diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php
index fa21c37649f..32d691400d6 100644
--- a/htdocs/api/class/api.class.php
+++ b/htdocs/api/class/api.class.php
@@ -88,9 +88,9 @@ class DolibarrApi
 // phpcs:enable
 // TODO Use type detected in $object->fields
 if (in_array($field, array('note', 'note_private', 'note_public', 'desc', 'description'))) {
- return checkVal($value, 'restricthtml');
+ return sanitizeVal($value, 'restricthtml');
 } else {
- return checkVal($value, 'alphanohtml');
+ return sanitizeVal($value, 'alphanohtml');
 }
 }
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index a3d2dc3e57f..fca780cadef 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -913,7 +913,7 @@ class Categorie extends CommonObject
 $categories = array();
- $type = checkVal($type, 'aZ09');
+ $type = sanitizeVal($type, 'aZ09');
 $sub_type = $type;
 $subcol_name = "fk_".$type;
diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php
index 59a03f78bb2..882189c86b3 100644
--- a/htdocs/comm/propal/class/api_proposals.class.php
+++ b/htdocs/comm/propal/class/api_proposals.class.php
@@ -343,8 +343,8 @@ class Proposals extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->propal->addline(
 $request_data->desc,
@@ -488,8 +488,8 @@ class Proposals extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $propalline = new PropaleLigne($this->db);
 $result = $propalline->fetch($lineid);
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index fb912139d5f..e73fee8941f 100644
--- a/htdocs/commande/class/api_orders.class.php
+++ b/htdocs/commande/class/api_orders.class.php
@@ -335,8 +335,8 @@ class Orders extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->commande->addline(
 $request_data->desc,
@@ -403,8 +403,8 @@ class Orders extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->commande->updateline(
 $lineid,
diff --git a/htdocs/compta/bank/class/api_bankaccounts.class.php b/htdocs/compta/bank/class/api_bankaccounts.class.php
index 23d4c2eefbb..8e38d1ffe78 100644
--- a/htdocs/compta/bank/class/api_bankaccounts.class.php
+++ b/htdocs/compta/bank/class/api_bankaccounts.class.php
@@ -250,7 +250,7 @@ class BankAccounts extends DolibarrApi
 }
 // Clean data
- $description = checkVal($description, 'alphanohtml');
+ $description = sanitizeVal($description, 'alphanohtml');
 /**
@@ -498,13 +498,13 @@ class BankAccounts extends DolibarrApi
 throw new RestException(404, 'account not found');
 }
- $type = checkVal($type);
- $label = checkVal($label);
- $cheque_number = checkVal($cheque_number);
- $cheque_writer = checkVal($cheque_writer);
- $cheque_bank = checkVal($cheque_bank);
- $accountancycode = checkVal($accountancycode);
- $num_releve = checkVal($num_releve);
+ $type = sanitizeVal($type);
+ $label = sanitizeVal($label);
+ $cheque_number = sanitizeVal($cheque_number);
+ $cheque_writer = sanitizeVal($cheque_writer);
+ $cheque_bank = sanitizeVal($cheque_bank);
+ $accountancycode = sanitizeVal($accountancycode);
+ $num_releve = sanitizeVal($num_releve);
 $result = $account->addline(
 $date,
@@ -557,9 +557,9 @@ class BankAccounts extends DolibarrApi
 throw new RestException(404, 'account line not found');
 }
- $url = checkVal($url);
- $label = checkVal($label);
- $type = checkVal($type);
+ $url = sanitizeVal($url);
+ $label = sanitizeVal($label);
+ $type = sanitizeVal($type);
 $result = $account->add_url_line($line_id, $url_id, $url, $label, $type);
 if ($result < 0) {
diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php
index 551edb05731..19fda9ee253 100644
--- a/htdocs/compta/facture/class/api_invoices.class.php
+++ b/htdocs/compta/facture/class/api_invoices.class.php
@@ -423,8 +423,8 @@ class Invoices extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->invoice->updateline(
 $lineid,
@@ -712,8 +712,8 @@ class Invoices extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 // Reset fk_parent_line for no child products and special product
 if (($request_data->product_type != 9 && empty($request_data->fk_parent_line)) || $request_data->product_type == 9) {
diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php
index 5e534f3e43c..ea228550cae 100644
--- a/htdocs/contrat/class/api_contracts.class.php
+++ b/htdocs/contrat/class/api_contracts.class.php
@@ -278,8 +278,8 @@ class Contracts extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->price_base_type = checkVal($request_data->price_base_type);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->price_base_type = sanitizeVal($request_data->price_base_type);
 $updateRes = $this->contract->addline(
 $request_data->desc,
@@ -336,8 +336,8 @@ class Contracts extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->price_base_type = checkVal($request_data->price_base_type);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->price_base_type = sanitizeVal($request_data->price_base_type);
 $updateRes = $this->contract->updateline(
 $lineid,
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 9c268d31980..9d5a9eae857 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -683,11 +683,11 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null $tmpcheck = 'alphanohtml'; } foreach ($out as $outkey => $outval) { - $out[$outkey] = checkVal($outval, $tmpcheck, $filter, $options); + $out[$outkey] = sanitizeVal($outval, $tmpcheck, $filter, $options); } } } else { - $out = checkVal($out, $check, $filter, $options); + $out = sanitizeVal($out, $check, $filter, $options); } // Sanitizing for special parameters. @@ -736,9 +736,11 @@ function GETPOSTINT($paramname, $method = 0) return (int) GETPOST($paramname, 'int', $method, null, null, 0); } + /** - * Return a value after checking on a rule. A sanitization may also have been done. + * Return a sanitized or empty value after checking value against a rule. * + * @deprecated * @param string|array $out Value to check/clear. * @param string $check Type of check/sanitizing * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) @@ -746,6 +748,20 @@ function GETPOSTINT($paramname, $method = 0) * @return string|array Value sanitized (string or array). It may be '' if format check fails. */ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) +{ + return sanitizeVal($out, $check, $filter, $options); +} + +/** + * Return a sanitized or empty value after checking value against a rule. + * + * @param string|array $out Value to check/clear. + * @param string $check Type of check/sanitizing + * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) + * @param mixed $options Options to pass to filter_var when $check is set to 'custom' + * @return string|array Value sanitized (string or array). It may be '' if format check fails. + */ +function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) { global $conf; 
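Review bot: The `@deprecated` tag added to `checkVal()` in the hunk at line 736 names neither the replacement nor the version it was deprecated in, so static analysers and IDEs can only flag the call without pointing callers anywhere; `* @deprecated Use sanitizeVal() instead.` gives the maintainer of any external module that still calls checkVal() the direct pointer. The new `sanitizeVal()` docblock in the hunk at line 746 is a verbatim copy of the old one, including the accented typo `détails` in the `$filter` description; since `checkVal()` is now a one-line forwarder, a `@see sanitizeVal()` in its docblock would avoid keeping two copies of the parameter descriptions in sync. The body of sanitizeVal() starts at `global $conf;` and runs past the end of the hunk, so the sanitizing rules themselves are not reviewed here.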
diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php
index 402fbdc04d1..357683ef35a 100644
--- a/htdocs/expedition/class/api_shipments.class.php
+++ b/htdocs/expedition/class/api_shipments.class.php
@@ -279,8 +279,8 @@ class Shipments extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->shipment->addline(
 $request_data->desc,
@@ -347,8 +347,8 @@ class Shipments extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->shipment->updateline(
 $lineid,
diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php
index 37319a3ec71..876b08f18f0 100644
--- a/htdocs/expensereport/class/api_expensereports.class.php
+++ b/htdocs/expensereport/class/api_expensereports.class.php
@@ -251,8 +251,8 @@ class ExpenseReports extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->expensereport->addline(
 $request_data->desc,
@@ -319,8 +319,8 @@ class ExpenseReports extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
- $request_data->label = checkVal($request_data->label);
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
+ $request_data->label = sanitizeVal($request_data->label);
 $updateRes = $this->expensereport->updateline(
 $lineid,
diff --git a/htdocs/exports/class/export.class.php b/htdocs/exports/class/export.class.php
index c87f03f3110..a836be7d9d4 100644
--- a/htdocs/exports/class/export.class.php
+++ b/htdocs/exports/class/export.class.php
@@ -302,7 +302,7 @@ class Export
 public function build_filterQuery($TypeField, $NameField, $ValueField)
 {
 // phpcs:enable
- $NameField = checkVal($NameField, 'aZ09');
+ $NameField = sanitizeVal($NameField, 'aZ09');
 $szFilterQuery = '';
 //print $TypeField." ".$NameField." ".$ValueField;
diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php
index 35e783729ff..d08409a279b 100644
--- a/htdocs/fourn/class/api_supplier_invoices.class.php
+++ b/htdocs/fourn/class/api_supplier_invoices.class.php
@@ -558,8 +558,8 @@ class SupplierInvoices extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->description = checkVal($request_data->description, 'restricthtml');
- $request_data->ref_supplier = checkVal($request_data->ref_supplier);
+ $request_data->description = sanitizeVal($request_data->description, 'restricthtml');
+ $request_data->ref_supplier = sanitizeVal($request_data->ref_supplier);
 $updateRes = $this->invoice->addline(
 $request_data->description,
@@ -625,8 +625,8 @@ class SupplierInvoices extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->description = checkVal($request_data->description, 'restricthtml');
- $request_data->ref_supplier = checkVal($request_data->ref_supplier);
+ $request_data->description = sanitizeVal($request_data->description, 'restricthtml');
+ $request_data->ref_supplier = sanitizeVal($request_data->ref_supplier);
 $updateRes = $this->invoice->updateline(
 $lineid,
diff --git a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php
index 5d26fa90137..e52c677318e 100644
--- a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php
+++ b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php
@@ -218,7 +218,7 @@ class KnowledgeManagement extends DolibarrApi
 }
 // Clean data
- // $this->knowledgerecord->abc = checkVal($this->knowledgerecord->abc, 'alphanohtml');
+ // $this->knowledgerecord->abc = sanitizeVal($this->knowledgerecord->abc, 'alphanohtml');
 if ($this->knowledgerecord->create(DolibarrApiAccess::$user)<0) {
 throw new RestException(500, "Error creating KnowledgeRecord", array_merge(array($this->knowledgerecord->error), $this->knowledgerecord->errors));
@@ -260,7 +260,7 @@ class KnowledgeManagement extends DolibarrApi
 }
 // Clean data
- // $this->knowledgerecord->abc = checkVal($this->knowledgerecord->abc, 'alphanohtml');
+ // $this->knowledgerecord->abc = sanitizeVal($this->knowledgerecord->abc, 'alphanohtml');
 if ($this->knowledgerecord->update(DolibarrApiAccess::$user, false) > 0) {
 return $this->get($id);
diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php
index 4cb50c8de2f..5299ff04caa 100644
--- a/htdocs/modulebuilder/template/class/api_mymodule.class.php
+++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php
@@ -218,7 +218,7 @@ class MyModuleApi extends DolibarrApi
 }
 // Clean data
- // $this->myobject->abc = checkVal($this->myobject->abc, 'alphanohtml');
+ // $this->myobject->abc = sanitizeVal($this->myobject->abc, 'alphanohtml');
 if ($this->myobject->create(DolibarrApiAccess::$user)<0) {
 throw new RestException(500, "Error creating MyObject", array_merge(array($this->myobject->error), $this->myobject->errors));
@@ -260,7 +260,7 @@ class MyModuleApi extends DolibarrApi
 }
 // Clean data
- // $this->myobject->abc = checkVal($this->myobject->abc, 'alphanohtml');
+ // $this->myobject->abc = sanitizeVal($this->myobject->abc, 'alphanohtml');
 if ($this->myobject->update(DolibarrApiAccess::$user, false) > 0) {
 return $this->get($id);
diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php
index e44aef221f6..4c5f0810edd 100644
--- a/htdocs/product/class/api_products.class.php
+++ b/htdocs/product/class/api_products.class.php
@@ -779,9 +779,9 @@ class Products extends DolibarrApi
 }
 // Clean data
- $ref_fourn = checkVal($ref_fourn, 'alphanohtml');
- $desc_fourn = checkVal($desc_fourn, 'restricthtml');
- $barcode = checkVal($barcode, 'alphanohtml');
+ $ref_fourn = sanitizeVal($ref_fourn, 'alphanohtml');
+ $desc_fourn = sanitizeVal($desc_fourn, 'restricthtml');
+ $barcode = sanitizeVal($barcode, 'alphanohtml');
 $result = $this->productsupplier->update_buyprice($qty, $buyprice, DolibarrApiAccess::$user, $price_base_type, $fourn, $availability, $ref_fourn, $tva_tx, $charges, $remise_percent, $remise, $newnpr, $delivery_time_days, $supplier_reputation, $localtaxes_array, $newdefaultvatcode, $multicurrency_buyprice, $multicurrency_price_base_type, $multicurrency_tx, $multicurrency_code, $desc_fourn, $barcode, $fk_barcode_type);
diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php
index 59576b961d4..6a522346210 100644
--- a/htdocs/projet/class/api_projects.class.php
+++ b/htdocs/projet/class/api_projects.class.php
@@ -333,7 +333,7 @@ class Projects extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
 $updateRes = $this->project->addline(
 $request_data->desc,
@@ -400,7 +400,7 @@ class Projects extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
 $updateRes = $this->project->updateline(
 $lineid,
diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php
index cafb60f2865..0eaf8654421 100644
--- a/htdocs/projet/class/api_tasks.class.php
+++ b/htdocs/projet/class/api_tasks.class.php
@@ -333,7 +333,7 @@ class Tasks extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
 $updateRes = $this->project->addline(
 $request_data->desc,
@@ -400,7 +400,7 @@ class Tasks extends DolibarrApi
 $request_data = (object) $request_data;
- $request_data->desc = checkVal($request_data->desc, 'restricthtml');
+ $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml');
 $updateRes = $this->project->updateline(
 $lineid,
diff --git a/htdocs/recruitment/class/api_recruitment.class.php b/htdocs/recruitment/class/api_recruitment.class.php
index e0c2cb5da11..26e6c58fa4a 100644
--- a/htdocs/recruitment/class/api_recruitment.class.php
+++ b/htdocs/recruitment/class/api_recruitment.class.php
@@ -359,7 +359,7 @@ class Recruitment extends DolibarrApi
 }
 // Clean data
- // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml');
+ // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml');
 if ($this->jobposition->create(DolibarrApiAccess::$user)<0) {
 throw new RestException(500, "Error creating jobposition", array_merge(array($this->jobposition->error), $this->jobposition->errors));
@@ -391,7 +391,7 @@ class Recruitment extends DolibarrApi
 }
 // Clean data
- // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml');
+ // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml');
 if ($this->candidature->create(DolibarrApiAccess::$user)<0) {
 throw new RestException(500, "Error creating candidature", array_merge(array($this->candidature->error), $this->candidature->errors));
@@ -433,7 +433,7 @@ class Recruitment extends DolibarrApi
 }
 // Clean data
- // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml');
+ // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml');
 if ($this->jobposition->update(DolibarrApiAccess::$user, false) > 0) {
 return $this->get($id);
@@ -476,7 +476,7 @@ class Recruitment extends DolibarrApi
 }
 // Clean data
- // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml');
+ // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml');
 if ($this->candidature->update(DolibarrApiAccess::$user, false) > 0) {
 return $this->get($id);