From dbed6bc0da64d23df249189b27d20e7a63d56ad4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 21 Jul 2021 01:18:48 +0200
Subject: [PATCH 1/2] Fix #yogosha6678
---
 htdocs/install/check.php | 2 +-
 htdocs/main.inc.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/install/check.php b/htdocs/install/check.php
index 35efe1f36b2..99e9e38c958 100644
--- a/htdocs/install/check.php
+++ b/htdocs/install/check.php
@@ -100,7 +100,7 @@ print "
\n";
 // Check PHP support for $_GET and $_POST
 if (!isset($_GET["testget"]) && !isset($_POST["testpost"])) { // We must keep $_GET and $_POST here
 print 'Warning '.$langs->trans("PHPSupportPOSTGETKo");
- print ' ('.$langs->trans("Recheck").')';
+ print ' ('.$langs->trans("Recheck").')';
 print "
\n";
 $checksok = 0;
 } else {
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index a30f02f7fba..cc9ff9e6297 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -80,7 +80,7 @@ function realCharForNumericEntities($matches)
  * Warning: Such a protection can't be enough. It is not reliable as it will always be possible to bypass this. Good protection can
  * only be guaranted by escaping data during output.
  *
- * @param string $val Value brut found int $_GET, $_POST or PHP_SELF
+ * @param string $val Brut value found into $_GET, $_POST or PHP_SELF
  * @param string $type 0=POST, 1=GET, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
  * @return int >0 if there is an injection, 0 if none
  */
From 23f708c0d4e39341cac703e3710330cca3364148 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 21 Jul 2021 01:27:14 +0200
Subject: [PATCH 2/2] Fix phpcs
---
 htdocs/main.inc.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index cc9ff9e6297..2ceb2175799 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
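Review bot: The reworded `@param` line in the docblock hunk at main.inc.php line 80 is still unclear, since "Brut" is French for raw; `* @param string $val Raw value found in $_GET, $_POST or PHP_SELF` would read better. The neighbouring `@param string $type` documents the values 0 to 3, which look like integers, so if callers pass ints it should be `@param int $type`. The context lines above carry the caveat that matters most to maintainers, namely that this filter can be bypassed and only escaping at output is reliable, and the "guaranted" typo there could be corrected to "guaranteed" in the same pass. The function this docblock belongs to lies outside the hunk.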
@@ -460,15 +460,15 @@ if (!defined('NOTOKENRENEWAL')) {
 if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) || defined('CSRFCHECK_WITH_TOKEN')) {
 // Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
 $arrayofactiontoforcetokencheck = array(
- 'activate', 'add', 'addrights', 'addtimespent',
- 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check', 'confirm_deletedir', 'confirm_deletefile',
- 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'delrights',
- 'disable',
- 'doprev', 'donext', 'dvprev', 'dvnext',
- 'enable',
- 'install',
- 'setpricelevel',
- 'update'
+ 'activate', 'add', 'addrights', 'addtimespent',
+ 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check', 'confirm_deletedir', 'confirm_deletefile',
+ 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'delrights',
+ 'disable',
+ 'doprev', 'donext', 'dvprev', 'dvnext',
+ 'enable',
+ 'install',
+ 'setpricelevel',
+ 'update'
 );
 $sensitiveget = false;
 if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {