From 2d6f7f926c368a7ce6f02da1435c9930f7639347 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 15 Nov 2018 17:34:11 +0100 Subject: [PATCH 1/5] FIX xss injection on user address --- htdocs/user/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 6b83bf28ba5..fed2cc5de64 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -193,7 +193,7 @@ if (empty($reshook)) { $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear')); $object->birth = $birth; $object->admin = GETPOST("admin", 'alpha'); - $object->address = GETPOST('address', 'alpha'); + $object->address = GETPOST('address', 'alphanohtml'); $object->zip = GETPOST('zipcode', 'alpha'); $object->town = GETPOST('town', 'alpha'); $object->country_id = GETPOST('country_id', 'int'); @@ -342,7 +342,7 @@ if (empty($reshook)) { $object->pass = GETPOST("password",'none'); $object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key; if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request - $object->address = GETPOST('address', 'alpha'); + $object->address = GETPOST('address', 'alphanohtml'); $object->zip = GETPOST('zipcode', 'alpha'); $object->town = GETPOST('town', 'alpha'); $object->country_id = GETPOST('country_id', 'int'); From 103dfe2aa79e19a8af5633a320140630dbf72e28 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 15 Nov 2018 17:55:27 +0100 Subject: [PATCH 2/5] FIX go back to create form if error --- htdocs/projet/tasks.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index 093d66dd629..b2755fbf011 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php 
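Review bot: The switch to `'alphanohtml'` covers only `$object->address`; the `zipcode` and `town` lines directly below it keep the `'alpha'` filter, which this same patch evidently judged insufficient to keep markup out of a free-text field. Unless those fields are escaped where the user card is rendered (not visible here), they deserve the same treatment: `$object->zip = GETPOST('zipcode', 'alphanohtml');` and `$object->town = GETPOST('town', 'alphanohtml');`. Input filtering is also only a second line of defence — the durable fix for a stored XSS is escaping the address at output, which this hunk does not touch. The enclosing `if (empty($reshook))` block begins and ends outside the hunk.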
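Review bot: Filtering on save leaves already-stored addresses untouched, so any record that received HTML before this change still carries it when the card is displayed; the display side (outside this hunk) must escape the value, or existing rows need a one-off clean-up, for the fix to be complete. The same `'alpha'` filter remains on the neighbouring `zipcode` and `town` lines, exactly as in the create path above. A short comment on the changed line would stop the stricter filter being reverted later for consistency with its neighbours, e.g. `// 'alphanohtml': the address is echoed back as HTML elsewhere, never accept tags here`. The enclosing block starts before the hunk.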
@@ -246,7 +246,9 @@ if ($action == 'createtask' && $user->rights->projet->creer) } else { - setEventMessages($task->error,$task->errors,'errors'); + setEventMessages($task->error,$task->errors,'errors'); + $action = 'create'; + $error++; } } From 531b6e8d2bdfe9cac2ca558d10216089f6fd26da Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 15 Nov 2018 18:13:07 +0100 Subject: [PATCH 3/5] FIX travis errors --- htdocs/emailcollector/class/emailcollector.class.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/htdocs/emailcollector/class/emailcollector.class.php b/htdocs/emailcollector/class/emailcollector.class.php index fa5b500b40b..f9dfc34ba70 100644 --- a/htdocs/emailcollector/class/emailcollector.class.php +++ b/htdocs/emailcollector/class/emailcollector.class.php @@ -702,6 +702,16 @@ class EmailCollector extends CommonObject * * @return int 0=OK, Nb of error if error */ + + /** + * overwitePropertiesOfObject + * + * @param object $object Current object + * @param string $actionparam Action parameters + * @param string $messagetext Body + * @param string $subject Subject + * @return int 0=OK, Nb of error if error + */ private function overwritePropertiesOfObject(&$object, $actionparam, $messagetext, $subject) { $errorforthisaction = 0; From 7d5c9959bc9bcc760d3b8202a84d420e03cb5049 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 15 Nov 2018 18:20:38 +0100 Subject: [PATCH 4/5] Close #9978 Better way to address the feature. Work in most cases, need less code and less sql access. --- htdocs/langs/en_US/companies.lang | 2 +- htdocs/langs/en_US/projects.lang | 2 ++ htdocs/projet/tasks.php | 20 ++++++++++++++++++-- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/htdocs/langs/en_US/companies.lang b/htdocs/langs/en_US/companies.lang index e026ac5673d..e5de5614886 100644 --- a/htdocs/langs/en_US/companies.lang +++ b/htdocs/langs/en_US/companies.lang 
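Review bot: `$error++` on the last added line increments a counter that nothing in the hunk declares or reads; if `$error` is not initialised earlier in the file (the enclosing `if ($action == 'createtask' ...)` block starts before the hunk) this raises an undefined-variable notice, and if nothing consults it after `$action` is reset to `'create'` it is dead code — drop it or initialise it where the action is handled. On style, the `setEventMessages(...)` line is removed and re-added with identical visible text, which buries the one functional change (`$action = 'create';`) in a noisy diff; keep the original line and add only the new ones. Patch 4 of this series rewrites these same lines again, so the two should be squashed before merge.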
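Review bot: The added docblock is inserted right after an existing comment that ends with `* @return int 0=OK, Nb of error if error */`, so `overwritePropertiesOfObject()` now carries two consecutive comment blocks and the first one no longer documents anything. The new block also misspells the method as `overwitePropertiesOfObject` and documents `$object` as a plain `object` although the signature takes it by reference (`&$object`). Replace the orphaned comment instead of adding a second one, and fix the header to `* overwritePropertiesOfObject` with `* @param object $object Current object (modified in place)`. The method body continues past the hunk.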
@@ -431,4 +431,4 @@ SaleRepresentativeLogin=Login of sales representative
 SaleRepresentativeFirstname=First name of sales representative
 SaleRepresentativeLastname=Last name of sales representative
 ErrorThirdpartiesMerge=There was an error when deleting the third parties. Please check the log. Changes have been reverted.
-NewCustomerSupplierCodeProposed=New customer or vendor code suggested on duplicate code
+NewCustomerSupplierCodeProposed=Customer or vendor code already used, a new code is suggested
diff --git a/htdocs/langs/en_US/projects.lang b/htdocs/langs/en_US/projects.lang
index c83bccd19ad..2655ebbdc05 100644
--- a/htdocs/langs/en_US/projects.lang
+++ b/htdocs/langs/en_US/projects.lang
@@ -184,6 +184,7 @@ ProjectsWithThisUserAsContact=Projects with this user as contact
 TasksWithThisUserAsContact=Tasks assigned to this user
 ResourceNotAssignedToProject=Not assigned to project
 ResourceNotAssignedToTheTask=Not assigned to the task
+NoUserAssignedToTheProject=No users assigned to this project
 TimeSpentBy=Time spent by
 TasksAssignedTo=Tasks assigned to
 AssignTaskToMe=Assign task to me
@@ -232,3 +233,4 @@ DontHaveTheValidateStatus=The project %s must be open to be closed
 RecordsClosed=%s project(s) closed
 SendProjectRef=Information project %s
 ModuleSalaryToDefineHourlyRateMustBeEnabled=Module 'Payment of employee wages' must be enabled to define employee hourly rate to have time spent valorized
+NewTaskRefSuggested=Task ref already used, a new task ref is suggested
\ No newline at end of file
diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php
index b2755fbf011..2f06f698b14 100644
--- a/htdocs/projet/tasks.php
+++ b/htdocs/projet/tasks.php
@@ -246,7 +246,16 @@ if ($action == 'createtask' && $user->rights->projet->creer) } else { - setEventMessages($task->error,$task->errors,'errors'); + if ($db->lasterrno() == 'DB_ERROR_RECORD_ALREADY_EXISTS') + { + $langs->load("projects"); + setEventMessages($langs->trans('NewTaskRefSuggested'),'', 'warnings'); + $duplicate_code_error = true; + } + else + { + setEventMessages($task->error,$task->errors,'errors'); + } $action = 'create'; $error++; } @@ -464,7 +473,14 @@ if ($action == 'create' && $user->rights->projet->creer && (empty($object->third // Ref print ''.$langs->trans("Ref").''; - print ($_POST["ref"]?$_POST["ref"]:$defaultref); + if (empty($duplicate_code_error)) + { + print (GETPOSTISSET("ref")?GETPOST("ref",'alpha'):$defaultref); + } + else + { + print $defaultref; + } print ''; print ''; From 03acd7a40ce553c648fe6ccdbf8aba87eb55a650 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 15 Nov 2018 18:24:32 +0100 Subject: [PATCH 5/5] FIX travis error again --- htdocs/emailcollector/class/emailcollector.class.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/htdocs/emailcollector/class/emailcollector.class.php b/htdocs/emailcollector/class/emailcollector.class.php index f9dfc34ba70..b5cb47be0ae 100644 --- a/htdocs/emailcollector/class/emailcollector.class.php +++ b/htdocs/emailcollector/class/emailcollector.class.php @@ -1050,7 +1050,6 @@ class EmailCollector extends CommonObject } } } - } if (empty($thirdpartyid)) // Try to find thirdparty using email @@ -1236,7 +1235,6 @@ class EmailCollector extends CommonObject else { dol_syslog("EmailCollector::doCollectOneCollector message ".$imapemail." to ".$connectstringtarget." was set to read", LOG_DEBUG); - } } else
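Review bot: The duplicate-ref test reads `$db->lasterrno()` only after `$task->create()` has returned, so it reflects whatever query that method ran last; if `create()` issues anything after the failing INSERT (a rollback, a cleanup delete) the duplicate case silently falls through to the generic error branch. Worth confirming against `Task::create()`, or better, basing the check on an error the object itself reports (`$task->error` / `$task->errors`) rather than on connection state. In the duplicate branch the original `$task->error` is discarded, so the real DB error disappears from the user message; keep it in the log with `dol_syslog("tasks.php createtask: duplicate ref, ".$task->error, LOG_WARNING);` before showing the friendlier warning. The enclosing `if ($action == 'createtask' ...)` block starts before the hunk.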
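Review bot: The replacement line prints the submitted ref straight into the page with only the `'alpha'` filter, `print (GETPOSTISSET("ref")?GETPOST("ref",'alpha'):$defaultref);`, while patch 1 of this very series treats `'alpha'` as insufficient to keep markup out of a user-supplied string. Moving off raw `$_POST["ref"]` is an improvement, but a ref containing tags is still echoed back unescaped on the request that submitted it. Use the stricter filter the series already relies on, `print (GETPOSTISSET("ref") ? GETPOST("ref", 'alphanohtml') : $defaultref);`, or escape at output with the project's HTML-escaping helper. Whether this output lands in a text node or an attribute value cannot be seen here because the surrounding markup strings were stripped, and the enclosing `if ($action == 'create' ...)` block starts before the hunk.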