Escape hml tags
This commit is contained in:
Laurent Destailleur
parent
c01bd37a82
commit
abe736c6a6
@ -38,7 +38,7 @@ if (! $user->admin)
|
||||
$form = new Form($db);
|
||||
|
||||
$title=$langs->trans("SystemToolsArea");
|
||||
if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools");
|
||||
if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools");
|
||||
|
||||
llxHeader('', $title);
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ function printBookmarksList($aDb, $aLangs)
|
||||
|
||||
$langs->load("bookmarks");
|
||||
|
||||
$url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:'');
|
||||
$url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');
|
||||
|
||||
$ret = '';
|
||||
// Menu bookmark
|
||||
|
||||
@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir))
|
||||
}
|
||||
|
||||
print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
|
||||
print '<!-- Page called with mode='.(isset($mode)?$mode:'').' type='.$type.' module='.$module.' url='.$url.' '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
$param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:'');
|
||||
|
||||
|
||||
@ -45,7 +45,7 @@ $action=GETPOST('action');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext')
|
||||
{
|
||||
|
||||
@ -50,7 +50,7 @@ $userid=GETPOST('userid','int');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Add a box
|
||||
if ($boxid > 0 && $zone !='' && $userid > 0)
|
||||
|
||||
@ -45,7 +45,7 @@ $name=GETPOST('name','alpha');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if (! empty($action) && ! empty($name))
|
||||
|
||||
@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($id) && ! empty($action) && ! empty($htmlname))
|
||||
{
|
||||
$form = new Form($db);
|
||||
|
||||
|
||||
$return=array();
|
||||
if (empty($showempty)) $showempty=0;
|
||||
|
||||
|
||||
$return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true);
|
||||
$return['num'] = $form->num;
|
||||
$return['error'] = $form->error;
|
||||
|
||||
|
||||
echo json_encode($return);
|
||||
}
|
||||
|
||||
|
||||
@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha');
|
||||
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
|
||||
{
|
||||
$value = GETPOST('value','alpha');
|
||||
$params=array();
|
||||
|
||||
|
||||
dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG);
|
||||
|
||||
|
||||
$classpath = $subelement = $element;
|
||||
|
||||
|
||||
// For compatibility
|
||||
if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; }
|
||||
else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; }
|
||||
@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
|
||||
else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; }
|
||||
else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; }
|
||||
else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; }
|
||||
|
||||
|
||||
dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php');
|
||||
|
||||
|
||||
if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; }
|
||||
else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; }
|
||||
else $classname = ucfirst($subelement);
|
||||
|
||||
|
||||
$object = new $classname($db);
|
||||
$object->fetch($id);
|
||||
|
||||
|
||||
$params[$htmlelement] = array($type => $value);
|
||||
$object->extraparams = array_merge($object->extraparams, $params);
|
||||
|
||||
|
||||
$result=$object->setExtraParameters();
|
||||
}
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element))
|
||||
|
||||
@ -42,7 +42,7 @@ $object = new GenericObject($db);
|
||||
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering new values
|
||||
if (($action == 'set') && ! empty($id))
|
||||
|
||||
@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha'));
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($output) && isset($amount) && isset($tva_tx))
|
||||
|
||||
@ -17,8 +17,8 @@
|
||||
|
||||
/**
|
||||
* \file htdocs/core/ajax/row.php
|
||||
* \brief File to return Ajax response on Row move.
|
||||
* This ajax page is called when doing an up or down drag and drop.
|
||||
* \brief File to return Ajax response on Row move.
|
||||
* This ajax page is called when doing an up or down drag and drop.
|
||||
*/
|
||||
|
||||
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal
|
||||
@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
|
||||
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line']))
|
||||
|
||||
@ -54,7 +54,7 @@ savemethodname:
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
//print_r($_POST);
|
||||
|
||||
// Load original field value
|
||||
|
||||
@ -17,8 +17,8 @@
|
||||
|
||||
/**
|
||||
* \file htdocs/core/ajax/security.php
|
||||
* \brief This ajax component is used to generated has keys for security purposes
|
||||
* like key to use into URL to protect them.
|
||||
* \brief This ajax component is used to generated has keys for security purposes
|
||||
* like key to use into URL to protect them.
|
||||
*/
|
||||
|
||||
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal
|
||||
@ -38,7 +38,7 @@ require '../../main.inc.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if (isset($_GET['action']) && ! empty($_GET['action']))
|
||||
|
||||
@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0);
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($id) && ! empty($action) && ! empty($htmlname))
|
||||
|
||||
@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
|
||||
//var_dump($_GET);
|
||||
|
||||
@ -1062,7 +1062,7 @@ class FormOther
|
||||
async: false
|
||||
});
|
||||
// We force reload to be sure to get all boxes into list
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\';
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\';
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -1084,7 +1084,7 @@ class FormOther
|
||||
url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\',
|
||||
async: false
|
||||
});
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid;
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid;
|
||||
}
|
||||
});';
|
||||
if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();';
|
||||
|
||||
@ -289,9 +289,6 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
|
||||
case 'intcomma':
|
||||
if (preg_match('/[^0-9,]+/i',$out)) $out='';
|
||||
break;
|
||||
case 'intcomma':
|
||||
if (preg_match('/[^0-9,]+/i',$out)) $out='';
|
||||
break;
|
||||
case 'alpha':
|
||||
$out=trim($out);
|
||||
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
|
||||
@ -2931,8 +2928,8 @@ function dol_print_error($db='',$error='',$errors=null)
|
||||
$out.="<b>".$langs->trans("Referer").":</b> ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."<br>\n";
|
||||
$out.="<b>".$langs->trans("MenuManager").":</b> ".(isset($conf->standard_menu)?$conf->standard_menu:'')."<br>\n";
|
||||
$out.="<br>\n";
|
||||
$syslog.="url=".$_SERVER["REQUEST_URI"];
|
||||
$syslog.=", query_string=".$_SERVER["QUERY_STRING"];
|
||||
$syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]);
|
||||
$syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]);
|
||||
}
|
||||
else // Mode CLI
|
||||
{
|
||||
|
||||
@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc)
|
||||
|
||||
$dol_url_root = DOL_URL_ROOT;
|
||||
|
||||
$php_self = $_SERVER['PHP_SELF'];
|
||||
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
|
||||
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
|
||||
|
||||
// Title
|
||||
$appli=constant('DOL_APPLICATION_TITLE');
|
||||
$title=$appli.' '.DOL_VERSION;
|
||||
@ -422,7 +418,7 @@ function encodedecode_dbpassconf($level=0)
|
||||
fflush($fp);
|
||||
fclose($fp);
|
||||
clearstatcache();
|
||||
|
||||
|
||||
// It's config file, so we set read permission for creator only.
|
||||
// Should set permission to web user and groups for users used by batch
|
||||
//@chmod($file, octdec('0600'));
|
||||
|
||||
@ -45,7 +45,7 @@ $(function () {
|
||||
// Events
|
||||
$('#fileupload').fileupload({
|
||||
stop: function (e, data) {
|
||||
location.href='<?php echo $_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"]; ?>';
|
||||
location.href='<?php echo dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]); ?>';
|
||||
},
|
||||
destroy: function (e, data) {
|
||||
var that = $(this).data('fileupload');
|
||||
|
||||
@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
|
||||
// If we force to use jmobile, then we reenable javascript
|
||||
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
|
||||
|
||||
$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
|
||||
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
|
||||
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
|
||||
|
||||
// Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
|
||||
$arrayofjs=array(
|
||||
'/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)),
|
||||
@ -80,7 +84,7 @@ $(document).ready(function () {
|
||||
<tr class="vmenu"><td class="center">
|
||||
<?php
|
||||
if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
|
||||
echo dol_escape_htmltag($title);
|
||||
echo dol_escape_htmltag($title);
|
||||
if ($disablenofollow) echo '</a>';
|
||||
?>
|
||||
</td></tr>
|
||||
|
||||
@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
|
||||
// If we force to use jmobile, then we reenable javascript
|
||||
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
|
||||
|
||||
$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
|
||||
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
|
||||
|
||||
print top_htmlhead('',$langs->trans('SendNewPassword'));
|
||||
?>
|
||||
<!-- BEGIN PHP TEMPLATE PASSWORDFORGOTTEN.TPL.PHP -->
|
||||
@ -94,7 +97,7 @@ if (! empty($hookmanager->resArray['options'])) {
|
||||
}
|
||||
?>
|
||||
|
||||
<?php if ($captcha) {
|
||||
<?php if ($captcha) {
|
||||
// Add a variable param to force not using cache (jmobile)
|
||||
$php_self = preg_replace('/[&\?]time=(\d+)/','',$php_self); // Remove param time
|
||||
if (preg_match('/\?/',$php_self)) $php_self.='&time='.dol_print_date(dol_now(),'dayhourlog');
|
||||
@ -129,7 +132,7 @@ if (! empty($hookmanager->resArray['options'])) {
|
||||
<div id="login_line2" style="clear: both">
|
||||
|
||||
<!-- Button Send password -->
|
||||
<br><input id="password" type="submit" <?php echo $disabled; ?> class="button" name="password" value="<?php echo $langs->trans('SendNewPassword'); ?>" tabindex="4" />
|
||||
<br><input type="submit" <?php echo $disabled; ?> class="button" name="password" value="<?php echo $langs->trans('SendNewPassword'); ?>" tabindex="4" />
|
||||
|
||||
<br>
|
||||
<div align="center" style="margin-top: 8px;">
|
||||
|
||||
@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (isset($action) && ! empty($action))
|
||||
|
||||
@ -46,7 +46,7 @@ require '../../main.inc.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',',$_GET));
|
||||
|
||||
|
||||
@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL))
|
||||
llxFooter();
|
||||
}
|
||||
|
||||
$mainmenu=GETPOST('mainmenu', 'alpha');
|
||||
$leftmenu=GETPOST('leftmenu', 'alpha');
|
||||
$mainmenu=GETPOST('mainmenu', "aZ09");
|
||||
$leftmenu=GETPOST('leftmenu', "aZ09");
|
||||
$idmenu=GETPOST('idmenu', 'int');
|
||||
$theme=GETPOST('theme', 'alpha');
|
||||
$codelang=GETPOST('lang', 'aZ09');
|
||||
|
||||
@ -46,7 +46,7 @@ $langs->load('margins');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
if ($idprod > 0)
|
||||
{
|
||||
@ -55,7 +55,7 @@ if ($idprod > 0)
|
||||
|
||||
$sorttouse = 's.nom, pfp.quantity, pfp.price';
|
||||
if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price';
|
||||
|
||||
|
||||
$productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list.
|
||||
if ( is_array($productSupplierArray))
|
||||
{
|
||||
@ -63,15 +63,15 @@ if ($idprod > 0)
|
||||
{
|
||||
$price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100);
|
||||
$unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100);
|
||||
|
||||
|
||||
$title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - ';
|
||||
|
||||
|
||||
if ($productSupplier->fourn_qty == 1)
|
||||
{
|
||||
$title.= price($price,0,$langs,0,0,-1,$conf->currency)."/";
|
||||
}
|
||||
$title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units"));
|
||||
|
||||
|
||||
if ($productSupplier->fourn_qty > 1)
|
||||
{
|
||||
$title.=" - ";
|
||||
@ -84,19 +84,19 @@ if ($idprod > 0)
|
||||
$title.= price($productSupplier->fourn_unitcharges,0,$langs,0,0,-1,$conf->currency);
|
||||
$price += $productSupplier->fourn_unitcharges;
|
||||
}
|
||||
|
||||
|
||||
$label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
|
||||
if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')';
|
||||
|
||||
|
||||
$prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Add price for costprice
|
||||
$price=$producttmp->cost_price;
|
||||
$prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price()
|
||||
|
||||
if(!empty($conf->stock->enabled))
|
||||
if(!empty($conf->stock->enabled))
|
||||
{
|
||||
// Add price for pmp
|
||||
$price=$producttmp->pmp;
|
||||
|
||||
@ -66,7 +66,7 @@ $year_end = GETPOST('year_end');
|
||||
$search_employe = GETPOST('search_employe');
|
||||
$search_valideur = GETPOST('search_valideur');
|
||||
$search_statut = GETPOST('select_statut');
|
||||
$type = GETPOST('type','int');
|
||||
$type = GETPOST('type','int');
|
||||
|
||||
// List of fields to search into when doing a "search in all"
|
||||
$fieldstosearchall = array(
|
||||
@ -82,7 +82,7 @@ $fieldstosearchall = array(
|
||||
* Actions
|
||||
*/
|
||||
|
||||
if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // Both test are required to be compatible with all browsers
|
||||
if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // All tests are required to be compatible with all browsers
|
||||
{
|
||||
$search_ref="";
|
||||
$month_create="";
|
||||
@ -168,7 +168,7 @@ if($year_create > 0) {
|
||||
}
|
||||
} else {
|
||||
if($month_create > 0) {
|
||||
$filter.= " AND date_format(cp.date_create, '%m') = '$month_create'";
|
||||
$filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'";
|
||||
}
|
||||
}
|
||||
|
||||
@ -313,7 +313,7 @@ print '</td>';
|
||||
|
||||
// DATE CREATE
|
||||
print '<td class="liste_titre" align="center">';
|
||||
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.$month_create.'">';
|
||||
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.dol_escape_htmltag($month_create).'">';
|
||||
$formother->select_year($year_create,'year_create',1, $min_year, 0);
|
||||
print '</td>';
|
||||
|
||||
@ -409,7 +409,7 @@ if (! empty($holiday->holiday))
|
||||
$userstatic->login=$infos_CP['user_login'];
|
||||
$userstatic->statut=$infos_CP['user_statut'];
|
||||
$userstatic->photo=$infos_CP['user_photo'];
|
||||
|
||||
|
||||
// Valideur
|
||||
$approbatorstatic->id=$infos_CP['fk_validator'];
|
||||
$approbatorstatic->lastname=$infos_CP['validator_lastname'];
|
||||
@ -417,7 +417,7 @@ if (! empty($holiday->holiday))
|
||||
$approbatorstatic->login=$infos_CP['validator_login'];
|
||||
$approbatorstatic->statut=$infos_CP['validator_statut'];
|
||||
$approbatorstatic->photo=$infos_CP['validator_photo'];
|
||||
|
||||
|
||||
$date = $infos_CP['date_create'];
|
||||
|
||||
print '<tr '.$bc[$var].'>';
|
||||
|
||||
@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type)
|
||||
$sql_inj += preg_match('/<script/i', $val);
|
||||
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
|
||||
$sql_inj += preg_match('/base[\s]+href/si', $val);
|
||||
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
|
||||
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
|
||||
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
||||
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
|
||||
// $sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
|
||||
if ($type == 1)
|
||||
{
|
||||
$sql_inj += preg_match('/javascript:/i', $val);
|
||||
@ -1477,14 +1478,14 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
|
||||
// Link to print main content area
|
||||
if (empty($conf->global->MAIN_PRINT_DISABLELINK) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && empty($conf->browser->phone))
|
||||
{
|
||||
$qs=$_SERVER["QUERY_STRING"];
|
||||
$qs=dol_escape_htmltag($_SERVER["QUERY_STRING"]);
|
||||
|
||||
foreach($_POST as $key=>$value) {
|
||||
if($key!=='action' && !is_array($value))$qs.='&'.$key.'='.urlencode($value);
|
||||
if ($key!=='action' && !is_array($value)) $qs.='&'.$key.'='.urlencode($value);
|
||||
}
|
||||
|
||||
$qs.=(($qs && $morequerystring)?'&':'').$morequerystring;
|
||||
$text ='<a href="'.$_SERVER["PHP_SELF"].'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
|
||||
$text ='<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
|
||||
$text.= img_picto(":".$langs->trans("PrintContentArea"), 'printer_top.png', 'class="printer"');
|
||||
$text.='</a>';
|
||||
$toprightmenu.=@Form::textwithtooltip('',$langs->trans("PrintContentArea"),2,1,$text,'login_block_elem',2);
|
||||
|
||||
@ -57,7 +57,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
|
||||
* View
|
||||
*/
|
||||
|
||||
// print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
// print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',', $_GET));
|
||||
// print_r($_GET);
|
||||
|
||||
@ -69,7 +69,7 @@ if (! empty($id) || ! empty($ref) || GETPOST('id') == 'all')
|
||||
{
|
||||
llxHeader("",$langs->trans("ProductStatistics"));
|
||||
|
||||
$type = GETPOST('type');
|
||||
$type = GETPOST('type', 'intcomma');
|
||||
|
||||
$helpurl='';
|
||||
if ($type == '0')
|
||||
|
||||
@ -62,7 +62,7 @@ $langs->load("paypal");
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
|
||||
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
@ -70,7 +70,7 @@ if (empty($PAYBOXFULLTAG)) $PAYBOXFULLTAG=GETPOST('fulltag');
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayBox payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
|
||||
dol_syslog("Callback url when a PayBox payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
@ -70,7 +70,7 @@ if (empty($PAYPALFULLTAG)) $PAYPALFULLTAG=GETPOST('fulltag');
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
|
||||
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
@ -90,8 +90,8 @@ if (! empty($conf->global->PAYPAL_PAYONLINE_SENDEMAIL))
|
||||
$FinalPaymentAmt = $_SESSION["Payment_Amount"];
|
||||
// From env
|
||||
$ipaddress = $_SESSION['ipaddress'];
|
||||
|
||||
|
||||
|
||||
|
||||
$sendto=$conf->global->PAYPAL_PAYONLINE_SENDEMAIL;
|
||||
$from=$conf->global->MAILING_EMAIL_FROM;
|
||||
|
||||
|
||||
@ -100,7 +100,7 @@ if (empty($PAYPALFULLTAG)) $PAYPALFULLTAG=GETPOST('fulltag');
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayPal payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
|
||||
dol_syslog("Callback url when a PayPal payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
@ -43,7 +43,7 @@ $id=GETPOST('id', 'int');
|
||||
* View
|
||||
*/
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',', $_GET));
|
||||
//print_r($_GET);
|
||||
@ -62,7 +62,7 @@ if (! empty($action) && $action == 'fetch' && ! empty($id))
|
||||
$outlabel = '';
|
||||
$outdesc = '';
|
||||
$outtype = $object->type;
|
||||
|
||||
|
||||
$outjson = array('ref' => $outref,'name' => $outname,'desc' => $outdesc,'type' => $outtype);
|
||||
}
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ require '../main.inc.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',',$_GET));
|
||||
|
||||
|
||||
@ -45,7 +45,7 @@ $country=GETPOST('country', 'alpha');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',',$_POST));
|
||||
|
||||
|
||||
@ -152,9 +152,6 @@ if ($action == 'buildnewpassword' && $username)
|
||||
* View
|
||||
*/
|
||||
|
||||
$php_self = $_SERVER['PHP_SELF'];
|
||||
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
|
||||
|
||||
$dol_url_root = DOL_URL_ROOT;
|
||||
|
||||
// Title
|
||||
|
||||
Loading…
Reference in New Issue
Block a user