diff --git a/ChangeLog b/ChangeLog index abc660739cf..cdcef2d4e4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,7 +15,10 @@ WARNING: Following changes may create regressions for some external modules, but were necessary to make Dolibarr better: * PHP 5.5 is no more supported. Minimum PHP is now 5.6+. - +* Default mode for GETPOST function is now 'alphanohtml' instead of 'none'. So check when you make POST or GET requests + with HTML content that you make a GETPOST('myparam', 'restricthtml') or GETPOST('myparam', 'none') if you really need posted content without sanitizing + the HTML into content (in such a case, sanitize data later) + ***** ChangeLog for 11.0.1 compared to 11.0.0 ***** diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 2e39105eb21..da23d3cc33b 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -157,7 +157,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) foreach ($listfield as $f => $value) { if ($value == 'country_id' && in_array($tablib[$id], array('Pcg_version'))) continue; // For some pages, country is not mandatory - if ((! isset($_POST[$value]) || $_POST[$value]=='')) + if ((! GETPOSTISSET($value)) || GETPOST($value) == '') { $ok=0; $fieldnamekey=$listfield[$f]; @@ -170,13 +170,13 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) } } // Other checks - if ($tabname[$id] == MAIN_DB_PREFIX."c_actioncomm" && isset($_POST["type"]) && in_array($_POST["type"], array('system','systemauto'))) { + if ($tabname[$id] == MAIN_DB_PREFIX."c_actioncomm" && GETPOSTISSET("type") && in_array($_POST["type"], array('system','systemauto'))) { $ok=0; setEventMessages($langs->transnoentities('ErrorReservedTypeSystemSystemAuto'), null, 'errors'); } - if (isset($_POST["pcg_version"])) + if (GETPOSTISSET("pcg_version")) { - if ($_POST["pcg_version"]=='0') + if (GETPOST("pcg_version") == '0') { $ok=0; setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors'); diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index dbe20bba99d..2924feb58eb 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -153,7 +153,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) if ($value == 'formula' && empty($_POST['formula'])) continue; if ($value == 'range_account' && empty($_POST['range_account'])) continue; if ($value == 'country' || $value == 'country_id') continue; - if (!isset($_POST[$value]) || $_POST[$value] == '') + if (! GETPOSTISSET($value) || GETPOST($value) == '') { $ok = 0; $fieldnamekey = $listfield[$f]; diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 62313faa2f2..e47fba72756 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -165,9 +165,9 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) if ($fieldnamekey == 'nature') $fieldnamekey = 'NatureOfJournal'; } // Other checks - if (isset($_POST["code"])) + if (GETPOSTISSET("code")) { - if ($_POST["code"] == '0') + if (GETPOST("code") == '0') { $ok = 0; setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors'); diff --git a/htdocs/adherents/subscription/card.php b/htdocs/adherents/subscription/card.php index 57c50e1b6b3..02941cb9967 100644 --- a/htdocs/adherents/subscription/card.php +++ b/htdocs/adherents/subscription/card.php @@ -214,7 +214,7 @@ if ($user->rights->adherent->cotisation->creer && $action == 'edit') // Type print ''; print ''.$langs->trans("Type").''; - print $form->selectarray("typeid", $adht->liste_array(), (isset($_POST["typeid"]) ? $_POST["typeid"] : $object->fk_type)); + print $form->selectarray("typeid", $adht->liste_array(), (GETPOSTISSET("typeid") ? GETPOST("typeid") : $object->fk_type)); print''; // Date start subscription diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 28594fdea40..b2b94fd5684 100644 --- a/htdocs/adherents/type.php +++ b/htdocs/adherents/type.php @@ -792,7 +792,7 @@ if ($rowid > 0) $morphys["phy"] = $langs->trans("Physical"); $morphys["mor"] = $langs->trans("Moral"); print ''.$langs->trans("MemberNature").''; - print $form->selectarray("morphy", $morphys, isset($_POST["morphy"]) ? $_POST["morphy"] : $object->morphy); + print $form->selectarray("morphy", $morphys, GETPOSTISSET("morphy") ? GETPOST("morphy") : $object->morphy); print ""; print ''.$langs->trans("SubscriptionRequired").''; diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index 314a4e61954..925688abba5 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -678,9 +678,9 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) $ok = 0; setEventMessages($langs->transnoentities('ErrorReservedTypeSystemSystemAuto'), null, 'errors'); } - if (isset($_POST["code"])) + if (GETPOSTISSET("code")) { - if ($_POST["code"] == '0') + if (GETPOST("code") == '0') { $ok = 0; setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors'); @@ -691,7 +691,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify')) $msg .= $langs->transnoentities('ErrorFieldFormat', $langs->transnoentities('Code')).'
'; }*/ } - if (isset($_POST["country"]) && ($_POST["country"] == '0') && ($id != 2)) + if (GETPOSTISSET("country") && ($_POST["country"] == '0') && ($id != 2)) { if (in_array($tablib[$id], array('DictionaryCompanyType', 'DictionaryHolidayTypes'))) // Field country is no mandatory for such dictionaries { diff --git a/htdocs/admin/events.php b/htdocs/admin/events.php index 9265604f427..66794cd4210 100644 --- a/htdocs/admin/events.php +++ b/htdocs/admin/events.php @@ -53,8 +53,7 @@ if ($action == "save") foreach ($eventstolog as $key => $arr) { $param='MAIN_LOGEVENTS_'.$arr['id']; - //print "param=".$param." - ".$_POST[$param]; - if (! empty($_POST[$param])) dolibarr_set_const($db, $param, $_POST[$param], 'chaine', 0, '', $conf->entity); + if (GETPOST($param, 'alphanohtml')) dolibarr_set_const($db, $param, GETPOST($param, 'alphanohtml'), 'chaine', 0, '', $conf->entity); else dolibarr_del_const($db, $param, $conf->entity); } diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php index efe8ca1117d..6f2ad22015d 100644 --- a/htdocs/admin/fckeditor.php +++ b/htdocs/admin/fckeditor.php @@ -239,13 +239,6 @@ else jsdump(CKEDITOR.env, "divforlog"); '; } - - /* - print ''; - print $_POST["formtestfield"]; - print ''; - print $conf->global->FCKEDITOR_TEST; - */ } // End of page diff --git a/htdocs/admin/ldap_groups.php b/htdocs/admin/ldap_groups.php index 194475ab32c..fb49c947411 100644 --- a/htdocs/admin/ldap_groups.php +++ b/htdocs/admin/ldap_groups.php @@ -51,14 +51,14 @@ if ($action == 'setvalue' && $user->admin) $error = 0; $db->begin(); - if (!dolibarr_set_const($db, 'LDAP_GROUP_DN', GETPOST("group"), 'chaine', 0, '', $conf->entity)) $error++; - if (!dolibarr_set_const($db, 'LDAP_GROUP_OBJECT_CLASS', GETPOST("objectclass"), 'chaine', 0, '', $conf->entity)) $error++; + if (!dolibarr_set_const($db, 'LDAP_GROUP_DN', GETPOST("group", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++; + if (!dolibarr_set_const($db, 'LDAP_GROUP_OBJECT_CLASS', GETPOST("objectclass", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++; - if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_FULLNAME', GETPOST("fieldfullname"), 'chaine', 0, '', $conf->entity)) $error++; - //if (! dolibarr_set_const($db, 'LDAP_GROUP_FIELD_NAME',$_POST["fieldname"],'chaine',0,'',$conf->entity)) $error++; - if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_DESCRIPTION', GETPOST("fielddescription"), 'chaine', 0, '', $conf->entity)) $error++; - if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPMEMBERS', GETPOST("fieldgroupmembers"), 'chaine', 0, '', $conf->entity)) $error++; - if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPID', GETPOST("fieldgroupid"), 'chaine', 0, '', $conf->entity)) $error++; + if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_FULLNAME', GETPOST("fieldfullname", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++; + //if (! dolibarr_set_const($db, 'LDAP_GROUP_FIELD_NAME',GETPOST("fieldname", 'alphanohtml'),'chaine',0,'',$conf->entity)) $error++; + if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_DESCRIPTION', GETPOST("fielddescription", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++; + if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPMEMBERS', GETPOST("fieldgroupmembers", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++; + if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPID', GETPOST("fieldgroupid", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++; // This one must be after the others $valkey = ''; diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index f82c423d438..cd27ef7b6dc 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -31,6 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php'; // Load translation files required by the page $langs->loadLangs(array("other", "admin")); +$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button + if (!$user->admin) accessforbidden(); $dirstandard = array(); @@ -64,12 +66,12 @@ if (GETPOST("menu_handler")) $menu_handler = GETPOST("menu_handler"); if ($action == 'update') { - if (!$_POST['cancel']) + if (! $cancel) { $leftmenu = ''; $mainmenu = ''; - if (!empty($_POST['menuIdParent']) && !is_numeric($_POST['menuIdParent'])) + if (GETPOST('menuIdParent', 'alpha') && !is_numeric(GETPOST('menuIdParent', 'alpha'))) { - $tmp = explode('&', $_POST['menuIdParent']); + $tmp = explode('&', GETPOST('menuIdParent', 'alpha')); foreach ($tmp as $s) { if (preg_match('/fk_mainmenu=/', $s)) @@ -138,7 +140,7 @@ if ($action == 'update') if ($action == 'add') { - if ($_POST['cancel']) + if ($cancel) { header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler); exit; diff --git a/htdocs/admin/oauthlogintokens.php b/htdocs/admin/oauthlogintokens.php index ca75eee69ef..7b74016207b 100644 --- a/htdocs/admin/oauthlogintokens.php +++ b/htdocs/admin/oauthlogintokens.php @@ -59,9 +59,18 @@ if ($action == 'setconst' && $user->admin) { $error = 0; $db->begin(); - foreach ($_POST['setupdriver'] as $setupconst) { + + $setupconstarray = GETPOST('setupdriver', 'array'); + + foreach ($setupconstarray as $setupconst) { //print '
'.print_r($setupconst, true).'
'; - $result = dolibarr_set_const($db, $setupconst['varname'], $setupconst['value'], 'chaine', 0, '', $conf->entity); + + $constname = dol_escape_htmltag($setupconst['varname']); + $constvalue = dol_escape_htmltag($setupconst['value']); + $consttype = dol_escape_htmltag($setupconst['type']); + $constnote = dol_escape_htmltag($setupconst['note']); + + $result = dolibarr_set_const($db, $constname, $constvalue, $consttype, 0, $constnote, $conf->entity); if (!$result > 0) $error++; } diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index e85853541de..07891630c1a 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php @@ -70,8 +70,8 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg)) elseif ($action == 'updateform') { - $res1=dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", $_POST["MAIN_APPLICATION_TITLE"], 'chaine', 0, '', $conf->entity); - $res2=dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", $_POST["MAIN_SESSION_TIMEOUT"], 'chaine', 0, '', $conf->entity); + $res1=dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity); + $res2=dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", GETPOST("MAIN_SESSION_TIMEOUT", 'alphanohtml'), 'chaine', 0, '', $conf->entity); if ($res1 && $res2) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } diff --git a/htdocs/admin/sms.php b/htdocs/admin/sms.php index b725a2e50ae..4a70104158b 100644 --- a/htdocs/admin/sms.php +++ b/htdocs/admin/sms.php @@ -28,6 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "admin", "products", "sms", "other", "errors")); +$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button + if (!$user->admin) accessforbidden(); @@ -46,14 +48,13 @@ $action = GETPOST('action', 'aZ09'); * Actions */ -if ($action == 'update' && empty($_POST["cancel"])) +if ($action == 'update' && !$cancel) { - dolibarr_set_const($db, "MAIN_DISABLE_ALL_SMS", $_POST["MAIN_DISABLE_ALL_SMS"], 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_DISABLE_ALL_SMS", GETPOST("MAIN_DISABLE_ALL_SMS", 'alphanohtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_SMS_SENDMODE", $_POST["MAIN_SMS_SENDMODE"], 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_SMS_SENDMODE", GETPOST("MAIN_SMS_SENDMODE", 'alphahtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_MAIL_SMS_FROM", $_POST["MAIN_MAIL_SMS_FROM"], 'chaine', 0, '', $conf->entity); - //dolibarr_set_const($db, "MAIN_MAIL_AUTOCOPY_TO", $_POST["MAIN_MAIL_AUTOCOPY_TO"], 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_SMS_FROM", GETPOST("MAIN_MAIL_SMS_FROM", 'alphanohtml'), 'chaine', 0, '', $conf->entity); header("Location: ".$_SERVER["PHP_SELF"]."?mainmenu=home&leftmenu=setup"); exit; @@ -68,15 +69,15 @@ if ($action == 'send' && !$_POST['cancel']) $error = 0; $smsfrom = ''; - if (!empty($_POST["fromsms"])) $smsfrom = GETPOST("fromsms"); - if (empty($smsfrom)) $smsfrom = GETPOST("fromname"); - $sendto = GETPOST("sendto"); - $body = GETPOST('message'); - $deliveryreceipt = GETPOST("deliveryreceipt"); - $deferred = GETPOST('deferred'); - $priority = GETPOST('priority'); - $class = GETPOST('class'); - $errors_to = GETPOST("errorstosms"); + if (!empty($_POST["fromsms"])) $smsfrom = GETPOST("fromsms", 'alphanohtml'); + if (empty($smsfrom)) $smsfrom = GETPOST("fromname", 'alphanohtml'); + $sendto = GETPOST("sendto", 'alphanohtml'); + $body = GETPOST('message', 'alphanohtml'); + $deliveryreceipt = GETPOST("deliveryreceipt", 'alphanohtml'); + $deferred = GETPOST('deferred', 'alphanohtml'); + $priority = GETPOST('priority', 'alphanohtml'); + $class = GETPOST('class', 'alphanohtml'); + $errors_to = GETPOST("errorstosms", 'alphanohtml'); // Create form object include_once DOL_DOCUMENT_ROOT.'/core/class/html.formsms.class.php'; diff --git a/htdocs/admin/spip.php b/htdocs/admin/spip.php index 5b5bf692e22..d33728286e9 100644 --- a/htdocs/admin/spip.php +++ b/htdocs/admin/spip.php @@ -50,18 +50,20 @@ $action = GETPOST('action', 'aZ09'); // Action mise a jour ou ajout d'une constante if ($action == 'update' || $action == 'add') { - $constname=GETPOST("constname"); - $constvalue=GETPOST("constvalue"); + $constnamearray = GETPOST("constname", 'array'); + $constvaluearray = GETPOST("constvalue", 'array'); + $consttypearray = GETPOST("consttype", 'array'); + $constnotearray = GETPOST("constnote", 'array'); // Action mise a jour ou ajout d'une constante if ($action == 'update' || $action == 'add') { - foreach($_POST['constname'] as $key => $val) + foreach($constnamearray as $key => $val) { - $constname=$_POST["constname"][$key]; - $constvalue=$_POST["constvalue"][$key]; - $consttype=$_POST["consttype"][$key]; - $constnote=$_POST["constnote"][$key]; + $constname = dol_escape_htmltag($constnamearray[$key]); + $constvalue = dol_escape_htmltag($constvaluearray[$key]); + $consttype = dol_escape_htmltag($consttypearray[$key]); + $constnote = dol_escape_htmltag($constnotearray[$key]); $res=dolibarr_set_const($db, $constname, $constvalue, $type[$consttype], 0, $constnote, $conf->entity); diff --git a/htdocs/admin/supplier_invoice.php b/htdocs/admin/supplier_invoice.php index 9a17916cb49..977b99d0c99 100644 --- a/htdocs/admin/supplier_invoice.php +++ b/htdocs/admin/supplier_invoice.php @@ -171,7 +171,7 @@ if ($action == 'setmod') if ($action == 'addcat') { $fourn = new Fournisseur($db); - $fourn->CreateCategory($user, $_POST["cat"]); + $fourn->CreateCategory($user, GETPOST('cat', 'alphanohtml')); } if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT') diff --git a/htdocs/admin/supplier_order.php b/htdocs/admin/supplier_order.php index 1b6b6eb9921..db9b3e257f6 100644 --- a/htdocs/admin/supplier_order.php +++ b/htdocs/admin/supplier_order.php @@ -165,7 +165,7 @@ elseif ($action == 'setmod') elseif ($action == 'addcat') { $fourn = new Fournisseur($db); - $fourn->CreateCategory($user, $_POST["cat"]); + $fourn->CreateCategory($user, GETPOST('cat', 'alphanohtml')); } elseif ($action == 'set_SUPPLIER_ORDER_OTHER') diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index d639b8d2a9b..689b65cc954 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php @@ -132,7 +132,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) $ok=1; foreach ($listfield as $f => $value) { - if ($value == 'ref' && (! isset($_POST[$value]) || $_POST[$value]=='')) + if ($value == 'ref' && (! GETPOSTISSET($value) || GETPOST($value) == '')) { $ok=0; $fieldnamekey=$listfield[$f]; diff --git a/htdocs/asset/type.php b/htdocs/asset/type.php index 9f5f8597663..542dbc8e23d 100644 --- a/htdocs/asset/type.php +++ b/htdocs/asset/type.php @@ -609,37 +609,15 @@ if ($rowid > 0) print $object->showOptionals($extrafields, 'edit', $parameters); } - print ''; + // Other attributes + include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_edit.tpl.php'; - // Extra field - if (empty($reshook)) - { - print '

'; - foreach ($extrafields->attributes[$object->element]['label'] as $key=>$label) - { - if (isset($_POST["options_".$key])) { - if (is_array($_POST["options_".$key])) { - // $_POST["options"] is an array but following code expects a comma separated string - $value = implode(",", $_POST["options_".$key]); - } else { - $value = $_POST["options_".$key]; - } - } else { - $value = $adht->array_options["options_".$key]; - } - print '\n"; - } - print '
'.$label.''; - print $extrafields->showInputField($key, $value); - print "


'; - } + print ''; dol_fiche_end(); - print '
'; - print ''; - print '     '; - print ''; + print '
'; + print '   '; print '
'; print ""; diff --git a/htdocs/bom/tpl/objectline_create.tpl.php b/htdocs/bom/tpl/objectline_create.tpl.php index 7f3072d8051..c99e57bcff3 100644 --- a/htdocs/bom/tpl/objectline_create.tpl.php +++ b/htdocs/bom/tpl/objectline_create.tpl.php @@ -109,7 +109,7 @@ if (!empty($conf->product->enabled) || !empty($conf->service->enabled)) } $coldisplay++; -print ''; +print ''; print ''; if ($conf->global->PRODUCT_USE_UNITS) diff --git a/htdocs/cashdesk/tpl/facturation1.tpl.php b/htdocs/cashdesk/tpl/facturation1.tpl.php index f3b76cbaed6..b543abefb8b 100644 --- a/htdocs/cashdesk/tpl/facturation1.tpl.php +++ b/htdocs/cashdesk/tpl/facturation1.tpl.php @@ -117,7 +117,7 @@ for ($i = 0; $i < $nbtoshow; $i++) $buyer = new Societe($db); if ($_SESSION["CASHDESK_ID_THIRDPARTY"] > 0) $buyer->fetch($_SESSION["CASHDESK_ID_THIRDPARTY"]); - echo $form->load_tva('selTva', (isset($_POST["selTva"])?GETPOST("selTva", 'alpha', 2):$vatrate), $mysoc, $buyer, 0, 0, '', false, -1); + echo $form->load_tva('selTva', (GETPOSTISSET("selTva") ? GETPOST("selTva", 'alpha', 2) : $vatrate), $mysoc, $buyer, 0, 0, '', false, -1); ?> diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 24567451840..5038079085b 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -3351,8 +3351,8 @@ if ($action == 'create') print ''; // Bank Account - if (isset($_POST['fk_account'])) { - $fk_account = $_POST['fk_account']; + if (GETPOSTISSET('fk_account')) { + $fk_account = GETPOST('fk_account'); } print ''.$langs->trans('BankAccount').''; diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index f0bbe4867d7..c62d6d09273 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -4967,7 +4967,7 @@ abstract class CommonObject global $conf, $_POST; // If param here has been posted, we use this value first. - if (isset($_POST[$fieldname])) return GETPOST($fieldname, 2); + if (GETPOSTISSET($fieldname)) return GETPOST($fieldname, 'alphanohtml', 3); if (isset($alternatevalue)) return $alternatevalue; diff --git a/htdocs/core/class/coreobject.class.php b/htdocs/core/class/coreobject.class.php index 672697cd0a3..82a644eabf2 100644 --- a/htdocs/core/class/coreobject.class.php +++ b/htdocs/core/class/coreobject.class.php @@ -416,24 +416,20 @@ class CoreObject extends CommonObject { foreach ($Tab as $key => $value) { - if($this->checkFieldType($key, 'date')) + if ($this->checkFieldType($key, 'date')) { $this->setDate($key, $value); } - elseif( $this->checkFieldType($key, 'array')) - { - $this->{$key} = $value; - } - elseif( $this->checkFieldType($key, 'float') ) + elseif ($this->checkFieldType($key, 'float')) { $this->{$key} = (double) price2num($value); } - elseif( $this->checkFieldType($key, 'int') ) { + elseif ($this->checkFieldType($key, 'int')) { $this->{$key} = (int) price2num($value); } else { - $this->{$key} = $value; + $this->{$key} = dol_string_nohtmltag($value); } } diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 4985ab35b0d..eba330e5621 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -291,6 +291,7 @@ function GETPOSTISSET($paramname) * 'array'=check it's array * 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string) * 'nohtml', 'alphanohtml'=check there is no html content + * 'restricthtml'=check html content is restricted to some tags only * 'custom'= custom filter specify $filter and $options) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get) * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) @@ -298,7 +299,7 @@ function GETPOSTISSET($paramname) * @param string $noreplace Force disable of replacement of __xxx__ strings. * @return string|string[] Value found (string or array), or '' if check fails */ -function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $options = null, $noreplace = 0) +function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null, $options = null, $noreplace = 0) { global $mysoc, $user, $conf; diff --git a/htdocs/core/login/functions_googleoauth.php b/htdocs/core/login/functions_googleoauth.php index 2f1fbcf3667..e621f41e562 100644 --- a/htdocs/core/login/functions_googleoauth.php +++ b/htdocs/core/login/functions_googleoauth.php @@ -48,7 +48,7 @@ function check_user_password_googleoauth($usertotest, $passwordtotest, $entityto $login = ''; // Get identity from user and redirect browser to Google OAuth Server - if (isset($_POST['username'])) + if (GETPOSTISSET('username')) { /*$openid = new SimpleOpenID(); $openid->SetIdentity($_POST['username']); diff --git a/htdocs/core/login/functions_openid.php b/htdocs/core/login/functions_openid.php index c20b2a32f90..87a8acfd800 100644 --- a/htdocs/core/login/functions_openid.php +++ b/htdocs/core/login/functions_openid.php @@ -43,7 +43,7 @@ function check_user_password_openid($usertotest, $passwordtotest, $entitytotest) $login=''; // Get identity from user and redirect browser to OpenID Server - if (isset($_POST['username'])) + if (GETPOSISSET('username')) { $openid = new SimpleOpenID(); $openid->SetIdentity($_POST['username']); diff --git a/htdocs/don/payment/payment.php b/htdocs/don/payment/payment.php index abdc35c850e..4992c9f8495 100644 --- a/htdocs/don/payment/payment.php +++ b/htdocs/don/payment/payment.php @@ -197,14 +197,14 @@ if ($action == 'create') print ''; print ''.$langs->trans("PaymentMode").''; - $form->select_types_paiements(isset($_POST["paymenttype"])?$_POST["paymenttype"]:$object->paymenttype, "paymenttype"); + $form->select_types_paiements(GETPOSTISSET("paymenttype") ? GETPOST("paymenttype") : $object->paymenttype, "paymenttype"); print "\n"; print ''; print ''; print ''.$langs->trans('AccountToCredit').''; print ''; - $form->select_comptes(isset($_POST["accountid"])?$_POST["accountid"]:$object->accountid, "accountid", 0, '', 1); // Show open bank account list + $form->select_comptes(GETPOSTISSET("accountid") ? GETPOST("accountid") : $object->accountid, "accountid", 0, '', 1); // Show open bank account list print ''; // Number diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php index 66b47ab563f..dde2b2f7f7b 100644 --- a/htdocs/expedition/card.php +++ b/htdocs/expedition/card.php @@ -241,11 +241,11 @@ if (empty($reshook)) if ($objectsrc->lines[$i]->product_tobatch) // If product need a batch number { - if (isset($_POST[$batch])) + if (GETPOSTISSET($batch)) { //shipment line with batch-enable product $qty .= '_'.$j; - while (isset($_POST[$batch])) + while (GETPOSTISSET($batch)) { // save line of detail into sub_qty $sub_qty[$j]['q'] = GETPOST($qty, 'int'); // the qty we want to move for this stock record @@ -277,11 +277,11 @@ if (empty($reshook)) } } } - elseif (isset($_POST[$stockLocation])) + elseif (GETPOSTISSET($stockLocation)) { //shipment line from multiple stock locations $qty .= '_'.$j; - while (isset($_POST[$stockLocation])) + while (GETPOSTISSET($stockLocation)) { // save sub line of warehouse $stockLine[$i][$j]['qty'] = GETPOST($qty, 'int'); diff --git a/htdocs/expensereport/class/expensereport_ik.class.php b/htdocs/expensereport/class/expensereport_ik.class.php index bac8522ca74..a62d033af2d 100644 --- a/htdocs/expensereport/class/expensereport_ik.class.php +++ b/htdocs/expensereport/class/expensereport_ik.class.php @@ -72,7 +72,7 @@ class ExpenseReportIk extends CoreObject * Attribute object linked with database * @var array */ - protected $fields=array( + public $fields=array( 'rowid'=>array('type'=>'integer','index'=>true) ,'fk_c_exp_tax_cat'=>array('type'=>'integer','index'=>true) ,'fk_range'=>array('type'=>'integer','index'=>true) diff --git a/htdocs/expensereport/class/expensereport_rule.class.php b/htdocs/expensereport/class/expensereport_rule.class.php index 9726184a94a..08538ac8f61 100644 --- a/htdocs/expensereport/class/expensereport_rule.class.php +++ b/htdocs/expensereport/class/expensereport_rule.class.php @@ -111,7 +111,7 @@ class ExpenseReportRule extends CoreObject * Attribute object linked with database * @var array */ - protected $fields=array( + public $fields=array( 'rowid'=>array('type'=>'integer','index'=>true) ,'dates'=>array('type'=>'date') ,'datee'=>array('type'=>'date') diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php index c636dd292a7..a8bb8a68452 100644 --- a/htdocs/exports/export.php +++ b/htdocs/exports/export.php @@ -411,12 +411,12 @@ if ($step == 4 && $action == 'submitFormField') $newcode = (string) preg_replace('/\./', '_', $code); //print 'xxx'.$code."=".$newcode."=".$type."=".$_POST[$newcode]."\n
"; $filterqualified = 1; - if (!isset($_POST[$newcode]) || $_POST[$newcode] == '') $filterqualified = 0; - elseif (preg_match('/^List/', $type) && (is_numeric($_POST[$newcode]) && $_POST[$newcode] <= 0)) $filterqualified = 0; + if (! GETPOSTISSET($newcode) || GETPOST($newcode, 'restricthtml') == '') $filterqualified = 0; + elseif (preg_match('/^List/', $type) && (is_numeric(GETPOST($newcode, 'restricthtml')) && GETPOST($newcode, 'restricthtml') <= 0)) $filterqualified = 0; if ($filterqualified) { //print 'Filter on '.$newcode.' type='.$type.' value='.$_POST[$newcode]."\n"; - $objexport->array_export_FilterValue[0][$code] = $_POST[$newcode]; + $objexport->array_export_FilterValue[0][$code] = GETPOST($newcode, 'restricthtml'); } } $array_filtervalue = (!empty($objexport->array_export_FilterValue[0]) ? $objexport->array_export_FilterValue[0] : ''); diff --git a/htdocs/fourn/commande/dispatch.php b/htdocs/fourn/commande/dispatch.php index eb9093888af..dd55bb36ffb 100644 --- a/htdocs/fourn/commande/dispatch.php +++ b/htdocs/fourn/commande/dispatch.php @@ -273,7 +273,7 @@ if ($action == 'dispatch' && $user->rights->fournisseur->commande->receptionner) if (empty($conf->multicurrency->enabled) && empty($conf->dynamicprices->enabled)) { $dto = GETPOST("dto_".$reg[1].'_'.$reg[2]); //update supplier price - if (isset($_POST[$saveprice])) { + if (GETPOSTISSET($saveprice)) { // TODO Use class $sql = "UPDATE ".MAIN_DB_PREFIX."product_fournisseur_price"; $sql .= " SET unitprice='".GETPOST($pu)."'"; diff --git a/htdocs/langs/en_US/oauth.lang b/htdocs/langs/en_US/oauth.lang index ce02c4e23d8..d52422a194a 100644 --- a/htdocs/langs/en_US/oauth.lang +++ b/htdocs/langs/en_US/oauth.lang @@ -28,3 +28,5 @@ OAUTH_GITHUB_NAME=OAuth GitHub service OAUTH_GITHUB_ID=OAuth GitHub Id OAUTH_GITHUB_SECRET=OAuth GitHub Secret OAUTH_GITHUB_DESC=Go to this page then "Register a new application" to create OAuth credentials +OAUTH_STRIPE_TEST_NAME=OAuth Stripe Test +OAUTH_STRIPE_LIVE_NAME=OAuth Stripe Live \ No newline at end of file diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index c185b4f7968..815674a5b76 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -565,6 +565,7 @@ if (!defined('NOLOGIN')) $dol_tz_string = preg_replace('/,/', '/', $dol_tz_string); $dol_tz_string = preg_replace('/\s/', '_', $dol_tz_string); $dol_dst = 0; + // Keep $_POST here. Do not use GETPOSTISSET if (isset($_POST["dst_first"]) && isset($_POST["dst_second"])) { include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 41150e913d5..66446e21ddc 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -170,7 +170,7 @@ elseif (!empty($_ENV["dol_entity"])) // Entity inside a CLI script { $conf->entity = $_ENV["dol_entity"]; } -elseif (isset($_POST["loginfunction"]) && GETPOST("entity", 'int')) // Just after a login page +elseif (GETPOSTISSET("loginfunction") && GETPOST("entity", 'int')) // Just after a login page { $conf->entity = GETPOST("entity", 'int'); } diff --git a/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php b/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php index 43970122919..c8654a14d28 100644 --- a/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php +++ b/htdocs/modulebuilder/template/core/modules/mailings/mailinglist_mymodule_myobject.modules.php @@ -112,7 +112,7 @@ class mailing_mailinglist_mymodule_myobject extends MailingTargets $sql = " select rowid as id, email, firstname, lastname, plan, partner"; $sql.= " from ".MAIN_DB_PREFIX."myobject"; $sql.= " where email IS NOT NULL AND email != ''"; - if (! empty($_POST['filter']) && $_POST['filter'] != 'none') $sql.= " AND status = '".$this->db->escape($_POST['filter'])."'"; + if (GETPOSTISSET('filter') && GETPOST('filter', 'alphanohtml') != 'none') $sql.= " AND status = '".$this->db->escape(GETPOST('filter', 'alphanohtml'))."'"; $sql.= " ORDER BY email"; // Stocke destinataires dans target diff --git a/htdocs/product/admin/dynamic_prices.php b/htdocs/product/admin/dynamic_prices.php index cf89db252e5..73ab40c75b8 100644 --- a/htdocs/product/admin/dynamic_prices.php +++ b/htdocs/product/admin/dynamic_prices.php @@ -63,9 +63,9 @@ if ($action == 'edit_updater') { if (!empty($action) && empty($cancel)) { //Global variable actions if ($action == 'create_variable' || $action == 'edit_variable') { - $price_globals->code = isset($_POST['code'])?GETPOST('code', 'alpha'):$price_globals->code; - $price_globals->description = isset($_POST['description'])?GETPOST('description', 'alpha'):$price_globals->description; - $price_globals->value = isset($_POST['value'])?GETPOST('value', 'int'):$price_globals->value; + $price_globals->code = GETPOSTISSET('code')?GETPOST('code', 'alpha'):$price_globals->code; + $price_globals->description = GETPOSTISSET('description')?GETPOST('description', 'alpha'):$price_globals->description; + $price_globals->value = GETPOSTISSET('value')?GETPOST('value', 'int'):$price_globals->value; //Check if record already exists only when saving if (!empty($save)) { foreach ($price_globals->listGlobalVariables() as $entry) { @@ -101,11 +101,11 @@ if (!empty($action) && empty($cancel)) { //Updaters actions if ($action == 'create_updater' || $action == 'edit_updater') { - $price_updaters->type = isset($_POST['type'])?GETPOST('type', 'int'):$price_updaters->type; - $price_updaters->description = isset($_POST['description'])?GETPOST('description', 'alpha'):$price_updaters->description; - $price_updaters->parameters = isset($_POST['parameters'])?GETPOST('parameters'):$price_updaters->parameters; - $price_updaters->fk_variable = isset($_POST['fk_variable'])?GETPOST('fk_variable', 'int'):$price_updaters->fk_variable; - $price_updaters->update_interval = isset($_POST['update_interval'])?GETPOST('update_interval', 'int'):$price_updaters->update_interval; + $price_updaters->type = GETPOSTISSET('type')?GETPOST('type', 'int'):$price_updaters->type; + $price_updaters->description = GETPOSTISSET('description')?GETPOST('description', 'alpha'):$price_updaters->description; + $price_updaters->parameters = GETPOSTISSET('parameters')?GETPOST('parameters'):$price_updaters->parameters; + $price_updaters->fk_variable = GETPOSTISSET('fk_variable')?GETPOST('fk_variable', 'int'):$price_updaters->fk_variable; + $price_updaters->update_interval = GETPOSTISSET('update_interval')?GETPOST('update_interval', 'int'):$price_updaters->update_interval; } if ($action == 'create_updater' && !empty($save)) { //Verify if process() works diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 992b61fc993..4cbdc915241 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -331,7 +331,7 @@ if (empty($reshook)) { for ($i = 2; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) { - if (isset($_POST["price_".$i])) + if (GETPOSTISSET("price_".$i)) { $object->multiprices["$i"] = price2num($_POST["price_".$i], 'MU'); $object->multiprices_base_type["$i"] = $_POST["multiprices_base_type_".$i]; diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index b4c91a3c04d..185c7aaf6ea 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php @@ -1874,7 +1874,7 @@ if ($socid && $action == 'create' && $user->rights->societe->creer) print ''.$langs->trans("WithdrawMode").''; $tblArraychoice = array("FRST" => $langs->trans("FRST"), "RECUR" => $langs->trans("RECUR")); - print $form->selectarray("frstrecur", $tblArraychoice, (isset($_POST['frstrecur']) ?GETPOST('frstrecur') : 'FRST'), 0); + print $form->selectarray("frstrecur", $tblArraychoice, (GETPOSTISSET('frstrecur') ? GETPOST('frstrecur') : 'FRST'), 0); print ''; print ''; diff --git a/htdocs/variants/ajax/orderAttribute.php b/htdocs/variants/ajax/orderAttribute.php index 354c9074192..6b697b1c38c 100644 --- a/htdocs/variants/ajax/orderAttribute.php +++ b/htdocs/variants/ajax/orderAttribute.php @@ -33,13 +33,14 @@ require '../../main.inc.php'; top_httphead(); // Registering the location of boxes -if (isset($_POST['roworder'])) { +if (GETPOSTISSET('roworder')) { $roworder=GETPOST('roworder', 'alpha', 2); dol_syslog("AjaxOrderAttribute roworder=".$roworder, LOG_DEBUG); $rowordertab = explode(',', $roworder); + $newrowordertab = array(); foreach ($rowordertab as $value) { if (!empty($value)) { $newrowordertab[] = $value;