
Clean htmlentities

This commit is contained in:
Laurent Destailleur
2022-07-22 19:25:15 +02:00
parent 3761c920eb
commit 16c087e04c
10 changed files with 12 additions and 12 deletions


@@ -206,7 +206,7 @@ class PrestaShopWebservice
*/ */
public function printDebug($title, $content) public function printDebug($title, $content)
{ {
echo '<div style="display:table;background:#CCC;font-size:8pt;padding:7px"><h6 style="font-size:9pt;margin:0">'.$title.'</h6><pre>'.htmlentities($content).'</pre></div>'; echo '<div style="display:table;background:#CCC;font-size:8pt;padding:7px"><h6 style="font-size:9pt;margin:0">'.dol_escape_htmltag($title).'</h6><pre>'.dol_escape_htmltag($content).'</pre></div>';
} }
/** /**
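Review bot: The `<pre>` on the new line now receives $content through dol_escape_htmltag(), and if that helper rewrites or drops newlines unless its keep-newlines argument is set (it is used elsewhere in this commit as an attribute escaper), multi-line debug payloads would be flattened inside the `<pre>`; worth confirming and passing the newline-preserving argument if so. The escaping itself is an improvement over the bare htmlentities() call, which left the charset to PHP defaults. printDebug appears to live in a bundled PrestaShop library, so tying it to a Dolibarr core helper means a future upstream refresh would silently drop the fix; a comment such as `// Dolibarr-specific: escaped via dol_escape_htmltag(), keep when updating the library` would flag that.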


@@ -128,7 +128,7 @@ if (isset($max)) {
} }
print '</td>'; print '</td>';
print '<td class="nowrap">'; print '<td class="nowrap">';
print '<input class="flat" name="MAIN_UPLOAD_DOC" type="text" size="6" value="'.htmlentities($conf->global->MAIN_UPLOAD_DOC).'"> '.$langs->trans("Kb"); print '<input class="flat" name="MAIN_UPLOAD_DOC" type="text" size="6" value="'.dol_escape_htmltag($conf->global->MAIN_UPLOAD_DOC).'"> '.$langs->trans("Kb");
print '</td>'; print '</td>';
print '</tr>'; print '</tr>';
@@ -138,7 +138,7 @@ print '<td>'.$langs->trans("UMask").'</td><td class="right">';
print $form->textwithpicto('', $langs->trans("UMaskExplanation")); print $form->textwithpicto('', $langs->trans("UMaskExplanation"));
print '</td>'; print '</td>';
print '<td class="nowrap">'; print '<td class="nowrap">';
print '<input class="flat" name="MAIN_UMASK" type="text" size="6" value="'.htmlentities($conf->global->MAIN_UMASK).'">'; print '<input class="flat" name="MAIN_UMASK" type="text" size="6" value="'.dol_escape_htmltag($conf->global->MAIN_UMASK).'">';
print '</td>'; print '</td>';
print '</tr>'; print '</tr>';


@@ -165,7 +165,7 @@ if (ini_get("session.gc_probability") == 0) {
} }
print '</td>'; print '</td>';
print '<td class="nowrap">'; print '<td class="nowrap">';
print '<input class="flat" name="MAIN_SESSION_TIMEOUT" type="text" size="6" value="'.htmlentities($conf->global->MAIN_SESSION_TIMEOUT).'"> '.strtolower($langs->trans("Seconds")); print '<input class="flat" name="MAIN_SESSION_TIMEOUT" type="text" size="6" value="'.dol_escape_htmltag($conf->global->MAIN_SESSION_TIMEOUT).'"> '.strtolower($langs->trans("Seconds"));
print '</td>'; print '</td>';
print '</tr>'; print '</tr>';
@@ -177,7 +177,7 @@ print '<tr class="oddeven">';
print '<td>'.$langs->trans("MAIN_APPLICATION_TITLE").'</td><td class="right">'; print '<td>'.$langs->trans("MAIN_APPLICATION_TITLE").'</td><td class="right">';
print '</td>'; print '</td>';
print '<td class="nowrap">'; print '<td class="nowrap">';
print '<input class="flat" name="MAIN_APPLICATION_TITLE" type="text" size="20" value="'.htmlentities($conf->global->MAIN_APPLICATION_TITLE).'"> '; print '<input class="flat" name="MAIN_APPLICATION_TITLE" type="text" size="20" value="'.dol_escape_htmltag($conf->global->MAIN_APPLICATION_TITLE).'"> ';
print '</td>'; print '</td>';
print '</tr>'; print '</tr>';


@@ -8201,7 +8201,6 @@ function get_htmloutput_mesg($mesgstring = '', $mesgarray = '', $style = 'ok', $
} }
} }
if ($mesgstring) { if ($mesgstring) {
$langs->load("errors");
$ret++; $ret++;
$out .= $langs->trans($mesgstring); $out .= $langs->trans($mesgstring);
} }
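Review bot: Dropping `$langs->load("errors");` means `$langs->trans($mesgstring)` on the following line returns the raw key whenever the caller has not already loaded the errors domain, so pages would show identifiers like `ErrorXxx` instead of text; unless that domain is guaranteed loaded earlier in get_htmloutput_mesg (its body starts outside the hunk), the load should be kept or hoisted to the top of the function. If the removal is deliberate because every caller now loads it, a comment such as `// "errors" lang domain is expected to be loaded by the caller` at this spot would record that contract.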


@@ -923,7 +923,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
$errors[] = $langs->trans('ErrorEndDateCP'); $errors[] = $langs->trans('ErrorEndDateCP');
break; break;
case 'SQL_Create': case 'SQL_Create':
$errors[] = $langs->trans('ErrorSQLCreateCP').' <b>'.htmlentities($_GET['msg']).'</b>'; $errors[] = $langs->trans('ErrorSQLCreateCP');
break; break;
case 'CantCreate': case 'CantCreate':
$errors[] = $langs->trans('CantCreateCP'); $errors[] = $langs->trans('CantCreateCP');
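Review bot: Removing the reflected `$_GET['msg']` fragment from the SQL_Create message is the right call: an escaped but request-controlled string was still being rendered in bold into the page, and raw SQL error text is not something to show end users. The detail is now lost entirely, though; if it matters for diagnosis, record it server-side through dol_syslog rather than in the response. A short comment on the new line, `// do not echo the raw SQL error back to the browser`, would keep a later contributor from reintroducing it.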


@@ -210,7 +210,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
} else { } else {
// Get remote IP: PS: We do not use getRemoteIP(), function is not yet loaded and we need a value that can't be spoofed // Get remote IP: PS: We do not use getRemoteIP(), function is not yet loaded and we need a value that can't be spoofed
$ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']); $ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
$errormessage = 'Access refused to '.$ip.' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type).' paramkey='.htmlentities($key).' paramvalue='.htmlentities($value).' page='.htmlentities($_SERVER["REQUEST_URI"]); $errormessage = 'Access refused to '.htmlentities($ip, ENT_COMPAT, 'UTF-8').' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type, ENT_COMPAT, 'UTF-8').' paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8').' paramvalue='.htmlentities($value, ENT_COMPAT, 'UTF-8').' page='.htmlentities($_SERVER["REQUEST_URI"], ENT_COMPAT, 'UTF-8');
print $errormessage; print $errormessage;
// Add entry into error log // Add entry into error log
if (function_exists('error_log')) { if (function_exists('error_log')) {
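Review bot: With `ENT_COMPAT, 'UTF-8'` and no `ENT_SUBSTITUTE`, htmlentities() returns an empty string when its input contains an invalid UTF-8 sequence, so a request carrying a malformed byte in the rejected parameter would be printed and logged with an empty `paramvalue=` (and possibly an empty `page=`), hiding exactly the value the protection refused; use `ENT_QUOTES | ENT_SUBSTITUTE` so invalid bytes become U+FFFD instead. The two error pages later in this commit apply the same flag set to HTTP_REFERER and would benefit from the same change. Since $errormessage is also passed to error_log() just below the hunk, the log line carries HTML-encoded text; encoding only at print time and logging the raw values would keep grep and SIEM matching straightforward.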


@@ -471,7 +471,7 @@ print '<tr><td>';
$adresseadmin = $object->mail_admin; $adresseadmin = $object->mail_admin;
print $langs->trans("Title").'</td><td>'; print $langs->trans("Title").'</td><td>';
if ($action == 'edit') { if ($action == 'edit') {
print '<input type="text" name="nouveautitre" size="40" value="'.dol_escape_htmltag(dol_htmlentities($object->title)).'">'; print '<input type="text" name="nouveautitre" size="40" value="'.dol_escape_htmltag($object->title).'">';
} else { } else {
print dol_htmlentities($object->title); print dol_htmlentities($object->title);
} }
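Review bot: After the change the edit branch escapes `$object->title` with dol_escape_htmltag() while the display branch two lines below still uses dol_htmlentities(); if the two helpers treat already-encoded entities differently (for instance if dol_escape_htmltag decodes existing entities before re-escaping), a title stored with entities will render differently in view and edit mode. Aligning the display branch with the same helper, or a one-line comment explaining why the two differ, would keep the round-trip predictable.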


@@ -21,7 +21,7 @@
Sorry. You are not allowed to access this resource. Sorry. You are not allowed to access this resource.
<br> <br>
<?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.' : ''; ?> <?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"], ENT_COMPAT, 'UTF-8').'.' : ''; ?>
<hr> <hr>


@@ -21,7 +21,7 @@
You requested a website or a page that does not exists. You requested a website or a page that does not exists.
<br> <br>
<?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.' : ''; ?> <?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"], ENT_COMPAT, 'UTF-8').'.' : ''; ?>
<hr> <hr>


@@ -361,7 +361,8 @@ if (!empty($sql_select)) {
$sql .= " AND ".$doc_number." LIKE '%".$db->escape($sref)."%'"; $sql .= " AND ".$doc_number." LIKE '%".$db->escape($sref)."%'";
} }
if ($sprod_fulldescr) { if ($sprod_fulldescr) {
$sql .= " AND (d.description LIKE '%".$db->escape($sprod_fulldescr)."%' OR d.description LIKE '%".$db->escape(dol_htmlentities($sprod_fulldescr))."%'"; // We test both case description is correctly saved of was save after dol_escape_htmltag().
$sql .= " AND (d.description LIKE '%".$db->escape($sprod_fulldescr)."%' OR d.description LIKE '%".$db->escape(dol_escape_htmltag($sprod_fulldescr))."%'";
if (GETPOST('type_element') != 'fichinter') { if (GETPOST('type_element') != 'fichinter') {
$sql .= " OR p.ref LIKE '%".$db->escape($sprod_fulldescr)."%'"; $sql .= " OR p.ref LIKE '%".$db->escape($sprod_fulldescr)."%'";
} }
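Review bot: The trailing comment on the changed line, `// We test both case description is correctly saved of was save after dol_escape_htmltag().`, is hard to parse; `// We test both cases: description saved as-is, or saved after dol_escape_htmltag().` states the intent of the OR clause clearly. Separately, `$db->escape()` neutralises quotes but not the LIKE wildcards `%` and `_`, so a user-supplied $sprod_fulldescr can still widen the match; this is not an injection, but an explicit LIKE-escape step, if the driver offers one, would make the search literal. The enclosing `if (!empty($sql_select))` block continues past the hunk.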