From 831420b8e1bf7ab5445adf76837511110788c364 Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Fri, 2 Sep 2022 10:42:27 +0200
Subject: [PATCH 1/3] FIX: bad bookmark save

---
 htdocs/bookmarks/bookmarks.lib.php | 45 +++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php
index f8daff1cd14..ca0f1486db1 100644
--- a/htdocs/bookmarks/bookmarks.lib.php
+++ b/htdocs/bookmarks/bookmarks.lib.php
@@ -36,28 +36,39 @@ function printDropdownBookmarksList()
 
 	$langs->load("bookmarks");
 
+	$authorized_var=array('page','limit','optioncss','contextpage');
 	$url = $_SERVER["PHP_SELF"];
-
+	$url_param=array();
 	if (!empty($_SERVER["QUERY_STRING"])) {
-		$url .= (dol_escape_htmltag($_SERVER["QUERY_STRING"]) ? '?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]) : '');
-	} else {
-		global $sortfield, $sortorder;
-		$tmpurl = '';
-		// No urlencode, all param $url will be urlencoded later
-		if ($sortfield) {
-			$tmpurl .= ($tmpurl ? '&' : '').'sortfield='.urlencode($sortfield);
-		}
-		if ($sortorder) {
-			$tmpurl .= ($tmpurl ? '&' : '').'sortorder='.urlencode($sortorder);
-		}
-		if (is_array($_POST)) {
-			foreach ($_POST as $key => $val) {
-				if (preg_match('/^search_/', $key) && $val != '') {
-					$tmpurl .= ($tmpurl ? '&' : '').http_build_query(array($key => $val));
+		if (is_array($_GET)) {
+			foreach ($_GET as $key => $val) {
+				if ($val != '') {
+					$url_param[$key]=http_build_query(array($key => $val));
 				}
 			}
 		}
-		$url .= ($tmpurl ? '?'.$tmpurl : '');
+	}
+	global $sortfield, $sortorder;
+	$tmpurl = '';
+	// No urlencode, all param $url will be urlencoded later
+	if ($sortfield) {
+		$tmpurl .= ($tmpurl ? '&' : '').'sortfield='.urlencode($sortfield);
+	}
+	if ($sortorder) {
+		$tmpurl .= ($tmpurl ? '&' : '').'sortorder='.urlencode($sortorder);
+	}
+	if (is_array($_POST)) {
+		foreach ($_POST as $key => $val) {
+			if ((preg_match('/^search_/', $key) || in_array($key, $authorized_var))
+				&& $val != ''
+				&& !array_key_exists($key, $url_param)) {
+				$url_param[$key]=http_build_query(array($key => $val));
+			}
+		}
+	}
+	$url .= ($tmpurl ? '?'.$tmpurl : '');
+	if (!empty($url_param)) {
+		$url .= '&'.implode('&', $url_param);
 	}
 
 	$searchForm = '<!-- form with POST method by default, will be replaced with GET for external link by js -->'."\n";

From 8a44b1ab2bfd964e2e2e6b00558b4bc394d0ee05 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 2 Sep 2022 10:55:15 +0200
Subject: [PATCH 2/3] Update bookmarks.lib.php

---
 htdocs/bookmarks/bookmarks.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php
index ca0f1486db1..72fc0a9b51e 100644
--- a/htdocs/bookmarks/bookmarks.lib.php
+++ b/htdocs/bookmarks/bookmarks.lib.php
@@ -36,7 +36,7 @@ function printDropdownBookmarksList()
 
 	$langs->load("bookmarks");
 
-	$authorized_var=array('page','limit','optioncss','contextpage');
+	$authorized_var=array('limit','optioncss','contextpage');
 	$url = $_SERVER["PHP_SELF"];
 	$url_param=array();
 	if (!empty($_SERVER["QUERY_STRING"])) {

From 9d85eb1b7f828e682de7fe100ba7135d53a32500 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 2 Sep 2022 10:57:47 +0200
Subject: [PATCH 3/3] Update bookmarks.lib.php

---
 htdocs/bookmarks/bookmarks.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php
index 72fc0a9b51e..8eef3396eaa 100644
--- a/htdocs/bookmarks/bookmarks.lib.php
+++ b/htdocs/bookmarks/bookmarks.lib.php
@@ -43,7 +43,7 @@ function printDropdownBookmarksList()
 		if (is_array($_GET)) {
 			foreach ($_GET as $key => $val) {
 				if ($val != '') {
-					$url_param[$key]=http_build_query(array($key => $val));
+					$url_param[$key]=http_build_query(array(dol_escape_htmltag($key) => dol_escape_htmltag($val)));
 				}
 			}
 		}
@@ -62,7 +62,7 @@ function printDropdownBookmarksList()
 			if ((preg_match('/^search_/', $key) || in_array($key, $authorized_var))
 				&& $val != ''
 				&& !array_key_exists($key, $url_param)) {
-				$url_param[$key]=http_build_query(array($key => $val));
+				$url_param[$key]=http_build_query(array(dol_escape_htmltag($key) => dol_escape_htmltag($val)));
 			}
 		}
 	}