lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	ChangeLog
	htdocs/admin/tools/index.php
	htdocs/bookmarks/bookmarks.lib.php
	htdocs/compta/facture.php
	htdocs/core/tpl/passwordforgotten.tpl.php
	htdocs/fourn/ajax/getSupplierPrices.php
	htdocs/main.inc.php
	htdocs/product/stats/card.php
	htdocs/public/paypal/paymentko.php
This commit is contained in:
Laurent Destailleur 2017-06-18 21:13:48 +02:00
commit 86a6a83647
50 changed files with 207 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
ChangeLog
View File

@ -31,6 +31,23 @@ Following changes may create regression for some external modules, but were nece
content by doing a print into function, sometimes by returning content into "resprint". This has been fixed to follow
hook specifications so you must return output into "resprint".
***** ChangeLog for 5.0.4 compared to 5.0.3 *****
FIX: #6880
FIX: #6925
FIX: #6926
FIX: Can set supplier invoice to billed.
FIX: Can't create invoice if PO disapproved
FIX: contratligne update
FIX: CVE-2017-7886
FIX: default param
FIX: Line of invoices not inserted when using POS module and VAT NPR.
FIX: origin & originid on supplierproposal
FIX: Redirect to payment page from member subscription page failed if a unique security key was defined.
FIX: REST api to get project when user has permission to read all.
FIX: situation_progress param default value must be 100 and not 0
FIX: SQL injection on user/index.php parameter search_statut.
FIX: Warnings
***** ChangeLog for 5.0.3 compared to 5.0.2 *****
FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty
FIX: #6813

39
htdocs/accountancy/admin/accountmodel.php
View File

@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
$acts[0] = "activate";
$acts[1] = "disable";
@ -225,7 +226,7 @@ if ($id == 25)
if (GETPOST('button_removefilter') || GETPOST('button_removefilter.x') || GETPOST('button_removefilter_x'))
{
$search_country_id = '';
$search_country_id = '';
}
// Actions add or modify an entry into a dictionary
@ -459,8 +460,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -479,8 +480,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -499,8 +500,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -519,8 +520,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -556,7 +557,7 @@ print "<br>\n";
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);
@ -574,7 +575,7 @@ if ($id)
else $sql.=" WHERE ";
$sql.= " c.rowid = ".$search_country_id;
}
if ($sortfield)
{
// If sort order is "country", we use country_code instead
@ -598,9 +599,9 @@ if ($id)
$fieldlist=explode(',',$tabfield[$id]);
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$id.'" method="POST">';
print '<form action="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?id='.$id.'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<table class="noborder" width="100%">';
// Form to add a new line
@ -773,7 +774,7 @@ if ($id)
$paramwithsearch = $param;
if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder;
if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield;
// There is several pages
if ($num > $listlimit)
{
@ -865,9 +866,9 @@ if ($id)
foreach ($fieldlist as $field => $value)
{
$showfield=1; // By defaut
if ($fieldlist[$field]=='region_id' || $fieldlist[$field]=='country_id') { $showfield=0; }
if ($showfield)
{
if ($value == 'country')
@ -889,7 +890,7 @@ if ($id)
print $searchpicto;
print '</td>';
print '</tr>';
if ($num)
{
// Lines with values
@ -927,7 +928,7 @@ if ($id)
{
foreach ($fieldlist as $field => $value)
{
$showfield=1;
$align="left";
$valuetoshow=$obj->{$fieldlist[$field]};
@ -1169,7 +1170,7 @@ else
$showemptyline=0;
}
$value=$tabname[$i];
print '<tr class="oddeven"><td width="50%">';
if (! empty($tabcond[$i]))

19
htdocs/accountancy/admin/categories_list.php
View File

@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
// Security access
if (! empty($user->rights->accountancy->chartofaccount))
@ -370,8 +371,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -390,8 +391,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -410,8 +411,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -430,8 +431,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -461,7 +462,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto);
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

11
htdocs/accountancy/admin/journals_list.php
View File

@ -38,6 +38,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
// Security access
if (! empty($user->rights->accountancy->chartofaccount))
@ -321,8 +322,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -341,8 +342,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -375,7 +376,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto);
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

19
htdocs/admin/dict.php
View File

@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
$allowed=$user->admin;
if ($id == 7 && ! empty($user->rights->accounting->chartofaccount)) $allowed=1; // Tax page allowed to manager of chart account
@ -816,8 +817,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($code)."'";
}
$result = $db->query($sql);
@ -836,8 +837,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($code)."'";
}
$result = $db->query($sql);
@ -856,8 +857,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($code)."'";
}
$result = $db->query($sql);
@ -876,8 +877,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($code)."'";
}
$result = $db->query($sql);
@ -938,7 +939,7 @@ if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha');
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($_GET["code"]).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

10
htdocs/admin/mails_templates.php
View File

@ -346,8 +346,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -366,8 +366,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
elseif ($_GET["code"]) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@ -412,7 +412,7 @@ dol_fiche_head($head, 'templates', '', -1);
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

2
htdocs/admin/tools/index.php
View File

@ -38,7 +38,7 @@ if (! $user->admin)
$form = new Form($db);
$title=$langs->trans("AdminTools");
//if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools");
//if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools");
llxHeader('', $title);

18
htdocs/bookmarks/bookmarks.lib.php
View File

@ -40,10 +40,10 @@ function printBookmarksList($aDb, $aLangs)
$langs->load("bookmarks");
$url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:'');
$url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');
$ret = '';
// Menu bookmark
$ret.= '<div class="menu_top"></div>'."\n";
@ -83,12 +83,12 @@ function printBookmarksList($aDb, $aLangs)
dol_print_error($db);
}
}
$ret.= '</select>';
$ret.= '</form>';
$ret.=ajax_combobox('boxbookmark');
$ret.='<script type="text/javascript">
$(document).ready(function () {';
$ret.=' jQuery("#boxbookmark").change(function() {
@ -97,9 +97,9 @@ function printBookmarksList($aDb, $aLangs)
if (! urltarget) { urltarget=""; }
jQuery("form#actionbookmark").attr("target",urltarget);
jQuery("form#actionbookmark").attr("action",urlselected);
console.log("We change select bookmark. We choose urlselected="+urlselected+" with target="+urltarget);
// Method is POST for internal link, GET for external
if (urlselected.startsWith(\'http\'))
{
@ -107,7 +107,7 @@ function printBookmarksList($aDb, $aLangs)
jQuery("form#actionbookmark").attr("method",newmethod);
console.log("We change method to newmethod="+newmethod);
}
jQuery("#actionbookmark").submit();
});';
$ret.='})</script>';

34
htdocs/comm/action/index.php
View File

@ -423,8 +423,8 @@ else // If javascript off
$newparam=$param; // newparam is for birthday links
$newparam=preg_replace('/showbirthday=[0-1]/i','showbirthday='.(empty($showbirthday)?1:0),$newparam);
if (! preg_match('/showbirthday=/i',$newparam)) $newparam.='&showbirthday=1';
$link='<a href="'.$_SERVER['PHP_SELF'];
$link.='?'.$newparam;
$link='<a href="'.dol_escape_htmltag($_SERVER['PHP_SELF']);
$link.='?'.dol_escape_htmltag($newparam);
$link.='">';
if (empty($showbirthday)) $link.=$langs->trans("AgendaShowBirthdayEvents");
else $link.=$langs->trans("AgendaHideBirthdayEvents");
@ -1070,7 +1070,7 @@ if (empty($action) || $action == 'show_month') // View by month
}
echo "</table>\n";
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';
@ -1124,7 +1124,7 @@ elseif ($action == 'show_week') // View by week
echo "</table>\n";
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';
@ -1188,7 +1188,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
global $cachethirdparties, $cachecontacts, $cacheusers, $colorindexused;
$dateint = sprintf("%04d",$year).sprintf("%02d",$month).sprintf("%02d",$day);
print "\n";
// Line with title of day
@ -1247,7 +1247,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
if (in_array($user->id, $keysofuserassigned))
{
$nummytasks++; $cssclass='family_mytasks';
if (empty($cacheusers[$event->userownerid]))
{
$newuser=new User($db);
@ -1255,7 +1255,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
$cacheusers[$event->userownerid]=$newuser;
}
//var_dump($cacheusers[$event->userownerid]->color);
// We decide to choose color of owner of event (event->userownerid is user id of owner, event->userassigned contains all users assigned to event)
if (! empty($cacheusers[$event->userownerid]->color)) $color=$cacheusers[$event->userownerid]->color;
}
@ -1277,10 +1277,10 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
}
else
{
$numother++;
$numother++;
$color=($event->icalcolor?$event->icalcolor:-1);
$cssclass=(! empty($event->icalname)?'family_ext'.md5($event->icalname):'family_other');
if (empty($cacheusers[$event->userownerid]))
{
$newuser=new User($db);
@ -1288,7 +1288,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
$cacheusers[$event->userownerid]=$newuser;
}
//var_dump($cacheusers[$event->userownerid]->color);
// We decide to choose color of owner of event (event->userownerid is user id of owner, event->userassigned contains all users assigned to event)
if (! empty($cacheusers[$event->userownerid]->color)) $color=$cacheusers[$event->userownerid]->color;
}
@ -1364,9 +1364,9 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
print '">';
print '<tr>';
print '<td class="tdoverflow nobottom centpercent '.($nowrapontd?'nowrap ':'').'cal_event'.($event->type_code == 'BIRTHDAY'?' cal_event_birthday':'').'">';
$daterange='';
if ($event->type_code == 'BIRTHDAY') // It's a birthday
{
print $event->getNomUrl(1,$maxnbofchar,'cal_event','birthday','contact');
@ -1426,9 +1426,9 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
// Show title
$titletoshow = $daterange;
$titletoshow.=($titletoshow?' ':'').$event->libelle;
if ($event->type_code == 'ICALEVENT') print $titletoshow;
else
else
{
$savlabel=$event->libelle;
$event->libelle=$titletoshow;
@ -1449,11 +1449,11 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
$newuser->fetch($tmpid);
$cacheusers[$tmpid]=$newuser;
}
$listofusertoshow.=$cacheusers[$tmpid]->getNomUrl(-3, '', 0, 0, 0, 0, '', 'valigntextbottom');
}
print $listofusertoshow;
if ($event->type_code == 'ICALEVENT') print '<br>('.dol_trunc($event->icalname,$maxnbofchar).')';
// If action related to company / contact
@ -1506,7 +1506,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
if ($event->type_code != 'BIRTHDAY' && $event->type_code != 'ICALEVENT')
{
$withstatus=1;
if ($event->percentage >= 0) $withstatus=2;
if ($event->percentage >= 0) $withstatus=2;
}
print '<td class="nobottom right nowrap cal_event_right'.($withstatus >= 2 ?' cal_event_right_status':'').'">';
if ($withstatus) print $event->getLibStatut(3,1);

2
htdocs/comm/action/pertype.php
View File

@ -572,7 +572,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor
$newparam.='&viewweek=1';
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';

6
htdocs/comm/action/peruser.php
View File

@ -86,12 +86,12 @@ $status=GETPOST("status");
$type=GETPOST("type");
$maxprint=(isset($_GET["maxprint"])?GETPOST("maxprint"):$conf->global->AGENDA_MAX_EVENTS_DAY_VIEW);
// Set actioncode (this code must be same for setting actioncode into peruser, listacton and index)
if (GETPOST('actioncode','array'))
if (GETPOST('actioncode','array'))
{
$actioncode=GETPOST('actioncode','array',3);
if (! count($actioncode)) $actioncode='0';
}
else
else
{
$actioncode=GETPOST("actioncode","alpha",3)?GETPOST("actioncode","alpha",3):(GETPOST("actioncode")=='0'?'0':(empty($conf->global->AGENDA_DEFAULT_FILTER_TYPE)?'':$conf->global->AGENDA_DEFAULT_FILTER_TYPE));
}
@ -579,7 +579,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor
$newparam.='&viewweek=1';
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
echo '<input type="hidden" name="newdate" id="newdate">' ;
echo '</form>';

12
htdocs/compta/facture/card.php
View File

@ -3587,15 +3587,14 @@ else if ($id > 0 || ! empty($ref))
if ($object->type == Facture::TYPE_SITUATION && ! empty($conf->global->INVOICE_USE_SITUATION))
{
if (count($object->tab_previous_situation_invoice) > 0 || count($object->tab_next_situation_invoice) > 0)
print '<table class="nobordernopadding paymenttable" width="100%">';
print '<table class="noborder situationstable" width="100%">';
if (count($object->tab_previous_situation_invoice) > 0) {
// List of previous invoices
print '<tr class="liste_titre">';
print '<td>' . $langs->trans('ListOfPreviousSituationInvoices') . '</td>';
print '<td></td>';
if (! empty($conf->banque->enabled))
print '<td align="right"></td>';
if (! empty($conf->banque->enabled)) print '<td align="right"></td>';
print '<td align="right">' . $langs->trans('AmountHT') . '</td>';
print '<td align="right">' . $langs->trans('AmountTTC') . '</td>';
print '<td width="18">&nbsp;</td>';
@ -3609,8 +3608,7 @@ else if ($id > 0 || ! empty($ref))
print '<tr class="oddeven">';
print '<td>' . $prev_invoice->getNomUrl(1) . '</td>';
print '<td></td>';
if (! empty($conf->banque->enabled))
print '<td align="right"></td>';
if (! empty($conf->banque->enabled)) print '<td align="right"></td>';
print '<td align="right">' . price($prev_invoice->total_ht) . '</td>';
print '<td align="right">' . price($prev_invoice->total_ttc) . '</td>';
print '<td align="right">' . $prev_invoice->getLibStatut(3, $totalpaye) . '</td>';
@ -3619,7 +3617,9 @@ else if ($id > 0 || ! empty($ref))
}
print '<tr class="oddeven">';
print '<td colspan="2" align="right"></td>';
print '<td></td>';
print '<td></td>';
if (! empty($conf->banque->enabled)) print '<td></td>';
print '<td align="right"><b>' . price($total_prev_ht) . '</b></td>';
print '<td align="right"><b>' . price($total_prev_ttc) . '</b></td>';
print '<td width="18">&nbsp;</td>';

2
htdocs/core/ajax/ajaxdirpreview.php
View File

@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir))
}
print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
print '<!-- Page called with mode='.(isset($mode)?$mode:'').' type='.$type.' module='.$module.' url='.$url.' '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
$param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:'');

2
htdocs/core/ajax/bankconciliate.php
View File

@ -45,7 +45,7 @@ $action=GETPOST('action','aZ09');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext')
{

2
htdocs/core/ajax/box.php
View File

@ -50,7 +50,7 @@ $userid=GETPOST('userid','int');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Add a box
if ($boxid > 0 && $zone !='' && $userid > 0)

2
htdocs/core/ajax/constantonoff.php
View File

@ -45,7 +45,7 @@ $name=GETPOST('name','alpha');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (! empty($action) && ! empty($name))

8
htdocs/core/ajax/contacts.php
View File

@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($id) && ! empty($action) && ! empty($htmlname))
{
$form = new Form($db);
$return=array();
if (empty($showempty)) $showempty=0;
$return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true);
$return['num'] = $form->num;
$return['error'] = $form->error;
echo json_encode($return);
}

18
htdocs/core/ajax/extraparams.php
View File

@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha');
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
{
$value = GETPOST('value','alpha');
$params=array();
dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG);
$classpath = $subelement = $element;
// For compatibility
if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; }
else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; }
@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; }
else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; }
else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; }
dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php');
if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; }
else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; }
else $classname = ucfirst($subelement);
$object = new $classname($db);
$object->fetch($id);
$params[$htmlelement] = array($type => $value);
$object->extraparams = array_merge($object->extraparams, $params);
$result=$object->setExtraParameters();
}

2
htdocs/core/ajax/loadinplace.php
View File

@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element))

2
htdocs/core/ajax/objectonoff.php
View File

@ -42,7 +42,7 @@ $object = new GenericObject($db);
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering new values
if (($action == 'set') && ! empty($id))

2
htdocs/core/ajax/price.php
View File

@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha'));
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($output) && isset($amount) && isset($tva_tx))

6
htdocs/core/ajax/row.php
View File

@ -18,8 +18,8 @@
/**
* \file htdocs/core/ajax/row.php
* \brief File to return Ajax response on Row move.
* This ajax page is called when doing an up or down drag and drop.
* \brief File to return Ajax response on Row move.
* This ajax page is called when doing an up or down drag and drop.
*/
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal
@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line']))

2
htdocs/core/ajax/saveinplace.php
View File

@ -54,7 +54,7 @@ savemethodname:
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
//print_r($_POST);
// Load original field value

6
htdocs/core/ajax/security.php
View File

@ -17,8 +17,8 @@
/**
* \file htdocs/core/ajax/security.php
* \brief This ajax component is used to generated has keys for security purposes
* like key to use into URL to protect them.
* \brief This ajax component is used to generated has keys for security purposes
* like key to use into URL to protect them.
*/
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal
@ -38,7 +38,7 @@ require '../../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (isset($_GET['action']) && ! empty($_GET['action']))

2
htdocs/core/ajax/vatrates.php
View File

@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0);
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($id) && ! empty($action) && ! empty($htmlname))

2
htdocs/core/ajax/ziptown.php
View File

@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
//var_dump($_GET);

4
htdocs/core/class/html.formother.class.php
View File

@ -1062,7 +1062,7 @@ class FormOther
async: false
});
// We force reload to be sure to get all boxes into list
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\';
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\';
}
else
{
@ -1084,7 +1084,7 @@ class FormOther
url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\',
async: false
});
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid;
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid;
}
});';
if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();';

7
htdocs/core/lib/functions.lib.php
View File

@ -411,9 +411,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
case 'intcomma':
if (preg_match('/[^0-9,]+/i',$out)) $out='';
break;
case 'intcomma':
if (preg_match('/[^0-9,]+/i',$out)) $out='';
break;
case 'alpha':
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
@ -3168,8 +3165,8 @@ function dol_print_error($db='',$error='',$errors=null)
$out.="<b>".$langs->trans("Referer").":</b> ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."<br>\n";
$out.="<b>".$langs->trans("MenuManager").":</b> ".(isset($conf->standard_menu)?$conf->standard_menu:'')."<br>\n";
$out.="<br>\n";
$syslog.="url=".$_SERVER["REQUEST_URI"];
$syslog.=", query_string=".$_SERVER["QUERY_STRING"];
$syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]);
$syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]);
}
else // Mode CLI
{

4
htdocs/core/lib/security2.lib.php
View File

@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc)
$dol_url_root = DOL_URL_ROOT;
$php_self = $_SERVER['PHP_SELF'];
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
// Title
$appli=constant('DOL_APPLICATION_TITLE');
$title=$appli.' '.constant('DOL_VERSION');

2
htdocs/core/tpl/ajax/fileupload_main.tpl.php
View File

@ -45,7 +45,7 @@ $(function () {
// Events
$('#fileupload').fileupload({
stop: function (e, data) {
location.href='<?php echo $_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"]; ?>';
location.href='<?php echo dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]); ?>';
},
destroy: function (e, data) {
var that = $(this).data('fileupload');

2
htdocs/core/tpl/ajaxrow.tpl.php
View File

@ -63,7 +63,7 @@ $(document).ready(function(){
function() {
console.log("tableDND end of ajax call");
if (reloadpage == 1) {
location.href = '<?php echo $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; ?>';
location.href = '<?php echo dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']); ?>';
} else {
$("#<?php echo $tagidfortablednd; ?> .drag").each(
function( intIndex ) {

6
htdocs/core/tpl/login.tpl.php
View File

@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
// If we force to use jmobile, then we reenable javascript
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
// Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
$arrayofjs=array(
'/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)),
@ -82,7 +86,7 @@ $(document).ready(function () {
<div class="login_table_title center" title="<?php echo dol_escape_htmltag($title); ?>">
<?php
if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
echo dol_escape_htmltag($title);
echo dol_escape_htmltag($title);
if ($disablenofollow) echo '</a>';
?>
</div>

7
htdocs/core/tpl/passwordforgotten.tpl.php
View File

@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
// If we force to use jmobile, then we reenable javascript
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
$php_self = $_SERVER['PHP_SELF'];
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
print top_htmlhead('',$langs->trans('SendNewPassword'));
?>
<!-- BEGIN PHP TEMPLATE PASSWORDFORGOTTEN.TPL.PHP -->
@ -56,7 +59,7 @@ $(document).ready(function () {
<div class="login_table_title center" title="<?php echo dol_escape_htmltag($title); ?>">
<?php
if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
echo dol_escape_htmltag($title);
echo dol_escape_htmltag($title);
if ($disablenofollow) echo '</a>';
?>
</div>
@ -96,7 +99,7 @@ if (! empty($hookmanager->resArray['options'])) {
}
?>
<?php if ($captcha) {
<?php if ($captcha) {
// Add a variable param to force not using cache (jmobile)
$php_self = preg_replace('/[&\?]time=(\d+)/','',$php_self); // Remove param time
if (preg_match('/\?/',$php_self)) $php_self.='&time='.dol_print_date(dol_now(),'dayhourlog');

2
htdocs/ecm/ajax/ecmdatabase.php
View File

@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (isset($action) && ! empty($action))

2
htdocs/expensereport/ajax/ajaxprojet.php
View File

@ -46,7 +46,7 @@ require '../../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_GET));

4
htdocs/externalsite/frames.php
View File

@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL))
llxFooter();
}
$mainmenu=GETPOST('mainmenu', 'alpha');
$leftmenu=GETPOST('leftmenu', 'alpha');
$mainmenu=GETPOST('mainmenu', "aZ09");
$leftmenu=GETPOST('leftmenu', "aZ09");
$idmenu=GETPOST('idmenu', 'int');
$theme=GETPOST('theme', 'alpha');
$codelang=GETPOST('lang', 'aZ09');

18
htdocs/fourn/ajax/getSupplierPrices.php
View File

@ -46,7 +46,7 @@ $langs->load('margins');
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if ($idprod > 0)
{
@ -55,7 +55,7 @@ if ($idprod > 0)
$sorttouse = 's.nom, pfp.quantity, pfp.price';
if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price';
$productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list.
if ( is_array($productSupplierArray))
{
@ -63,34 +63,34 @@ if ($idprod > 0)
{
$price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100);
$unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100);
$title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - ';
if ($productSupplier->fourn_qty == 1)
{
$title.= price($price,0,$langs,0,0,-1,$conf->currency)."/";
}
$title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units"));
if ($productSupplier->fourn_qty > 1)
{
$title.=" - ";
$title.= price($unitprice,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
$price = $unitprice;
}
$label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')';
$prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price()
}
}
// Add price for costprice
$price=$producttmp->cost_price;
$prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price()
if(!empty($conf->stock->enabled))
if(!empty($conf->stock->enabled))
{
// Add price for pmp
$price=$producttmp->pmp;

4
htdocs/holiday/list.php
View File

@ -168,7 +168,7 @@ if($year_create > 0) {
}
} else {
if($month_create > 0) {
$filter.= " AND date_format(cp.date_create, '%m') = '$month_create'";
$filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'";
}
}
@ -302,7 +302,7 @@ print '</td>';
// DATE CREATE
print '<td class="liste_titre" align="center">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.$month_create.'">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.dol_escape_htmltag($month_create).'">';
$formother->select_year($year_create,'year_create',1, $min_year, 0);
print '</td>';

11
htdocs/main.inc.php
View File

@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val);
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
// $sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);
@ -1486,14 +1487,14 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
// Link to print main content area
if (empty($conf->global->MAIN_PRINT_DISABLELINK) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && empty($conf->browser->phone))
{
$qs=$_SERVER["QUERY_STRING"];
$qs=dol_escape_htmltag($_SERVER["QUERY_STRING"]);
foreach($_POST as $key=>$value) {
if($key!=='action' && !is_array($value))$qs.='&'.$key.'='.urlencode($value);
if ($key!=='action' && !is_array($value)) $qs.='&'.$key.'='.urlencode($value);
}
$qs.=(($qs && $morequerystring)?'&':'').$morequerystring;
$text ='<a href="'.$_SERVER["PHP_SELF"].'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
$text ='<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
//$text.= img_picto(":".$langs->trans("PrintContentArea"), 'printer_top.png', 'class="printer"');
$text.='<span class="fa fa-print atoplogin"></span>';
$text.='</a>';

2
htdocs/product/ajax/products.php
View File

@ -57,7 +57,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
* View
*/
// print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
// print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',', $_GET));
// print_r($_GET);

2
htdocs/public/paybox/paymentko.php
View File

@ -66,7 +66,7 @@ $paymentmethod='paybox';
* View
*/
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";

2
htdocs/public/paybox/paymentok.php
View File

@ -76,7 +76,7 @@ $paymentmethod='paybox';
* View
*/
dol_syslog("Callback url when a PayBox payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
dol_syslog("Callback url when a PayBox payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";

18
htdocs/public/paypal/paymentko.php
View File

@ -76,7 +76,7 @@ $paymentmethod='paypal';
* View
*/
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
@ -94,23 +94,23 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
$FinalPaymentAmt = $_SESSION["Payment_Amount"];
// From env
$ipaddress = $_SESSION['ipaddress'];
// Appel des triggers
include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
$interface=new Interfaces($db);
$result=$interface->run_triggers('PAYPAL_PAYMENT_KO',$object,$user,$langs,$conf);
if ($result < 0) { $error++; $errors=$interface->errors; }
// Fin appel triggers
// Send an email
$sendemail = '';
if (! empty($conf->global->PAYPAL_PAYONLINE_SENDEMAIL)) $sendemail=$conf->global->PAYPAL_PAYONLINE_SENDEMAIL;
if ($sendemail)
{
$sendto=$sendemail;
$from=$conf->global->MAILING_EMAIL_FROM;
// Define link to login card
$appli=constant('DOL_APPLICATION_TITLE');
if (! empty($conf->global->MAIN_APPLICATION_TITLE))
@ -123,7 +123,7 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
else $appli.=" ".DOL_VERSION;
}
else $appli.=" ".DOL_VERSION;
$urlback=$_SERVER["REQUEST_URI"];
$topic='['.$appli.'] '.$langs->transnoentitiesnoconv("NewOnlinePaymentFailed");
$content="";
@ -133,10 +133,10 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
$content.=$langs->transnoentitiesnoconv("OnlinePaymentSystem").': '.$paymentmethod."<br>\n";
$content.=$langs->transnoentitiesnoconv("ReturnURLAfterPayment").': '.$urlback."\n";
$content.="tag=".$fulltag."\ntoken=".$onlinetoken." paymentType=".$paymentType." currencycodeType=".$currencyCodeType." payerId=".$payerID." ipaddress=".$ipaddress." FinalPaymentAmt=".$FinalPaymentAmt;
require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php';
$mailfile = new CMailFile($topic, $sendto, $from, $content);
$result=$mailfile->sendfile();
if ($result)
{
@ -147,7 +147,7 @@ if (! empty($_SESSION['ipaddress'])) // To avoid to make action twice
dol_syslog("Failed to send EMail to ".$sendto, LOG_ERR, 0, '_paypal');
}
}
unset($_SESSION['ipaddress']);
}

2
htdocs/public/paypal/paymentok.php
View File

@ -106,7 +106,7 @@ $paymentmethod='paypal';
* View
*/
dol_syslog("Callback url when a PayPal payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
dol_syslog("Callback url when a PayPal payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";

4
htdocs/societe/ajax/company.php
View File

@ -43,7 +43,7 @@ $id=GETPOST('id', 'int');
* View
*/
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',', $_GET));
//print_r($_GET);
@ -62,7 +62,7 @@ if (! empty($action) && $action == 'fetch' && ! empty($id))
$outlabel = '';
$outdesc = '';
$outtype = $object->type;
$outjson = array('ref' => $outref,'name' => $outname,'desc' => $outdesc,'type' => $outtype);
}

2
htdocs/societe/ajaxcompanies.php
View File

@ -44,7 +44,7 @@ require '../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_GET));

2
htdocs/societe/ajaxcountries.php
View File

@ -45,7 +45,7 @@ $country=GETPOST('country', 'alpha');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_POST));

3
htdocs/user/passwordforgotten.php
View File

@ -152,9 +152,6 @@ if ($action == 'buildnewpassword' && $username)
* View
*/
$php_self = $_SERVER['PHP_SELF'];
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
$dol_url_root = DOL_URL_ROOT;
// Title

2
htdocs/variants/list.php
View File

@ -88,7 +88,7 @@ $forcereloadpage=empty($conf->global->MAIN_FORCE_RELOAD_PAGE)?0:1;
},
function() {
if (reloadpage == 1) {
location.href = '<?php echo $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; ?>';
location.href = '<?php echo dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']); ?>';
} else {
$("#tablelines .drag").each(
function( intIndex ) {

23
test/phpunit/CodingPhpTest.php
View File

@ -144,24 +144,24 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
foreach($filesarray as $key => $file)
foreach($filesarray as $key => $file)
{
if (preg_match('/\/htdocs\/includes\//', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/custom\//', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/dolimed/', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/nltechno/', $file['fullname'])) continue;
if (preg_match('/\/htdocs\/teclib/', $file['fullname'])) continue;
print 'Check php file '.$file['fullname']."\n";
$filecontent=file_get_contents($file['fullname']);
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'db->' && $val[1] != 'esca')
if ($val[1] != 'db->' && $val[1] != 'esca')
{
$ok=false;
break;
@ -171,9 +171,22 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
//exit;
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/(...................)\$_SERVER\[\'PHP_SELF\'\]/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'dol_escape_htmltag(')
{
$ok=false;
break;
}
}
$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag around in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');
}
return;
}
}