lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '15.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source
This commit is contained in:
Laurent Destailleur 2022-01-19 16:50:11 +01:00
commit d06f570c23
29 changed files with 113 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
htdocs/adherents/partnership.php
View File

@ -22,27 +22,6 @@
* \brief Page to create/edit/view partnership
*/
//if (! defined('NOREQUIREDB')) define('NOREQUIREDB', '1'); // Do not create database handler $db
//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1'); // Do not load object $user
//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1'); // Do not load object $mysoc
//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); // Do not load object $langs
//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION', '1'); // Do not check injection attack on GET parameters
//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION', '1'); // Do not check injection attack on POST parameters
//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
//if (! defined("NOLOGIN")) define("NOLOGIN", '1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too.
//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("FORCECSP")) define('FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
// Load Dolibarr environment
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';

2
htdocs/admin/const.php
View File

@ -37,8 +37,6 @@ if (!$user->admin) {
$rowid = GETPOST('rowid', 'int');
$entity = GETPOST('entity', 'int');
$action = GETPOST('action', 'aZ09');
$update = GETPOST('update', 'alpha');
$delete = GETPOST('delete', 'none'); // Do not use alpha here
$debug = GETPOST('debug', 'int');
$consts = GETPOST('const', 'array');
$constname = GETPOST('constname', 'alphanohtml');

2
htdocs/admin/defaultvalues.php
View File

@ -64,7 +64,7 @@ if (!$sortorder) {
$defaulturl = GETPOST('defaulturl', 'alphanohtml');
$defaultkey = GETPOST('defaultkey', 'alphanohtml');
$defaultvalue = GETPOST('defaultvalue', 'none');
$defaultvalue = GETPOST('defaultvalue', 'restricthtml');
$defaulturl = preg_replace('/^\//', '', $defaulturl);

12
htdocs/comm/mailing/card.php
View File

@ -493,9 +493,9 @@ if (empty($reshook)) {
if ($action == 'add') {
$mesgs = array();
$object->email_from = (string) GETPOST("from", "none"); // Must allow 'name <email>'
$object->email_replyto = (string) GETPOST("replyto", "none"); // Must allow 'name <email>'
$object->email_errorsto = (string) GETPOST("errorsto", "none"); // Must allow 'name <email>'
$object->email_from = (string) GETPOST("from", 'alphawithlgt'); // Must allow 'name <email>'
$object->email_replyto = (string) GETPOST("replyto", 'alphawithlgt'); // Must allow 'name <email>'
$object->email_errorsto = (string) GETPOST("errorsto", 'alphawithlgt'); // Must allow 'name <email>'
$object->title = (string) GETPOST("title");
$object->sujet = (string) GETPOST("sujet");
$object->body = (string) GETPOST("bodyemail", 'restricthtml');
@ -531,11 +531,11 @@ if (empty($reshook)) {
if ($action == 'settitle') {
$object->title = trim(GETPOST('title', 'alpha'));
} elseif ($action == 'setemail_from') {
$object->email_from = trim(GETPOST('email_from', 'none')); // Must allow 'name <email>'
$object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'setemail_replyto') {
$object->email_replyto = trim(GETPOST('email_replyto', 'none')); // Must allow 'name <email>'
$object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'setemail_errorsto') {
$object->email_errorsto = trim(GETPOST('email_errorsto', 'none')); // Must allow 'name <email>'
$object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name <email>'
} elseif ($action == 'settitle' && empty($object->title)) {
$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
} elseif ($action == 'setfrom' && empty($object->email_from)) {

6
htdocs/compta/facture/class/facture.class.php
View File

@ -527,9 +527,9 @@ class Facture extends CommonInvoice
// Fields coming from GUI (priority on template). TODO Value of template should be used as default value on GUI so we can use here always value from GUI
$this->fk_project = GETPOST('projectid', 'int') > 0 ? ((int) GETPOST('projectid', 'int')) : $_facrec->fk_project;
$this->note_public = GETPOST('note_public', 'none') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public;
$this->note_private = GETPOST('note_private', 'none') ? GETPOST('note_private', 'restricthtml') : $_facrec->note_private;
$this->model_pdf = GETPOST('model', 'alpha') ? GETPOST('model', 'alpha') : $_facrec->model_pdf;
$this->note_public = GETPOSTISSET('note_public') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public;
$this->note_private = GETPOSTISSET('note_private') ? GETPOST('note_private', 'restricthtml') : $_facrec->note_private;
$this->model_pdf = GETPOSTISSET('model') ? GETPOST('model', 'alpha') : $_facrec->model_pdf;
$this->cond_reglement_id = GETPOST('cond_reglement_id', 'int') > 0 ? ((int) GETPOST('cond_reglement_id', 'int')) : $_facrec->cond_reglement_id;
$this->mode_reglement_id = GETPOST('mode_reglement_id', 'int') > 0 ? ((int) GETPOST('mode_reglement_id', 'int')) : $_facrec->mode_reglement_id;
$this->fk_account = GETPOST('fk_account') > 0 ? ((int) GETPOST('fk_account')) : $_facrec->fk_account;

5
htdocs/compta/tva/card.php
View File

@ -196,7 +196,8 @@ if ($action == 'add' && !$cancel) {
}
$object->amount = $amount;
$object->label = GETPOST("label", 'alpha');
$object->note = GETPOST("note", 'none');
$object->note = GETPOST("note", 'restricthtml');
$object->note_private = GETPOST("note", 'restricthtml');
if (empty($object->datep)) {
setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DatePayment")), null, 'errors');
@ -236,7 +237,7 @@ if ($action == 'add' && !$cancel) {
$paiement->amounts = array($object->id=>$amount); // Tableau de montant
$paiement->paiementtype = GETPOST("type_payment", 'alphanohtml');
$paiement->num_payment = GETPOST("num_payment", 'alphanohtml');
$paiement->note = GETPOST("note", 'none');
$paiement->note = GETPOST("note", 'restricthtml');
if (!$error) {
$paymentid = $paiement->create($user, (int) GETPOST('closepaidtva'));

2
htdocs/core/customreports.php
View File

@ -56,7 +56,7 @@ if (!defined('USE_CUSTOM_REPORT_AS_INCLUDE')) {
}
$search_yaxis = GETPOST('search_yaxis', 'array');
$search_graph = GETPOST('search_graph', 'none');
$search_graph = GETPOST('search_graph', 'restricthtml');
// Load variable for pagination
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;

2
htdocs/core/lib/functions.lib.php
View File

@ -641,7 +641,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
}
// Check rule
if (preg_match('/^array/', $check)) { // If 'array' or 'array:restricthtml' or 'array:aZ09'
if (preg_match('/^array/', $check)) { // If 'array' or 'array:restricthtml' or 'array:aZ09' or 'array:intcomma'
if (!is_array($out) || empty($out)) {
$out = array();
} else {

13
htdocs/core/lib/geturl.lib.php
View File

@ -214,11 +214,14 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
}
}
// Common check (local and external)
if (in_array($iptocheck, array('100.100.100.200'))) {
$info['http_code'] = 400;
$info['content'] = 'Error bad hostname IP (Used by Alibaba metadata). Must be an external URL.';
break;
// Common check on ip (local and external)
$arrayofmetadataserver = array('100.100.100.200' => 'Alibaba', '192.0.0.192'=> 'Oracle');
foreach ($arrayofmetadataserver as $ipofmetadataserver => $nameofmetadataserver) {
if ($iptocheck == $ipofmetadataserver) {
$info['http_code'] = 400;
$info['content'] = 'Error bad hostname IP (Used by '.$nameofmetadataserver.' metadata server). This IP is forbidden.';
break 2; // exit the foreach and the do...
}
}
// Set CURLOPT_CONNECT_TO so curl will not try another resolution that may give a different result. Possible only on PHP v7+

2
htdocs/core/tpl/admin_extrafields_add.tpl.php
View File

@ -185,7 +185,7 @@ $listofexamplesforlink = 'Societe:societe/class/societe.class.php<br>Contact:con
<?php } else { ?>
<td><?php echo $form->textwithpicto($langs->trans("ComputedFormula"), $langs->trans("ComputedFormulaDesc")).$form->textwithpicto($langs->trans("Computedpersistent"), $langs->trans("ComputedpersistentDesc"), 1, 'warning'); ?></td>
<?php } ?>
<td class="valeur"><textarea name="computed_value" id="computed_value" class="quatrevingtpercent" rows="<?php echo ROWS_4 ?>"><?php echo (GETPOST('computed_value', 'none') ?GETPOST('computed_value', 'none') : ''); ?></textarea></td>
<td class="valeur"><textarea name="computed_value" id="computed_value" class="quatrevingtpercent" rows="<?php echo ROWS_4 ?>"><?php echo (GETPOSTISSET('computed_value') ? GETPOST('computed_value', 'restricthtml') : ''); ?></textarea></td>
</tr>
<!-- Default Value (at sql setup level) -->
<tr class="extra_default_value"><td><?php echo $langs->trans("DefaultValue").' ('.$langs->trans("Database").')'; ?></td><td class="valeur"><input id="default_value" type="text" name="default_value" size="5" value="<?php echo (GETPOST('default_value', 'alpha') ?GETPOST('default_value', 'alpha') : ''); ?>"></td></tr>

1
htdocs/eventorganization/conferenceorboothattendee_note.php
View File

@ -39,7 +39,6 @@
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("FORCECSP")) define('FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification

4
htdocs/externalsite/admin/index.php
View File

@ -57,7 +57,7 @@ if ($action == 'update') {
$label = GETPOST('EXTERNALSITE_LABEL', 'alphanohtml');
// exturl can be an url or a HTML string
$exturl = GETPOST('EXTERNALSITE_URL', 'none');
$exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
$exturl = dol_string_onlythesehtmlattributes($exturl);
@ -110,7 +110,7 @@ print '<tr class="oddeven">';
print '<td class="fieldrequired">'.$langs->trans("ExternalSiteURL")."</td>";
print '<td><textarea class="flat minwidth500" name="EXTERNALSITE_URL">';
$exturl = GETPOST('EXTERNALSITE_URL', 'none');
$exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
$exturl = dol_string_onlythesehtmlattributes($exturl);

1
htdocs/hrm/position.php
View File

@ -42,7 +42,6 @@
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("FORCECSP")) define('FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification

2
htdocs/main.inc.php
View File

@ -661,7 +661,7 @@ if (!defined('NOLOGIN')) {
// Verification security graphic code
if ($test && GETPOST("username", "alpha", 2) && !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) && !isset($_SESSION['dol_bypass_antispam'])) {
$sessionkey = 'dol_antispam_value';
$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'none'))));
$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'restricthtml'))));
// Check code
if (!$ok) {

2
htdocs/modulebuilder/index.php
View File

@ -767,7 +767,7 @@ if ($dirins && $action == 'addlanguage' && !empty($module)) {
// remove/delete File
if ($dirins && $action == 'confirm_removefile' && !empty($module)) {
$relativefilename = dol_sanitizePathName(GETPOST('file', 'none'));
$relativefilename = dol_sanitizePathName(GETPOST('file', 'restricthtml'));
if ($relativefilename) {
$dirnametodelete = dirname($relativefilename);
$filetodelete = $dirins.'/'.$relativefilename;

1
htdocs/modulebuilder/template/scripts/mymodule.php
View File

@ -40,7 +40,6 @@
//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value
//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler
//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', 1); // The main.inc.php does not make a redirect if not logged, instead show simple error message
//if (! defined("FORCECSP")) define('FORCECSP', 'none'); // Disable all Content Security Policies
//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
//if (! defined('NOBROWSERNOTIF')) define('NOBROWSERNOTIF', '1'); // Disable browser notification
if (!defined('NOSESSION')) define('NOSESSION', '1'); // On CLI mode, no need to use web sessions

2
htdocs/public/onlinesign/newonlinesign.php
View File

@ -448,10 +448,8 @@ if ($action == "dosign" && empty($cancel)) {
$("#clearsignature").on("click",function(){
$("#signature").jSignature("clear");
$("#signbutton").attr("disabled",true);
/* $("#clearsignature").css("display","none"); */
});
/* $("#clearsignature").css("display","none"); */
$("#signbutton").attr("disabled",true);
});
</script>';

2
htdocs/public/ticket/create_ticket.php
View File

@ -173,7 +173,7 @@ if (empty($reshook) && $action == 'create_ticket' && GETPOST('save', 'alpha')) {
// Check Captcha code if is enabled
if (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA)) {
$sessionkey = 'dol_antispam_value';
$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'none'))));
$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'restricthtml'))));
if (!$ok) {
$error++;
array_push($object->errors, $langs->trans("ErrorBadValueForCode"));

2
htdocs/salaries/card.php
View File

@ -277,7 +277,7 @@ if ($action == 'add' && empty($cancel)) {
$paiement->amounts = array($object->id=>$amount); // Tableau de montant
$paiement->paiementtype = $type_payment;
$paiement->num_payment = GETPOST("num_payment", 'alphanohtml');
$paiement->note = GETPOST("note", 'none');
$paiement->note = GETPOST("note", 'restricthtml');
if (!$error) {
$paymentid = $paiement->create($user, (int) GETPOST('closepaidsalary'));

4
htdocs/salaries/paiement_salary.php
View File

@ -110,8 +110,8 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
$paiement->amounts = $amounts; // Tableau de montant
$paiement->paiementtype = GETPOST("paiementtype", 'alphanohtml');
$paiement->num_payment = GETPOST("num_payment", 'alphanohtml');
$paiement->note = GETPOST("note", 'none');
$paiement->note_private = GETPOST("note", 'none');
$paiement->note = GETPOST("note", 'restricthtml');
$paiement->note_private = GETPOST("note", 'restricthtml');
if (!$error) {
$paymentid = $paiement->create($user, (GETPOST('closepaidsalary') == 'on' ? 1 : 0));

23
htdocs/theme/eldy/global.inc.php
View File

@ -1888,7 +1888,7 @@ div.blockvmenulogo
margin-left: 11px;
margin-right: 9px;
padding: 0;
height: <?php echo $disableimages ? '20' : '35'; ?>px;
height: <?php echo $disableimages ? '18' : '35'; ?>px;
/* width: 100px; */
max-width: 100px;
vertical-align: middle;
@ -4936,6 +4936,11 @@ tr.visible {
/* Module website */
/* ============================================================================== */
.websiteformtoolbar {
position: sticky;
top: <?php echo $disableimages ? '32px' : '52px'; ?>;
}
.exampleapachesetup {
overflow-y: auto;
height: 100px;
@ -4988,7 +4993,13 @@ span[phptag] {
/* display: inline-block; */
padding-<?php echo $right; ?>: 10px;
vertical-align: middle;
/* line-height: 28px; */
line-height: 28px;
}
.websiteselectionsection {
font-size: 0.85em;
}
.websiteselection span {
vertical-align: middle;
}
.websitetools {
float: right;
@ -5000,7 +5011,7 @@ span[phptag] {
}
.websiteinputurl {
display: inline-block;
vertical-align: top;
vertical-align: middle;
line-height: 28px;
}
.websiteiframenoborder {
@ -5035,6 +5046,10 @@ span.websitebuttonsitepreviewdisabled img, a.websitebuttonsitepreviewdisabled im
line-height: 1em;
}
.websitebar input.bordertransp {
line-height: normal !important;
}
#divbodywebsite section p {
margin: unset;
}
@ -7340,7 +7355,7 @@ div.clipboardCPValue.hidewithsize {
.websiteselectionsection {
border-left: unset;
boerder-right: unset;
border-right: unset;
padding-left: 5px;
}

1
htdocs/theme/md/btn.inc.php
View File

@ -234,6 +234,7 @@ span.butActionNewRefused>span.fa, span.butActionNewRefused>span.fa:hover
background: var(--butactiondeletebg);
/* border: 1px solid #633; */
color: #633;
vertical-align: middle;
}
.butActionDelete:hover {

2
htdocs/theme/md/main_menu_fa_icons.inc.php
View File

@ -11,7 +11,7 @@
font-variant: normal;
text-rendering: auto;
line-height: 26px;
font-size: 1.5em;
font-size: 1.3em;
-webkit-font-smoothing: antialiased;
text-align:center;
text-decoration:none;

18
htdocs/theme/md/style.css.php
View File

@ -3041,11 +3041,11 @@ div.blockvmenulogo
border-bottom: 0 !important;
}
.menulogocontainer {
margin: <?php echo $disableimages ? '0' : '6'; ?>px;
margin: <?php echo $disableimages ? '-1' : '6'; ?>px;
margin-left: 12px;
margin-right: 6px;
padding: 0;
height: <?php echo $disableimages ? '20' : '32'; ?>px;
height: <?php echo $disableimages ? '18' : '32'; ?>px;
/* width: 100px; */
max-width: 100px;
vertical-align: middle;
@ -4862,6 +4862,11 @@ tr.visible {
/* Module website */
/* ============================================================================== */
.websiteformtoolbar {
position: sticky;
top: <?php echo $disableimages ? '36px' : '50px'; ?>;
}
.exampleapachesetup {
overflow-y: auto;
max-height: 100px;
@ -4891,7 +4896,10 @@ span[phptag] {
border-bottom: 1px solid #ccc;
background: #eee;
display: inline-block;
padding: 4px 0 4px 0;
padding: 5px 5px 5px 5px;
}
.centpercent.websitebar {
width: calc(100% - 10px);
}
.websitebar .buttonDelete, .websitebar .button {
text-shadow: none;
@ -4908,7 +4916,7 @@ span[phptag] {
}
.websiteselection {
/* display: inline-block; */
padding-left: 10px;
padding-<?php echo $right; ?>: 10px;
vertical-align: middle;
}
.websitetools {
@ -7126,7 +7134,7 @@ div.clipboardCPValue.hidewithsize {
.websiteselectionsection {
border-left: unset;
boerder-right: unset;
border-right: unset;
padding-left: 5px;
}

2
htdocs/user/card.php
View File

@ -404,7 +404,7 @@ if (empty($reshook)) {
$object->firstname = GETPOST("firstname", 'alphanohtml');
$object->login = GETPOST("login", 'alphanohtml');
$object->gender = GETPOST("gender", 'aZ09');
$object->pass = GETPOST("password", 'none');
$object->pass = GETPOST("password", 'none'); // We can keep 'none' for password fields
$object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key;
if (!empty($user->admin)) {
$object->admin = GETPOST("admin", "int"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request

2
htdocs/viewimage.php
View File

@ -290,7 +290,7 @@ if ($modulepart == 'barcode') {
if (in_array($encoding, array('EAN8', 'EAN13'))) {
$code = GETPOST("code", 'alphanohtml');
} else {
$code = GETPOST("code", 'none'); // This can be rich content (qrcode, datamatrix, ...)
$code = GETPOST("code", 'restricthtml'); // This can be rich content (qrcode, datamatrix, ...)
}
if (empty($generator) || empty($encoding)) {

36
htdocs/website/index.php
View File

@ -2508,7 +2508,7 @@ llxHeader($moreheadcss.$moreheadjs, $langs->trans("WebsiteSetup"), $helpurl, '',
print "\n";
print '<!-- Open form for all page -->'."\n";
print '<form action="'.$_SERVER["PHP_SELF"].($action == 'file_manager' ? '?uploadform=1': '').'" method="POST" enctype="multipart/form-data">';
print '<form action="'.$_SERVER["PHP_SELF"].($action == 'file_manager' ? '?uploadform=1': '').'" method="POST" enctype="multipart/form-data" class="websiteformtoolbar">';
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
@ -2669,7 +2669,7 @@ if (!GETPOST('hide_websitemenu')) {
print ' &nbsp; ';
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditCss")).'" name="editcss">';
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editcss&token='.newToken().'" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans($conf->dol_optimize_smallscreen ? "Properties" : "EditCss")).'</a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editcss&token='.newToken().'" class="button bordertransp" title="'.dol_escape_htmltag($langs->trans("EditCss")).'"'.$disabled.'><span class="fa fa-cog paddingrightonly"></span><span class="hideonsmartphone">'.dol_escape_htmltag($langs->trans("EditCss")).'</span></a>';
$importlabel = $langs->trans("ImportSite");
$exportlabel = $langs->trans("ExportSite");
@ -2692,24 +2692,24 @@ if (!GETPOST('hide_websitemenu')) {
print '<input type="submit" class="buttonDelete bordertransp" name="deletesite" value="'.$langs->trans("Delete").'"'.($atleastonepage ? ' disabled="disabled"' : '').'>';
// Regenerate all pages
print '<a href="'.$_SERVER["PHP_SELF"].'?action=regeneratesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("RegenerateWebsiteContent")).'"><span class="fa fa-cogs"><span></a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=regeneratesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("RegenerateWebsiteContent")).'"><span class="far fa-hdd"></span></a>';
// Generate site map
print '<a href="'.$_SERVER["PHP_SELF"].'?action=confirmgeneratesitemaps&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("GenerateSitemaps")).'"><span class="fa fa-sitemap"><span></a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=confirmgeneratesitemaps&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("GenerateSitemaps")).'"><span class="fa fa-sitemap"></span></a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=replacesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("ReplaceWebsiteContent")).'"><span class="fa fa-search"><span></a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=replacesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("ReplaceWebsiteContent")).'"><span class="fa fa-search"></span></a>';
}
print '</span>';
if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) {
print '<span class="websiteselection">';
//print '<a href="'.$_SERVER["PHP_SELF"].'?action=file_manager&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("MediaFiles")).'"><span class="fa fa-image"><span></a>';
print dolButtonToOpenUrlInDialogPopup('file_manager', $langs->transnoentitiesnoconv("MediaFiles"), '<span class="fa fa-image"><span>', '/website/index.php?action=file_manager&website='.$website->ref, $disabled);
//print '<a href="'.$_SERVER["PHP_SELF"].'?action=file_manager&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("MediaFiles")).'"><span class="fa fa-image"></span></a>';
print dolButtonToOpenUrlInDialogPopup('file_manager', $langs->transnoentitiesnoconv("MediaFiles"), '<span class="fa fa-image"></span>', '/website/index.php?action=file_manager&website='.$website->ref, $disabled);
if (!empty($conf->categorie->enabled)) {
//print '<a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=website&dol_hide_leftmenu=1&nosearch=1&type=website_page&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("Categories")).'"><span class="fa fa-tags"><span></a>';
print dolButtonToOpenUrlInDialogPopup('categories', $langs->transnoentitiesnoconv("Categories"), '<span class="fa fa-tags"><span>', '/categories/index.php?leftmenu=website&nosearch=1&type=website_page&website='.$website->ref, $disabled);
//print '<a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=website&dol_hide_leftmenu=1&nosearch=1&type=website_page&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("Categories")).'"><span class="fa fa-tags"></span></a>';
print dolButtonToOpenUrlInDialogPopup('categories', $langs->transnoentitiesnoconv("Categories"), '<span class="fa fa-tags"></span>', '/categories/index.php?leftmenu=website&nosearch=1&type=website_page&website='.$website->ref, $disabled);
}
print '</span>';
@ -2808,7 +2808,7 @@ if (!GETPOST('hide_websitemenu')) {
print '</span>';
print '<span class="websiteselection hideonsmartphoneimp">';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=createcontainer&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("AddPage")).'"><span class="fa fa-plus-circle valignmiddle btnTitle-icon"><span></a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=createcontainer&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("AddPage")).'"><span class="fa fa-plus-circle valignmiddle btnTitle-icon"></span></a>';
print '</span>';
//print '<span class="websiteselection">';
@ -2846,9 +2846,10 @@ if (!GETPOST('hide_websitemenu')) {
print $langs->trans("New");
}
//print '<input type="submit" class="button" name="refreshpage" value="'.$langs->trans("Load").'"'.($atleastonepage?'':' disabled="disabled"').'>';
print '<input type="image" class="valignmiddle" src="'.img_picto('', 'refresh', '', 0, 1).'" name="refreshpage" value="'.$langs->trans("Load").'"'.(($atleastonepage && $action != 'editsource') ? '' : ' disabled="disabled"').'>';
print '<span class="websiteselection">';
print '<input type="image" class="valignmiddle" src="'.img_picto('', 'refresh', '', 0, 1).'" name="refreshpage" value="'.$langs->trans("Load").'"'.(($atleastonepage && $action != 'editsource') ? '' : ' disabled="disabled"').'>';
// Print nav arrows
$pagepreviousid = 0;
@ -2887,6 +2888,8 @@ if (!GETPOST('hide_websitemenu')) {
print '<span class="valignmiddle opacitymedium">'.img_next($langs->trans("Next")).'</span>';
}
print '</span>';
$websitepage = new WebSitePage($db);
if ($pageid > 0 && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone')) {
$websitepage->fetch($pageid);
@ -2962,13 +2965,16 @@ if (!GETPOST('hide_websitemenu')) {
print $formconfirm;
}
print '<span class="websiteselection">';
print ' &nbsp; ';
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditPageMeta")).'" name="editmeta">';
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editmeta&token='.newToken().'" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans($conf->dol_optimize_smallscreen ? "Properties" : "EditPageMeta")).'</a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editmeta&token='.newToken().'" class="button bordertransp" title="'.dol_escape_htmltag($langs->trans("EditPageMeta")).'"'.$disabled.'><span class="fa fa-cog paddingrightonly"></span><span class="hideonsmartphone">'.dol_escape_htmltag($langs->trans("EditPageMeta")).'</span></a>';
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditHTMLSource")).'" name="editsource">';
print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editsource&token='.newToken().'" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans($conf->dol_optimize_smallscreen ? "HTML" : "EditHTMLSource")).'</a>';
print '</span>';
print '<!-- button EditInLine and ShowSubcontainers -->'."\n";
print '<div class="websiteselectionsection inline-block">';
@ -3055,11 +3061,11 @@ if (!GETPOST('hide_websitemenu')) {
//$disabled=' disabled="disabled"';
//print '<span class="button bordertransp disabled"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home"></span></span>';
//print '<input type="submit" class="button bordertransp" disabled="disabled" value="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'" name="setashome">';
print '<a href="#" class="button bordertransp disabled" disabled="disabled" title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"><span></a>';
print '<a href="#" class="button bordertransp disabled" disabled="disabled" title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"></span></a>';
} else {
//$disabled='';
//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'" name="setashome">';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=setashome&token='.newToken().'&website='.$website->ref.'&pageid='.$pageid.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"><span></a>';
print '<a href="'.$_SERVER["PHP_SELF"].'?action=setashome&token='.newToken().'&website='.$website->ref.'&pageid='.$pageid.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"></span></a>';
}
print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("ClonePage")).'" name="createpagefromclone">';
print '<input type="submit" class="buttonDelete bordertransp" name="delete" value="'.$langs->trans("Delete").'"'.($atleastonepage ? '' : ' disabled="disabled"').'>';

19
test/phpunit/CodingPhpTest.php
View File

@ -437,6 +437,25 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].'. Bad.');
// Check GETPOST(... 'none');
$ok=true;
$matches=array();
preg_match_all('/GETPOST\s*\(([^\)]+),\s*["\']none["\']/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
var_dump($val);
if (!in_array($val[1], array(
"'replacestring'", "'htmlheader'", "'WEBSITE_HTML_HEADER'", "'WEBSITE_CSS_INLINE'", "'WEBSITE_JS_INLINE'", "'WEBSITE_MANIFEST_JSON'", "'PAGE_CONTENT'", "'WEBSITE_README'",
"'search_status'", '"mysqldump"', '"postgresqldump"', "'db_pass_root'", "'db_pass'", '"pass"', '"pass1"', '"pass2"', '"password"', "'password'", '"MAIN_MAIL_SMTPS_PW"'))) {
$ok=false;
break;
}
//if ($reg[0] != 'db') $ok=false;
}
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found a GETPOST that use \'none\' as a parameter in file '.$file['relativename'].' and param is not an allowed parameter for using none - Bad.');
//exit;
// Test that first param of print_liste_field_titre is a translation key and not the translated value
$ok=true;
$matches=array();

5
test/phpunit/SecurityTest.php
View File

@ -791,6 +791,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that resolves to a local URL'); // Test we receive an error because localtest.me is not an external URL
*/
$url = 'http://192.0.0.192';
$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL but on an IP in blacklist
print __METHOD__." url=".$url." tmp['http_code'] = ".$tmp['http_code']."\n";
$this->assertEquals(400, $tmp['http_code'], 'Access should be refused and was not'); // Test we receive an error because ip is in blacklist
return 0;
}