diff --git a/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php b/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php
index 521a24f490d..de6210ba531 100644
--- a/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php
+++ b/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php
@@ -206,7 +206,7 @@ class PrestaShopWebservice
 */
 public function printDebug($title, $content)
 {
- echo '
'.$title.'
'.htmlentities($content).'
';
+ echo '
'.dol_escape_htmltag($title).'
'.dol_escape_htmltag($content).'
';
 }
 /**
diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php
index 67c6914f1cf..62b91ad55b3 100644
--- a/htdocs/admin/security_file.php
+++ b/htdocs/admin/security_file.php
@@ -128,7 +128,7 @@ if (isset($max)) {
 }
 print '';
 print '';
-print ' '.$langs->trans("Kb");
+print ' '.$langs->trans("Kb");
 print '';
 print '';
@@ -138,7 +138,7 @@ print ''.$langs->trans("UMask").'';
 print $form->textwithpicto('', $langs->trans("UMaskExplanation"));
 print '';
 print '';
-print '';
+print '';
 print '';
 print '';
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php
index a3d54e2a132..8b446b1eb1b 100644
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -165,7 +165,7 @@ if (ini_get("session.gc_probability") == 0) {
 }
 print '';
 print '';
-print ' '.strtolower($langs->trans("Seconds"));
+print ' '.strtolower($langs->trans("Seconds"));
 print '';
 print '';
@@ -177,7 +177,7 @@ print '';
 print ''.$langs->trans("MAIN_APPLICATION_TITLE").'';
 print '';
 print '';
-print ' ';
+print ' ';
 print '';
 print '';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 13490de9886..868c41f5f36 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8201,7 +8201,6 @@ function get_htmloutput_mesg($mesgstring = '', $mesgarray = '', $style = 'ok', $
 }
 }
 if ($mesgstring) {
- $langs->load("errors");
 $ret++;
 $out .= $langs->trans($mesgstring);
 }
diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php
index 383d3577a8e..733c8a444fc 100644
--- a/htdocs/holiday/card.php
+++ b/htdocs/holiday/card.php
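Review bot: The new `echo` in printDebug calls `dol_escape_htmltag()`, a Dolibarr core helper rather than a PHP builtin, from inside the bundled PrestaShop web-service client, so this class is no longer self-contained and will fatal if it is ever included without Dolibarr's function library loaded (the replaced `htmlentities()` had no such dependency). Escaping `$title` as well as `$content` is the right fix, so a small guard keeps both properties: `$esc = function_exists('dol_escape_htmltag') ? 'dol_escape_htmltag' : 'htmlentities';` and then `$esc($title)` / `$esc($content)` in the echo. Failing that, the dependency on Dolibarr's function library should be stated in the method docblock, which starts outside the hunk.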
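Review bot: Dropping `$langs->load("errors");` right before `$langs->trans($mesgstring)` means an error-domain key passed as `$mesgstring` is now returned untranslated whenever the caller has not loaded that language file itself; nothing else in the hunk loads it. If the load was moved earlier in get_htmloutput_mesg or into common bootstrap, a one-line comment here would spare the next reader the search, e.g. `// The "errors" lang file is expected to be loaded by the caller; keys are not loaded on demand here`. If it was removed only to avoid a repeated load, keeping `$langs->load("errors");` is the safer default since load() is presumably cheap on a second call. get_htmloutput_mesg starts and ends outside the hunk.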
@@ -923,7 +923,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
 $errors[] = $langs->trans('ErrorEndDateCP');
 break;
 case 'SQL_Create':
- $errors[] = $langs->trans('ErrorSQLCreateCP').' '.htmlentities($_GET['msg']).'';
+ $errors[] = $langs->trans('ErrorSQLCreateCP');
 break;
 case 'CantCreate':
 $errors[] = $langs->trans('CantCreateCP');
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ea292e1d616..d8baf0883c5 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -210,7 +210,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 } else {
 // Get remote IP: PS: We do not use getRemoteIP(), function is not yet loaded and we need a value that can't be spoofed
 $ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
- $errormessage = 'Access refused to '.$ip.' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type).' paramkey='.htmlentities($key).' paramvalue='.htmlentities($value).' page='.htmlentities($_SERVER["REQUEST_URI"]);
+ $errormessage = 'Access refused to '.htmlentities($ip, ENT_COMPAT, 'UTF-8').' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type, ENT_COMPAT, 'UTF-8').' paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8').' paramvalue='.htmlentities($value, ENT_COMPAT, 'UTF-8').' page='.htmlentities($_SERVER["REQUEST_URI"], ENT_COMPAT, 'UTF-8');
 print $errormessage;
 // Add entry into error log
 if (function_exists('error_log')) {
diff --git a/htdocs/opensurvey/results.php b/htdocs/opensurvey/results.php
index d726152eaa4..610d690944b 100644
--- a/htdocs/opensurvey/results.php
+++ b/htdocs/opensurvey/results.php
@@ -471,7 +471,7 @@ print '';
 $adresseadmin = $object->mail_admin;
 print $langs->trans("Title").'';
 if ($action == 'edit') {
- print '';
+ print '';
 } else {
 print dol_htmlentities($object->title);
 }
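Review bot: The SQL_Create branch now drops the `msg` detail entirely, so a failed creation shows only the generic ErrorSQLCreateCP text and the underlying database error is no longer visible to the administrator. Not reflecting `$_GET['msg']` back into the page is the right call, since it is request-controlled input rendered into the error block; if the detail is still wanted for diagnosis, send it to the server log instead of the response, e.g. `dol_syslog('holiday card SQL_Create: '.GETPOST('msg', 'alphanohtml'), LOG_ERR);` next to the new line. The enclosing switch starts and ends outside the hunk.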
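Review bot: `htmlentities($value, ENT_COMPAT, 'UTF-8')` returns an empty string when its input is not valid UTF-8, so a request whose offending parameter or REQUEST_URI contains invalid byte sequences is still refused but reported with a blank paramvalue/page, in the printed message and, if the same `$errormessage` is what the error_log branch below writes, in the server log too. Adding `ENT_SUBSTITUTE` keeps the rest of the text and replaces bad sequences with U+FFFD: `htmlentities($value, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8')`, applied to all five calls on the new line. It would also be cleaner to build the plain message once and entity-encode only the copy that is printed, so the log line stays readable. analyseVarsForSqlAndScriptsInjection continues outside the hunk.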
diff --git a/htdocs/public/error-401.php b/htdocs/public/error-401.php
index bae712ec095..3d453cd30e5 100644
--- a/htdocs/public/error-401.php
+++ b/htdocs/public/error-401.php
@@ -21,7 +21,7 @@ Sorry. You are not allowed to access this resource.
- +
diff --git a/htdocs/public/error-404.php b/htdocs/public/error-404.php
index 680b9e4a77c..c964e49cd85 100644
--- a/htdocs/public/error-404.php
+++ b/htdocs/public/error-404.php
@@ -21,7 +21,7 @@ You requested a website or a page that does not exists.
- +
diff --git a/htdocs/societe/consumption.php b/htdocs/societe/consumption.php
index f74758296a9..62bcbed5ff1 100644
--- a/htdocs/societe/consumption.php
+++ b/htdocs/societe/consumption.php
@@ -361,7 +361,8 @@ if (!empty($sql_select)) {
 $sql .= " AND ".$doc_number." LIKE '%".$db->escape($sref)."%'";
 }
 if ($sprod_fulldescr) {
- $sql .= " AND (d.description LIKE '%".$db->escape($sprod_fulldescr)."%' OR d.description LIKE '%".$db->escape(dol_htmlentities($sprod_fulldescr))."%'";
+ // We test both case description is correctly saved of was save after dol_escape_htmltag().
+ $sql .= " AND (d.description LIKE '%".$db->escape($sprod_fulldescr)."%' OR d.description LIKE '%".$db->escape(dol_escape_htmltag($sprod_fulldescr))."%'";
 if (GETPOST('type_element') != 'fichinter') {
 $sql .= " OR p.ref LIKE '%".$db->escape($sprod_fulldescr)."%'";
 }
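Review bot: The added comment is hard to parse (`both case ... saved of was save`); suggested wording: `// Match both a description stored as-is and one stored after dol_escape_htmltag().`. Swapping the second LIKE operand from `dol_htmlentities()` to `dol_escape_htmltag()` also changes which existing rows match: any description written with the previous encoder where the two helpers produce different output is no longer found by this branch, so this is a behaviour change for stored data rather than only a search-time fix and deserves a mention in the commit message if intended. Pre-existing but still true of the new line, `$db->escape()` handles quotes yet leaves `%` and `_` in `$sprod_fulldescr` as LIKE wildcards, so a user-typed `%` widens the match; a LIKE-aware escape, if the DB layer offers one, belongs here. The closing parenthesis of the `AND (` group is outside the hunk.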