lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GETPOST(..., 'alpha') remove " if found instead of returning ''

Browse Source
This commit is contained in:
Laurent Destailleur 2020-02-19 11:33:45 +01:00
parent 22478e4867
commit ac16857501
2 changed files with 6 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/class/html.form.class.php
View File

@ -2431,6 +2431,7 @@ class Form
$outlabel = $objp->label;
$outdesc = $objp->description;
$outbarcode = $objp->barcode;
$outpbq = empty($objp->price_by_qty_rowid) ? '' : $objp->price_by_qty_rowid;
$outtype = $objp->fk_product_type;
$outdurationvalue = $outtype == Product::TYPE_SERVICE ?substr($objp->duration, 0, dol_strlen($objp->duration) - 1) : '';
@ -2664,7 +2665,7 @@ class Form
}
$opt .= "</option>\n";
$optJson = array('key'=>$outkey, 'value'=>$outref, 'label'=>$outval, 'label2'=>$outlabel, 'desc'=>$outdesc, 'type'=>$outtype, 'price_ht'=>price2num($outprice_ht), 'price_ttc'=>price2num($outprice_ttc), 'pricebasetype'=>$outpricebasetype, 'tva_tx'=>$outtva_tx, 'qty'=>$outqty, 'discount'=>$outdiscount, 'duration_value'=>$outdurationvalue, 'duration_unit'=>$outdurationunit);
$optJson = array('key'=>$outkey, 'value'=>$outref, 'label'=>$outval, 'label2'=>$outlabel, 'desc'=>$outdesc, 'type'=>$outtype, 'price_ht'=>price2num($outprice_ht), 'price_ttc'=>price2num($outprice_ttc), 'pricebasetype'=>$outpricebasetype, 'tva_tx'=>$outtva_tx, 'qty'=>$outqty, 'discount'=>$outdiscount, 'duration_value'=>$outdurationvalue, 'duration_unit'=>$outdurationunit, 'pbq'=>$outpbq);
}
// phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps

12
htdocs/core/lib/functions.lib.php
View File

@ -559,11 +559,9 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
case 'alpha':
if (!is_array($out))
{
$out = trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/', $out)) $out = '';
elseif (preg_match('/\.\.\//', $out)) $out = '';
$out = str_replace(array('"', '../'), '', trim($out));
}
break;
case 'san_alpha':
@ -593,17 +591,15 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
case 'array':
if (!is_array($out) || empty($out)) $out = array();
break;
case 'nohtml': // Recommended for most scalar parameters
case 'nohtml':
$out = dol_string_nohtmltag($out, 0);
break;
case 'alphanohtml': // Recommended for search parameters
case 'alphanohtml': // Recommended for most scalar parameters and search parameters
if (!is_array($out))
{
$out = trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/', $out)) $out = '';
elseif (preg_match('/\.\.\//', $out)) $out = '';
$out = str_replace(array('"', '../'), '', trim($out));
$out = dol_string_nohtmltag($out);
}
break;