From f90b236e0f9d249e7a92e124b8ef31d7359c1470 Mon Sep 17 00:00:00 2001
From: "jove@bisquerra.com" <jove@bisquerra.com>
Date: Thu, 15 Oct 2020 23:44:13 +0200
Subject: [PATCH 1/3] Change the tag char for security reasons in 'Receipt
 Printer' module

---
 htdocs/admin/receiptprinter.php               |   4 +-
 htdocs/core/class/dolreceiptprinter.class.php | 114 +++++++++---------
 .../core/modules/modReceiptPrinter.class.php  |   2 +-
 3 files changed, 61 insertions(+), 59 deletions(-)

diff --git a/htdocs/admin/receiptprinter.php b/htdocs/admin/receiptprinter.php
index 350d4a3dc15..26bfd1ef1c8 100644
--- a/htdocs/admin/receiptprinter.php
+++ b/htdocs/admin/receiptprinter.php
@@ -43,7 +43,7 @@ $printername = GETPOST('printername', 'alpha');
 $printerid = GETPOST('printerid', 'int');
 $parameter = GETPOST('parameter', 'alpha');
 
-$template = GETPOST('template', 'alpha');
+$template = GETPOST('template', 'nohtml');
 $templatename = GETPOST('templatename', 'alpha');
 $templateid = GETPOST('templateid', 'int');
 
@@ -473,7 +473,7 @@ if ($mode == 'template' && $user->admin) {
 	$langs->loadLangs(array("bills", "companies"));
 	foreach ($printer->tags as $key => $val) {
 		print '<tr class="oddeven">';
-		print '<td>&lt;'.$key.'&gt;</td><td>'.$langs->trans($val).'</td>';
+		print '<td>{'.$key.'}</td><td>'.$langs->trans($val).'</td>';
 		print '</tr>';
 	}
 	print '</table>';
diff --git a/htdocs/core/class/dolreceiptprinter.class.php b/htdocs/core/class/dolreceiptprinter.class.php
index f8c33f9403a..6cab6580a5a 100644
--- a/htdocs/core/class/dolreceiptprinter.class.php
+++ b/htdocs/core/class/dolreceiptprinter.class.php
@@ -25,32 +25,32 @@
 /*
  * Tags for ticket template
  *
- * <dol_align_left>                                 Left align text
- * <dol_align_center>                               Center text
- * <dol_align_right>                                Right align text
- * <dol_use_font_a>                                 Use font A of printer
- * <dol_use_font_b>                                 Use font B of printer
- * <dol_use_font_c>                                 Use font C of printer
- * <dol_bold>                                       Text Bold
- * <dol_bold_disabled>                              Disable Text Bold
- * <dol_double_height>                              Text double height
- * <dol_double_width>                               Text double width
- * <dol_default_height_width>                       Text default height and width
- * <dol_underline>                                  Underline text
- * <dol_underline_disabled>                         Disable underline text
- * <dol_cut_paper_full>                             Cut ticket completely
- * <dol_cut_paper_partial>                          Cut ticket partially
- * <dol_open_drawer>                                Open cash drawer
- * <dol_beep>                                       Activate buzzer
- * <dol_print_barcode>                              Print barcode
- * <dol_print_logo>                                 Print logo stored on printer. Example : <print_logo>32|32
- * <dol_print_logo_old>                             Print logo stored on printer. Must be followed by logo code. For old printers.
- * <dol_print_object_lines>                         Print object lines
- * <dol_print_object_tax>                           Print object total tax
- * <dol_print_object_local_tax>                     Print object local tax
- * <dol_print_object_total>                         Print object total
- * <dol_print_order_lines>                          Print order lines for Printer
- * <dol_print_payment>                              Print payment method
+ * {dol_align_left}                                 Left align text
+ * {dol_align_center}                               Center text
+ * {dol_align_right}                                Right align text
+ * {dol_use_font_a}                                 Use font A of printer
+ * {dol_use_font_b}                                 Use font B of printer
+ * {dol_use_font_c}                                 Use font C of printer
+ * {dol_bold}                                       Text Bold
+ * {dol_bold_disabled}                              Disable Text Bold
+ * {dol_double_height}                              Text double height
+ * {dol_double_width}                               Text double width
+ * {dol_default_height_width}                       Text default height and width
+ * {dol_underline}                                  Underline text
+ * {dol_underline_disabled}                         Disable underline text
+ * {dol_cut_paper_full}                             Cut ticket completely
+ * {dol_cut_paper_partial}                          Cut ticket partially
+ * {dol_open_drawer}                                Open cash drawer
+ * {dol_beep}                                       Activate buzzer
+ * {dol_print_barcode}                              Print barcode
+ * {dol_print_logo}                                 Print logo stored on printer. Example : <print_logo>32|32
+ * {dol_print_logo_old}                             Print logo stored on printer. Must be followed by logo code. For old printers.
+ * {dol_print_object_lines}                         Print object lines
+ * {dol_print_object_tax}                           Print object total tax
+ * {dol_print_object_local_tax}                     Print object local tax
+ * {dol_print_object_total}                         Print object total
+ * {dol_print_order_lines}                          Print order lines for Printer
+ * {dol_print_payment}                              Print payment method
  *
  * Code which can be placed everywhere
  * <dol_value_date>                                 Replaced by date AAAA-MM-DD
@@ -569,45 +569,47 @@ class dolReceiptPrinter extends Printer
         $ret = $this->loadTemplate($templateid);
 
         // tags a remplacer par leur valeur avant de parser (dol_value_xxx)
-        $this->template = str_replace('<dol_value_object_id>', $object->id, $this->template);
-        $this->template = str_replace('<dol_value_object_ref>', $object->ref, $this->template);
+        $this->template = str_replace('{dol_value_object_id}', $object->id, $this->template);
+        $this->template = str_replace('{dol_value_object_ref}', $object->ref, $this->template);
         //$this->template = str_replace('<dol_value_object_points>', $object->points, $this->template);
-        $this->template = str_replace('<dol_value_date>', dol_print_date($object->date, 'day'), $this->template);
-        $this->template = str_replace('<dol_value_date_time>', dol_print_date($object->date, 'dayhour'), $this->template);
-        $this->template = str_replace('<dol_value_year>', dol_print_date($object->date, '%Y'), $this->template);
-        $this->template = str_replace('<dol_value_month_letters>', $langs->trans("Month".dol_print_date($object->date, '%m')), $this->template);
-        $this->template = str_replace('<dol_value_month>', dol_print_date($object->date, '%m'), $this->template);
-        $this->template = str_replace('<dol_value_day>', dol_print_date($object->date, '%d'), $this->template);
-        $this->template = str_replace('<dol_value_day_letters>', $langs->trans("Day".dol_print_date($object->date, '%m')[1]), $this->template);
+        $this->template = str_replace('{dol_value_date}', dol_print_date($object->date, 'day'), $this->template);
+        $this->template = str_replace('{dol_value_date_time}', dol_print_date($object->date, 'dayhour'), $this->template);
+        $this->template = str_replace('{dol_value_year}', dol_print_date($object->date, '%Y'), $this->template);
+        $this->template = str_replace('{dol_value_month_letters}', $langs->trans("Month".dol_print_date($object->date, '%m')), $this->template);
+        $this->template = str_replace('{dol_value_month}', dol_print_date($object->date, '%m'), $this->template);
+        $this->template = str_replace('{dol_value_day}', dol_print_date($object->date, '%d'), $this->template);
+        $this->template = str_replace('{dol_value_day_letters}', $langs->trans("Day".dol_print_date($object->date, '%m')[1]), $this->template);
 
-        $this->template = str_replace('<dol_value_customer_firstname>', $object->thirdparty->firstname, $this->template);
-        $this->template = str_replace('<dol_value_customer_lastname>', $object->thirdparty->lastname, $this->template);
-        $this->template = str_replace('<dol_value_customer_mail>', $object->thirdparty->email, $this->template);
-        $this->template = str_replace('<dol_value_customer_phone>', $object->thirdparty->phone, $this->template);
+        $this->template = str_replace('{dol_value_customer_firstname}', $object->thirdparty->firstname, $this->template);
+        $this->template = str_replace('{dol_value_customer_lastname}', $object->thirdparty->lastname, $this->template);
+        $this->template = str_replace('{dol_value_customer_mail}', $object->thirdparty->email, $this->template);
+        $this->template = str_replace('{dol_value_customer_phone}', $object->thirdparty->phone, $this->template);
         //$this->template = str_replace('<dol_value_customer_mobile>', $object->thirdparty->mobile, $this->template);
-        $this->template = str_replace('<dol_value_customer_tax_number>', $object->thirdparty->tva_intra, $this->template);
+        $this->template = str_replace('{dol_value_customer_tax_number}', $object->thirdparty->tva_intra, $this->template);
         //$this->template = str_replace('<dol_value_customer_account_balance>', $object->customer_account_balance, $this->template);
         //$this->template = str_replace('<dol_value_customer_points>', $object->customer_points, $this->template);
 
-        $this->template = str_replace('<dol_value_mysoc_name>', $mysoc->name, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_address>', $mysoc->address, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_zip>', $mysoc->zip, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_town>', $mysoc->town, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_country>', $mysoc->country, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_idprof1>', $mysoc->idprof1, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_idprof2>', $mysoc->idprof2, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_idprof3>', $mysoc->idprof3, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_idprof4>', $mysoc->idprof4, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_idprof5>', $mysoc->idprof5, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_idprof6>', $mysoc->idprof6, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_tva_intra>', $mysoc->tva_intra, $this->template);
-        $this->template = str_replace('<dol_value_mysoc_capital>', $mysoc->capital, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_name}', $mysoc->name, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_address}', $mysoc->address, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_zip}', $mysoc->zip, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_town}', $mysoc->town, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_country}', $mysoc->country, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_idprof1}', $mysoc->idprof1, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_idprof2}', $mysoc->idprof2, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_idprof3}', $mysoc->idprof3, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_idprof4}', $mysoc->idprof4, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_idprof5}', $mysoc->idprof5, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_idprof6}', $mysoc->idprof6, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_tva_intra}', $mysoc->tva_intra, $this->template);
+        $this->template = str_replace('{dol_value_mysoc_capital}', $mysoc->capital, $this->template);
 
-        $this->template = str_replace('<dol_value_vendor_firstname>', $user->firstname, $this->template);
-        $this->template = str_replace('<dol_value_vendor_lastname>', $user->lastname, $this->template);
-        $this->template = str_replace('<dol_value_vendor_mail>', $user->email, $this->template);
+        $this->template = str_replace('{dol_value_vendor_firstname}', $user->firstname, $this->template);
+        $this->template = str_replace('{dol_value_vendor_lastname}', $user->lastname, $this->template);
+        $this->template = str_replace('{dol_value_vendor_mail}', $user->email, $this->template);
 
         // parse template
+		$this->template = str_replace("{", "<", $this->template);
+		$this->template = str_replace("}", ">", $this->template);
         $p = xml_parser_create();
         xml_parse_into_struct($p, $this->template, $vals, $index);
         xml_parser_free($p);
diff --git a/htdocs/core/modules/modReceiptPrinter.class.php b/htdocs/core/modules/modReceiptPrinter.class.php
index 818c090dcc0..32124dc8f5b 100644
--- a/htdocs/core/modules/modReceiptPrinter.class.php
+++ b/htdocs/core/modules/modReceiptPrinter.class.php
@@ -136,7 +136,7 @@ class modReceiptPrinter extends DolibarrModules
         // Clean before activation
         $this->remove($options);
 
-        $templateexample = '<dol_align_center>\r\n<dol_print_text><dol_value_mysoc_name>\r\n<dol_print_text><dol_value_mysoc_address>\r\n<dol_print_text><dol_value_mysoc_zip><dol_value_mysoc_town>\r\n<dol_line_feed>\r\n<dol_print_text>Facture <dol_value_object_ref>\r\n<dol_line_feed>\r\n<dol_align_left>\r\n<dol_print_object_lines>\r\n<dol_line_feed>\r\n<dol_print_object_tax>\r\n<dol_line_feed>\r\n<dol_print_object_total>\r\n<dol_line_feed>\r\n<dol_cut_paper_full>';
+        $templateexample = '{dol_align_center}\r\n{dol_print_text}{dol_value_mysoc_name}\r\n{dol_print_text}{dol_value_mysoc_address}\r\n{dol_print_text}{dol_value_mysoc_zip}{dol_value_mysoc_town}\r\n{dol_line_feed}\r\n{dol_print_text}Facture {dol_value_object_ref}\r\n{dol_line_feed}\r\n{dol_align_left}\r\n{dol_print_object_lines}\r\n{dol_line_feed}\r\n{dol_print_object_tax}\r\n{dol_line_feed}\r\n{dol_print_object_total}\r\n{dol_line_feed}\r\n{dol_cut_paper_full}';
         $sql = array(
             "CREATE TABLE IF NOT EXISTS ".MAIN_DB_PREFIX."printer_receipt (rowid integer AUTO_INCREMENT PRIMARY KEY, name varchar(128), fk_type integer, fk_profile integer, parameter varchar(128), entity integer) ENGINE=innodb;",
             "CREATE TABLE IF NOT EXISTS ".MAIN_DB_PREFIX."printer_receipt_template (rowid integer AUTO_INCREMENT PRIMARY KEY, name varchar(128), template text, entity integer) ENGINE=innodb;",

From 67cf917f7b144e525df720b33e57ed77616d023a Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO <aspangaro.dolibarr@gmail.com>
Date: Fri, 16 Oct 2020 11:57:36 +0200
Subject: [PATCH 2/3] FIX Binding on expense report (Double rowid)

---
 htdocs/accountancy/expensereport/lines.php | 4 ++--
 htdocs/accountancy/expensereport/list.php  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php
index f99f1148044..a6cf6f2fc14 100644
--- a/htdocs/accountancy/expensereport/lines.php
+++ b/htdocs/accountancy/expensereport/lines.php
@@ -166,7 +166,7 @@ print '<script type="text/javascript">
 $sql = "SELECT er.ref, er.rowid as erid,";
 $sql .= " erd.rowid, erd.fk_c_type_fees, erd.comments, erd.total_ht, erd.fk_code_ventilation, erd.tva_tx, erd.vat_src_code, erd.date,";
 $sql .= " f.id as type_fees_id, f.code as type_fees_code, f.label as type_fees_label,";
-$sql .= " u.rowid, u.login, u.lastname, u.firstname, u.email, u.gender, u.employee, u.photo, u.statut,";
+$sql .= " u.rowid as userid, u.login, u.lastname, u.firstname, u.email, u.gender, u.employee, u.photo, u.statut,";
 $sql .= " aa.label, aa.labelshort, aa.account_number";
 $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport";
@@ -311,7 +311,7 @@ if ($result) {
 		$expensereportstatic->ref = $objp->ref;
 		$expensereportstatic->id = $objp->erid;
 
-		$userstatic->id = $objp->rowid;
+		$userstatic->id = $objp->userid;
 		$userstatic->ref = $objp->label;
 		$userstatic->login = $objp->login;
 		$userstatic->statut = $objp->statut;
diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php
index c2fb21a911b..2ee3044895a 100644
--- a/htdocs/accountancy/expensereport/list.php
+++ b/htdocs/accountancy/expensereport/list.php
@@ -190,7 +190,7 @@ if (empty($chartaccountcode))
 $sql = "SELECT er.ref, er.rowid as erid, er.date_debut, er.date_valid,";
 $sql .= " erd.rowid, erd.fk_c_type_fees, erd.comments, erd.total_ht as price, erd.fk_code_ventilation, erd.tva_tx as tva_tx_line, erd.vat_src_code, erd.date,";
 $sql .= " f.id as type_fees_id, f.code as type_fees_code, f.label as type_fees_label, f.accountancy_code as code_buy,";
-$sql .= " u.rowid, u.login, u.lastname, u.firstname, u.email, u.gender, u.employee, u.photo, u.statut,";
+$sql .= " u.rowid as userid, u.login, u.lastname, u.firstname, u.email, u.gender, u.employee, u.photo, u.statut,";
 $sql .= " aa.rowid as aarowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport";
@@ -356,7 +356,7 @@ if ($result) {
 		$expensereport_static->ref = $objp->ref;
 		$expensereport_static->id = $objp->erid;
 
-		$userstatic->id = $objp->rowid;
+		$userstatic->id = $objp->userid;
 		$userstatic->ref = $objp->label;
 		$userstatic->login = $objp->login;
 		$userstatic->statut = $objp->statut;

From 6ea9befb4836ffa1abf627588e2981e90867db3a Mon Sep 17 00:00:00 2001
From: Drosis Nikos <ndrosis@technicks.gr>
Date: Fri, 16 Oct 2020 15:20:12 +0300
Subject: [PATCH 3/3] Add & Update tva for Greece

---
 htdocs/install/mysql/data/llx_c_tva.sql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/htdocs/install/mysql/data/llx_c_tva.sql b/htdocs/install/mysql/data/llx_c_tva.sql
index 831097ebf48..19c6070eb2a 100644
--- a/htdocs/install/mysql/data/llx_c_tva.sql
+++ b/htdocs/install/mysql/data/llx_c_tva.sql
@@ -123,10 +123,11 @@ insert into llx_c_tva(rowid,fk_pays,taux,recuperableonly,note,active) values ( 5
 insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1021, 102,   0, 0, '0', 0, '0', 0, 'Μηδενικό Φ.Π.Α.', 1);
 insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1022, 102,  24, 0, '0', 0, '0', 0, 'Κανονικός Φ.Π.Α.', 1);
 insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1023, 102,  13, 0, '0', 0, '0', 0, 'Μειωμένος Φ.Π.Α.', 1);
-insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1024, 102, 6.5, 0, '0', 0, '0', 0, 'Υπερμειωμένος Φ.Π.Α.', 1);
+insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1024, 102,   6, 0, '0', 0, '0', 0, 'Υπερμειωμένος Φ.Π.Α.', 1);
 insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1025, 102,  16, 0, '0', 0, '0', 0, 'Νήσων κανονικός Φ.Π.Α.', 1);
 insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1026, 102,   9, 0, '0', 0, '0', 0, 'Νήσων μειωμένος Φ.Π.Α.', 1);
-insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1027, 102,   5, 0, '0', 0, '0', 0, 'Νήσων υπερμειωμένος Φ.Π.Α.', 1);
+insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1027, 102,   4, 0, '0', 0, '0', 0, 'Νήσων υπερμειωμένος Φ.Π.Α.', 1);
+insert into llx_c_tva(rowid,fk_pays,taux,localtax1,localtax1_type,localtax2,localtax2_type,recuperableonly,note,active) values (1028, 102,  17, 0, '0', 0, '0', 0, 'Νήσων υπερμειωμένος Φ.Π.Α.', 1);
 
 -- ICELAND (id country=116)
 insert into llx_c_tva(rowid,fk_pays,taux,recuperableonly,note,active) values (1161, 116,   '0','0','VAT rate 0',1);