('origin');
- if (preg_match('/^([^_]+)_([^_]+)/i', GETPOST('origin'), $regs))
+ $regs = array();
+ $element = $subelement = GETPOST('origin', 'alphanohtml');
+ if (preg_match('/^([^_]+)_([^_]+)/i', GETPOST('origin', 'alphanohtml'), $regs))
{
$element = $regs[1];
$subelement = $regs[2];
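Review bot: `GETPOST('origin', 'alphanohtml')` is now evaluated three times in this block (the `if`, the assignment and the `preg_match`); reading it once, `$origin = GETPOST('origin', 'alphanohtml');`, and reusing `$origin` keeps the filter choice in one place. `$element` and `$subelement` are derived from that request value, and how they are used lies outside the hunk. If they end up in a class or file name, a stricter identifier filter such as the `aZ09` one used in this commit's main.inc.php hunk would fit better than `alphanohtml`, provided it accepts the underscore separator. The enclosing `if ($action == 'create')` block starts and ends outside the hunk.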
@@ -843,7 +841,7 @@ if ($action == 'create')
if ($element == 'project')
{
- $projectid = GETPOST('originid');
+ $projectid = GETPOST('originid', 'int');
}
else
{
@@ -941,7 +939,7 @@ if ($action == 'create')
$numprojet = $formproject->select_projects($soc->id, $projectid, 'projectid');
if ($numprojet == 0)
{
- print '
'.$langs->trans("AddProject").' ';
+ print '
';
}
print '
';
}
@@ -954,7 +952,7 @@ if ($action == 'create')
$numcontrat = $formcontract->select_contract($soc->id, GETPOST('contratid', 'int'), 'contratid', 0, 1);
if ($numcontrat == 0)
{
- print ' '.$langs->trans("AddContract").' ';
+ print ' ';
}
print '';
}
diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php
index 231a5e9e910..487906f52f4 100644
--- a/htdocs/fourn/class/fournisseur.facture.class.php
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -1953,7 +1953,7 @@ class FactureFournisseur extends CommonInvoice
if (is_array($array_options) && count($array_options) > 0) {
// We replace values in this->line->array_options only for entries defined into $array_options
foreach ($array_options as $key => $value) {
- $this->line->array_options[$key] = $array_options[$key];
+ $line->array_options[$key] = $array_options[$key];
}
}
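Review bot: The comment above the loop still says the values go into `this->line->array_options`, while the corrected assignment writes to the local `$line`; update it to `// We replace values in $line->array_options only for entries defined into $array_options`. The loop variable `$value` is also unused, so the body can read `$line->array_options[$key] = $value;`. The enclosing method starts and ends outside the hunk.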
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 5a882fdf7ca..38395b429ed 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -553,7 +553,7 @@ if (!defined('NOLOGIN'))
// Validation of login/pass/entity
// If ok, the variable login will be returned
// If error, we will put error message in session under the name dol_loginmesg
- if ($test && $goontestloop && GETPOST('actionlogin', 'aZ09') == 'login')
+ if ($test && $goontestloop && (GETPOST('actionlogin', 'aZ09') == 'login' || $dolibarr_main_authentication != 'dolibarr'))
{
$login = checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode);
if ($login)
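Review bot: The widened condition calls `checkLoginPassEntity()` without a submitted login form for every value of `$dolibarr_main_authentication` other than the exact string `dolibarr`. If that setting can name several modes at once (the call receives an `$authmode` argument, which suggests so), a configuration that still includes the built-in form mode would also skip the `actionlogin` requirement, which is broader than a form-less mode needs. Consider testing for the specific modes that have no login form instead of `!= 'dolibarr'`. A comment on the line should say why the form check is waived, for example `// Authentication modes without a login form never post actionlogin`. The enclosing `if (!defined('NOLOGIN'))` block extends beyond the hunk.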
diff --git a/htdocs/mrp/mo_card.php b/htdocs/mrp/mo_card.php
index 973e964a1cf..13951ca86ab 100644
--- a/htdocs/mrp/mo_card.php
+++ b/htdocs/mrp/mo_card.php
@@ -620,7 +620,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
print ''.$langs->trans("ToClone").' ';
}
- // Cancel
+ // Cancel - Reopen
if ($permissiontoadd)
{
if ($object->status == $object::STATUS_VALIDATED || $object->status == $object::STATUS_INPROGRESS)
diff --git a/htdocs/mrp/mo_production.php b/htdocs/mrp/mo_production.php
index 8dffd3dad19..a681aa9166f 100644
--- a/htdocs/mrp/mo_production.php
+++ b/htdocs/mrp/mo_production.php
@@ -551,12 +551,25 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
print ''.$langs->trans('ConsumeAndProduceAll').' ';
}
- // Reopen
- if ($object->status == Mo::STATUS_PRODUCED) {
- if ($permissiontoproduce) {
- print 'id.'&action=confirm_reopen">'.$langs->trans('ReOpen').' ';
- } else {
- print ''.$langs->trans('ReOpen').' ';
+ // Cancel - Reopen
+ if ($permissiontoadd)
+ {
+ if ($object->status == $object::STATUS_VALIDATED || $object->status == $object::STATUS_INPROGRESS)
+ {
+ print 'id.'&action=confirm_close&confirm=yes">'.$langs->trans("Cancel").' '."\n";
+ }
+
+ if ($object->status == $object::STATUS_CANCELED)
+ {
+ print 'id.'&action=confirm_reopen&confirm=yes">'.$langs->trans("Re-Open").' '."\n";
+ }
+
+ if ($object->status == $object::STATUS_PRODUCED) {
+ if ($permissiontoproduce) {
+ print 'id.'&action=confirm_reopen">'.$langs->trans('ReOpen').' ';
+ } else {
+ print ''.$langs->trans('ReOpen').' ';
+ }
}
}
}
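Review bot: The new Cancel and Re-Open buttons are plain links carrying `&action=confirm_close&confirm=yes` and `&action=confirm_reopen&confirm=yes`, so a single GET request changes the order's status with the confirmation already answered. No anti-CSRF token is visible in the part of the URL that survived on this page. These actions should go through the confirmation dialog or a POST that carries the session token. Separately, the existing `STATUS_PRODUCED` re-open button is now nested inside `if ($permissiontoadd)`, so a user who has `$permissiontoproduce` but not `$permissiontoadd` no longer sees it. The new label also uses the key `"Re-Open"` while the existing one uses `'ReOpen'`.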
diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php
index a478a542f0f..e5e37e44242 100644
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@@ -183,9 +183,9 @@ if ($id > 0 || !empty($ref))
print_liste_field_titre("CustomerCode", $_SERVER["PHP_SELF"], "s.code_client", "", "&id=".$product->id, '', $sortfield, $sortorder);
print_liste_field_titre("Date", $_SERVER["PHP_SELF"], "c.date_contrat", "", "&id=".$product->id, 'align="center"', $sortfield, $sortorder);
//print_liste_field_titre("AmountHT"),$_SERVER["PHP_SELF"],"c.amount","","&id=".$product->id,'align="right"',$sortfield,$sortorder);
- print_liste_field_titre($staticcontratligne->LibStatut(0, 3), $_SERVER["PHP_SELF"], "", '', '', 'align="center" width="16"', $sortfield, $sortorder, 'maxwidthsearch ');
- print_liste_field_titre($staticcontratligne->LibStatut(4, 3), $_SERVER["PHP_SELF"], "", '', '', 'align="center" width="16"', $sortfield, $sortorder, 'maxwidthsearch ');
- print_liste_field_titre($staticcontratligne->LibStatut(5, 3), $_SERVER["PHP_SELF"], "", '', '', 'align="center" width="16"', $sortfield, $sortorder, 'maxwidthsearch ');
+ print_liste_field_titre($staticcontratligne->LibStatut($staticcontratligne::STATUS_INITIAL, 3, -1, 'class="nochangebackground"'), $_SERVER["PHP_SELF"], "", '', '', 'align="center" width="16"', $sortfield, $sortorder, 'maxwidthsearch ');
+ print_liste_field_titre($staticcontratligne->LibStatut($staticcontratligne::STATUS_OPEN, 3, -1, 'class="nochangebackground"'), $_SERVER["PHP_SELF"], "", '', '', 'align="center" width="16"', $sortfield, $sortorder, 'maxwidthsearch ');
+ print_liste_field_titre($staticcontratligne->LibStatut($staticcontratligne::STATUS_CLOSED, 3, -1, 'class="nochangebackground"'), $_SERVER["PHP_SELF"], "", '', '', 'align="center" width="16"', $sortfield, $sortorder, 'maxwidthsearch ');
print "\n";
$contracttmp = new Contrat($db);
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 2c78069c7a0..ff6faad20a6 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -2330,7 +2330,7 @@ class Societe extends CommonObject
if (!empty($this->logo) && class_exists('Form'))
{
$label .= '';
- $label .= Form::showphoto('societe', $this, 0, 40, 0, 'photowithmargin', 'mini', 0); // Important, we must force height so image will have height tags and if image is inside a tooltip, the tooltip manager can calculate height and position correctly the tooltip.
+ $label .= Form::showphoto('societe', $this, 0, 40, 0, '', 'mini', 0); // Important, we must force height so image will have height tags and if image is inside a tooltip, the tooltip manager can calculate height and position correctly the tooltip.
$label .= '
';
}
elseif (!empty($this->logo_squarred) && class_exists('Form'))
diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index 679f2b7eb29..32483fb252f 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -23,6 +23,10 @@ body {
trans("DIRECTION").";\n"; ?>
}
+.sensiblehtmlcontent * {
+ position: static !important;
+}
+
.thumbstat { font-weight: bold !important; }
th a { font-weight: !important; }
a.tab { font-weight: 500 !important; }
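Review bot: The `.sensiblehtmlcontent *` rule overrides only inline `position` declarations that are not themselves marked `!important`, because an inline `!important` declaration takes precedence over an `!important` rule from a stylesheet. Those cases therefore depend entirely on the regex filter in `dol_string_onlythesehtmltags()`. A comment above the rule, `/* Defence in depth for user-supplied HTML; inline !important is filtered server-side in dol_string_onlythesehtmltags() */`, would record that the two controls belong together. The rule also takes effect only where the output container carries the class, so each place that prints sanitised notes has to add it. The same rule is added in theme/md/style.css.php.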
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index be1727d840c..9dee5d21683 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -247,6 +247,10 @@ body {
trans("DIRECTION").";\n"; ?>
}
+.sensiblehtmlcontent * {
+ position: static !important;
+}
+
.thumbstat { font-weight: bold !important; }
th a { font-weight: !important; }
a.tab { font-weight: 500 !important; }
diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php
index cd8607a764b..19c52b6fa7f 100644
--- a/htdocs/user/group/card.php
+++ b/htdocs/user/group/card.php
@@ -386,7 +386,9 @@ else
// Note
print ''.$langs->trans("Description").' ';
- print ''.dol_htmlentitiesbr($object->note).' ';
+ print '';
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
+ print ' ';
print " \n";
// Other attributes
diff --git a/htdocs/user/group/ldap.php b/htdocs/user/group/ldap.php
index 448f38aea50..eca923f68be 100644
--- a/htdocs/user/group/ldap.php
+++ b/htdocs/user/group/ldap.php
@@ -126,7 +126,9 @@ if (! empty($conf->mutlicompany->enabled))
// Note
print ''.$langs->trans("Description").' ';
-print ''.dol_htmlentitiesbr($object->note).' ';
+print '';
+print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
+print ' ';
print " \n";
// LDAP DN
diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php
index 39dc2e61f9f..576cbebff8d 100644
--- a/htdocs/user/group/perms.php
+++ b/htdocs/user/group/perms.php
@@ -212,7 +212,9 @@ if ($object->id > 0)
// Note
print ''.$langs->trans("Description").' ';
- print ''.dol_htmlentitiesbr($object->note).' ';
+ print '';
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
+ print ' ';
print " \n";
print ' ';
diff --git a/htdocs/user/note.php b/htdocs/user/note.php
index cdf6f65b9a1..dc2f11b96fa 100644
--- a/htdocs/user/note.php
+++ b/htdocs/user/note.php
@@ -111,19 +111,19 @@ if ($id)
// Note
print ''.$langs->trans("Note").' ';
- print '';
+ print ' ';
if ($action == 'edit' && $user->rights->user->user->creer)
{
print " ";
print " id."\">";
// Editeur wysiwyg
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
- $doleditor=new DolEditor('note_private', $object->note, '', 280, 'dolibarr_notes', 'In', true, false, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_8, '90%');
+ $doleditor=new DolEditor('note_private', $object->note_private, '', 280, 'dolibarr_notes', 'In', true, false, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_8, '90%');
$doleditor->Create();
}
else
{
- print dol_htmlentitiesbr($object->note);
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
}
print " ";