diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php
index 356caa24ec2..6cb40825ee7 100644
--- a/htdocs/api/class/api.class.php
+++ b/htdocs/api/class/api.class.php
@@ -73,22 +73,24 @@ class DolibarrApi
 	}
 
 	/**
-	 * Executed method when API is called without parameter
+	 * Check and convert a string depending on its type/name.
 	 *
 	 * Display a short message an return a http code 200
 	 *
-	 * @return array
+	 * @param string $field Field name
+	 * @param string $value Value to check/clean
+	 * @param stdClass $object Object
+	 * @return string Value cleaned
 	 */
-	/* Disabled, most APIs does not share same signature for method index
-	function index()
+	protected function checkValForAPI($field, $value, $object)
 	{
-		return array(
-			'success' => array(
-				'code' => 200,
-				'message' => __class__.' is up and running!'
-			)
-		);
-	}*/
+		// TODO Use type detected in $object->fields
+		if (in_array($field, array('note', 'note_private', 'note_public', 'desc', 'description'))) {
+			return checkVal($value, 'restricthtml');
+		} else {
+			return checkVal($value, 'alphanohtml');
+		}
+	}
 
 	// phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
 	/**
diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php
index 5d57b9624e3..75b9ae355e8 100644
--- a/htdocs/comm/action/class/api_agendaevents.class.php
+++ b/htdocs/comm/action/class/api_agendaevents.class.php
@@ -217,7 +217,7 @@ class AgendaEvents extends DolibarrApi
 		$result = $this->_validate($request_data);
 
 		foreach ($request_data as $field => $value) {
-			$this->actioncomm->$field = $value;
+			$this->actioncomm->$field = $this->checkValForAPI($field, $value, $this->actioncomm);
 		}
 		/*if (isset($request_data["lines"])) {
 		  $lines = array();
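Review bot: The docblock of the new `checkValForAPI` still carries the line `Display a short message an return a http code 200`, which belonged to the removed `index()` stub and now misdescribes the method; replace it with something like ` * Fields named like notes/descriptions keep restricted HTML, every other field is reduced with 'alphanohtml'.` The field-name whitelist is the only thing deciding between the two `checkVal` modes, so HTML-bearing fields under other names fall into `alphanohtml`, which is worth stating on the `@param string $field` line since `$object` (and the `TODO` on `$object->fields`) is accepted but unused. The `in_array` should also be strict: `if (in_array($field, array('note', 'note_private', 'note_public', 'desc', 'description'), true)) {`.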
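Review bot: The new assignment hands every member of `$request_data` to `checkValForAPI`, whose contract is `@param string $value`, but nothing here enforces that; a non-string member such as an `array_options` map or a `lines` array (the commented-out block just below shows such payloads were anticipated) would reach `checkVal` as an array, which, if `checkVal` is string-only, would now fail or yield an empty value where the old plain assignment kept it. Consider deciding this explicitly before the call, e.g. `if (is_array($value)) { throw new RestException(400, "Unexpected array value for field ".$field); }` or sanitising array members individually, rather than relying on whatever `checkVal` does with arrays. The same applies to the update hunk at `@@ -268` and to the create/update hunks in `api_bankaccounts.class.php` (`@@ -158`, `@@ -333`) and `api_mymodule.class.php` (`@@ -213`, `@@ -255`). The enclosing method continues outside the hunk.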
@@ -226,6 +226,7 @@ class AgendaEvents extends DolibarrApi
 			}
 			$this->expensereport->lines = $lines;
 		}*/
+
 		if ($this->actioncomm->create(DolibarrApiAccess::$user) < 0) {
 			throw new RestException(500, "Error creating event", array_merge(array($this->actioncomm->error), $this->actioncomm->errors));
 		}
@@ -268,7 +269,8 @@ class AgendaEvents extends DolibarrApi
 			if ($field == 'id') {
 				continue;
 			}
-			$this->actioncomm->$field = $value;
+
+			$this->actioncomm->$field = $this->checkValForAPI($field, $value, $this->actioncomm);
 		}
 
 		if ($this->actioncomm->update(DolibarrApiAccess::$user, 1) > 0) {
@@ -299,7 +301,7 @@ class AgendaEvents extends DolibarrApi
 		}
 
 		if (!DolibarrApiAccess::$user->rights->agenda->allactions->delete && DolibarrApiAccess::$user->id != $this->actioncomm->userownerid) {
-			throw new RestException(401, "Insufficient rights to delete an Agenda Event of owner id ".$request_data['userownerid'].' Your id is '.DolibarrApiAccess::$user->id);
+			throw new RestException(401, "Insufficient rights to delete an Agenda Event of owner id ".$this->actioncomm->userownerid.' Your id is '.DolibarrApiAccess::$user->id);
 		}
 
 		if (!$result) {
diff --git a/htdocs/compta/bank/class/api_bankaccounts.class.php b/htdocs/compta/bank/class/api_bankaccounts.class.php
index 8cdd33425d6..4afeac70124 100644
--- a/htdocs/compta/bank/class/api_bankaccounts.class.php
+++ b/htdocs/compta/bank/class/api_bankaccounts.class.php
@@ -29,7 +29,6 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
  */
 class BankAccounts extends DolibarrApi
 {
-
 	/**
 	 * array $FIELDS Mandatory fields, checked when creating an object
 	 */
@@ -158,7 +157,7 @@ class BankAccounts extends DolibarrApi
 		$account = new Account($this->db);
 
 		foreach ($request_data as $field => $value) {
-			$account->$field = $value;
+			$account->$field = $this->checkValForAPI($field, $value, $account);
 		}
 		// Date of the initial balance (required to create an account).
 		$account->date_solde = time();
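Review bot: The rewritten message now reads the owner from the loaded `$this->actioncomm` instead of the request payload, which is the correct source, but the status code is still 401 for a caller who is authenticated and merely lacks `agenda->allactions->delete`; 403 is the conventional code for an authorisation failure and lets clients tell it apart from a missing or invalid API key, so `throw new RestException(403, ...)` unless the rest of this API deliberately uses 401 for permission errors. The message also echoes both the owner id and the caller's id back to the client, which is more detail than a denial needs. The enclosing delete method continues outside the hunk.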
@@ -333,7 +332,7 @@ class BankAccounts extends DolibarrApi
 			if ($field == 'id') {
 				continue;
 			}
-			$account->$field = $value;
+			$account->$field = $this->checkValForAPI($field, $value, $account);
 		}
 
 		if ($account->update(DolibarrApiAccess::$user) > 0) {
diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php
index 47a3ac984f9..e4b5fcca219 100644
--- a/htdocs/modulebuilder/template/class/api_mymodule.class.php
+++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php
@@ -213,7 +213,7 @@ class MyModuleApi extends DolibarrApi
 		$result = $this->_validate($request_data);
 
 		foreach ($request_data as $field => $value) {
-			$this->myobject->$field = $value;
+			$this->myobject->$field = $this->checkValForAPI($field, $value, $this->myobject);
 		}
 
 		// Clean data
@@ -255,7 +255,7 @@ class MyModuleApi extends DolibarrApi
 			if ($field == 'id') {
 				continue;
 			}
-			$this->myobject->$field = $value;
+			$this->myobject->$field = $this->checkValForAPI($field, $value, $this->myobject);
 		}
 
 		// Clean data