lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX XSS

Browse Source
This commit is contained in:
Laurent Destailleur 2019-09-18 14:15:20 +02:00
parent 2da5071642
commit 7b512587aa
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
htdocs/admin/mails_templates.php
View File

@ -50,7 +50,7 @@ $confirm = GETPOST('confirm','alpha'); // Result of a confirmation
$id = GETPOST('id','int');
$rowid = GETPOST('rowid','alpha');
$search_label=GETPOST('search_label','alpha');
$search_label=GETPOST('search_label', 'alphanohtml'); // Must allow value like 'Abc Def' or '(MyTemplateName)'
$search_type_template=GETPOST('search_type_template','alpha');
$search_lang=GETPOST('search_lang','alpha');
$search_fk_user=GETPOST('search_fk_user','intcomma');
@ -262,6 +262,7 @@ if (empty($reshook))
{
//var_dump($i.' - '.$listfieldvalue[$i].' - '.$_POST[$listfieldvalue[$i]].' - '.$value);
$keycode=$listfieldvalue[$i];
if ($value == 'label') $_POST[$keycode] = dol_escape_htmltag($_POST[$keycode]);
if ($value == 'lang') $keycode='langcode';
if ($value == 'entity') $_POST[$keycode] = $conf->entity;
if ($i) $sql.=",";
@ -666,8 +667,6 @@ if ($resql)
print '<tr class="liste_titre">';
foreach ($fieldlist as $field => $value)
{
// Determine le nom du champ par rapport aux noms possibles
// dans les dictionnaires de donnees
$showfield=1; // By defaut
$align="left";
$sortable=1;
@ -694,7 +693,7 @@ if ($resql)
if ($fieldlist[$field]=='content') { $valuetoshow=$langs->trans("Content"); $showfield=0;}
if ($fieldlist[$field]=='content_lines') { $valuetoshow=$langs->trans("ContentLines"); $showfield=0; }
// Affiche nom du champ
// Show fields
if ($showfield)
{
if (! empty($tabhelp[$id][$value]))
@ -812,6 +811,10 @@ if ($resql)
$showfield=1;
$align="left";
$valuetoshow=$obj->{$fieldlist[$field]};
if ($value == 'label' || $value == 'topic')
{
$valuetoshow = dol_escape_htmltag($valuetoshow);
}
if ($value == 'type_template')
{
$valuetoshow = isset($elementList[$valuetoshow])?$elementList[$valuetoshow]:$valuetoshow;