diff --git a/htdocs/accountancy/tpl/export_journal.tpl.php b/htdocs/accountancy/tpl/export_journal.tpl.php index b5b6920e853..d9d158607b6 100644 --- a/htdocs/accountancy/tpl/export_journal.tpl.php +++ b/htdocs/accountancy/tpl/export_journal.tpl.php @@ -15,6 +15,15 @@ * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $prefix = $conf->global->ACCOUNTING_EXPORT_PREFIX_SPEC; $format = $conf->global->ACCOUNTING_EXPORT_FORMAT; $nodateexport = $conf->global->ACCOUNTING_EXPORT_NO_DATE_IN_FILENAME; diff --git a/htdocs/adherents/canvas/default/tpl/adherentcard_create.tpl.php b/htdocs/adherents/canvas/default/tpl/adherentcard_create.tpl.php index f0a50e2e9ba..81f34706966 100644 --- a/htdocs/adherents/canvas/default/tpl/adherentcard_create.tpl.php +++ b/htdocs/adherents/canvas/default/tpl/adherentcard_create.tpl.php @@ -14,8 +14,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/adherents/canvas/default/tpl/adherentcard_edit.tpl.php b/htdocs/adherents/canvas/default/tpl/adherentcard_edit.tpl.php index 8f3af3fe8df..4a699b75a22 100644 --- a/htdocs/adherents/canvas/default/tpl/adherentcard_edit.tpl.php +++ b/htdocs/adherents/canvas/default/tpl/adherentcard_edit.tpl.php 
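Review bot: The guard added ahead of `$prefix = $conf->global->...` answers a direct request with HTTP 200 and a plain-text body, so scanners and uptime checks see the template as a valid page; send an error status before the message, e.g. `header('HTTP/1.1 403 Forbidden');` immediately before the `print`. The same block is pasted into every `*.tpl.php` hunk of this commit (the adherents and contact canvas templates, cashdesk/*, core/tpl/*, the linkedobjectblock.tpl.php variants, modulebuilder and product canvas templates), so the status line belongs in all of them, or the guard should move into one shared snippet each template includes. The check only holds because PHP no longer maps request parameters onto globals (register_globals was removed in 5.4); the `! is_object($conf)` half is what keeps it safe should a scalar or array named `conf` ever reach the global scope, so keep both halves when copying it.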
@@ -14,9 +14,16 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $contact = $GLOBALS['objcanvas']->control->object; ?> diff --git a/htdocs/adherents/canvas/default/tpl/adherentcard_view.tpl.php b/htdocs/adherents/canvas/default/tpl/adherentcard_view.tpl.php index e426429ae05..f19ba96c167 100644 --- a/htdocs/adherents/canvas/default/tpl/adherentcard_view.tpl.php +++ b/htdocs/adherents/canvas/default/tpl/adherentcard_view.tpl.php @@ -14,10 +14,18 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $contact = $GLOBALS['objcanvas']->control->object; + ?> diff --git a/htdocs/adherents/subscription/info.php b/htdocs/adherents/subscription/info.php index c83771d22ff..05856c35f75 100644 --- a/htdocs/adherents/subscription/info.php +++ b/htdocs/adherents/subscription/info.php @@ -36,7 +36,7 @@ $langs->load("users"); if (!$user->rights->adherent->lire) accessforbidden(); -$rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"]; +$rowid=GETPOST("rowid",'int'); @@ -44,10 +44,10 @@ $rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"]; * View */ -llxHeader(); - $form = new Form($db); +llxHeader(); + $object = new Subscription($db); $result = $object->fetch($rowid); diff --git a/htdocs/adherents/tpl/linkedobjectblock.tpl.php b/htdocs/adherents/tpl/linkedobjectblock.tpl.php index 19324812beb..118f51a1a89 100644 --- a/htdocs/adherents/tpl/linkedobjectblock.tpl.php +++ b/htdocs/adherents/tpl/linkedobjectblock.tpl.php 
@@ -15,8 +15,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -33,7 +40,7 @@ $var=true; $total=0; foreach($linkedObjectBlock as $key => $objectlink) { - + ?> > trans("Subscription"); ?> diff --git a/htdocs/cashdesk/tpl/facturation1.tpl.php b/htdocs/cashdesk/tpl/facturation1.tpl.php index 3f0a0f4c371..aed83d641f3 100644 --- a/htdocs/cashdesk/tpl/facturation1.tpl.php +++ b/htdocs/cashdesk/tpl/facturation1.tpl.php @@ -19,6 +19,14 @@ * */ +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("main"); $langs->load("bills"); $langs->load("cashdesk"); diff --git a/htdocs/cashdesk/tpl/liste_articles.tpl.php b/htdocs/cashdesk/tpl/liste_articles.tpl.php index e4b6bc14436..65f48b0603c 100644 --- a/htdocs/cashdesk/tpl/liste_articles.tpl.php +++ b/htdocs/cashdesk/tpl/liste_articles.tpl.php @@ -17,6 +17,14 @@ * */ +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; diff --git a/htdocs/cashdesk/tpl/menu.tpl.php b/htdocs/cashdesk/tpl/menu.tpl.php index fd9bcbca77c..4197db6b1b0 100644 --- a/htdocs/cashdesk/tpl/menu.tpl.php +++ b/htdocs/cashdesk/tpl/menu.tpl.php 
@@ -19,6 +19,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + include_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; include_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; include_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; diff --git a/htdocs/cashdesk/tpl/ticket.tpl.php b/htdocs/cashdesk/tpl/ticket.tpl.php index 82b84ba3b56..3937c9dbde3 100644 --- a/htdocs/cashdesk/tpl/ticket.tpl.php +++ b/htdocs/cashdesk/tpl/ticket.tpl.php @@ -16,6 +16,15 @@ * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ + +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; $langs->load("main"); diff --git a/htdocs/cashdesk/tpl/validation1.tpl.php b/htdocs/cashdesk/tpl/validation1.tpl.php index bb3d63a9e58..2a390b99c65 100644 --- a/htdocs/cashdesk/tpl/validation1.tpl.php +++ b/htdocs/cashdesk/tpl/validation1.tpl.php @@ -16,6 +16,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("main"); $langs->load("bills"); $langs->load("banks"); diff --git a/htdocs/cashdesk/tpl/validation2.tpl.php b/htdocs/cashdesk/tpl/validation2.tpl.php index a6e2fe2a3f3..a9889451bda 100644 --- a/htdocs/cashdesk/tpl/validation2.tpl.php +++ b/htdocs/cashdesk/tpl/validation2.tpl.php 
@@ -17,6 +17,14 @@ * */ +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("main"); $langs->load("bills"); diff --git a/htdocs/comm/multiprix.php b/htdocs/comm/multiprix.php index 80c6305fcec..dd4e6cef1fa 100644 --- a/htdocs/comm/multiprix.php +++ b/htdocs/comm/multiprix.php @@ -30,7 +30,8 @@ require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; $langs->load("orders"); $langs->load("companies"); -$_socid = $_GET["id"]; +$id = GETPOST('id','int'); +$_socid = GETPOST("id",'int'); // Security check if ($user->societe_id > 0) { @@ -45,10 +46,10 @@ if ($user->societe_id > 0) if ($_POST["action"] == 'setpricelevel') { $soc = New Societe($db); - $soc->fetch($_GET["id"]); + $soc->fetch($id); $soc->set_price_level($_POST["price_level"],$user); - header("Location: multiprix.php?id=".$_GET["id"]); + header("Location: multiprix.php?id=".$id); exit; } @@ -87,7 +88,7 @@ if ($_socid > 0) print '
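Review bot: In multiprix.php `$soc->set_price_level($_POST["price_level"],$user)` and the `if ($_POST["action"] == 'setpricelevel')` test still read `$_POST` directly, so only the `id` parameter benefits from the `GETPOST(...,'int')` sanitisation this hunk introduces; change them to `$action = GETPOST('action','alpha');` and `$soc->set_price_level(GETPOST('price_level','int'), $user);`. The two new lines `$id = GETPOST('id','int');` and `$_socid = GETPOST("id",'int');` read the same parameter twice; keep `$id` and write `$_socid = $id;` so the security check below cannot diverge from the value passed to `fetch()`. The `header("Location: multiprix.php?id=".$id)` redirect is now built from an int-checked value, which is the right direction; the enclosing page logic continues outside the hunk.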
'; print ''; print ''; - + dol_fiche_head($head, $tabchoice, $langs->trans("ThirdParty"), 0, 'company'); print ''; @@ -122,12 +123,12 @@ if ($_socid > 0) print "
"; dol_fiche_end(); - + print '
'; print "
"; - + print '

'; diff --git a/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php b/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php index f797025a5de..cc8c6fe0547 100644 --- a/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php +++ b/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php @@ -22,6 +22,14 @@ * \ingroup propal * \brief Template to show objects linked to proposals */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -40,7 +48,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> @@ -71,7 +79,7 @@ if (count($linkedObjectBlock) > 1) - diff --git a/htdocs/commande/tpl/linkedobjectblock.tpl.php b/htdocs/commande/tpl/linkedobjectblock.tpl.php index 629cd3c0fb0..39479ba220b 100644 --- a/htdocs/commande/tpl/linkedobjectblock.tpl.php +++ b/htdocs/commande/tpl/linkedobjectblock.tpl.php @@ -15,8 +15,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -36,7 +43,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> @@ -76,7 +83,7 @@ if (count($linkedObjectBlock) > 1) - diff --git a/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php b/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php index 63c16afae15..ca3ec7c89c0 100644 --- a/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php 
+++ b/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php @@ -15,8 +15,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -36,7 +43,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> @@ -54,7 +61,7 @@ foreach($linkedObjectBlock as $key => $objectlink) $total = $total + $sign * $objectlink->total_ht; echo price($objectlink->total_ht); } - else + else { echo ''.price($objectlink->total_ht).''; } @@ -76,7 +83,7 @@ if (count($linkedObjectBlock) > 1) - diff --git a/htdocs/compta/facture/tpl/linkedobjectblockForRec.tpl.php b/htdocs/compta/facture/tpl/linkedobjectblockForRec.tpl.php index 44d5ec2ced5..e0f132e2ad5 100644 --- a/htdocs/compta/facture/tpl/linkedobjectblockForRec.tpl.php +++ b/htdocs/compta/facture/tpl/linkedobjectblockForRec.tpl.php @@ -15,8 +15,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/contact/canvas/default/tpl/contactcard_create.tpl.php b/htdocs/contact/canvas/default/tpl/contactcard_create.tpl.php index fbd1d1909a8..1561f046845 100644 --- a/htdocs/contact/canvas/default/tpl/contactcard_create.tpl.php +++ b/htdocs/contact/canvas/default/tpl/contactcard_create.tpl.php 
@@ -13,8 +13,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/contact/canvas/default/tpl/contactcard_edit.tpl.php b/htdocs/contact/canvas/default/tpl/contactcard_edit.tpl.php index 56e91894cdd..1eaccff5a1f 100644 --- a/htdocs/contact/canvas/default/tpl/contactcard_edit.tpl.php +++ b/htdocs/contact/canvas/default/tpl/contactcard_edit.tpl.php @@ -13,9 +13,16 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $contact = $GLOBALS['objcanvas']->control->object; ?> diff --git a/htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php b/htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php index 5dc1c12808f..6041e7c3e2c 100644 --- a/htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php +++ b/htdocs/contact/canvas/default/tpl/contactcard_view.tpl.php @@ -13,9 +13,16 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $contact = $GLOBALS['objcanvas']->control->object; ?> diff --git a/htdocs/contrat/tpl/linkedobjectblock.tpl.php b/htdocs/contrat/tpl/linkedobjectblock.tpl.php index 271878b84e2..e0b76ba689b 100644 --- a/htdocs/contrat/tpl/linkedobjectblock.tpl.php +++ b/htdocs/contrat/tpl/linkedobjectblock.tpl.php 
@@ -14,6 +14,14 @@ * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/core/actions_builddoc.inc.php b/htdocs/core/actions_builddoc.inc.php index dd996f83f57..ff7a89484fa 100644 --- a/htdocs/core/actions_builddoc.inc.php +++ b/htdocs/core/actions_builddoc.inc.php @@ -91,13 +91,15 @@ if ($action == 'builddoc' && $permissioncreate) } else { - if (empty($donotredirect)) // This is use when include is done by bulk action "Bill Orders" + if (empty($donotredirect)) // This is set when include is done by bulk action "Bill Orders" { setEventMessages($langs->trans("FileGenerated"), null); - $redirecturl = $_SERVER['REQUEST_URI']; - $redirecturl = preg_replace('/&?action=builddoc/', '', $redirecturl); // Remove action=builddoc parameter to avoid infinite loop - header('Location: '.$redirecturl.'#builddoc'); + $urltoredirect = $_SERVER['REQUEST_URI']; + $urltoredirect = preg_replace('/#builddoc$/', '', $urltoredirect); + $urltoredirect = preg_replace('/action=builddoc&?/', '', $urltoredirect); // To avoid infinite loop + + header('Location: '.$urltoredirect.'#builddoc'); exit; } } diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index a7cfbe2b435..bba38e459c4 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -190,7 +190,7 @@ class Form $morealt=' style="width: '.$cols.'"'; $cols=''; } - $ret.=''; + $ret.=''; } else if ($typeofdata == 'day' || $typeofdata == 'datepicker') { diff --git a/htdocs/core/tpl/admin_extrafields_add.tpl.php b/htdocs/core/tpl/admin_extrafields_add.tpl.php index ec25a82b7f1..fdf2f722932 100644 --- a/htdocs/core/tpl/admin_extrafields_add.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_add.tpl.php 
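Review bot: In actions_builddoc.inc.php the line `$urltoredirect = preg_replace('/#builddoc$/', '', $urltoredirect);` is a no-op: user agents never transmit the fragment, so `$_SERVER['REQUEST_URI']` cannot end in `#builddoc`; drop it rather than leave a reader thinking it does something. The second pattern `/action=builddoc&?/` is unanchored and would also strip the tail of a different parameter such as `subaction=builddoc`; match the parameter boundary instead, `preg_replace('/(^|[?&])action=builddoc(&|$)/', '$1', $urltoredirect)`, which still removes the trailing separator. The redirect target is derived from the request's own URI, so it stays on the same host, and PHP refuses header values containing newlines, so no header injection arises here; the `if ($action == 'builddoc' && $permissioncreate)` block starts outside the hunk.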
@@ -26,6 +26,14 @@ * $elementtype */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("modulebuilder"); ?> @@ -106,7 +114,7 @@ $langs->load("modulebuilder"); { required.removeAttr('checked').prop('disabled', true); alwayseditable.removeAttr('checked').prop('disabled', true); list.removeAttr('checked').prop('disabled', true); jQuery('#size, #default_value, #langfile').val('').prop('disabled', true); - jQuery('#list').val(3); + jQuery('#list').val(3); // visible on create/update/view form only } else { diff --git a/htdocs/core/tpl/admin_extrafields_edit.tpl.php b/htdocs/core/tpl/admin_extrafields_edit.tpl.php index 2d10df38cb1..89289fac150 100644 --- a/htdocs/core/tpl/admin_extrafields_edit.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_edit.tpl.php @@ -25,6 +25,14 @@ * $elementtype */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("modulebuilder"); ?> @@ -101,7 +109,7 @@ $langs->load("modulebuilder"); { required.removeAttr('checked').prop('disabled', true); alwayseditable.removeAttr('checked').prop('disabled', true); list.removeAttr('checked').prop('disabled', true); jQuery('#size, #default_value, #langfile').val('').prop('disabled', true); - jQuery('#list').val(3); + jQuery('#list').val(3); // visible on create/update/view form only } else { diff --git a/htdocs/core/tpl/admin_extrafields_view.tpl.php b/htdocs/core/tpl/admin_extrafields_view.tpl.php index e9f880e2696..6ab7fecbf10 100644 --- a/htdocs/core/tpl/admin_extrafields_view.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_view.tpl.php 
@@ -23,6 +23,14 @@ * $elementtype */ +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("modulebuilder"); ?> @@ -53,7 +61,6 @@ print ''.$langs->trans("ComputedFormula").''; print ''.$langs->trans("Required").''; print ''.$langs->trans("AlwaysEditable").''; print ''.$form->textwithpicto($langs->trans("Visible"), $langs->trans("VisibleDesc")).''; -if (! empty($conf->global->MAIN_CAN_HIDE_EXTRAFIELDS)) print ''.$langs->trans("Hidden").''; if ($conf->multicompany->enabled) { print ''.$langs->trans("Entities").''; } @@ -92,7 +99,6 @@ if (count($extrafields->attributes[$elementtype]['type'])) else { $colspan=9; - if (! empty($conf->global->MAIN_CAN_HIDE_EXTRAFIELDS)) $colspan++; print ''; print ''; diff --git a/htdocs/core/tpl/ajax/fileupload_main.tpl.php b/htdocs/core/tpl/ajax/fileupload_main.tpl.php index 034e9ebc3fc..93f0826e160 100644 --- a/htdocs/core/tpl/ajax/fileupload_main.tpl.php +++ b/htdocs/core/tpl/ajax/fileupload_main.tpl.php @@ -13,8 +13,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/core/tpl/ajax/fileupload_view.tpl.php b/htdocs/core/tpl/ajax/fileupload_view.tpl.php index 0c048933473..482a3aef8e4 100644 --- a/htdocs/core/tpl/ajax/fileupload_view.tpl.php +++ b/htdocs/core/tpl/ajax/fileupload_view.tpl.php @@ -13,8 +13,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> 
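Review bot: The guard in admin_extrafields_view.tpl.php tests `$langs`, but the template dereferences `$conf` a few lines later (`if ($conf->multicompany->enabled)` is visible in this section's context), so a caller that provides `$langs` without `$conf` passes the guard and then fails on a null object; the other templates in this commit check `$conf`, and this one should match them: `if (empty($conf) || ! is_object($conf))`. The same `$langs`-based variant appears in the cashdesk templates and in `document_actions_post_headers.tpl.php`, where `$conf` would likewise be the safer sentinel since every included template runs with it set.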
diff --git a/htdocs/core/tpl/ajaxrow.tpl.php b/htdocs/core/tpl/ajaxrow.tpl.php index 49d69d6afcb..a75ed1846ff 100644 --- a/htdocs/core/tpl/ajaxrow.tpl.php +++ b/htdocs/core/tpl/ajaxrow.tpl.php @@ -19,6 +19,14 @@ * You can use this if you want to be abale to drag and drop rows of a table. * You must add id="tablelines" on table level tag and have ($nboflines or count($object->lines) or count($taskarray) > 0) */ + +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/core/tpl/bloc_showhide.tpl.php b/htdocs/core/tpl/bloc_showhide.tpl.php index 80b928815cb..2fe6204f3b9 100644 --- a/htdocs/core/tpl/bloc_showhide.tpl.php +++ b/htdocs/core/tpl/bloc_showhide.tpl.php @@ -16,6 +16,13 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($blocname)) +{ + print "Error, template page can't be called as URL"; + exit; +} + $hide = true; // Hide by default if (isset($parameters['showblocbydefault'])) $hide=(empty($parameters['showblocbydefault']) ? true : false); if (isset($object->extraparams[$blocname]['showhide'])) $hide = (empty($object->extraparams[$blocname]['showhide']) ? true : false); diff --git a/htdocs/core/tpl/contacts.tpl.php b/htdocs/core/tpl/contacts.tpl.php index c7b3ea7342f..27d57d3e48a 100644 --- a/htdocs/core/tpl/contacts.tpl.php +++ b/htdocs/core/tpl/contacts.tpl.php @@ -21,6 +21,14 @@ * $withproject (if we are on task contact) */ +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; 
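Review bot: The guard `if (empty($object) || ! is_object($object))` in ajaxrow.tpl.php contradicts the header comment directly above it, which says the template may be driven by `$nboflines` or `count($taskarray)` instead of `count($object->lines)`; a caller using either of those without an `$object` now gets the "can't be called as URL" message and an `exit`. Test the variable every legitimate caller has, `if (empty($conf) || ! is_object($conf))`, as the other templates in this commit do. bloc_showhide.tpl.php has the same shape of problem: `if (empty($blocname))` turns an empty `$blocname` passed by a caller into an exit with a misleading message, and `$conf` would be the better sentinel there as well.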
diff --git a/htdocs/core/tpl/document_actions_post_headers.tpl.php b/htdocs/core/tpl/document_actions_post_headers.tpl.php index 10650364543..f50dc62fb9b 100644 --- a/htdocs/core/tpl/document_actions_post_headers.tpl.php +++ b/htdocs/core/tpl/document_actions_post_headers.tpl.php @@ -24,6 +24,14 @@ // $modulepart = for download // $param = param to add to download links +// Protection to avoid direct call of template +if (empty($langs) || ! is_object($langs)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $langs->load("link"); if (empty($relativepathwithnofile)) $relativepathwithnofile=''; if (empty($permtoedit)) $permtoedit=-1; diff --git a/htdocs/core/tpl/extrafields_view.tpl.php b/htdocs/core/tpl/extrafields_view.tpl.php index 589a7b56e0e..e01848e458d 100644 --- a/htdocs/core/tpl/extrafields_view.tpl.php +++ b/htdocs/core/tpl/extrafields_view.tpl.php @@ -24,6 +24,14 @@ * $parameters * $cols */ + +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> array('js'=>..., 'table'=>...); +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + header('Cache-Control: Public, must-revalidate'); header("Content-type: text/html; charset=".$conf->file->character_set_client); diff --git a/htdocs/core/tpl/notes.tpl.php b/htdocs/core/tpl/notes.tpl.php index 0d1a0a79339..f22b25c88a5 100644 --- a/htdocs/core/tpl/notes.tpl.php +++ b/htdocs/core/tpl/notes.tpl.php 
@@ -17,6 +17,13 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + // $permissionnote must be defined by caller. For example $permissionnote=$user->rights->module->create // $cssclass must be defined by caller. For example $cssclass='fieldtitle" $module = $object->element; diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php index 27f5aa715d8..02d55057a84 100644 --- a/htdocs/core/tpl/objectline_create.tpl.php +++ b/htdocs/core/tpl/objectline_create.tpl.php @@ -30,6 +30,13 @@ * $inputalsopricewithtax (0 by default, 1 to also show column with unit price including tax) */ +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + $usemargins=0; if (! empty($conf->margin->enabled) && ! empty($object->element) && in_array($object->element,array('facture','propal','commande'))) diff --git a/htdocs/core/tpl/objectline_edit.tpl.php b/htdocs/core/tpl/objectline_edit.tpl.php index 7cbd31e1f2e..67adba3a2ae 100644 --- a/htdocs/core/tpl/objectline_edit.tpl.php +++ b/htdocs/core/tpl/objectline_edit.tpl.php @@ -30,6 +30,13 @@ * $inputalsopricewithtax (0 by default, 1 to also show column with unit price including tax) */ +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + $usemargins=0; if (! empty($conf->margin->enabled) && ! empty($object->element) && in_array($object->element,array('facture','propal','commande'))) $usemargins=1; diff --git a/htdocs/core/tpl/objectline_view.tpl.php b/htdocs/core/tpl/objectline_view.tpl.php index 04452f6214a..8d5b13ece7c 100644 --- a/htdocs/core/tpl/objectline_view.tpl.php +++ b/htdocs/core/tpl/objectline_view.tpl.php 
@@ -37,6 +37,14 @@ * $type, $text, $description, $line */ +// Protection to avoid direct call of template +if (empty($object) || ! is_object($object)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + global $forceall, $senderissupplier, $inputalsopricewithtax, $outputalsopricetotalwithtax; $usemargins=0; diff --git a/htdocs/core/tpl/originproductline.tpl.php b/htdocs/core/tpl/originproductline.tpl.php index 2efc114cc1d..defcdb4fd72 100644 --- a/htdocs/core/tpl/originproductline.tpl.php +++ b/htdocs/core/tpl/originproductline.tpl.php @@ -14,8 +14,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php index 32b103c2057..55b0040ffef 100644 --- a/htdocs/core/tpl/passwordforgotten.tpl.php +++ b/htdocs/core/tpl/passwordforgotten.tpl.php @@ -16,6 +16,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + header('Cache-Control: Public, must-revalidate'); header("Content-type: text/html; charset=".$conf->file->character_set_client); diff --git a/htdocs/core/tpl/resource_add.tpl.php b/htdocs/core/tpl/resource_add.tpl.php index 28c42c85b71..af1d25aaee1 100644 --- a/htdocs/core/tpl/resource_add.tpl.php +++ b/htdocs/core/tpl/resource_add.tpl.php @@ -1,6 +1,14 @@ 0) foreach ($linked_resources as $linked_resource) { - + $object_resource = fetchObjectByElement($linked_resource['resource_id'],$linked_resource['resource_type']); - + //$element_id = $linked_resource['rowid']; - + if ($mode == 'edit' && $linked_resource['rowid'] == GETPOST('lineid')) { 
diff --git a/htdocs/ecm/tpl/enablefiletreeajax.tpl.php b/htdocs/ecm/tpl/enablefiletreeajax.tpl.php index cb21c7c2799..278cc8afe3e 100644 --- a/htdocs/ecm/tpl/enablefiletreeajax.tpl.php +++ b/htdocs/ecm/tpl/enablefiletreeajax.tpl.php @@ -16,6 +16,14 @@ * * Output javascript for interactions code of ecm module */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> diff --git a/htdocs/expedition/tpl/linkedobjectblock.tpl.php b/htdocs/expedition/tpl/linkedobjectblock.tpl.php index b55654f4786..88811da2eab 100644 --- a/htdocs/expedition/tpl/linkedobjectblock.tpl.php +++ b/htdocs/expedition/tpl/linkedobjectblock.tpl.php @@ -14,8 +14,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -34,7 +41,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> @@ -73,7 +80,7 @@ if (count($linkedObjectBlock) > 1) - diff --git a/htdocs/expensereport/tpl/linkedobjectblock.tpl.php b/htdocs/expensereport/tpl/linkedobjectblock.tpl.php index 7fec53bf3d8..95894a8987e 100644 --- a/htdocs/expensereport/tpl/linkedobjectblock.tpl.php +++ b/htdocs/expensereport/tpl/linkedobjectblock.tpl.php @@ -15,8 +15,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> 
@@ -32,7 +39,7 @@ $var=true; $total=0; foreach($linkedObjectBlock as $key => $objectlink) { - + ?> > trans("ExpenseReport"); ?> diff --git a/htdocs/fichinter/tpl/linkedobjectblock.tpl.php b/htdocs/fichinter/tpl/linkedobjectblock.tpl.php index 455f383fd4a..5d180f0aa82 100644 --- a/htdocs/fichinter/tpl/linkedobjectblock.tpl.php +++ b/htdocs/fichinter/tpl/linkedobjectblock.tpl.php @@ -13,8 +13,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -33,7 +40,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> diff --git a/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php b/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php index 232d12fad3d..113115f9ff8 100644 --- a/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php +++ b/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php @@ -14,8 +14,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -35,7 +42,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> @@ -66,7 +73,7 @@ if (count($linkedObjectBlock) > 1) - 
diff --git a/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php b/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php index e8154cd8259..ce72f5be42e 100644 --- a/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php +++ b/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php @@ -17,6 +17,14 @@ * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -36,7 +44,7 @@ $var=true; foreach($linkedObjectBlock as $key => $objectlink) { $ilink++; - + $trclass=($var?'pair':'impair'); if ($ilink == count($linkedObjectBlock) && empty($noMoreLinkedObjectBlockAfter) && count($linkedObjectBlock) <= 1) $trclass.=' liste_sub_total'; ?> @@ -54,7 +62,7 @@ foreach($linkedObjectBlock as $key => $objectlink) $total = $total + $sign * $objectlink->total_ht; echo price($objectlink->total_ht); } - else + else { echo ''.price($objectlink->total_ht).''; } @@ -62,7 +70,7 @@ foreach($linkedObjectBlock as $key => $objectlink) getLibStatut(3); ?> ">transnoentitiesnoconv("RemoveLink")); ?> - 1) { @@ -76,7 +84,7 @@ if (count($linkedObjectBlock) > 1) - diff --git a/htdocs/fourn/index.php b/htdocs/fourn/index.php index 690835a5e99..8f34077ab34 100644 --- a/htdocs/fourn/index.php +++ b/htdocs/fourn/index.php @@ -33,7 +33,7 @@ $langs->load("orders"); $langs->load("companies"); // Security check -$socid = isset($_GET["socid"])?$_GET["socid"]:''; +$socid = GETPOST("socid", 'int'); if ($user->societe_id) $socid=$user->societe_id; $result = restrictedArea($user, 'societe',$socid,''); @@ -81,7 +81,7 @@ if ($resql) while ($i < $num) { $row = $db->fetch_row($resql); - + print ''; print ''.$langs->trans($commande->statuts[$row[1]]).''; 
@@ -132,7 +132,7 @@ if (! empty($conf->fournisseur->enabled)) $var = true; while ($i < $num) { - + $obj = $db->fetch_object($resql); print ''; $commandestatic->id=$obj->rowid; @@ -151,7 +151,7 @@ if (! empty($conf->fournisseur->enabled)) } if ($total>0) { - + print ''.$langs->trans("Total").''.price($total).""; } print ""; @@ -190,7 +190,7 @@ if (! empty($conf->fournisseur->enabled) && $user->rights->fournisseur->facture- while ($i < $num && $i < 20) { $obj = $db->fetch_object($resql); - + print ''; $facturestatic->ref=$obj->ref; $facturestatic->id=$obj->rowid; @@ -263,7 +263,7 @@ if ($resql) while ($obj = $db->fetch_object($resql) ) { - + print ''; print ''.img_object($langs->trans("ShowSupplier"),"company").''; @@ -300,7 +300,7 @@ if (count($companystatic->SupplierCategories)) foreach ($companystatic->SupplierCategories as $rowid => $label) { - + print "\n"; print ''; $categstatic->id=$rowid; diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d8c1c29c209..07779a02392 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -81,6 +81,7 @@ function test_sql_and_script_inject($val, $type) // For SQL Injection (only GET are used to be included into bad escaped SQL requests) if ($type == 1) { + $inj += preg_match('/updatexml\(/i', $val); $inj += preg_match('/delete\s+from/i', $val); $inj += preg_match('/create\s+table/i', $val); $inj += preg_match('/insert\s+into/i', $val); diff --git a/htdocs/modulebuilder/template/core/tpl/mytemplate.tpl.php b/htdocs/modulebuilder/template/core/tpl/mytemplate.tpl.php index 9d399c44e85..3684ded0092 100644 --- a/htdocs/modulebuilder/template/core/tpl/mytemplate.tpl.php +++ b/htdocs/modulebuilder/template/core/tpl/mytemplate.tpl.php @@ -23,5 +23,13 @@ * Put detailed description here. */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + /** Your code here. */ echo "Hello world!"; 
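Review bot: The new `updatexml\(` pattern in test_sql_and_script_inject() is bypassed by any whitespace between the function name and the parenthesis — MySQL accepts `updatexml (1,...)` because UPDATEXML is not among the functions whose spacing depends on IGNORE_SPACE, if memory serves — so the regex should tolerate that: `$inj += preg_match('/updatexml\s*\(/i', $val);`. Its error-based companion `extractvalue(` serves the same XPath-error exfiltration and is not in the list; add `$inj += preg_match('/extractvalue\s*\(/i', $val);` alongside it. An inline comment between name and parenthesis (`updatexml/**/(`) is a further gap that a `\s*` alone does not close. This blacklist only runs on GET values (`$type == 1`) and should be treated as defence in depth, not a substitute for the per-parameter filtering done elsewhere in this commit. test_sql_and_script_inject's body continues outside the hunk.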
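Review bot: In modulebuilder/template/core/tpl/mytemplate.tpl.php the guard is what every generated module will inherit, yet it does not say why `$conf` is the sentinel, so a module author who builds their own config object will not know what breaks; add above it `// $conf is set by the bootstrap of the calling page; if it is missing, this file was requested directly as a URL.` Presumably main.inc.php is where `$conf` is created, as the rest of this diff touches that file, so confirm the wording against the actual bootstrap before committing it.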
diff --git a/htdocs/product/canvas/product/tpl/card_create.tpl.php b/htdocs/product/canvas/product/tpl/card_create.tpl.php index 514c5d213d5..e763605f701 100644 --- a/htdocs/product/canvas/product/tpl/card_create.tpl.php +++ b/htdocs/product/canvas/product/tpl/card_create.tpl.php @@ -15,6 +15,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $object=$GLOBALS['object']; $statutarray=array('1' => $langs->trans("OnSell"), '0' => $langs->trans("NotOnSell")); diff --git a/htdocs/product/canvas/product/tpl/card_edit.tpl.php b/htdocs/product/canvas/product/tpl/card_edit.tpl.php index 686ad7217b7..c64c5dbe1e4 100644 --- a/htdocs/product/canvas/product/tpl/card_edit.tpl.php +++ b/htdocs/product/canvas/product/tpl/card_edit.tpl.php @@ -15,6 +15,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $object=$GLOBALS['object']; $statutarray=array('1' => $langs->trans("OnSell"), '0' => $langs->trans("NotOnSell")); diff --git a/htdocs/product/canvas/product/tpl/card_view.tpl.php b/htdocs/product/canvas/product/tpl/card_view.tpl.php index 771005781cd..44b1f96203b 100644 --- a/htdocs/product/canvas/product/tpl/card_view.tpl.php +++ b/htdocs/product/canvas/product/tpl/card_view.tpl.php @@ -15,6 +15,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $object=$GLOBALS['object']; ?> diff --git a/htdocs/product/canvas/product/tpl/list.tpl.php b/htdocs/product/canvas/product/tpl/list.tpl.php index db7cac7e51c..e5c315e8148 100644 --- a/htdocs/product/canvas/product/tpl/list.tpl.php 
+++ b/htdocs/product/canvas/product/tpl/list.tpl.php @@ -13,8 +13,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -69,7 +76,7 @@ if ($searchfield['enabled']) { if ($searchfield['search']) { ?> - '; $searchpicto=$form->showFilterAndCheckAddButtons(0); print $searchpicto; diff --git a/htdocs/product/canvas/service/tpl/card_create.tpl.php b/htdocs/product/canvas/service/tpl/card_create.tpl.php index e25f69d8848..46db54d63b8 100644 --- a/htdocs/product/canvas/service/tpl/card_create.tpl.php +++ b/htdocs/product/canvas/service/tpl/card_create.tpl.php @@ -13,9 +13,16 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $object=$GLOBALS['object']; $statutarray=array('1' => $langs->trans("OnSell"), '0' => $langs->trans("NotOnSell")); diff --git a/htdocs/product/canvas/service/tpl/card_edit.tpl.php b/htdocs/product/canvas/service/tpl/card_edit.tpl.php index 27348b7820d..06d1b3ff612 100644 --- a/htdocs/product/canvas/service/tpl/card_edit.tpl.php +++ b/htdocs/product/canvas/service/tpl/card_edit.tpl.php @@ -15,6 +15,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $object=$GLOBALS['object']; $statutarray=array('1' => $langs->trans("OnSell"), '0' => $langs->trans("NotOnSell")); diff --git a/htdocs/product/canvas/service/tpl/card_view.tpl.php b/htdocs/product/canvas/service/tpl/card_view.tpl.php index fd5d9ad73bf..fc129132dee 100644 
--- a/htdocs/product/canvas/service/tpl/card_view.tpl.php +++ b/htdocs/product/canvas/service/tpl/card_view.tpl.php @@ -15,6 +15,14 @@ * along with this program. If not, see . */ +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + + $object=$GLOBALS['object']; ?> diff --git a/htdocs/product/canvas/service/tpl/list.tpl.php b/htdocs/product/canvas/service/tpl/list.tpl.php index ee2a894de98..9951c71fcc3 100644 --- a/htdocs/product/canvas/service/tpl/list.tpl.php +++ b/htdocs/product/canvas/service/tpl/list.tpl.php @@ -13,8 +13,15 @@ * * You should have received a copy of the GNU General Public License * along with this program. If not, see . - * */ + +// Protection to avoid direct call of template +if (empty($conf) || ! is_object($conf)) +{ + print "Error, template page can't be called as URL"; + exit; +} + ?> @@ -69,7 +76,7 @@ if ($searchfield['enabled']) { if ($searchfield['search']) { ?> - '; $searchpicto=$form->showFilterAndCheckAddButtons(0); print $searchpicto; diff --git a/htdocs/product/inventory/tpl/inventory.tpl.php b/htdocs/product/inventory/tpl/inventory.tpl.php index c09328c3363..1946e63918d 100644 --- a/htdocs/product/inventory/tpl/inventory.tpl.php +++ b/htdocs/product/inventory/tpl/inventory.tpl.php @@ -1,3 +1,13 @@ +