FIX #yogosha11755

Laurent Destailleur 2022-07-11 20:18:03 +02:00
parent 1cbeaf6ac0
commit f0090ef928
9 changed files with 49 additions and 36 deletions


@ -157,6 +157,10 @@ if (!empty($tag) && ($unsuscrib == '1')) {
header("Content-type: text/html; charset=".$conf->file->character_set_client);
// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
print "\n";
print "<html>\n";
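Review bot: The comment on the new `X-Frame-Options` line at L15 attributes the header to XSS, but `SAMEORIGIN` only restricts which pages may frame this one, so it mitigates clickjacking and has no effect on script injection; the same wording is copied into the other files of this commit (hunks ending at L95, L111, L123, L148 and L164). Suggest `header("X-Frame-Options: SAMEORIGIN"); // Allow framing only by same-origin pages (mitigates clickjacking, not XSS)`. Since the identical three-line block is now duplicated across six files, a shared helper would keep them in step (Dolibarr's `top_httphead()` already emits these headers, if it is usable on these public pages), and the modern equivalent `Content-Security-Policy: frame-ancestors 'self'` could be sent alongside for browsers that prefer it. The enclosing `if` block of this hunk starts before L11.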


@ -147,16 +147,8 @@ $db->close();
*/
function llxHeaderVierge($title, $head = "")
{
global $user, $conf, $langs;
top_htmlhead($head, $title);
header("Content-type: text/html; charset=".$conf->file->character_set_client);
print "<html>\n";
print "<head>\n";
print "<title>".$title."</title>\n";
if ($head) {
print $head."\n";
}
print "</head>\n";
print '<body class="public_body">'."\n";
}
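Review bot: If the side assignment is as it looks (L27 added, L28–L35 removed), `llxHeaderVierge` no longer reads `$conf` nor sends its own `Content-type` header, so `global $user, $conf, $langs;` at L26 keeps symbols the body does not use and the charset declaration now depends entirely on what `top_htmlhead()` emits — worth confirming that helper sets `Content-type` with `$conf->file->character_set_client`, otherwise the public page silently loses its charset. Suggest trimming the `global` line to what is actually referenced and documenting the delegation in the docblock, e.g. `@param string $title Page title, forwarded to top_htmlhead()` and `@param string $head Extra head markup, forwarded to top_htmlhead()`. The same function is defined identically in the hunk ending at L56; a single copy in a shared include would stop the two from drifting. The docblock for this function begins before L22.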


@ -65,16 +65,8 @@ $langs->loadLangs(array("main", "members", "companies", "other"));
*/
function llxHeaderVierge($title, $head = "")
{
global $user, $conf, $langs;
top_htmlhead($head, $title);
header("Content-type: text/html; charset=".$conf->file->character_set_client);
print "<html>\n";
print "<head>\n";
print "<title>".$title."</title>\n";
if ($head) {
print $head."\n";
}
print "</head>\n";
print '<body class="public_body">'."\n";
}
@ -151,13 +143,13 @@ if ($result) {
print '<table class="public_border centpercent">';
print '<tr class="public_liste_titre">';
print '<td><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=firstname">'.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).'</a></td>';
print '<td><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=societe">'.$langs->trans("Company").'</a></td>'."\n";
print '<th class="left"><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=firstname">'.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).'</a></th>';
print '<th class="left"><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=societe">'.$langs->trans("Company").'</a></th>'."\n";
//print_liste_field_titre("DateOfBirth", $_SERVER["PHP_SELF"],"birth",'',$param,$sortfield,$sortorder); // est-ce nécessaire ??
print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'public_');
print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'public_');
print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'public_');
print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'public_');
print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'left public_');
print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'left public_');
print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'left public_');
print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'center public_');
print "</tr>\n";
while ($i < $num && $i < $conf->liste_limit) {
@ -170,7 +162,7 @@ if ($result) {
print '<td>'.$objp->zip.'</td>'."\n";
print '<td>'.$objp->town.'</td>'."\n";
if (isset($objp->photo) && $objp->photo != '') {
print '<td>';
print '<td class="center">';
print $form->showphoto('memberphoto', $objp, 64);
print '</td>'."\n";
} else {
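Review bot: The rewritten header cells at L62–L63 still build the `href` from `$_SERVER["PHP_SELF"]` and `$page` with no escaping; `PHP_SELF` reflects the request path as received (including any path-info suffix), so unless `main.inc.php` already sanitizes it on these public pages it should be escaped before being printed into an attribute, e.g. `'<th class="left"><a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?page='.((int) $page).'&sortorder=ASC&sortfield=firstname">'`. The `print_liste_field_titre()` calls at L69–L72 receive the same value and presumably escape it internally — worth confirming rather than assuming. The `llxHeaderVierge` copy at L43–L56 has the same unused-globals and charset questions as its twin in the previous file, and the `while` loop opened at L74 continues past the hunk.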


@ -44,6 +44,10 @@ $usedolheader = 1; // 1 = Test inside a dolibarr page, 0 = Use hard coded header
if (empty($usedolheader)) {
header("Content-type: text/html; charset=UTF8");
// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


@ -12,6 +12,16 @@ if ($dolibarr_main_prod) {
accessforbidden('Access forbidden when $dolibarr_main_prod is set to 1');
}
/*
* View
*/
header("Content-type: text/html; charset=UTF8");
// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
?>
<!doctype html>
<html lang="en">


@ -34,6 +34,11 @@ if ($dolibarr_main_prod) {
* View
*/
header("Content-type: text/html; charset=UTF8");
// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
?>
This is a form to test if a CSRF exists into a Dolibarr page.<br>


@ -41,17 +41,6 @@ if (!defined("NOSESSION")) {
define("NOSESSION", '1');
}
print "*** SHOW SESSION STATUS<br>\n";
print "Legend:<br>\n";
print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."<br>\n";
print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."<br>\n";
print 'PHP_SESSION_ACTIVE='.PHP_SESSION_ACTIVE."<br>\n";
print '<br>';
print 'session_status='.session_status().' (before main.inc.php)<br>';
print '<br><br>'."\n";
require '../../main.inc.php';
// Security
@ -64,6 +53,12 @@ if ($dolibarr_main_prod) {
* View
*/
header("Content-type: text/html; charset=UTF8");
// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
print "*** TEST READ OF /tmp/test.txt FILE<br>\n";
$out='';


@ -41,6 +41,17 @@ if (!defined("NOSESSION")) {
define("NOSESSION", '1');
}
// Special
// We add header and output some content before the include of main.inc.php !!
// Because we need to So we can make
header("Content-type: text/html; charset=UTF8");
// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
print "Legend:<br>\n";
print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."<br>\n";
print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."<br>\n";
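Review bot: The new comment at L157 is cut off mid-sentence (`// Because we need to So we can make`) and tells the next reader nothing; the `PHP_SESSION_*` legend printed right after it suggests the page exists to report session state around the `main.inc.php` include, so something like `// Deliberately send headers and output before including main.inc.php: this test page reports session_status() before and after the include — TODO confirm intent` would do, or drop the line. Since `header()` must precede any output, the Content-type and security headers at L158–L161 have to stay above the first `print` at L162 if this block is ever reordered; a short comment saying so would protect that ordering. The statement run continues past L164.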