From 10c973f38f98e08587f2d7735f584e12ce22ebed Mon Sep 17 00:00:00 2001
From: John Botella
Date: Wed, 15 Jan 2020 14:36:44 +0100
Subject: [PATCH 01/11] Fix complex export model loading
---
 htdocs/exports/export.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php
index c404fc2b264..9122c93bae4 100644
--- a/htdocs/exports/export.php
+++ b/htdocs/exports/export.php
@@ -373,7 +373,7 @@ if ($step == 2 && $action == 'select_model')
 $result = $objexport->fetch($exportmodelid);
 if ($result > 0)
 {
- $fieldsarray=explode(',', $objexport->hexa);
+ $fieldsarray=preg_split("/,(?! [^(]*\))/", $objexport->hexa);
 $i=1;
 foreach($fieldsarray as $val)
 {
From 3cdb84b192bd5ea8c4f6c66eabc2f19215dee08e Mon Sep 17 00:00:00 2001
From: atm-ph
Date: Thu, 16 Jan 2020 09:50:57 +0100
Subject: [PATCH 02/11] Fix note started with balise
---
 htdocs/core/lib/functions.lib.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 3f7d9b8af09..63759ba71ed 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
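Review bot: The negative lookahead in `preg_split("/,(?! [^(]*\))/", $objexport->hexa)` only protects a comma that is followed by a literal space, so a field written as `CONCAT(a,b)` without the space is still split inside the parentheses; dropping the space, `/,(?![^(]*\))/`, covers both spellings. `preg_split()` also returns `false` on a PCRE error, and the following `foreach($fieldsarray as $val)` would then only raise a warning and skip the fields, so a `if ($fieldsarray === false)` guard (or a `preg_last_error()` check) would make that failure visible instead of producing an empty export model. The `if ($step == 2 && $action == 'select_model')` block this hunk belongs to starts and ends outside the hunk.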
@@ -5756,9 +5756,9 @@ function dol_textishtml($msg, $option = 0) elseif (preg_match('//i', $msg)) return true; elseif (preg_match('//i', $msg)) return true; - elseif (preg_match('/<(br|div|font|li|p|span|strong|table)>/i', $msg)) return true; - elseif (preg_match('/<(br|div|font|li|p|span|strong|table)\s+[^<>\/]*>/i', $msg)) return true; - elseif (preg_match('/<(br|div|font|li|p|span|strong|table)\s+[^<>\/]*\/>/i', $msg)) return true; + elseif (preg_match('/<(br|div|font|li|p|span|strong|table|s)>/i', $msg)) return true; + elseif (preg_match('/<(br|div|font|li|p|span|strong|table|s)\s+[^<>\/]*>/i', $msg)) return true; + elseif (preg_match('/<(br|div|font|li|p|span|strong|table|s)\s+[^<>\/]*\/>/i', $msg)) return true; elseif (preg_match('/]*src[^<>]*>/i', $msg)) return true; // must accept elseif (preg_match('/]*href[^<>]*>/i', $msg)) return true; // must accept elseif (preg_match('//i', $msg)) return true; From 60d4f63205a0c8d03bfdf96825f0a5b1894f5ab3 Mon Sep 17 00:00:00 2001 From: VESSILLER Date: Fri, 17 Jan 2020 13:56:01 +0100 Subject: [PATCH 03/11] FIX send expense report mail in HTML format --- htdocs/expensereport/card.php | 18 +++++++++++++----- htdocs/langs/fr_FR/trips.lang | 2 +- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index b95dad0f200..44179745267 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -390,6 +390,7 @@ if (empty($reshook)) // CONTENT $link = $urlwithroot.'/expensereport/card.php?id='.$object->id; + $link = '' . $link . ''; $message = $langs->transnoentities("ExpenseReportWaitingForApprovalMessage", $expediteur->getFullName($langs), get_date_range($object->date_debut, $object->date_fin, '', $langs), $link); // Rebuild pdf 
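Review bot: The tag alternation `br|div|font|li|p|span|strong|table|s` is now repeated verbatim in three consecutive `preg_match()` patterns, which is how the previous list drifted and needed this three-line fix; hoisting it once, `$tags = 'br|div|font|li|p|span|strong|table|s';` and interpolating `'/<('.$tags.')>/i'` (and the two `\s+` variants) keeps the three checks in sync for the next addition. A one-line comment above the three lines, `// Opening tags (bare, with attributes, self-closed) that mark the text as HTML`, would also help, since the three patterns differ only in their attribute/self-closing suffix. The enclosing `dol_textishtml()` starts and ends outside the hunk.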
@@ -509,6 +510,7 @@ if (empty($reshook)) // CONTENT $link = $urlwithroot.'/expensereport/card.php?id='.$object->id; + $link = '' . $link . ''; $dateRefusEx = explode(" ", $object->date_refuse); $message = $langs->transnoentities("ExpenseReportWaitingForReApprovalMessage", $dateRefusEx[0], $object->detail_refuse, $expediteur->getFullName($langs), $link); @@ -634,6 +636,7 @@ if (empty($reshook)) // CONTENT $link = $urlwithroot.'/expensereport/card.php?id='.$object->id; + $link = '' . $link . ''; $message = $langs->transnoentities("ExpenseReportApprovedMessage", $object->ref, $destinataire->getFullName($langs), $expediteur->getFullName($langs), $link); // Rebuilt pdf @@ -704,7 +707,8 @@ if (empty($reshook)) $object = new ExpenseReport($db); $object->fetch($id); - $result = $object->setDeny($user, GETPOST('detail_refuse', 'alpha')); + $detailRefuse = GETPOST('detail_refuse', 'alpha'); + $result = $object->setDeny($user, $detailRefuse); if ($result > 0) { @@ -752,7 +756,8 @@ if (empty($reshook)) // CONTENT $link = $urlwithroot.'/expensereport/card.php?id='.$object->id; - $message = $langs->transnoentities("ExpenseReportRefusedMessage", $object->ref, $destinataire->getFullName($langs), $expediteur->getFullName($langs), $_POST['detail_refuse'], $link); + $link = '' . $link . ''; + $message = $langs->transnoentities("ExpenseReportRefusedMessage", $object->ref, $destinataire->getFullName($langs), $expediteur->getFullName($langs), $detailRefuse, $link); // Rebuilt pdf /* @@ -832,7 +837,8 @@ if (empty($reshook)) if ($user->id == $object->fk_user_valid || $user->id == $object->fk_user_author) { - $result = $object->set_cancel($user, GETPOST('detail_cancel', 'alpha')); + $detailCancel = GETPOST('detail_cancel', 'alpha'); + $result = $object->set_cancel($user, $detailCancel); if ($result > 0) { 
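Review bot: In the `@@ -704` and `@@ -752` hunks the refusal reason `$detailRefuse = GETPOST('detail_refuse', 'alpha')` is now interpolated, via `transnoentities`, into a message that this same commit turns into HTML (the link is wrapped in anchor markup on the `$link = ...` line), but the free text itself is not HTML-escaped at that point; whether the `'alpha'` filter removes all markup is not visible here, so `dol_escape_htmltag($detailRefuse)` in the `transnoentities(...)` call would pin the intent. The same applies to `$detailCancel` in the `@@ -832`/`@@ -880` hunks. Since the mail body is now HTML, line breaks typed by the user in the reason field will also collapse unless they are converted (e.g. `nl2br` after escaping) — worth a comment on the `$message = ...` line stating that the message is sent as HTML. The `if (empty($reshook))` action block these hunks sit in starts and ends outside them.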
@@ -880,7 +886,8 @@ if (empty($reshook)) // CONTENT $link = $urlwithroot.'/expensereport/card.php?id='.$object->id; - $message = $langs->transnoentities("ExpenseReportCanceledMessage", $object->ref, $destinataire->getFullName($langs), $expediteur->getFullName($langs), GETPOST('detail_cancel', 'alpha'), $link); + $link = '' . $link . ''; + $message = $langs->transnoentities("ExpenseReportCanceledMessage", $object->ref, $destinataire->getFullName($langs), $expediteur->getFullName($langs), $detailCancel, $link); // Rebuilt pdf /* @@ -1105,6 +1112,7 @@ if (empty($reshook)) // CONTENT $link = $urlwithroot.'/expensereport/card.php?id='.$object->id; + $link = '' . $link . ''; $message = $langs->transnoentities("ExpenseReportPaidMessage", $object->ref, $destinataire->getFullName($langs), $expediteur->getFullName($langs), $link); // Generate pdf before attachment @@ -1736,7 +1744,7 @@ else if ($action == 'cancel') { $array_input = array('text'=>$langs->trans("ConfirmCancelTrip"), array('type'=>"text",'label'=>''.$langs->trans("Comment").'','name'=>"detail_cancel",'value'=>"")); - $formconfirm=$form->formconfirm($_SEVER["PHP_SELF"]."?id=".$id, $langs->trans("Cancel"), "", "confirm_cancel", $array_input, "", 1); + $formconfirm=$form->formconfirm($_SERVER["PHP_SELF"]."?id=".$id, $langs->trans("Cancel"), "", "confirm_cancel", $array_input, "", 1); } if ($action == 'setdraft') diff --git a/htdocs/langs/fr_FR/trips.lang b/htdocs/langs/fr_FR/trips.lang index cffe2cc14e8..efb5b645a3d 100644 --- a/htdocs/langs/fr_FR/trips.lang +++ b/htdocs/langs/fr_FR/trips.lang @@ -29,7 +29,7 @@ ExpenseReportApprovedMessage=La note de frais %s a été approuvée.
- Utilis ExpenseReportRefused=Une note de frais a été refusée ExpenseReportRefusedMessage=La note de frais %s a été refusée.
- Utilisateur : %s
- Refusée par : %s
- Motif du refus : %s
Cliquez ici pour afficher la note de frais: %s ExpenseReportCanceled=Une note de frais a été annulée -ExpenseReportCanceledMessage=La note de frais %s a été annulée.
- Utilisateur : %s
- Annulée par : %s
- Motif de l'annulation :%s
Cliquez ici pour afficher la note de frais %s +ExpenseReportCanceledMessage=La note de frais %s a été annulée.
- Utilisateur : %s
- Annulée par : %s
- Motif de l'annulation : %s
Cliquez ici pour afficher la note de frais %s ExpenseReportPaid=Une note de frais a été réglée ExpenseReportPaidMessage=La note de frais %s a été réglée.
- Utilisateur : %s
- Réglée par : %s
Cliquez ici pour afficher la note de frais %s TripId=Id note de frais From 83d1b673bbd6c48d90fdab0d3bcc26d243e9c52b Mon Sep 17 00:00:00 2001 From: andreubisquerra Date: Thu, 16 Jan 2020 08:25:36 +0100 Subject: [PATCH 04/11] Visible receipt printer settings without stock module in TakePOS --- htdocs/takepos/admin/terminal.php | 53 ++++++++++++++++--------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/htdocs/takepos/admin/terminal.php b/htdocs/takepos/admin/terminal.php index d2769d77afb..b30cb4e7032 100644 --- a/htdocs/takepos/admin/terminal.php +++ b/htdocs/takepos/admin/terminal.php 
@@ -207,33 +207,34 @@ if (!empty($conf->stock->enabled)) print ''.$langs->trans("StockDecreaseForPointOfSaleDisabled").''; } print ''; - if ($conf->receiptprinter->enabled) { - // Select printer to use with terminal - require_once DOL_DOCUMENT_ROOT.'/core/class/dolreceiptprinter.class.php'; - $printer = new dolReceiptPrinter($db); - $printer->listprinters(); - $printers = array(); - foreach ($printer->listprinters as $key => $value) { - $printers[$value['rowid']] = $value['name']; - } - print ''.$langs->trans("TakeposTerminalPrinterToUse").''; - print ''; - print $form->selectarray('TAKEPOS_PRINTER_TO_USE'.$terminal, $printers, (empty($conf->global->{'TAKEPOS_PRINTER_TO_USE'.$terminal}) ? '0' : $conf->global->{'TAKEPOS_PRINTER_TO_USE'.$terminal}), 1); - print ''; - $printer->listPrintersTemplates(); - $templates = array(); - foreach ($printer->listprinterstemplates as $key => $value) { - $templates[$value['rowid']] = $value['name']; - } - print ''.$langs->trans("TakeposTerminalTemplateToUseForInvoicesTicket").''; - print ''; - print $form->selectarray('TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$terminal, $templates, (empty($conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$terminal}) ? '0' : $conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$terminal}), 1); - print ''; - print ''.$langs->trans("TakeposTerminalTemplateToUseForOrdersTicket").''; - print ''; - print $form->selectarray('TAKEPOS_TEMPLATE_TO_USE_FOR_ORDERS'.$terminal, $templates, (empty($conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_ORDERS'.$terminal}) ? 
'0' : $conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_ORDERS'.$terminal}), 1); - print ''; +} + +if ($conf->receiptprinter->enabled) { + // Select printer to use with terminal + require_once DOL_DOCUMENT_ROOT.'/core/class/dolreceiptprinter.class.php'; + $printer = new dolReceiptPrinter($db); + $printer->listprinters(); + $printers = array(); + foreach ($printer->listprinters as $key => $value) { + $printers[$value['rowid']] = $value['name']; } + print ''.$langs->trans("TakeposTerminalPrinterToUse").''; + print ''; + print $form->selectarray('TAKEPOS_PRINTER_TO_USE'.$terminal, $printers, (empty($conf->global->{'TAKEPOS_PRINTER_TO_USE'.$terminal}) ? '0' : $conf->global->{'TAKEPOS_PRINTER_TO_USE'.$terminal}), 1); + print ''; + $printer->listPrintersTemplates(); + $templates = array(); + foreach ($printer->listprinterstemplates as $key => $value) { + $templates[$value['rowid']] = $value['name']; + } + print ''.$langs->trans("TakeposTerminalTemplateToUseForInvoicesTicket").''; + print ''; + print $form->selectarray('TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$terminal, $templates, (empty($conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$terminal}) ? '0' : $conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_INVOICES'.$terminal}), 1); + print ''; + print ''.$langs->trans("TakeposTerminalTemplateToUseForOrdersTicket").''; + print ''; + print $form->selectarray('TAKEPOS_TEMPLATE_TO_USE_FOR_ORDERS'.$terminal, $templates, (empty($conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_ORDERS'.$terminal}) ? '0' : $conf->global->{'TAKEPOS_TEMPLATE_TO_USE_FOR_ORDERS'.$terminal}), 1); + print ''; } print ''; From f4ae8696782fb7e35c34fd749a470e8fd5cdebfe Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Jan 2020 12:15:47 +0100 Subject: [PATCH 05/11] Fix error return when creating order with not enough stock --- htdocs/commande/class/commande.class.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
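Review bot: The moved block is guarded by `if ($conf->receiptprinter->enabled)` while the surrounding code (the `if (!empty($conf->stock->enabled))` in the hunk header) uses the `!empty()` form; now that the printer settings are shown regardless of the stock module, this is reached on installs where the receipt-printer module may never have been loaded, and `!empty($conf->receiptprinter->enabled)` avoids a notice if `$conf->receiptprinter` is unset there (I cannot see how `$conf` is populated from this hunk). The body of the block is otherwise the previous code re-indented, so nothing else changes; a short comment above the new `if`, `// Receipt printer settings are independent of the stock module`, would record why the block was pulled out.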
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 434d43e8ffa..7d8e2680977 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -936,6 +936,7 @@ class Commande extends CommonOrder
 if ($result != self::STOCK_NOT_ENOUGH_FOR_ORDER)
 {
 $this->error=$this->db->lasterror();
+ $this->errors[] = $this->error;
 dol_print_error($this->db);
 }
 $this->db->rollback();
@@ -1412,7 +1413,8 @@ class Commande extends CommonOrder
 if (! empty($conf->global->STOCK_MUST_BE_ENOUGH_FOR_ORDER) && $product_type == 0 && $product->stock_reel < $qty)
 {
 $langs->load("errors");
- $this->error=$langs->trans('ErrorStockIsNotEnoughToAddProductOnOrder', $product->ref);
+ $this->error = $langs->trans('ErrorStockIsNotEnoughToAddProductOnOrder', $product->ref);
+ $this->errors[] = $this->error;
 dol_syslog(get_class($this)."::addline error=Product ".$product->ref.": ".$this->error, LOG_ERR);
 $this->db->rollback();
 return self::STOCK_NOT_ENOUGH_FOR_ORDER;
@@ -3053,7 +3055,8 @@ class Commande extends CommonOrder
 if (! empty($conf->global->STOCK_MUST_BE_ENOUGH_FOR_ORDER) && $product_type == 0 && $product->stock_reel < $qty)
 {
 $langs->load("errors");
- $this->error=$langs->trans('ErrorStockIsNotEnoughToAddProductOnOrder', $product->ref);
+ $this->error = $langs->trans('ErrorStockIsNotEnoughToAddProductOnOrder', $product->ref);
+ $this->errors[] = $this->error;
 dol_syslog(get_class($this)."::addline error=Product ".$product->ref.": ".$this->error, LOG_ERR);
 $this->db->rollback();
 return self::STOCK_NOT_ENOUGH_FOR_ORDER;
From 00cddc39fd33b0d6685f04143ebeec3a5a9d9622 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 19 Jan 2020 13:56:16 +0100
Subject: [PATCH 06/11] Fix remove some orphelins in llx_ecm_files
---
 htdocs/install/mysql/migration/repair.sql | 2 ++
 1 file changed, 2 insertions(+)
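Review bot: The `@@ -3053` hunk lives some 1600 lines after the `addline()` hunk at `@@ -1412`, yet its `dol_syslog(get_class($this)."::addline error=Product ...` line still names `addline`, so the log entry written on the new error path points at the wrong method (the enclosing method's signature is outside the hunk, so I infer this from the line numbers); `dol_syslog(__METHOD__." error=Product ".$product->ref.": ".$this->error, LOG_ERR);` would be correct in both places without maintaining the name by hand. The stock check, message, `$this->errors[]` push, syslog and rollback are otherwise identical in the two hunks, which suggests a small private helper so the next fix is not applied twice. In the `@@ -936` hunk the push only happens on the non-stock branch, which is consistent with the other two hunks already appending the stock error themselves.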
diff --git a/htdocs/install/mysql/migration/repair.sql b/htdocs/install/mysql/migration/repair.sql index 51fe48dcda2..73cb1e6592d 100755 --- a/htdocs/install/mysql/migration/repair.sql +++ b/htdocs/install/mysql/migration/repair.sql @@ -177,6 +177,8 @@ delete from llx_categorie_member where fk_categorie not in (select rowid from ll delete from llx_categorie_contact where fk_categorie not in (select rowid from llx_categorie where type = 4); delete from llx_categorie_project where fk_categorie not in (select rowid from llx_categorie where type = 6); +-- Fix: delete orphelins in ecm_files +delete from llx_ecm_files where src_object_type = 'expensereport' and src_object_id NOT IN (select rowid from llx_expensereport); -- Fix: delete orphelin deliveries. Note: deliveries are linked to shipment by llx_element_element only. No other links. delete from llx_livraisondet where fk_livraison not in (select fk_target from llx_element_element where targettype = 'delivery') AND fk_livraison not in (select fk_source from llx_element_element where sourcetype = 'delivery'); From 8c8d492a48d3b2c6f5d6f5661c33ed59c98832b4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Jan 2020 15:19:07 +0100 Subject: [PATCH 07/11] FIX Protection to avoid blocking situation with negative lines --- htdocs/compta/facture/card.php | 48 ++++++++++++++++++++++++++++++++-- htdocs/langs/en_US/errors.lang | 3 ++- 2 files changed, 48 insertions(+), 3 deletions(-) diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index bc51fabfefc..3308d0e816e 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -137,6 +137,7 @@ $isdraft = (($object->statut == Facture::STATUS_DRAFT) ? 1 : 0); $result = restrictedArea($user, 'facture', $id, '', '', 'fk_soc', $fieldid, $isdraft); + /* * Actions */ 
@@ -289,6 +290,39 @@ if (empty($reshook)) setEventMessages($langs->trans("ErrorInvoiceOfThisTypeMustBePositive"), null, 'errors'); $action = ''; } + + // Also negative lines should not be allowed on 'non Credit notes' invoices. A test is done when adding or updating lines but we must + // do it again in validation to avoid cases where invoice is created from another object that allow negative lines. + // Note that we can accept the negative line if sum with other lines with same vat is positivie: Because all the lines will be merged together + // when converted into 'available credit' and we will get a positive available credit line. + // Note: Other solution if you want to add a negative line on invoice, is to create a discount for customer and consumme it (but this is possible on standard invoice only). + $array_of_pu_ht_per_vat_rate = array(); + $array_of_pu_ht_devise_per_vat_rate = array(); + foreach($object->lines as $line) { + if (empty($array_of_pu_ht_per_vat_rate[$line->tva_tx.'_'.$line->vat_src_code])) $array_of_pu_ht_per_vat_rate[$line->tva_tx.'_'.$line->vat_src_code] = 0; + if (empty($array_of_pu_ht_devise_per_vat_rate[$line->tva_tx.'_'.$line->vat_src_code])) $array_of_pu_ht_devise_per_vat_rate[$line->tva_tx.'_'.$line->vat_src_code] = 0; + $array_of_pu_ht_per_vat_rate[$line->tva_tx.'_'.$line->vat_src_code] += $line->subprice; + $array_of_pu_ht_devise_per_vat_rate[$line->tva_tx.'_'.$line->vat_src_code] += $line->multicurrency_subprice; + } + //var_dump($array_of_pu_ht_per_vat_rate);exit; + foreach($array_of_pu_ht_per_vat_rate as $vatrate => $tmpvalue) + { + $pu_ht = $array_of_pu_ht_per_vat_rate[$vatrate]; + $pu_ht_devise = $array_of_pu_ht_devise_per_vat_rate[$vatrate]; + + if (($pu_ht < 0 || $pu_ht_devise < 0) && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) + { + $langs->load("errors"); + if ($object->type == $object::TYPE_DEPOSIT) { + // Using negative lines on deposit lead to headach and blocking problems when you want to consume them. 
+ setEventMessages($langs->trans("ErrorLinesCantBeNegativeOnDeposits"), null, 'errors'); + } else { + setEventMessages($langs->trans("ErrorFieldCantBeNegativeOnInvoice", $langs->transnoentitiesnoconv("UnitPriceHT"), $langs->transnoentitiesnoconv("CustomerAbsoluteDiscountShort")), null, 'errors'); + } + $error++; + $action = ''; + } + } } } @@ -1822,7 +1856,12 @@ if (empty($reshook)) if ($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) { $langs->load("errors"); - setEventMessages($langs->trans("ErrorFieldCantBeNegativeOnInvoice", $langs->transnoentitiesnoconv("UnitPriceHT")), null, 'errors'); + if ($object->type == $object::TYPE_DEPOSIT) { + // Using negative lines on deposit lead to headach and blocking problems when you want to consume them. + setEventMessages($langs->trans("ErrorLinesCantBeNegativeOnDeposits"), null, 'errors'); + } else { + setEventMessages($langs->trans("ErrorFieldCantBeNegativeOnInvoice", $langs->transnoentitiesnoconv("UnitPriceHT"), $langs->transnoentitiesnoconv("CustomerAbsoluteDiscountShort")), null, 'errors'); + } $error++; } else @@ -2203,7 +2242,12 @@ if (empty($reshook)) if ($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) { $langs->load("errors"); - setEventMessages($langs->trans("ErrorFieldCantBeNegativeOnInvoice", $langs->transnoentitiesnoconv("UnitPriceHT")), null, 'errors'); + if ($object->type == $object::TYPE_DEPOSIT) { + // Using negative lines on deposit lead to headach and blocking problems when you want to consume them. + setEventMessages($langs->trans("ErrorLinesCantBeNegativeOnDeposits"), null, 'errors'); + } else { + setEventMessages($langs->trans("ErrorFieldCantBeNegativeOnInvoice", $langs->transnoentitiesnoconv("UnitPriceHT"), $langs->transnoentitiesnoconv("CustomerAbsoluteDiscountShort")), null, 'errors'); + } $error++; } else diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index 7aafdfbbd65..4edca737c66 100644 --- a/htdocs/langs/en_US/errors.lang 
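Review bot: The new validation loop sums `$line->subprice` (unit price) per VAT key, but the comment above it argues from the lines being "merged together" into one credit, which depends on the line totals: a line with qty 10 at -1 and another with qty 1 at +5 passes this check although the merged amount is negative (I cannot see how the credit is computed from here, so confirm whether `$line->subprice * $line->qty` or `$line->total_ht` is the right quantity to accumulate). The leftover `//var_dump($array_of_pu_ht_per_vat_rate);exit;` debug line should be dropped, and `$tmpvalue` in `foreach($array_of_pu_ht_per_vat_rate as $vatrate => $tmpvalue)` is unused since the body re-reads the array — `foreach ($array_of_pu_ht_per_vat_rate as $vatrate => $pu_ht)` reads cleaner. `$error++` and `$action = ''` run once per offending VAT group, so a user can get the same message several times for one invoice; a `break` after the first hit avoids that. The deposit-versus-standard message block is pasted three times (this hunk, `@@ -1822`, `@@ -2203`) and is a candidate for one small helper; the surrounding `if (empty($reshook))` action code starts and ends outside the hunk.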
+++ b/htdocs/langs/en_US/errors.lang @@ -117,7 +117,8 @@ ErrorLoginDoesNotExists=User with login %s could not be found. ErrorLoginHasNoEmail=This user has no email address. Process aborted. ErrorBadValueForCode=Bad value for security code. Try again with new value... ErrorBothFieldCantBeNegative=Fields %s and %s can't be both negative -ErrorFieldCantBeNegativeOnInvoice=Field %s cannot be negative on this type of invoice. If you want to add a discount line, just create the discount first with link %s on screen and apply it to the invoice. You can also ask your admin to set option FACTURE_ENABLE_NEGATIVE_LINES to 1 to allow the old behaviour. +ErrorFieldCantBeNegativeOnInvoice=Field %s cannot be negative on this type of invoice. If you need to add a discount line, just create the discount first (from field '%s' in thirdparty card) and apply it to the invoice. You can also ask your admin to set option FACTURE_ENABLE_NEGATIVE_LINES to 1 to allow the old behaviour. +ErrorLinesCantBeNegativeOnDeposits=Lines can't be negative in a deposit. You will face problems when you will need to consume the deposit in final invoice if you do so. ErrorQtyForCustomerInvoiceCantBeNegative=Quantity for line into customer invoices can't be negative ErrorWebServerUserHasNotPermission=User account %s used to execute web server has no permission for that ErrorNoActivatedBarcode=No barcode type activated From 6a958dd45b9fbb0a47c2254253344526408edace Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Jan 2020 18:51:37 +0100 Subject: [PATCH 08/11] FIX XSS vulnerability in description of list of audit events. --- htdocs/admin/tools/listevents.php | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index d508afe63d2..29f3f8fc7fb 100644 --- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php 
@@ -199,9 +199,9 @@ if ($result) $i = 0; $param=''; - if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; - if ($optioncss != '') $param.='&optioncss='.$optioncss; + if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit); + if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss); if ($search_code) $param.='&search_code='.urlencode($search_code); if ($search_ip) $param.='&search_ip='.urlencode($search_ip); if ($search_user) $param.='&search_user='.urlencode($search_user); @@ -303,18 +303,19 @@ if ($result) // Description print ''; $text=$langs->trans($obj->description); + $reg = array(); if (preg_match('/\((.*)\)(.*)/i', $obj->description, $reg)) { $val=explode(',', $reg[1]); $text=$langs->trans($val[0], isset($val[1])?$val[1]:'', isset($val[2])?$val[2]:'', isset($val[3])?$val[3]:'', isset($val[4])?$val[4]:''); if (! empty($reg[2])) $text.=$reg[2]; } - print $text; + print dol_string_nohtmltag($text); print ''; // More informations print ''; - $htmltext=''.$langs->trans("UserAgent").': '.($obj->user_agent?$obj->user_agent:$langs->trans("Unknown")); + $htmltext=''.$langs->trans("UserAgent").': '.($obj->user_agent ? dol_string_nohtmltag($obj->user_agent) : $langs->trans("Unknown")); print $form->textwithpicto('', $htmltext); print ''; From 041d5aeb463b9638a11ec3b0f477c104aa6b43cb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Jan 2020 18:55:22 +0100 Subject: [PATCH 09/11] FIX XSS vulnerability in description of list of audit events. --- htdocs/admin/tools/listevents.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index 29f3f8fc7fb..39699d4240b 100644 
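Review bot: In the `@@ -303` hunk the user-agent line uses `dol_string_nohtmltag($obj->user_agent)`, which strips tags but does not encode quotes or entities, while `$htmltext` is handed to `$form->textwithpicto()` as tooltip markup; the user agent is a client-chosen request header persisted in the audit table, so encoding it with `dol_escape_htmltag($obj->user_agent)` is the more robust choice for that context. The follow-up `[PATCH 09/11]` makes exactly that switch for `print dol_escape_htmltag($text);` but leaves the user-agent line on the stripping function, so the two outputs in the same cell are treated differently. Initialising `$reg = array();` before the `preg_match` and `urlencode()`-ing the three pagination parameters in the `@@ -199` hunk are fine as they stand; the enclosing `if ($result)` loop starts and ends outside both hunks.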
--- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php @@ -310,7 +310,7 @@ if ($result) $text=$langs->trans($val[0], isset($val[1])?$val[1]:'', isset($val[2])?$val[2]:'', isset($val[3])?$val[3]:'', isset($val[4])?$val[4]:''); if (! empty($reg[2])) $text.=$reg[2]; } - print dol_string_nohtmltag($text); + print dol_escape_htmltag($text); print ''; // More informations From d6bdbccf4f342fe3bc9cfb9e4cbcd2ab431dcd7e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Jan 2020 19:33:57 +0100 Subject: [PATCH 10/11] Fix link --- htdocs/compta/bank/releve.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/compta/bank/releve.php b/htdocs/compta/bank/releve.php index c236266ce96..75e72dfd0a4 100644 --- a/htdocs/compta/bank/releve.php +++ b/htdocs/compta/bank/releve.php @@ -444,12 +444,11 @@ else // Date de valeur print ''; print dol_print_date($db->jdate($objp->dv), "day").' '; - print ''; + print ''; print img_edit_remove()." "; - print ''; + print ''; print img_edit_add().""; print "\n"; - print ''; // Type and num if ($objp->fk_type == 'SOLD') { @@ -466,7 +465,8 @@ else print ''.$type_label.' '.($objp->num_chq ? $objp->num_chq : '').$link.''; // Description - print ''; + print ''; + print ''; $reg = array(); preg_match('/\((.+)\)/i', $objp->label, $reg); // Si texte entoure de parenthese on tente recherche de traduction if ($reg[1] && $langs->trans($reg[1]) != $reg[1]) print $langs->trans($reg[1]); From 19ab802aafde2854f4065372e4eebbf86c6e3da2 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 19 Jan 2020 19:48:19 +0100 Subject: [PATCH 11/11] Fix disabling of balance --- htdocs/compta/bank/bankentries_list.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php index 74e9cebfe79..e56b514f7a9 100644 --- a/htdocs/compta/bank/bankentries_list.php 
+++ b/htdocs/compta/bank/bankentries_list.php @@ -573,11 +573,13 @@ if ($page >= $nbtotalofpages) if (empty($search_account)) $mode_balance_ok = false; // If a search is done $mode_balance_ok=false if (!empty($search_ref)) $mode_balance_ok = false; -if (!empty($req_nb)) $mode_balance_ok = false; +if (!empty($search_description)) $mode_balance_ok = false; if (!empty($search_type)) $mode_balance_ok = false; -if (!empty($debit)) $mode_balance_ok = false; -if (!empty($credit)) $mode_balance_ok = false; -if (!empty($thirdparty)) $mode_balance_ok = false; +if (!empty($search_debit)) $mode_balance_ok = false; +if (!empty($search_credit)) $mode_balance_ok = false; +if (!empty($search_thirdparty)) $mode_balance_ok = false; +if (!empty($search_conciliated)) $mode_balance_ok = false; +if (!empty($search_num_releve)) $mode_balance_ok = false; $sql .= $db->plimit($limit + 1, $offset); //print $sql;
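Review bot: The new `if (!empty($search_debit)) $mode_balance_ok = false;` and the matching `$search_credit` line treat a filter value of `0` or `"0"` as "no filter", because `empty()` is false-y for those, so a search for a zero amount would keep the running balance enabled on a filtered list (how these variables are read from the request is outside the hunk, so confirm what an unset filter looks like). If `''` is the unset value, `$search_debit !== ''` states the intent precisely; the same consideration applies to `$search_num_releve` if statement numbers can be `0`. A one-line comment above the block, `// Any active filter makes the running balance meaningless`, would document why every new search field must be added here.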