From 7c2bed2846d33f522f5b9a5e366feda58f11bf96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean=20Traull=C3=A9?= <jtraulle@opencomp.fr>
Date: Fri, 6 Mar 2020 16:22:41 +0000
Subject: [PATCH] Fix #13296

---
 htdocs/core/class/html.form.class.php | 3 ++-
 htdocs/expedition/card.php            | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 83fd976f627..c422bb91528 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -202,7 +202,7 @@ class Form
 				$ret .= '<input type="hidden" name="'.$paramid.'" value="'.$object->id.'">';
 				if (empty($notabletag)) $ret .= '<table class="nobordernopadding centpercent" cellpadding="0" cellspacing="0">';
 				if (empty($notabletag)) $ret .= '<tr><td>';
-				if (preg_match('/^(string|email)/', $typeofdata))
+				if (preg_match('/^(string|safehtmlstring|email)/', $typeofdata))
 				{
 					$tmp = explode(':', $typeofdata);
 					$ret .= '<input type="text" id="'.$htmlname.'" name="'.$htmlname.'" value="'.($editvalue ? $editvalue : $value).'"'.($tmp[1] ? ' size="'.$tmp[1].'"' : '').'>';
@@ -276,6 +276,7 @@ class Form
 				if (preg_match('/^(email)/', $typeofdata))              $ret .= dol_print_email($value, 0, 0, 0, 0, 1);
 				elseif (preg_match('/^(amount|numeric)/', $typeofdata)) $ret .= ($value != '' ? price($value, '', $langs, 0, -1, -1, $conf->currency) : '');
 				elseif (preg_match('/^text/', $typeofdata) || preg_match('/^note/', $typeofdata))  $ret .= dol_htmlentitiesbr($value);
+				elseif (preg_match('/^safehtmlstring/', $typeofdata)) $ret .= dol_string_onlythesehtmltags($value);
 				elseif ($typeofdata == 'day' || $typeofdata == 'datepicker') $ret .= dol_print_date($value, 'day');
 				elseif ($typeofdata == 'dayhour' || $typeofdata == 'datehourpicker') $ret .= dol_print_date($value, 'dayhour');
 				elseif (preg_match('/^select;/', $typeofdata))
diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php
index 66b47ab563f..b137e6cdfa5 100644
--- a/htdocs/expedition/card.php
+++ b/htdocs/expedition/card.php
@@ -1967,7 +1967,7 @@ elseif ($id || $ref)
 
 		// Tracking Number
 		print '<tr><td class="titlefield">'.$form->editfieldkey("TrackingNumber", 'tracking_number', $object->tracking_number, $object, $user->rights->expedition->creer).'</td><td colspan="3">';
-		print $form->editfieldval("TrackingNumber", 'tracking_number', $object->tracking_url, $object, $user->rights->expedition->creer, 'string', $object->tracking_number);
+		print $form->editfieldval("TrackingNumber", 'tracking_number', $object->tracking_url, $object, $user->rights->expedition->creer, 'safehtmlstring', $object->tracking_number);
 		print '</td></tr>';
 
 		// Incoterms

'; - if (preg_match('/^(string\|email)/', $typeofdata)) + if (preg_match('/^(string\|safehtmlstring\|email)/', $typeofdata)) { $tmp = explode(':', $typeofdata); $ret .= ''; @@ -276,6 +276,7 @@ class Form if (preg_match('/^(email)/', $typeofdata)) $ret .= dol_print_email($value, 0, 0, 0, 0, 1); elseif (preg_match('/^(amount\|numeric)/', $typeofdata)) $ret .= ($value != '' ? price($value, '', $langs, 0, -1, -1, $conf->currency) : ''); elseif (preg_match('/^text/', $typeofdata) \|\| preg_match('/^note/', $typeofdata)) $ret .= dol_htmlentitiesbr($value); + elseif (preg_match('/^safehtmlstring/', $typeofdata)) $ret .= dol_string_onlythesehtmltags($value); elseif ($typeofdata == 'day' \|\| $typeofdata == 'datepicker') $ret .= dol_print_date($value, 'day'); elseif ($typeofdata == 'dayhour' \|\| $typeofdata == 'datehourpicker') $ret .= dol_print_date($value, 'dayhour'); elseif (preg_match('/^select;/', $typeofdata)) diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php index 66b47ab563f..b137e6cdfa5 100644 --- a/htdocs/expedition/card.php +++ b/htdocs/expedition/card.php @@ -1967,7 +1967,7 @@ elseif ($id \|\| $ref) // Tracking Number print '
'.$form->editfieldkey("TrackingNumber", 'tracking_number', $object->tracking_number, $object, $user->rights->expedition->creer).'	'; - print $form->editfieldval("TrackingNumber", 'tracking_number', $object->tracking_url, $object, $user->rights->expedition->creer, 'string', $object->tracking_number); + print $form->editfieldval("TrackingNumber", 'tracking_number', $object->tracking_url, $object, $user->rights->expedition->creer, 'safehtmlstring', $object->tracking_number); print '