Merge branch '14.0' of git@github.com:Dolibarr/dolibarr.git into develop

Conflicts:
	htdocs/admin/ihm.php
	htdocs/install/repair.php
	htdocs/user/class/user.class.php
Laurent Destailleur 2021-12-09 11:15:40 +01:00
commit d6ab7ab953
2 changed files with 5 additions and 4 deletions


@ -1178,9 +1178,10 @@ if ($ok && GETPOST('clean_perm_table', 'alpha')) {
$listofmods = '';
foreach ($conf->modules as $key => $val) {
$listofmods .= ($listofmods ? ',' : '')."'".$val."'";
$listofmods .= ($listofmods ? ',' : '')."'".$db->escape($val)."'";
}
$sql = "SELECT id, libelle as label, module from ".MAIN_DB_PREFIX."rights_def WHERE module NOT IN (".$db->sanitize($listofmods).") AND id > 100000";
$sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module NOT IN ('.$db->sanitize($listofmods, 1).') AND id > 100000';
$resql = $db->query($sql);
if ($resql) {
$num = $db->num_rows($resql);
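Review bot: When `$conf->modules` is empty, the loop leaves `$listofmods` as `''` and the statement becomes `module NOT IN () AND id > 100000`, which MySQL and PostgreSQL reject as a syntax error; nothing in the new lines guards that case. Wrapping the query and its result handling in `if ($listofmods !== '')` would skip the cleanup cleanly instead of relying on the failed-query path. The `sanitize($listofmods, 1)` call also deserves a comment such as `// second argument keeps the single quotes, so every value must already go through $db->escape()`, since the second argument presumably lets quotes through and the per-value escape is what protects the literals. The enclosing `if ($ok && GETPOST('clean_perm_table', 'alpha'))` block continues outside the hunk.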


@ -849,7 +849,7 @@ class User extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."rights_def";
$sql .= " WHERE entity = ".((int) $entity);
if (!empty($whereforadd) && $whereforadd != 'allmodules') {
$sql .= " AND (".$whereforadd.")"; // Note: parenthesis are important because wheretoand can contains OR. Also note that $whereforadd is already sanitized
$sql .= " AND (".$whereforadd.")"; // Note: parenthesis are important because whereforadd can contains OR. Also note that $whereforadd is already sanitized
}
$result = $this->db->query($sql);
@ -975,7 +975,7 @@ class User extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."rights_def";
$sql .= " WHERE entity = ".((int) $entity);
if (!empty($wherefordel) && $wherefordel != 'allmodules') {
$sql .= " AND ".$wherefordel;
$sql .= " AND (".$wherefordel.")"; // Note: parenthesis are important because wherefordel can contains OR. Also note that $wherefordel is already sanitized
}
// avoid admin can remove his own important rights
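Review bot: The trailing comments on the new `" AND (".$whereforadd.")"` and `" AND (".$wherefordel.")"` lines assert that the fragment "is already sanitized", but neither hunk shows where it is built, and the value is concatenated into the statement as raw SQL. The parentheses are what stop an `OR` inside the fragment from bypassing the `entity = ` filter, so the precondition is better stated where the fragment is assembled than at the point of use, for example `// built only from (int) casts and $this->db->escape() values; must never receive raw request data` (adjust to match the actual construction). In both comments "can contains" should read "can contain". Both functions start and end outside the hunks.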