From 2aee62ea28726d0247147fd3e145a936222cfdb5 Mon Sep 17 00:00:00 2001
From: Florian Mortgat
Date: Mon, 7 Oct 2019 17:32:52 +0200
Subject: [PATCH 1/2] FIX: $from and $sendto variables are unescaped in the sending error message

This causes addresses like Tom not to be shown in the message.
---
 htdocs/core/actions_sendmails.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/actions_sendmails.inc.php b/htdocs/core/actions_sendmails.inc.php
index 17f1a70d555..088c30aaf31 100644
--- a/htdocs/core/actions_sendmails.inc.php
+++ b/htdocs/core/actions_sendmails.inc.php
@@ -460,7 +460,7 @@ if (($action == 'send' || $action == 'relance') && ! $_POST['addfile'] && ! $_PO
 $mesg='
';
 if ($mailfile->error)
 {
- $mesg.=$langs->trans('ErrorFailedToSendMail',$from,$sendto);
+ $mesg.=$langs->transnoentities('ErrorFailedToSendMail',dol_escape_htmltag($from),dol_escape_htmltag($sendto));
 $mesg.='
'.$mailfile->error;
 }
 else

From 6a8e8907efc528598cec19f395a8f97e53399d19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Tue, 15 Oct 2019 17:55:07 +0200
Subject: [PATCH 2/2] Update list.php

---
 htdocs/comm/propal/list.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index 893a3935cba..511166991bf 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -267,7 +267,7 @@ $sql.= ' p.rowid, p.entity, p.note_private, p.total_ht, p.tva as total_vat, p.to
 $sql.= ' p.datec as date_creation, p.tms as date_update,';
 $sql.= " pr.rowid as project_id, pr.ref as project_ref, pr.title as project_label,";
 $sql.= ' u.login';
-if (! $user->rights->societe->client->voir && ! $socid) $sql .= ", sc.fk_soc, sc.fk_user,";
+if (! $user->rights->societe->client->voir && ! $socid) $sql .= ", sc.fk_soc, sc.fk_user";
 if ($search_categ_cus) $sql .= ", cc.fk_categorie, cc.fk_soc";
 // Add fields from extrafields
 foreach ($extrafields->attribute_label as $key => $val) $sql.=($extrafields->attribute_type[$key] != 'separate' ? ", ef.".$key.' as options_'.$key : '');
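Review bot: In htdocs/core/actions_sendmails.inc.php the context line right after the changed one still appends `$mailfile->error` to `$mesg` unescaped, so the HTML error message this commit hardens keeps one raw value. If that string can carry text from the mail transport or from the recipient data (not visible in the hunk), it should go through the same helper, `dol_escape_htmltag($mailfile->error)`. A comment above the changed line would also record why the call switched, e.g. `// transnoentities() does not entity-encode, so $from and $sendto are escaped explicitly here`. The enclosing if/else continues outside the hunk, and the markup inside the two `$mesg` string literals is not shown on this page.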
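Review bot: Nothing near the changed line in htdocs/comm/propal/list.php records the convention it depends on, that every optional fragment of the column list starts with `, ` and none ends with a comma. A comment above the `if`, such as `// Optional columns: each fragment begins with ", " and must not end with a comma`, would keep later additions consistent. The branch runs only when the user lacks the `societe->client->voir` right and `$socid` is empty, so a list-page check with such a restricted user is the case that would have caught the malformed query. The subject `Update list.php` does not describe the fix; something like `FIX: trailing comma in proposal list SQL for restricted users` would be easier to find later.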