lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix php sanitazing

Browse Source
This commit is contained in:
Laurent Destailleur 2017-06-18 21:53:06 +02:00
parent 0ef507ae7f
commit 8debefa8ad
2 changed files with 24 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
htdocs/don/card.php
View File

@ -50,7 +50,7 @@ $cancel=GETPOST('cancel');
$amount=GETPOST('amount');
$donation_date=dol_mktime(12, 0, 0, GETPOST('remonth'), GETPOST('reday'), GETPOST('reyear'));
$projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);
$object = new Don($db);
$extrafields = new ExtraFields($db);
@ -316,17 +316,17 @@ if ($action == 'create')
print '</td>';
// Amount
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" value="'.GETPOST("amount").'" size="10"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" value="'.dol_escape_htmltag(GETPOST("amount")).'" size="10"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
print '<tr><td class="fieldrequired">'.$langs->trans("PublicDonation")."</td><td>";
print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1);
print "</td></tr>\n";
print "<tr>".'<td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" value="'.GETPOST("societe").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" value="'.GETPOST("lastname").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" value="'.GETPOST("firstname").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" value="'.dol_escape_htmltag(GETPOST("societe")).'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" value="'.dol_escape_htmltag(GETPOST("lastname")).'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" value="'.dol_escape_htmltag(GETPOST("firstname")).'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="3">'.GETPOST("address").'</textarea></td></tr>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="3">'.dol_escape_htmltag(GETPOST("address")).'</textarea></td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
@ -341,7 +341,7 @@ if ($action == 'create')
if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1);
print '</td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" value="'.GETPOST("email").'" size="40"></td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" value="'.dol_escape_htmltag(GETPOST("email")).'" size="40"></td></tr>';
// Public note
print '<tr>';
@ -384,9 +384,9 @@ if ($action == 'create')
dol_fiche_end();
print '<div class="center">';
print '<input type="submit" class="button" name="save" value="'.$langs->trans("Save").'">';
print '<input type="submit" class="button" name="save" value="'.dol_escape_htmltag($langs->trans("Save")).'">';
print '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
print '<input type="button" class="button" value="' . $langs->trans("Cancel") . '" onClick="javascript:history.go(-1)">';
print '<input type="button" class="button" value="'.dol_escape_htmltag($langs->trans("Cancel")).'" onClick="javascript:history.go(-1)">';
print '</div>';
print "</form>\n";
@ -438,7 +438,7 @@ if (! empty($id) && $action == 'edit')
// Amount
if ($object->statut == 0)
{
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" size="10" value="'.$object->amount.'"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" size="10" value="'.dol_escape_htmltag($object->amount).'"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
}
else
{
@ -453,11 +453,11 @@ if (! empty($id) && $action == 'edit')
print "</tr>\n";
$langs->load("companies");
print '<tr><td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.$object->societe.'"></td></tr>';
print '<tr><td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.$object->lastname.'"></td></tr>';
print '<tr><td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.$object->firstname.'"></td></tr>';
print '<tr><td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.dol_escape_htmltag($object->societe).'"></td></tr>';
print '<tr><td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.dol_escape_htmltag($object->lastname).'"></td></tr>';
print '<tr><td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.dol_escape_htmltag($object->firstname).'"></td></tr>';
print '<tr><td>'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_3.'">'.$object->address.'</textarea></td></tr>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_3.'">'.dol_escape_htmltag($object->address).'</textarea></td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
@ -472,7 +472,7 @@ if (! empty($id) && $action == 'edit')
if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1);
print '</td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" size="40" value="'.$object->email.'"></td></tr>';
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" size="40" value="'.dol_escape_htmltag($object->email).'"></td></tr>';
print "<tr><td>".$langs->trans("PaymentMode")."</td><td>\n";
@ -544,9 +544,9 @@ if (! empty($id) && $action != 'edit')
// Print form confirm
print $formconfirm;
$linkback = '<a href="'.DOL_URL_ROOT.'/don/list.php'.(! empty($socid)?'?socid='.$socid:'').'">'.$langs->trans("BackToList").'</a>';
$morehtmlref='<div class="refidno">';
// Project
if (! empty($conf->projet->enabled))
@ -581,8 +581,8 @@ if (! empty($id) && $action != 'edit')
}
}
$morehtmlref.='</div>';
dol_banner_tab($object, 'rowid', $linkback, 1, 'rowid', 'ref', $morehtmlref);
@ -592,13 +592,6 @@ if (! empty($id) && $action != 'edit')
print '<table class="border" width="100%">';
// Ref
/*
print '<tr><td class="titlefield">'.$langs->trans("Ref").'</td><td colspan="2">';
print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', '');
print '</td>';
print '</tr>';
*/
// Date
print '<tr><td class="titlefield">'.$langs->trans("Date").'</td><td colspan="2">';
print dol_print_date($object->date,"day");
@ -615,52 +608,12 @@ if (! empty($id) && $action != 'edit')
print '<tr><td>'.$langs->trans("Company").'</td><td colspan="2">'.$object->societe.'</td></tr>';
print '<tr><td>'.$langs->trans("Lastname").'</td><td colspan="2">'.$object->lastname.'</td></tr>';
print '<tr><td>'.$langs->trans("Firstname").'</td><td colspan="2">'.$object->firstname.'</td></tr>';
/*print '<tr><td>'.$langs->trans("Address").'</td><td>'.dol_nl2br($object->address).'</td>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'</td></tr>';
// Country
print '<tr><td>'.$langs->trans('Country').'</td><td>';
if (! empty($object->country_code))
{
$img=picto_from_langcode($object->country_code);
print ($img?$img.' ':'');
print $object->country;
}
else
{
print $object->country_olddata;
}
print '</td></tr>';
// EMail
print "<tr>".'<td>'.$langs->trans("EMail").'</td><td>'.dol_print_email($object->email).'</td></tr>';
*/
// Payment mode
print "<tr><td>".$langs->trans("PaymentMode")."</td><td>";
$form->form_modes_reglement(null, $object->modepaymentid,'none');
print "</td></tr>\n";
//print "<tr>".'<td>'.$langs->trans("Status").'</td><td>'.$object->getLibStatut(4).'</td></tr>';
// Project
/*
if (! empty($conf->projet->enabled))
{
print '<tr>';
print '<td>'.$langs->trans("Project").'</td>';
print '<td>';
$projettmp=new Project($db);
$projettmp->id=$object->fk_projet;
$projettmp->ref=$object->project;
if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1);
print '</td>';
print '</tr>';
}*/
// Other attributes
$cols = 2;
include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php';

8
htdocs/holiday/list.php
View File

@ -138,7 +138,7 @@ if($year_start > 0) {
}
} else {
if($month_start > 0) {
$filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'";
$filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'";
}
}
@ -153,7 +153,7 @@ if($year_end > 0) {
}
} else {
if($month_end > 0) {
$filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'";
$filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'";
}
}
@ -368,13 +368,13 @@ print '<td class="liste_titre">&nbsp;</td>';
// DATE DEBUT
print '<td class="liste_titre" align="center">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_start" value="'.$month_start.'">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_start" value="'.dol_escape_htmltag($month_start).'">';
$formother->select_year($year_start,'year_start',1, $min_year, $max_year);
print '</td>';
// DATE FIN
print '<td class="liste_titre" align="center">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_end" value="'.$month_end.'">';
print '<input class="flat" type="text" size="1" maxlength="2" name="month_end" value="'.dol_escape_htmltag($month_end).'">';
$formother->select_year($year_end,'year_end',1, $min_year, $max_year);
print '</td>';