Fix: ajout d'un jeton aléatoire dans les requetes POST

This commit is contained in:
Regis Houssin 2009-05-15 14:32:44 +00:00
parent 7f84623564
commit 8efffebe2e
20 changed files with 42 additions and 2 deletions


@ -284,6 +284,7 @@ function formCategory($db,$object,$type,$typeid)
print '<br>';
print_fiche_titre($title,'','');
print '<form method="post" action="'.DOL_URL_ROOT.'/categories/categorie.php?'.$nameId.'='.$object->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="typeid" value="'.$typeid.'">';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre"><td>';
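Review bot: The new hidden `token` field only closes the CSRF gap if every script that receives these POSTs compares the submitted token with the session value before acting; that check is not visible in this commit, so it should be confirmed for each target (`categorie.php`, `fiche.php`, `cibles.php`, `propal.php`, and the others). The session value is also concatenated straight into an HTML attribute; even for a server-generated value, `htmlspecialchars($_SESSION['newtoken'])` keeps the attribute well-formed, and if `$_SESSION['newtoken']` can be unset on some page the form would be emitted with an empty token, so the generation path should be verified to run before any form is printed. Since the identical line is pasted into every other file section of this commit, a small helper that returns the complete hidden input would keep the escaping and the session key in one place; `print '<input type="hidden" name="token" value="'.htmlspecialchars($_SESSION['newtoken']).'">';` is the one-line form. The surrounding output code of `formCategory` starts and ends outside the hunk.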


@ -114,6 +114,7 @@ print '<tr><td class="notopnoleft" valign="top" width="30%">';
print "\n";
print '<form method="post" action="'.$_SERVER['PHP_SELF'].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$categorie->id.'">';
print '<input type="hidden" name="type" value="'.$type.'">';


@ -179,6 +179,7 @@ if ($user->rights->categorie->creer)
print '</div>';
}
print '<form action="'.$_SERVER['PHP_SELF'].'?type='.$_GET['type'].'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
print '<input type="hidden" name="addcat" value="addcat">';
//print '<input type="hidden" name="id" value="'.$_GET['id'].'">'; Mis dans origin


@ -62,6 +62,7 @@ print '<tr><td valign="top" width="30%" class="notopnoleft">';
* Zone recherche produit/service
*/
print '<form method="post" action="index.php?type='.$type.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="type" value="'.$type.'">';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';


@ -438,6 +438,7 @@ if ($_GET["action"] == 'create')
}
print '<form name="formaction" action="fiche.php" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add_action">';
if (! empty($_REQUEST["backtopage"])) print '<input type="hidden" name="backtopage" value="'.($_REQUEST["backtopage"] != 1 ? $_REQUEST["backtopage"] : $_SERVER["HTTP_REFERER"]).'">';
@ -651,6 +652,7 @@ if ($_GET["id"])
{
// Fiche action en mode edition
print '<form name="formaction" action="fiche.php" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$_REQUEST["id"].'">';
if (! empty($_REQUEST["backtopage"])) print '<input type="hidden" name="from" value="'.($_REQUEST["from"] ? $_REQUEST["from"] : $_SERVER["HTTP_REFERER"]).'">';


@ -161,6 +161,7 @@ print_fiche_titre($title,$nav);
if ($canedit)
{
print '<form name="listactionsfilter" action="'.$_SERVER["PHP_SELF"].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="status" value="'.$status.'">';
print '<input type="hidden" name="time" value="'.$_REQUEST["time"].'">';
print '<input type="hidden" name="year" value="'.$year.'">';


@ -177,6 +177,7 @@ if ($resql)
if ($canedit)
{
print '<form name="listactionsfilter" action="'.$_SERVER["PHP_SELF"].'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="status" value="'.$status.'">';
print '<input type="hidden" name="time" value="'.$_REQUEST["time"].'">';
print '<table class="border" width="100%">';


@ -214,6 +214,7 @@ if ($_GET["action"] == 'create' || $_POST["action"] == 'create')
}
print '<form action="adresse_livraison.php" method="post" name="formsoc">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="socid" value="'.$socid.'">';
print '<input type="hidden" name="origin" value="'.$origin.'">';
print '<input type="hidden" name="originid" value="'.$originid.'">';
@ -318,6 +319,7 @@ elseif ($_GET["action"] == 'edit' || $_POST["action"] == 'edit')
}
print '<form action="adresse_livraison.php?socid='.$livraison->socid.'" method="post" name="formsoc">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="socid" value="'.$livraison->socid.'">';
print '<input type="hidden" name="origin" value="'.$origin.'">';


@ -104,6 +104,7 @@ if ($conf->propal->enabled && $user->rights->propale->lire)
{
$var=false;
print '<form method="post" action="'.DOL_URL_ROOT.'/comm/propal.php">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre"><td colspan="3">'.$langs->trans("SearchAProposal").'</td></tr>';
print '<tr '.$bc[$var].'>';
@ -122,6 +123,7 @@ if ($conf->contrat->enabled && $user->rights->contrat->lire)
{
$var=false;
print '<form method="post" action="'.DOL_URL_ROOT.'/contrat/liste.php">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre"><td colspan="3">'.$langs->trans("SearchAContract").'</td></tr>';
print '<tr '.$bc[$var].'>';


@ -240,7 +240,7 @@ if ($mil->fetch($_REQUEST["id"]) >= 0)
if (! $conf->$key->enabled || (! $user->admin && $obj->require_admin))
{
$qualified=0;
//print "Les pr<EFBFBD>requis d'activation du module mailing ne sont pas respect<63>s. Il ne sera pas actif";
//print "Les prerequis d'activation du module mailing ne sont pas respectes. Il ne sera pas actif";
break;
}
}
@ -251,7 +251,11 @@ if ($mil->fetch($_REQUEST["id"]) >= 0)
$var = !$var;
print '<tr '.$bc[$var].'>';
if ($mil->statut == 0) print '<form name="'.$modulename.'" action="cibles.php?action=add&rowid='.$mil->id.'&module='.$modulename.'" method="POST" enctype="multipart/form-data">';
if ($mil->statut == 0)
{
print '<form name="'.$modulename.'" action="cibles.php?action=add&rowid='.$mil->id.'&module='.$modulename.'" method="POST" enctype="multipart/form-data">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
}
print '<td>';
if (! $obj->picto) $obj->picto='generic';
@ -309,6 +313,7 @@ if ($mil->fetch($_REQUEST["id"]) >= 0)
print '<br>';
print '<form action="cibles.php?action=clear&rowid='.$mil->id.'" method="POST">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print_titre($langs->trans("ToClearAllRecipientsClickHere"));
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';
@ -324,6 +329,7 @@ if ($mil->fetch($_REQUEST["id"]) >= 0)
// List of selected targets
print "\n<!-- Liste destinataires selectionnes -->\n";
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
print '<input type="hidden" name="id" value="'.$mil->id.'">';
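Review bot: The form line re-emitted inside the new `if ($mil->statut == 0)` block keeps raw `&` separators in the `action` attribute (`cibles.php?action=add&rowid=...&module=...`); in an HTML attribute they should be written `&amp;`, which the browser decodes before sending the request, so `action="cibles.php?action=add&amp;rowid='.$mil->id.'&amp;module='.$modulename.'"` is the corrected fragment. `$modulename` is also written unescaped into both the `name` and `action` attributes; where it comes from is outside this hunk, so whether it is a trusted internal identifier should be confirmed. The same form is opened between `<tr>` and `<td>`, which was already the case before the change and is invalid nesting browsers repair inconsistently. The enclosing loop starts and ends outside the hunk.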


@ -466,6 +466,7 @@ if ($_GET["action"] == 'create')
{
// EMailing in creation mode
print '<form action="fiche.php" method="post">'."\n";
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="add">';
print_fiche_titre($langs->trans("NewMailing"));
@ -737,6 +738,7 @@ else
* Mailing en mode edition
*/
print '<form action="fiche.php" method="post">'."\n";
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$mil->id.'">';
print '<table class="border" width="100%">';


@ -50,6 +50,7 @@ print '<tr><td valign="top" width="30%" class="notopnoleft">';
// Recherche emails
$var=false;
print '<form method="post" action="'.DOL_URL_ROOT.'/comm/mailing/liste.php">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre"><td colspan="3">'.$langs->trans("SearchAMailing").'</td></tr>';
print '<tr '.$bc[$var].'><td nowrap>';


@ -86,6 +86,7 @@ if ($_socid > 0)
print '<form method="POST" action="multiprix.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setpricelevel">';
print '<table width="100%" border="0">';
print '<tr><td valign="top">';


@ -974,6 +974,7 @@ if ($id > 0 || ! empty($ref))
if ($user->rights->propale->creer && $_GET['action'] == 'refclient')
{
print '<form action="propal.php?propalid='.$propal->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="set_ref_client">';
print '<input type="text" class="flat" size="20" name="ref_client" value="'.$propal->ref_client.'">';
print ' <input type="submit" class="button" value="'.$langs->trans('Modify').'">';
@ -1034,6 +1035,7 @@ if ($id > 0 || ! empty($ref))
if ($propal->brouillon && $_GET['action'] == 'editdate')
{
print '<form name="editdate" action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setdate">';
$html->select_date($propal->date,'re','','',0,"editdate");
print '<input type="submit" class="button" value="'.$langs->trans('Modify').'">';
@ -1071,6 +1073,7 @@ if ($id > 0 || ! empty($ref))
if ($propal->brouillon && $_GET['action'] == 'editecheance')
{
print '<form name="editecheance" action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setecheance">';
$html->select_date($propal->fin_validite,'ech','','','',"editecheance");
print '<input type="submit" class="button" value="'.$langs->trans('Modify').'">';
@ -1103,6 +1106,7 @@ if ($id > 0 || ! empty($ref))
if ($_GET['action'] == 'editdate_livraison')
{
print '<form name="editdate_livraison" action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setdate_livraison">';
$html->select_date($propal->date_livraison,'liv_','','','',"editdate_livraison");
print '<input type="submit" class="button" value="'.$langs->trans('Modify').'">';
@ -1359,6 +1363,7 @@ if ($id > 0 || ! empty($ref))
if ($conf->global->PRODUIT_USE_MARKUP && $conf->use_javascript_ajax)
{
$formMarkup = '<form id="formMarkup" action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'" method="post">'."\n";
$formMarkup.= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'."\n";
$formMarkup.= '<table class="border" width="100%">'."\n";
if ($objp->fk_product > 0)
{
@ -1494,6 +1499,7 @@ if ($id > 0 || ! empty($ref))
if ($propal->statut == 0 && $_GET["action"] == 'editline' && $user->rights->propale->creer && $_GET["lineid"] == $objp->rowid)
{
print '<form action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'#'.$objp->rowid.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="updateligne">';
print '<input type="hidden" name="propalid" value="'.$propal->id.'">';
print '<input type="hidden" name="lineid" value="'.$_GET["lineid"].'">';
@ -1594,6 +1600,7 @@ if ($id > 0 || ! empty($ref))
// Add free products/services form
print '<form action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'#add" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="propalid" value="'.$propal->id.'">';
print '<input type="hidden" name="action" value="addligne">';
@ -1658,6 +1665,7 @@ if ($id > 0 || ! empty($ref))
print '<td colspan="4">&nbsp;</td>';
print '</tr>';
print '<form id="addpredefinedproduct" action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'#add" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="propalid" value="'.$propal->id.'">';
print '<input type="hidden" name="action" value="addligne">';
@ -1710,6 +1718,7 @@ if ($id > 0 || ! empty($ref))
* Formulaire cloture (signe ou non)
*/
$form_close = '<form action="'.$_SERVER["PHP_SELF"].'?propalid='.$propal->id.'" method="post">';
$form_close.= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
$form_close.= '<table class="border" width="100%">';
$form_close.= '<tr><td width="150" align="left">'.$langs->trans('Note').'</td><td align="left"><textarea cols="70" rows="'.ROWS_3.'" wrap="soft" name="note">';
$form_close.= $propal->note;


@ -229,6 +229,7 @@ if ($id > 0)
$var = false;
print '<form action="contact.php?propalid='.$id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="internal">';
print '<input type="hidden" name="propalid" value="'.$id.'">';
@ -258,6 +259,7 @@ if ($id > 0)
print '</form>';
print '<form action="contact.php?propalid='.$id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="external">';
print '<input type="hidden" name="propalid" value="'.$id.'">';


@ -154,6 +154,7 @@ if ($_GET['propalid'])
if ($_GET["action"] == 'edit')
{
print '<form method="post" action="note.php?propalid='.$propal->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update_public">';
print '<textarea name="note_public" cols="80" rows="8">'.$propal->note_public."</textarea><br>";
print '<input type="submit" class="button" value="'.$langs->trans("Save").'">';
@ -173,6 +174,7 @@ if ($_GET['propalid'])
if ($_GET["action"] == 'edit')
{
print '<form method="post" action="note.php?propalid='.$propal->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<textarea name="note" cols="80" rows="8">'.$propal->note."</textarea><br>";
print '<input type="submit" class="button" value="'.$langs->trans("Save").'">';


@ -55,6 +55,7 @@ if ($conf->propal->enabled)
$var=false;
print '<table class="noborder" width="100%">';
print '<form method="post" action="'.DOL_URL_ROOT.'/comm/propal.php">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<tr class="liste_titre"><td colspan="3">'.$langs->trans("SearchAProposal").'</td></tr>';
print '<tr '.$bc[$var].'><td>';
print $langs->trans("Ref").':</td><td><input type="text" class="flat" name="sf_ref" size="18"></td><td rowspan="2"><input type="submit" value="'.$langs->trans("Search").'" class="button"></td></tr>';


@ -96,6 +96,7 @@ if ($_socid > 0)
*
*/
print '<form method="POST" action="remise.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setremise">';
print '<table width="100%" border="0">';
print '<tr><td valign="top">';


@ -127,6 +127,7 @@ if ($_socid > 0)
print '<form method="POST" action="remx.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setremise">';
print '<table class="border" width="100%">';


@ -228,6 +228,7 @@ if ($id > 0 || ! empty($ref))
$var = false;
print '<form action="contact.php?id='.$id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="internal">';
print '<input type="hidden" name="id" value="'.$id.'">';
@ -256,6 +257,7 @@ if ($id > 0 || ! empty($ref))
print '</form>';
print '<form action="contact.php?id='.$id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="addcontact">';
print '<input type="hidden" name="source" value="external">';
print '<input type="hidden" name="id" value="'.$id.'">';