diff --git a/htdocs/public/emailing/mailing-unsubscribe.php b/htdocs/public/emailing/mailing-unsubscribe.php index 76a73e8de05..7c85d9a2fc0 100644 --- a/htdocs/public/emailing/mailing-unsubscribe.php +++ b/htdocs/public/emailing/mailing-unsubscribe.php @@ -157,6 +157,10 @@ if (!empty($tag) && ($unsuscrib == '1')) { header("Content-type: text/html; charset=".$conf->file->character_set_client); + // Security options + header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) + header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + print ''; print "\n"; print "\n"; diff --git a/htdocs/public/members/public_card.php b/htdocs/public/members/public_card.php index a6512b83a60..d58b6448edb 100644 --- a/htdocs/public/members/public_card.php +++ b/htdocs/public/members/public_card.php @@ -147,16 +147,8 @@ $db->close(); */ function llxHeaderVierge($title, $head = "") { - global $user, $conf, $langs; + top_htmlhead($head, $title); - header("Content-type: text/html; charset=".$conf->file->character_set_client); - print "\n"; - print "\n"; - print "".$title."\n"; - if ($head) { - print $head."\n"; - } - print "\n"; print ''."\n"; } diff --git a/htdocs/public/members/public_list.php b/htdocs/public/members/public_list.php index 4bf2a6b94bf..178af5fce11 100644 --- a/htdocs/public/members/public_list.php +++ b/htdocs/public/members/public_list.php @@ -65,16 +65,8 @@ $langs->loadLangs(array("main", "members", "companies", "other")); */ function llxHeaderVierge($title, $head = "") { - global $user, $conf, $langs; + top_htmlhead($head, $title); - header("Content-type: text/html; charset=".$conf->file->character_set_client); - print "\n"; - print "\n"; - print "".$title."\n"; - if ($head) { - print $head."\n"; - } - print "\n"; print ''."\n"; } 
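Review bot: The comment on the new `X-Frame-Options` line misstates what the header defends against: restricting who may frame the page mitigates clickjacking (UI redress), not XSS, so `// Frames allowed only if on same domain (stop some XSS attacks)` should read `// Allow framing only from the same origin (mitigates clickjacking)`. The same two header lines and their comments are copy-pasted verbatim into test_arrays.php, test_badges.php, test_csrf.php, test_exec.php and test_sessionlock.php in this commit; emitting them from one shared helper (or from `top_httphead()` if it already sets them) would keep the six copies consistent, for example when a `Content-Security-Policy: frame-ancestors` directive is added later. Per the hunk heading the headers are sent inside the `if (!empty($tag) && ($unsuscrib == '1'))` branch; if the other branches of this page also render HTML they presumably do not receive the headers, which is worth confirming.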
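Review bot: `llxHeaderVierge()` is now a two-line wrapper around `top_htmlhead($head, $title)` plus the remaining `print` line, and the identical definition is kept in public_list.php in the next hunk; the duplicate could live in one shared include instead of two public scripts. The rewrite drops the explicit `Content-type` header and the hand-written `<title>` output, which is only equivalent if `top_htmlhead()` itself sends the Content-type and security headers and prints the title and closing head tag — presumably via `top_httphead()`, but this should be confirmed since both pages are unauthenticated. The doc comment above the hunk should be updated to say that the function delegates to `top_htmlhead()` and that `$head` is still injected into the head section unescaped, as before.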
@@ -151,13 +143,13 @@ if ($result) { print ''; print ''; - print ''; - print ''."\n"; + print ''; + print ''."\n"; //print_liste_field_titre("DateOfBirth", $_SERVER["PHP_SELF"],"birth",'',$param,$sortfield,$sortorder); // est-ce nécessaire ?? - print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'public_'); - print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'public_'); - print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'public_'); - print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'public_'); + print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'left public_'); + print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'left public_'); + print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'left public_'); + print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'center public_'); print "\n"; while ($i < $num && $i < $conf->liste_limit) { @@ -170,7 +162,7 @@ if ($result) { print ''."\n"; print ''."\n"; if (isset($objp->photo) && $objp->photo != '') { - print ''."\n"; } else { diff --git a/htdocs/public/test/test_arrays.php b/htdocs/public/test/test_arrays.php index 01910f71aaf..609ced5f684 100644 --- a/htdocs/public/test/test_arrays.php +++ b/htdocs/public/test/test_arrays.php 
@@ -44,6 +44,10 @@ $usedolheader = 1; // 1 = Test inside a dolibarr page, 0 = Use hard coded header if (empty($usedolheader)) { header("Content-type: text/html; charset=UTF8"); + + // Security options + header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) + header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) ?> diff --git a/htdocs/public/test/test_badges.php b/htdocs/public/test/test_badges.php index 64ccf82345b..d3ed6476f95 100644 --- a/htdocs/public/test/test_badges.php +++ b/htdocs/public/test/test_badges.php @@ -12,6 +12,16 @@ if ($dolibarr_main_prod) { accessforbidden('Access forbidden when $dolibarr_main_prod is set to 1'); } +/* + * View + */ + +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + ?> diff --git a/htdocs/public/test/buttons.php b/htdocs/public/test/test_buttons.php similarity index 100% rename from htdocs/public/test/buttons.php rename to htdocs/public/test/test_buttons.php diff --git a/htdocs/public/test/test_csrf.php b/htdocs/public/test/test_csrf.php index 3127a765985..43372d22f15 100644 --- a/htdocs/public/test/test_csrf.php +++ b/htdocs/public/test/test_csrf.php 
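Review bot: The new `header("Content-type: text/html; charset=UTF8");` uses `UTF8`, which is not the registered charset label; the IANA/WHATWG name is `UTF-8`, so the line should be `header("Content-type: text/html; charset=UTF-8");`. Browsers generally tolerate the alias, but non-browser clients and validators may not, and the tolerant fallback is exactly the kind of sniffing the adjacent `nosniff` header is meant to avoid. The same label is added as a new line in test_csrf.php, test_exec.php and test_sessionlock.php in this commit, and already exists as a context line in test_arrays.php.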
@@ -34,6 +34,11 @@ if ($dolibarr_main_prod) { * View */ +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) ?> This is a form to test if a CSRF exists into a Dolibarr page.
diff --git a/htdocs/public/test/test_exec.php b/htdocs/public/test/test_exec.php index 026a8d12b7b..ef6f41df132 100644 --- a/htdocs/public/test/test_exec.php +++ b/htdocs/public/test/test_exec.php @@ -41,17 +41,6 @@ if (!defined("NOSESSION")) { define("NOSESSION", '1'); } -print "*** SHOW SESSION STATUS
\n"; -print "Legend:
\n"; -print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."
\n"; -print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."
\n"; -print 'PHP_SESSION_ACTIVE='.PHP_SESSION_ACTIVE."
\n"; -print '
'; - -print 'session_status='.session_status().' (before main.inc.php)
'; - -print '

'."\n"; - require '../../main.inc.php'; // Security @@ -64,6 +53,12 @@ if ($dolibarr_main_prod) { * View */ +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + print "*** TEST READ OF /tmp/test.txt FILE
\n"; $out=''; diff --git a/htdocs/public/test/test_sessionlock.php b/htdocs/public/test/test_sessionlock.php index 8464ba2eb4f..1aea6204b3e 100644 --- a/htdocs/public/test/test_sessionlock.php +++ b/htdocs/public/test/test_sessionlock.php @@ -41,6 +41,17 @@ if (!defined("NOSESSION")) { define("NOSESSION", '1'); } + +// Special +// We add header and output some content before the include of main.inc.php !! +// Because we need to So we can make +header("Content-type: text/html; charset=UTF8"); + +// Security options +header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on) +header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + + print "Legend:
\n"; print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."
\n"; print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."
\n";
'.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).''.$langs->trans("Company").''.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).''.$langs->trans("Company").'
'.$objp->zip.''.$objp->town.''; + print ''; print $form->showphoto('memberphoto', $objp, 64); print '