diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index 62d0d444c3e..0c7f3ac73aa 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -1810,7 +1810,7 @@ class Contact extends CommonObject
 $this->db->begin();
- $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_contacts WHERE fk_socpeople=".$this->id." AND entity IN (".getEntity("societe_contact").")";
+ $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_contacts WHERE fk_socpeople=".((int) $this->id)." AND entity IN (".getEntity("societe_contact").")";
 $result = $this->db->query($sql);
 if (!$result) {
diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index b7cfd103bf5..19555adf3fb 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -459,8 +459,8 @@ class Conf
 $this->service->dir_temp = $rootfortemp."/produit/temp";
 // Module productbatch
- $this->productbatch->multidir_output = array($this->entity => $rootfordata."/produitlot");
- $this->productbatch->multidir_temp = array($this->entity => $rootfortemp."/produitlot/temp");
+ $this->productbatch->multidir_output = array($this->entity => $rootfordata."/productlot");
+ $this->productbatch->multidir_temp = array($this->entity => $rootfortemp."/productlot/temp");
 // Module contrat
 $this->contrat->multidir_output = array($this->entity => $rootfordata."/contract");
diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php
index 4898e8d5872..8abb9aef576 100644
--- a/htdocs/core/class/html.formmail.class.php
+++ b/htdocs/core/class/html.formmail.class.php
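Review bot: Renaming the productbatch document root from `produitlot` to `productlot` moves where `multidir_output` and `multidir_temp` point on every existing installation, so lot documents already stored under `$rootfordata."/produitlot"` are no longer found by the lot card and document pages, and nothing in this diff renames the directory or falls back to the old path. Add a migration step that renames the old directory, or a fallback that reads from `produitlot` when `productlot` does not exist, and mention the change in the upgrade notes. The enclosing method of `Conf` starts before the hunk.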
@@ -488,7 +488,7 @@ class FormMail extends Form // Zone to select email template if (count($modelmail_array) > 0) { - $model_mail_selected_id = GETPOSTISSET('modelmailselected') ? GETPOST('modelmailselected', 'int') : ($arraydefaultmessage->id > 0 ? $arraydefaultmessage->id : 0); + $model_mail_selected_id = GETPOSTISSET('modelmailselected') ? GETPOST('modelmailselected', 'int') : ($arraydefaultmessage->id > 0 ? $arraydefaultmessage->id : 0); // If list of template is filled $out .= '
'."\n";
diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php
index f9605619567..83646ab4f5e 100644
--- a/htdocs/core/js/lib_head.js.php
+++ b/htdocs/core/js/lib_head.js.php
@@ -537,9 +537,9 @@ function hideMessage(fieldId,message) {
 * Used by button to set on/off.
 * Call url then make complementary action (like show/hide, enable/disable or set another option).
 *
- * @param string url Url
+ * @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token)
 * @param string code Code
- * @param string intput Input
+ * @param string intput Array of complementary actions to do if success
 * @param int entity Entity
 * @param int strict Strict
 * @param int forcereload Force reload
@@ -553,7 +553,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
 entity: entity,
 token: token
 },
- function() {
+ function() { /* handler for success of post */
 console.log("url request success forcereload="+forcereload);
 $("#set_" + code).hide();
 $("#del_" + code).show();
@@ -611,9 +611,9 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
 * Used by button to set on/off
 * Call url then make complementary action (like show/hide, enable/disable or set another option).
 *
- * @param string url Url
+ * @param string url Url (warning: as any url called in ajax mode, the url called here must not renew the token)
 * @param string code Code
- * @param string intput Input
+ * @param string intput Array of complementary actions to do if success
 * @param int entity Entity
 * @param int strict Strict
 * @param int forcereload Force reload
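Review bot: The parameter documented as `intput` in the setConstant docblock is named `input` in the signature shown in the @@ -553 hunk header, and the rewritten description now calls it an array of actions while the declared type stays `string`, so the line still cannot be matched to the call. Change it to `* @param array input Array of complementary actions to do if success`. The same line is repeated in the delConstant docblock (@@ -611) and in the confirmation-wrapper docblock at @@ -678, and should be fixed in all three. Each docblock is opened before its hunk starts.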
@@ -678,12 +678,13 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke
 }
 /*
- * Used by button to set on/off
+ * Call the setConstant or delConstant but with a confirmation before.
+ * Used by button to set on/off.
 *
 * @param string action Action
 * @param string url Url
 * @param string code Code
- * @param string intput Input
+ * @param string intput Array of complementary actions to do if success
 * @param string box Box
 * @param int entity Entity
 * @param int yesButton yesButton
diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php
index 6262c9cc159..658d7816001 100644
--- a/htdocs/core/lib/ajax.lib.php
+++ b/htdocs/core/lib/ajax.lib.php
@@ -535,13 +535,13 @@ function ajax_combobox($htmlname, $events = array(), $minLengthToAutocomplete =
 * On/off button for constant
 *
 * @param string $code Name of constant
- * @param array $input Array of options. ("disabled"|"enabled'|'set'|'del') => CSS element to switch, 'alert' => message to show, ... Example: array('disabled'=>array(0=>'cssid'))
- * @param int $entity Entity to set. Use current entity if null.
+ * @param array $input Array of complementary actions to do if success ("disabled"|"enabled'|'set'|'del') => CSS element to switch, 'alert' => message to show, ... Example: array('disabled'=>array(0=>'cssid'))
+ * @param int $entity Entity. Current entity is used if null.
 * @param int $revertonoff Revert on/off
 * @param int $strict Use only "disabled" with delConstant and "enabled" with setConstant
 * @param int $forcereload Force to reload page if we click/change value (this is supported only when there is no 'alert' option in input)
 * @param string $marginleftonlyshort 1 = Add a short left margin on picto, 2 = Add a larger left margin on picto, 0 = No left margin. Works for fontawesome picto only.
- * @param int $forcenoajax 1=Force to use a ahref link instead of ajax code.
+ * @param int $forcenoajax 1 = Force to use a ahref link instead of ajax code.
 * @return string
 */
 function ajax_constantonoff($code, $input = array(), $entity = null, $revertonoff = 0, $strict = 0, $forcereload = 0, $marginleftonlyshort = 2, $forcenoajax = 0)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index bd4df8ffa5c..e4f04bde0a2 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
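Review bot: The rewritten `$entity` line still documents a non-nullable `int` while the text says null selects the current entity and the signature below defaults it to `null`; write `* @param int|null $entity Entity. Current entity is used if null.` so static analysis and readers see the accepted shape. The `$input` line now describes the value as actions to run, but the example still shows a CSS-id array keyed by state, so keeping both in one sentence is fine as long as the `'alert'` value is noted as a string rather than a list. The body of ajax_constantonoff is outside the hunk.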
@@ -6164,6 +6164,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $allowed_tags_string = join("><", $allowed_tags); $allowed_tags_string = '<'.$allowed_tags_string.'>'; + $stringtoclean = str_replace('', '__!DOCTYPE_HTML__', $stringtoclean); // Replace DOCTYPE to avoid to have it removed by the strip_tags + $stringtoclean = dol_string_nounprintableascii($stringtoclean, 0); $stringtoclean = preg_replace('/:/i', ':', $stringtoclean); @@ -6186,6 +6188,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $temp = preg_replace('/javascript\s*:/i', '', $temp); } + $temp = str_replace('__!DOCTYPE_HTML__', '', $temp); // Restore the DOCTYPE + return $temp; } diff --git a/htdocs/core/lib/product.lib.php b/htdocs/core/lib/product.lib.php index 52db9f88e24..d5d52761140 100644 --- a/htdocs/core/lib/product.lib.php +++ b/htdocs/core/lib/product.lib.php @@ -376,7 +376,7 @@ function show_stats_for_company($product, $socid) } $langs->load("propal"); print ''; - print ''.img_object('', 'propal').' '.$langs->trans("Proposals").''; + print ''.img_object('', 'propal', 'class="paddingright"').$langs->trans("Proposals").''; print ''; print $product->stats_propale['customers']; print ''; @@ -393,9 +393,9 @@ function show_stats_for_company($product, $socid) if ($ret < 0) { dol_print_error($db); } - $langs->load("propal"); + $langs->load("supplier_proposal"); print ''; - print ''.img_object('', 'supplier_proposal').' '.$langs->trans("SupplierProposals").''; + print ''.img_object('', 'supplier_proposal', 'class="paddingright"').$langs->trans("SupplierProposals").''; print ''; print $product->stats_proposal_supplier['suppliers']; print ''; 
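Review bot: As rendered here, the str_replace() added to `dol_string_onlythesehtmltags` searches for the empty string `''`, which PHP treats as a no-op, so the `__!DOCTYPE_HTML__` placeholder is never inserted and the restore in the @@ -6186 hunk has nothing to undo; the DOCTYPE literal was presumably lost in rendering, so confirm the committed needle is the exact declaration the new SecurityTest fixture sends and decide whether case variants of the declaration should also be preserved or are meant to be stripped. The restore is also unconditional, so any caller-supplied text that already contains the literal `__!DOCTYPE_HTML__` is rewritten into a DOCTYPE declaration on output. Remember whether the swap actually matched, e.g. `$hasdoctype = ($replaced !== $stringtoclean);` right after the first str_replace, and only run the restoring str_replace when that flag is true, so the function never emits markup the caller did not pass in. The strip_tags call the comment refers to, and the rest of the function, are outside the hunks.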
@@ -414,7 +414,7 @@ function show_stats_for_company($product, $socid) } $langs->load("orders"); print ''; - print ''.img_object('', 'order').' '.$langs->trans("CustomersOrders").''; + print ''.img_object('', 'order', 'class="paddingright"').$langs->trans("CustomersOrders").''; print ''; print $product->stats_commande['customers']; print ''; @@ -433,7 +433,7 @@ function show_stats_for_company($product, $socid) } $langs->load("orders"); print ''; - print ''.img_object('', 'supplier_order').' '.$langs->trans("SuppliersOrders").''; + print ''.img_object('', 'supplier_order', 'class="paddingright"').$langs->trans("SuppliersOrders").''; print ''; print $product->stats_commande_fournisseur['suppliers']; print ''; @@ -471,7 +471,7 @@ function show_stats_for_company($product, $socid) } $langs->load("bills"); print ''; - print ''.img_object('', 'supplier_invoice').' '.$langs->trans("SuppliersInvoices").''; + print ''.img_object('', 'supplier_invoice', 'class="paddingright"').$langs->trans("SuppliersInvoices").''; print ''; print $product->stats_facture_fournisseur['suppliers']; print ''; @@ -491,7 +491,7 @@ function show_stats_for_company($product, $socid) } $langs->load("contracts"); print ''; - print ''.img_object('', 'contract').' '.$langs->trans("Contracts").''; + print ''.img_object('', 'contract', 'class="paddingright"').$langs->trans("Contracts").''; print ''; print $product->stats_contrat['customers']; print ''; 
@@ -512,15 +512,15 @@ function show_stats_for_company($product, $socid) $langs->load("mrp"); print ''; - print ''.img_object('', 'mrp').' '.$langs->trans("BOM").''; + print ''.img_object('', 'bom', 'class="paddingright"').$langs->trans("BOM").''; print ''; print ''; - print $form->textwithpicto($product->stats_bom['nb_toproduce'], $langs->trans("QtyToProduce")); - print $form->textwithpicto($product->stats_bom['nb_toconsume'], $langs->trans("ToConsume")); + print $form->textwithpicto($product->stats_bom['nb_toconsume'], $langs->trans("RowMaterial")); + print $form->textwithpicto($product->stats_bom['nb_toproduce'], $langs->trans("Finished")); print ''; - print $form->textwithpicto($product->stats_bom['qty_toproduce'], $langs->trans("QtyToProduce")); - print $form->textwithpicto($product->stats_bom['qty_toconsume'], $langs->trans("ToConsume")); + print $form->textwithpicto($product->stats_bom['qty_toconsume'], $langs->trans("RowMaterial")); + print $form->textwithpicto($product->stats_bom['qty_toproduce'], $langs->trans("Finished")); print ''; print ''; } @@ -534,7 +534,7 @@ function show_stats_for_company($product, $socid) } $langs->load("mrp"); print ''; - print ''.img_object('', 'mrp').' '.$langs->trans("MO").''; + print ''.img_object('', 'mrp', 'class="paddingright"').$langs->trans("MO").''; print ''; print $form->textwithpicto($product->stats_mo['customers_toconsume'], $langs->trans("ToConsume")); print $form->textwithpicto($product->stats_mo['customers_consumed'], $langs->trans("QtyAlreadyConsumed")); diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 9a71faa5665..a8adff1c1aa 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php 
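Review bot: The new BOM column labels use the translation key `RowMaterial`; if the intended wording is "raw material" the key is misspelled, and whichever spelling is kept must exist in the `mrp` language file loaded just above, otherwise the page prints the bare key. The same key is introduced in bom.php (@@ -244) in this diff, so both call sites and the lang file need to agree. The picto name passed to img_object also changes from `mrp` to `bom` here while the MO row at @@ -534 keeps `mrp`; confirm `bom` is a registered picto. show_stats_for_company starts before the hunk and continues after it.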
@@ -2464,7 +2464,7 @@ class Product extends CommonObject
 $this->stats_bom['qty_toconsume'] = 0;
 $sql = "SELECT COUNT(DISTINCT b.rowid) as nb_toproduce,";
- $sql .= " b.qty as qty_toproduce";
+ $sql .= " SUM(b.qty) as qty_toproduce";
 $sql .= " FROM ".MAIN_DB_PREFIX."bom_bom as b";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."bom_bomline as bl ON bl.fk_bom=b.rowid";
 $sql .= " WHERE ";
diff --git a/htdocs/product/stats/bom.php b/htdocs/product/stats/bom.php
index 1582646cd8a..d1254a65b1e 100644
--- a/htdocs/product/stats/bom.php
+++ b/htdocs/product/stats/bom.php
@@ -244,8 +244,8 @@ if ($id > 0 || !empty($ref))
 print '';
 print_liste_field_titre("Ref", $_SERVER["PHP_SELF"], "b.rowid", "", "&id=".$product->id, '', $sortfield, $sortorder);
 print_liste_field_titre("Date", $_SERVER["PHP_SELF"], "b.date_valid", "", "&id=".$product->id, 'align="center"', $sortfield, $sortorder);
- print_liste_field_titre("ToConsume", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
- print_liste_field_titre("QtyToProduce", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
+ print_liste_field_titre("RowMaterial", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
+ print_liste_field_titre("Finished", $_SERVER["PHP_SELF"], "", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
 print_liste_field_titre("Status", $_SERVER["PHP_SELF"], "b.status", "", "&id=".$product->id, '', $sortfield, $sortorder, 'center ');
 print "\n";
diff --git a/htdocs/product/stock/productlot_card.php b/htdocs/product/stock/productlot_card.php
index 0fd29543c6c..752b84a9ec0 100644
--- a/htdocs/product/stock/productlot_card.php
+++ b/htdocs/product/stock/productlot_card.php
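Review bot: `SUM(b.qty)` is evaluated over the INNER JOIN to `bom_bomline`, so a BOM with several lines that satisfy the WHERE clause contributes its qty once per matching line, while the adjacent `COUNT(DISTINCT b.rowid)` counts that BOM once; the two columns then disagree. The WHERE clause and any GROUP BY are outside the hunk, so whether more than one line per BOM can match cannot be confirmed from here. If it can, aggregate over distinct BOMs instead, e.g. select `b.rowid, b.qty` joined to the lines in a subquery that is deduplicated on `b.rowid`, then take `COUNT(*)` and `SUM(qty)` over that result. The enclosing method of `Product` starts before the hunk.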
@@ -352,7 +352,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print dol_get_fiche_head($head, 'card', $langs->trans("Batch"), -1, $object->picto); $formconfirm = ''; - + // Confirmation to delete if ($action == 'delete') { $formconfirm = $form->formconfirm($_SERVER["PHP_SELF"].'?id='.$object->id, $langs->trans('DeleteBatch'), $langs->trans('ConfirmDeleteBatch'), 'confirm_delete', '', 0, 1); @@ -366,10 +366,10 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea } elseif ($reshook > 0) { $formconfirm = $hookmanager->resPrint; } - + // Print form confirm print $formconfirm; - + // Object card // ------------------------------------------------------------ $linkback = ''.$langs->trans("BackToList").''; @@ -378,7 +378,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea if ($user->socid && !in_array('batch', explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL))) $shownav = 0; $morehtmlref = ''; - + dol_banner_tab($object, 'id', $linkback, $shownav, 'rowid', 'batch', $morehtmlref); print '
'; @@ -420,17 +420,17 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea print '
'; print '
'; - + print dol_get_fiche_end(); // Link to other lists print ''.$langs->trans("ShowCurrentStockOfLot").'
'; print '
'; print ''.$langs->trans("ShowLogOfMovementIfLot").'
'; - + print '
'; - - + + // Buttons for actions if ($action != 'presend' && $action != 'editline') { print '
'."\n"; @@ -443,17 +443,17 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea { print ''."\n"; } - + if ($user->rights->stock->supprimer) { print ''."\n"; } */ } - + print '
'."\n"; } - + } @@ -467,12 +467,12 @@ if ($action != 'presend') { print ''; // ancre $includedocgeneration = 1; - + // Documents if ($includedocgeneration) { $objref = dol_sanitizeFileName($object->ref); $relativepath = $objref.'/'.$objref.'.pdf'; - $filedir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 0, $object, 'product_batch').dol_sanitizeFileName($object->ref); + $filedir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 1, $object, 'product_batch'); $urlsource = $_SERVER["PHP_SELF"]."?id=".$object->id; $genallowed = $usercanread; // If you can read, you can build the PDF to read content $delallowed = $usercancreate; // If you can create/edit, you can remove a file on card @@ -480,12 +480,12 @@ if ($action != 'presend') { } print '
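Review bot: The new `$filedir` line drops the explicit `dol_sanitizeFileName($object->ref)` suffix and relies on `get_exdir(0, 0, 0, 1, $object, 'product_batch')` to append the ref; for a lot the ref is the batch number, which is user-entered (productlot_document.php in this same diff sets `$object->ref = $object->batch`), so the path is only safe if get_exdir itself runs the ref through dol_sanitizeFileName when its fourth argument is 1. get_exdir is not part of this diff, so that cannot be confirmed here; verify it, or keep the sanitized suffix explicit so separators or `..` in a batch name never reach the filesystem path. The identical replacement is made in productlot_document.php (@@ -79). The surrounding `if ($action != 'presend')` block starts before the hunk.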
'; - + $MAXEVENT = 10; - + include_once DOL_DOCUMENT_ROOT.'/core/class/html.formactions.class.php'; $formactions = new FormActions($db); - $somethingshown = $formactions->showactions($object, 'productlot', $socid, 1, '', $MAXEVENT); + $somethingshown = $formactions->showactions($object, 'productlot', 0, 1, '', $MAXEVENT); print '
'; } diff --git a/htdocs/product/stock/productlot_document.php b/htdocs/product/stock/productlot_document.php index c9b98a1ffe4..db3e5aebe14 100644 --- a/htdocs/product/stock/productlot_document.php +++ b/htdocs/product/stock/productlot_document.php @@ -26,7 +26,7 @@ /** * \file htdocs/product/stock/productlot_document.php * \ingroup product - * \brief Page des documents joints sur les lots produits + * \brief Page of attached documents for porudct lots */ require '../../main.inc.php'; @@ -79,7 +79,7 @@ if ($id || $ref) $object->fetch($id, $productid, $batch); $object->ref = $object->batch; // For document management ( it use $object->ref) - if (!empty($conf->productbatch->enabled)) $upload_dir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 0, $object, $modulepart).dol_sanitizeFileName($object->ref); + if (!empty($conf->productbatch->enabled)) $upload_dir = $conf->productbatch->multidir_output[$object->entity].'/'.get_exdir(0, 0, 0, 1, $object, $modulepart); } diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php index 0c6db4a4a2d..1a276c75f5f 100644 --- a/htdocs/ticket/list.php +++ b/htdocs/ticket/list.php @@ -352,7 +352,7 @@ foreach ($search as $key => $val) if (count($newarrayofstatus)) $sql .= natural_search($key, join(',', $newarrayofstatus), 2); continue; } - if ($key == 'fk_user_assign' || $key == 'fk_user_create') + if ($key == 'fk_user_assign' || $key == 'fk_user_create' || $key == 'fk_project') { if ($search[$key] > 0) $sql .= natural_search($key, $search[$key], 2); continue; 
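Review bot: The new `\brief` line in the productlot_document.php @@ -26 hunk misspells the word product: `* \brief Page of attached documents for product lots`. The @@ -79 hunk of the same file builds `$upload_dir` from `get_exdir(0, 0, 0, 1, $object, $modulepart)` with the explicit `dol_sanitizeFileName($object->ref)` removed, while `$object->ref` is set from `$object->batch` two lines above, so the same sanitisation check raised for productlot_card.php applies here. Both hunks sit inside an `if ($id || $ref)` block that starts before them.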
@@ -362,7 +362,7 @@ foreach ($search as $key => $val)
 }
 if ($search_all) $sql .= natural_search(array_keys($fieldstosearchall), $search_all);
 if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
-if ($search_fk_project) $sql .= natural_search('fk_project', $search_fk_project, 2);
+//if ($search_fk_project) $sql .= natural_search('fk_project', $search_fk_project, 2);
 if ($search_date_start) $sql .= " AND t.datec >= '".$db->idate($search_date_start)."'";
 if ($search_date_end) $sql .= " AND t.datec <= '".$db->idate($search_date_end)."'";
 if ($search_dateread_start) $sql .= " AND t.date_read >= '".$db->idate($search_dateread_start)."'";
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 6b157d2dcab..9b1378f204b 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -315,6 +315,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 $_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
 $_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
 $_POST["param11"]=' Name ';
+ $_POST["param12"]='aaa';
 $result=GETPOST('id', 'int'); // Must return nothing
 print __METHOD__." result=".$result."\n";
@@ -412,8 +413,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 print __METHOD__." result=".$result."\n";
 $this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
- return $result;
- }
+ $result=GETPOST("param12", 'restricthtml');
+ print __METHOD__." result=".$result."\n";
+ $this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
+
+ return $result;
+ }
 /**
 * testCheckLoginPassEntity
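Review bot: The replaced project filter is kept as dead code, `//if ($search_fk_project) $sql .= natural_search('fk_project', $search_fk_project, 2);`; delete the line rather than leaving a commented-out filter beside the live query builder. The replacement in the @@ -352 hunk only adds the condition when `$search['fk_project'] > 0`, so it depends on the request value now being read into `$search['fk_project']` instead of the old `$search_fk_project`; that read is outside both hunks, and if it was not moved the project filter is silently dropped. The `foreach ($search ...)` loop closes on the first line of this hunk and starts before it.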
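Review bot: As rendered, the new fixture is `$_POST["param12"]='aaa';`, a plain string with no DOCTYPE, so the assertion labelled 'Test a string with DOCTYPE and restricthtml' would pass without exercising the placeholder logic added to dol_string_onlythesehtmltags; the declaration was presumably stripped in rendering, so confirm the committed fixture really starts with the DOCTYPE the sanitizer now looks for. Add a second fixture whose value contains the literal `__!DOCTYPE_HTML__` marker and assert it comes back unchanged, so the placeholder round-trip is pinned as not rewriting caller-supplied text. The `-`/`+` pair on `return $result; }` appears to be an indentation-only change.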