diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php index fa21c37649f..32d691400d6 100644 --- a/htdocs/api/class/api.class.php +++ b/htdocs/api/class/api.class.php @@ -88,9 +88,9 @@ class DolibarrApi // phpcs:enable // TODO Use type detected in $object->fields if (in_array($field, array('note', 'note_private', 'note_public', 'desc', 'description'))) { - return checkVal($value, 'restricthtml'); + return sanitizeVal($value, 'restricthtml'); } else { - return checkVal($value, 'alphanohtml'); + return sanitizeVal($value, 'alphanohtml'); } } diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index bf9442b82af..6c43e818ecc 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -919,7 +919,7 @@ class Categorie extends CommonObject $categories = array(); - $type = checkVal($type, 'aZ09'); + $type = sanitizeVal($type, 'aZ09'); $sub_type = $type; $subcol_name = "fk_".$type; diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index 258e264c5a7..d28b5718c2f 100644 --- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php @@ -351,8 +351,8 @@ class Proposals extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->propal->addline( $request_data->desc, @@ -496,8 +496,8 @@ class Proposals extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $propalline = new PropaleLigne($this->db); $result = $propalline->fetch($lineid); diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index ac9ce98777d..2c916abda9a 100644 --- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php @@ -350,8 +350,8 @@ class Orders extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->commande->addline( $request_data->desc, @@ -418,8 +418,8 @@ class Orders extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->commande->updateline( $lineid, diff --git a/htdocs/compta/bank/class/api_bankaccounts.class.php b/htdocs/compta/bank/class/api_bankaccounts.class.php index 23d4c2eefbb..8e38d1ffe78 100644 --- a/htdocs/compta/bank/class/api_bankaccounts.class.php +++ b/htdocs/compta/bank/class/api_bankaccounts.class.php @@ -250,7 +250,7 @@ class BankAccounts extends DolibarrApi } // Clean data - $description = checkVal($description, 'alphanohtml'); + $description = sanitizeVal($description, 'alphanohtml'); /** @@ -498,13 +498,13 @@ class BankAccounts extends DolibarrApi throw new RestException(404, 'account not found'); } - $type = checkVal($type); - $label = checkVal($label); - $cheque_number = checkVal($cheque_number); - $cheque_writer = checkVal($cheque_writer); - $cheque_bank = checkVal($cheque_bank); - $accountancycode = checkVal($accountancycode); - $num_releve = checkVal($num_releve); + $type = sanitizeVal($type); + $label = sanitizeVal($label); + $cheque_number = sanitizeVal($cheque_number); + $cheque_writer = sanitizeVal($cheque_writer); + $cheque_bank = sanitizeVal($cheque_bank); + $accountancycode = sanitizeVal($accountancycode); + $num_releve = sanitizeVal($num_releve); $result = $account->addline( $date, @@ -557,9 +557,9 @@ class BankAccounts extends DolibarrApi throw new RestException(404, 'account line not found'); } - $url = checkVal($url); - $label = checkVal($label); - $type = checkVal($type); + $url = sanitizeVal($url); + $label = sanitizeVal($label); + $type = sanitizeVal($type); $result = $account->add_url_line($line_id, $url_id, $url, $label, $type); if ($result < 0) { diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index 31bda2015dc..a864168d161 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -428,8 +428,8 @@ class Invoices extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->invoice->updateline( $lineid, @@ -718,8 +718,8 @@ class Invoices extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); // Reset fk_parent_line for no child products and special product if (($request_data->product_type != 9 && empty($request_data->fk_parent_line)) || $request_data->product_type == 9) { diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 9f68696a317..54de9440b8b 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -141,7 +141,6 @@ $search_btn = GETPOST('button_search', 'alpha'); $search_remove_btn = GETPOST('button_removefilter', 'alpha'); $optioncss = GETPOST('optioncss', 'alpha'); - $option = GETPOST('search_option'); if ($option == 'late') { $search_status = '1'; diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index 5e534f3e43c..ea228550cae 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php @@ -278,8 +278,8 @@ class Contracts extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->price_base_type = checkVal($request_data->price_base_type); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->price_base_type = sanitizeVal($request_data->price_base_type); $updateRes = $this->contract->addline( $request_data->desc, @@ -336,8 +336,8 @@ class Contracts extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->price_base_type = checkVal($request_data->price_base_type); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->price_base_type = sanitizeVal($request_data->price_base_type); $updateRes = $this->contract->updateline( $lineid, diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php index 768031467bc..274b408411f 100644 --- a/htdocs/core/class/extrafields.class.php +++ b/htdocs/core/class/extrafields.class.php @@ -1067,35 +1067,56 @@ class ExtraFields $out = ' '; } elseif ($type == 'select') { $out = ''; - if (!empty($conf->use_javascript_ajax) && empty($conf->global->MAIN_EXTRAFIELDS_DISABLE_SELECT2)) { - include_once DOL_DOCUMENT_ROOT.'/core/lib/ajax.lib.php'; - $out .= ajax_combobox($keyprefix.$key.$keysuffix, array(), 0); - } + if ($mode) { + $options = array(); + foreach ($param['options'] as $okey => $val) { + if ((string) $okey == '') { + continue; + } - $out .= ''; + $out .= ''; + foreach ($param['options'] as $key => $val) { + if ((string) $key == '') { + continue; + } + $valarray = explode('|', $val); + $val = $valarray[0]; + $parent = ''; + if (!empty($valarray[1])) { + $parent = $valarray[1]; + } + $out .= ''; + } + $out .= ''; } - $out .= ''; } elseif ($type == 'sellist') { $out = ''; if (!empty($conf->use_javascript_ajax) && empty($conf->global->MAIN_EXTRAFIELDS_DISABLE_SELECT2)) { @@ -2133,6 +2154,16 @@ class ExtraFields } else { continue; // Value was not provided, we should not set it. } + } elseif ($key_type == 'select') { + // to detect if we are in search context + if (GETPOSTISARRAY($keysuffix."options_".$key.$keyprefix)) { + $value_arr = GETPOST($keysuffix."options_".$key.$keyprefix, 'array:aZ09'); + // Make sure we get an array even if there's only one selected + $value_arr = (array) $value_arr; + $value_key = implode(',', $value_arr); + } else { + $value_key = GETPOST($keysuffix."options_".$key.$keyprefix); + } } elseif (in_array($key_type, array('checkbox', 'chkbxlst'))) { if (!GETPOSTISSET($keysuffix."options_".$key.$keyprefix)) { continue; // Value was not provided, we should not set it. diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 27da527c093..e2bcda01b6a 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -370,6 +370,32 @@ function GETPOSTISSET($paramname) return $isset; } +/** + * Return true if the parameter $paramname is submit from a POST OR GET as an array. + * Can be used before GETPOST to know if the $check param of GETPOST need to check an array or a string + * + * @param string $paramname Name or parameter to test + * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get) + * @return bool True if we have just submit a POST or GET request with the parameter provided (even if param is empty) + */ +function GETPOSTISARRAY($paramname, $method = 0) +{ + // for $method test need return the same $val as GETPOST + if (empty($method)) { + $val = isset($_GET[$paramname]) ? $_GET[$paramname] : (isset($_POST[$paramname]) ? $_POST[$paramname] : ''); + } elseif ($method == 1) { + $val = isset($_GET[$paramname]) ? $_GET[$paramname] : ''; + } elseif ($method == 2) { + $val = isset($_POST[$paramname]) ? $_POST[$paramname] : ''; + } elseif ($method == 3) { + $val = isset($_POST[$paramname]) ? $_POST[$paramname] : (isset($_GET[$paramname]) ? $_GET[$paramname] : ''); + } else { + $val = 'BadFirstParameterForGETPOST'; + } + + return is_array($val); +} + /** * Return value of a param into GET or POST supervariable. * Use the property $user->default_values[path]['createform'] and/or $user->default_values[path]['filters'] and/or $user->default_values[path]['sortorder'] @@ -660,11 +686,11 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null $tmpcheck = 'alphanohtml'; } foreach ($out as $outkey => $outval) { - $out[$outkey] = checkVal($outval, $tmpcheck, $filter, $options); + $out[$outkey] = sanitizeVal($outval, $tmpcheck, $filter, $options); } } } else { - $out = checkVal($out, $check, $filter, $options); + $out = sanitizeVal($out, $check, $filter, $options); } // Sanitizing for special parameters. @@ -713,9 +739,11 @@ function GETPOSTINT($paramname, $method = 0) return (int) GETPOST($paramname, 'int', $method, null, null, 0); } + /** - * Return a value after checking on a rule. A sanitization may also have been done. + * Return a sanitized or empty value after checking value against a rule. * + * @deprecated * @param string|array $out Value to check/clear. * @param string $check Type of check/sanitizing * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) @@ -723,9 +751,24 @@ function GETPOSTINT($paramname, $method = 0) * @return string|array Value sanitized (string or array). It may be '' if format check fails. */ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) +{ + return sanitizeVal($out, $check, $filter, $options); +} + +/** + * Return a sanitized or empty value after checking value against a rule. + * + * @param string|array $out Value to check/clear. + * @param string $check Type of check/sanitizing + * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) + * @param mixed $options Options to pass to filter_var when $check is set to 'custom' + * @return string|array Value sanitized (string or array). It may be '' if format check fails. + */ +function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) { global $conf; + // TODO : use class "Validate" to perform tests (and add missing tests) if needed for factorize // Check is done after replacement switch ($check) { case 'none': diff --git a/htdocs/core/tpl/extrafields_list_search_sql.tpl.php b/htdocs/core/tpl/extrafields_list_search_sql.tpl.php index 4ba40384648..0c3d98f03a6 100644 --- a/htdocs/core/tpl/extrafields_list_search_sql.tpl.php +++ b/htdocs/core/tpl/extrafields_list_search_sql.tpl.php @@ -48,7 +48,7 @@ if (!empty($extrafieldsobjectkey) && !empty($search_array_options) && is_array($ } $sql .= ")"; } - } elseif ($crit != '' && (!in_array($typ, array('select', 'sellist')) || $crit != '0') && (!in_array($typ, array('link')) || $crit != '-1')) { + } elseif ($crit != '' && (!in_array($typ, array('select', 'sellist', 'select')) || $crit != '0') && (!in_array($typ, array('link')) || $crit != '-1')) { $mode_search = 0; if (in_array($typ, array('int', 'double', 'real', 'price'))) { $mode_search = 1; // Search on a numeric @@ -59,13 +59,14 @@ if (!empty($extrafieldsobjectkey) && !empty($search_array_options) && is_array($ if (in_array($typ, array('sellist')) && !is_numeric($crit)) { $mode_search = 0;// Search on a foreign key string } - if (in_array($typ, array('chkbxlst', 'checkbox'))) { + if (in_array($typ, array('chkbxlst', 'checkbox', 'select'))) { $mode_search = 4; // Search on a multiselect field with sql type = text } if (is_array($crit)) { $crit = implode(' ', $crit); // natural_search() expects a string - } elseif ($typ === 'select' and is_string($crit) and strpos($crit, ' ') === false) { - $sql .= " AND (".$extrafieldsobjectprefix.$tmpkey." = '".$db->escape($crit)."')"; + } elseif ($typ === 'select' and is_string($crit) and strpos($crit, ',') === false) { + $critSelect = "'".implode("','", array_map(array($db, 'escape'), explode(',', $crit)))."'"; + $sql .= " AND (".$extrafieldsobjectprefix.$tmpkey." IN (".$db->sanitize($critSelect, 1).") )"; continue; } $sql .= natural_search($extrafieldsobjectprefix.$tmpkey, $crit, $mode_search); diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php index 402fbdc04d1..357683ef35a 100644 --- a/htdocs/expedition/class/api_shipments.class.php +++ b/htdocs/expedition/class/api_shipments.class.php @@ -279,8 +279,8 @@ class Shipments extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->shipment->addline( $request_data->desc, @@ -347,8 +347,8 @@ class Shipments extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->shipment->updateline( $lineid, diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php index 37319a3ec71..876b08f18f0 100644 --- a/htdocs/expensereport/class/api_expensereports.class.php +++ b/htdocs/expensereport/class/api_expensereports.class.php @@ -251,8 +251,8 @@ class ExpenseReports extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->expensereport->addline( $request_data->desc, @@ -319,8 +319,8 @@ class ExpenseReports extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); - $request_data->label = checkVal($request_data->label); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); + $request_data->label = sanitizeVal($request_data->label); $updateRes = $this->expensereport->updateline( $lineid, diff --git a/htdocs/exports/class/export.class.php b/htdocs/exports/class/export.class.php index f25192578be..883ba7ea11e 100644 --- a/htdocs/exports/class/export.class.php +++ b/htdocs/exports/class/export.class.php @@ -302,7 +302,7 @@ class Export public function build_filterQuery($TypeField, $NameField, $ValueField) { // phpcs:enable - $NameField = checkVal($NameField, 'aZ09'); + $NameField = sanitizeVal($NameField, 'aZ09'); $szFilterQuery = ''; //print $TypeField." ".$NameField." ".$ValueField; diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php index 9497a3daa5f..418d8fa6600 100644 --- a/htdocs/fourn/class/api_supplier_invoices.class.php +++ b/htdocs/fourn/class/api_supplier_invoices.class.php @@ -558,8 +558,8 @@ class SupplierInvoices extends DolibarrApi $request_data = (object) $request_data; - $request_data->description = checkVal($request_data->description, 'restricthtml'); - $request_data->ref_supplier = checkVal($request_data->ref_supplier); + $request_data->description = sanitizeVal($request_data->description, 'restricthtml'); + $request_data->ref_supplier = sanitizeVal($request_data->ref_supplier); $updateRes = $this->invoice->addline( $request_data->description, @@ -625,8 +625,8 @@ class SupplierInvoices extends DolibarrApi $request_data = (object) $request_data; - $request_data->description = checkVal($request_data->description, 'restricthtml'); - $request_data->ref_supplier = checkVal($request_data->ref_supplier); + $request_data->description = sanitizeVal($request_data->description, 'restricthtml'); + $request_data->ref_supplier = sanitizeVal($request_data->ref_supplier); $updateRes = $this->invoice->updateline( $lineid, diff --git a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php index d8629547658..b95a5717932 100644 --- a/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php +++ b/htdocs/knowledgemanagement/class/api_knowledgemanagement.class.php @@ -252,7 +252,7 @@ class KnowledgeManagement extends DolibarrApi } // Clean data - // $this->knowledgerecord->abc = checkVal($this->knowledgerecord->abc, 'alphanohtml'); + // $this->knowledgerecord->abc = sanitizeVal($this->knowledgerecord->abc, 'alphanohtml'); if ($this->knowledgerecord->create(DolibarrApiAccess::$user)<0) { throw new RestException(500, "Error creating KnowledgeRecord", array_merge(array($this->knowledgerecord->error), $this->knowledgerecord->errors)); @@ -294,7 +294,7 @@ class KnowledgeManagement extends DolibarrApi } // Clean data - // $this->knowledgerecord->abc = checkVal($this->knowledgerecord->abc, 'alphanohtml'); + // $this->knowledgerecord->abc = sanitizeVal($this->knowledgerecord->abc, 'alphanohtml'); if ($this->knowledgerecord->update(DolibarrApiAccess::$user, false) > 0) { return $this->get($id); diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php index 04bf641930d..736fd9ddc38 100644 --- a/htdocs/modulebuilder/template/class/api_mymodule.class.php +++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php @@ -218,7 +218,7 @@ class MyModuleApi extends DolibarrApi } // Clean data - // $this->myobject->abc = checkVal($this->myobject->abc, 'alphanohtml'); + // $this->myobject->abc = sanitizeVal($this->myobject->abc, 'alphanohtml'); if ($this->myobject->create(DolibarrApiAccess::$user)<0) { throw new RestException(500, "Error creating MyObject", array_merge(array($this->myobject->error), $this->myobject->errors)); @@ -260,7 +260,7 @@ class MyModuleApi extends DolibarrApi } // Clean data - // $this->myobject->abc = checkVal($this->myobject->abc, 'alphanohtml'); + // $this->myobject->abc = sanitizeVal($this->myobject->abc, 'alphanohtml'); if ($this->myobject->update(DolibarrApiAccess::$user, false) > 0) { return $this->get($id); diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 8ab2c4bae79..d9ee85289b8 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -781,9 +781,9 @@ class Products extends DolibarrApi } // Clean data - $ref_fourn = checkVal($ref_fourn, 'alphanohtml'); - $desc_fourn = checkVal($desc_fourn, 'restricthtml'); - $barcode = checkVal($barcode, 'alphanohtml'); + $ref_fourn = sanitizeVal($ref_fourn, 'alphanohtml'); + $desc_fourn = sanitizeVal($desc_fourn, 'restricthtml'); + $barcode = sanitizeVal($barcode, 'alphanohtml'); $result = $this->productsupplier->update_buyprice($qty, $buyprice, DolibarrApiAccess::$user, $price_base_type, $fourn, $availability, $ref_fourn, $tva_tx, $charges, $remise_percent, $remise, $newnpr, $delivery_time_days, $supplier_reputation, $localtaxes_array, $newdefaultvatcode, $multicurrency_buyprice, $multicurrency_price_base_type, $multicurrency_tx, $multicurrency_code, $desc_fourn, $barcode, $fk_barcode_type); diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php index 59576b961d4..6a522346210 100644 --- a/htdocs/projet/class/api_projects.class.php +++ b/htdocs/projet/class/api_projects.class.php @@ -333,7 +333,7 @@ class Projects extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); $updateRes = $this->project->addline( $request_data->desc, @@ -400,7 +400,7 @@ class Projects extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); $updateRes = $this->project->updateline( $lineid, diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php index cafb60f2865..0eaf8654421 100644 --- a/htdocs/projet/class/api_tasks.class.php +++ b/htdocs/projet/class/api_tasks.class.php @@ -333,7 +333,7 @@ class Tasks extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); $updateRes = $this->project->addline( $request_data->desc, @@ -400,7 +400,7 @@ class Tasks extends DolibarrApi $request_data = (object) $request_data; - $request_data->desc = checkVal($request_data->desc, 'restricthtml'); + $request_data->desc = sanitizeVal($request_data->desc, 'restricthtml'); $updateRes = $this->project->updateline( $lineid, diff --git a/htdocs/recruitment/class/api_recruitment.class.php b/htdocs/recruitment/class/api_recruitment.class.php index ff6f3c3d65a..af2c87dcdb3 100644 --- a/htdocs/recruitment/class/api_recruitment.class.php +++ b/htdocs/recruitment/class/api_recruitment.class.php @@ -364,7 +364,7 @@ class Recruitment extends DolibarrApi } // Clean data - // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml'); + // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml'); if ($this->jobposition->create(DolibarrApiAccess::$user)<0) { throw new RestException(500, "Error creating jobposition", array_merge(array($this->jobposition->error), $this->jobposition->errors)); @@ -396,7 +396,7 @@ class Recruitment extends DolibarrApi } // Clean data - // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml'); + // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml'); if ($this->candidature->create(DolibarrApiAccess::$user)<0) { throw new RestException(500, "Error creating candidature", array_merge(array($this->candidature->error), $this->candidature->errors)); @@ -438,7 +438,7 @@ class Recruitment extends DolibarrApi } // Clean data - // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml'); + // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml'); if ($this->jobposition->update(DolibarrApiAccess::$user, false) > 0) { return $this->get($id); @@ -481,7 +481,7 @@ class Recruitment extends DolibarrApi } // Clean data - // $this->jobposition->abc = checkVal($this->jobposition->abc, 'alphanohtml'); + // $this->jobposition->abc = sanitizeVal($this->jobposition->abc, 'alphanohtml'); if ($this->candidature->update(DolibarrApiAccess::$user, false) > 0) { return $this->get($id);