diff --git a/ChangeLog b/ChangeLog
index 766efb9c02a..ace6c60c0c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,23 @@ Following changes may create regression for some external modules, but were nece
content by doing a print into function, sometimes by returning content into "resprint". This has been fixed to follow
hook specifications so you must return output into "resprint".
+***** ChangeLog for 5.0.4 compared to 5.0.3 *****
+FIX: #6880
+FIX: #6925
+FIX: #6926
+FIX: Can set supplier invoice to billed.
+FIX: Can't create invoice if PO disapproved
+FIX: contratligne update
+FIX: CVE-2017-7886
+FIX: default param
+FIX: Line of invoices not inserted when using POS module and VAT NPR.
+FIX: origin & originid on supplierproposal
+FIX: Redirect to payment page from member subscription page failed if a unique security key was defined.
+FIX: REST api to get project when user has permission to read all.
+FIX: situation_progress param default value must be 100 and not 0
+FIX: SQL injection on user/index.php parameter search_statut.
+FIX: Warnings
+
***** ChangeLog for 5.0.3 compared to 5.0.2 *****
FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty
FIX: #6813
diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php
index e22e993796f..80dcd2b1807 100644
--- a/htdocs/accountancy/admin/accountmodel.php
+++ b/htdocs/accountancy/admin/accountmodel.php
@@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
$id=GETPOST('id','int');
$rowid=GETPOST('rowid','alpha');
+$code=GETPOST('code','alpha');
$acts[0] = "activate";
$acts[1] = "disable";
@@ -225,7 +226,7 @@ if ($id == 25)
if (GETPOST('button_removefilter') || GETPOST('button_removefilter.x') || GETPOST('button_removefilter_x'))
{
- $search_country_id = '';
+ $search_country_id = '';
}
// Actions add or modify an entry into a dictionary
@@ -459,8 +460,8 @@ if ($action == $acts[0])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
}
- elseif ($_GET["code"]) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
+ elseif ($code) {
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
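Review bot: `$code` is still concatenated into the UPDATE statement unescaped on the new `elseif ($code)` branch; moving the source from `$_GET["code"]` to `GETPOST('code','alpha')` changes where the value comes from, not how it is quoted, and the `alpha` check (whose comment appears in the functions.lib.php hunk later in this same diff) targets `"` and does not appear to reject a single quote. The same applies to `$rowid` on the line above it, and to the matching branches in the three following hunks (`active = 0`, `favorite = 1`, `favorite = 0`). Pass both values through the database escaper: `$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";` and likewise `$db->escape($rowid)` on the `$rowidcol` line. If `rowid` is always numeric here, `GETPOST('rowid','int')` at the top of the file would be tighter still, but the dictionary tables may use non-numeric row keys, so confirm before narrowing it. The enclosing `if ($action == $acts[0])` block begins before the hunk and continues after it.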
@@ -479,8 +480,8 @@ if ($action == $acts[1])
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
}
- elseif ($_GET["code"]) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
+ elseif ($code) {
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@@ -499,8 +500,8 @@ if ($action == 'activate_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
}
- elseif ($_GET["code"]) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
+ elseif ($code) {
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
}
$result = $db->query($sql);
@@ -519,8 +520,8 @@ if ($action == 'disable_favorite')
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
}
- elseif ($_GET["code"]) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
+ elseif ($code) {
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
}
$result = $db->query($sql);
@@ -556,7 +557,7 @@ print "
\n";
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
- print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
+ print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
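Review bot: `$rowid` and `$code` are concatenated into the confirmation URL on the new `formconfirm` line without `urlencode()`, so a value containing `&`, `=` or `#` would split or truncate the query string and the confirm step would act on a different row than the one listed; the `alpha` filter does not appear to exclude those characters. Change the two fragments to `'&rowid='.urlencode($rowid).'&code='.urlencode($code)`. The `if ($action == 'delete')` block is complete within the hunk, but the surrounding page output continues on both sides.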
//var_dump($elementList);
@@ -574,7 +575,7 @@ if ($id)
else $sql.=" WHERE ";
$sql.= " c.rowid = ".$search_country_id;
}
-
+
if ($sortfield)
{
// If sort order is "country", we use country_code instead
@@ -598,9 +599,9 @@ if ($id)
$fieldlist=explode(',',$tabfield[$id]);
- print '
| ' . $langs->trans('ListOfPreviousSituationInvoices') . ' | '; print ''; - if (! empty($conf->banque->enabled)) - print ' | '; + if (! empty($conf->banque->enabled)) print ' | '; print ' | ' . $langs->trans('AmountHT') . ' | '; print '' . $langs->trans('AmountTTC') . ' | '; print ''; @@ -3609,8 +3608,7 @@ else if ($id > 0 || ! empty($ref)) print ' | ||
| ' . $prev_invoice->getNomUrl(1) . ' | '; print ''; - if (! empty($conf->banque->enabled)) - print ' | '; + if (! empty($conf->banque->enabled)) print ' | '; print ' | ' . price($prev_invoice->total_ht) . ' | '; print '' . price($prev_invoice->total_ttc) . ' | '; print '' . $prev_invoice->getLibStatut(3, $totalpaye) . ' | '; @@ -3619,7 +3617,9 @@ else if ($id > 0 || ! empty($ref)) } print '||
| '; + print ' | '; + print ' | '; + if (! empty($conf->banque->enabled)) print ' | '; print ' | ' . price($total_prev_ht) . ' | '; print '' . price($total_prev_ttc) . ' | '; print ''; diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php index a21f0d107cd..e0623788963 100644 --- a/htdocs/core/ajax/ajaxdirpreview.php +++ b/htdocs/core/ajax/ajaxdirpreview.php @@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir)) } print ''."\n"; -print ''."\n"; +//print ''."\n"; $param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:''); diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php index 24318be6cf8..65620c5429c 100644 --- a/htdocs/core/ajax/bankconciliate.php +++ b/htdocs/core/ajax/bankconciliate.php @@ -45,7 +45,7 @@ $action=GETPOST('action','aZ09'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext') { diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php index 7826747769b..612f38bb05b 100644 --- a/htdocs/core/ajax/box.php +++ b/htdocs/core/ajax/box.php @@ -50,7 +50,7 @@ $userid=GETPOST('userid','int'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +print ''."\n"; // Add a box if ($boxid > 0 && $zone !='' && $userid > 0) diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 331a5e87513..f79753260d7 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -45,7 +45,7 @@ $name=GETPOST('name','alpha'); //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (! empty($action) && ! empty($name)) 
diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php index c3788a8baeb..1c7c7a56e4b 100644 --- a/htdocs/core/ajax/contacts.php +++ b/htdocs/core/ajax/contacts.php @@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) { $form = new Form($db); - + $return=array(); if (empty($showempty)) $showempty=0; - + $return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true); $return['num'] = $form->num; $return['error'] = $form->error; - + echo json_encode($return); } diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php index 510ef8a1cf8..f8a636e52a5 100644 --- a/htdocs/core/ajax/extraparams.php +++ b/htdocs/core/ajax/extraparams.php @@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha'); top_httphead(); -print ''."\n"; +print ''."\n"; if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) { $value = GETPOST('value','alpha'); $params=array(); - + dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG); - + $classpath = $subelement = $element; - + // For compatibility if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; } else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; } 
@@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type)) else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; } else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; } else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; } - + dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php'); - + if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; } else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; } else $classname = ucfirst($subelement); - + $object = new $classname($db); $object->fetch($id); - + $params[$htmlelement] = array($type => $value); $object->extraparams = array_merge($object->extraparams, $params); - + $result=$object->setExtraParameters(); } diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php index de3a4e57d19..7e9e541c768 100644 --- a/htdocs/core/ajax/loadinplace.php +++ b/htdocs/core/ajax/loadinplace.php @@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha'); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element)) diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php index 6ac5abd3bbb..37173ed9943 100644 --- a/htdocs/core/ajax/objectonoff.php +++ b/htdocs/core/ajax/objectonoff.php @@ -42,7 +42,7 @@ $object = new GenericObject($db); top_httphead(); -print ''."\n"; +print ''."\n"; // Registering new values if (($action == 'set') && ! empty($id)) diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php index 5c891df14d5..d4a101fb497 100644 --- a/htdocs/core/ajax/price.php +++ b/htdocs/core/ajax/price.php 
@@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha')); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($output) && isset($amount) && isset($tva_tx)) diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php index 331b4ceaac8..6e358bdbd88 100644 --- a/htdocs/core/ajax/row.php +++ b/htdocs/core/ajax/row.php @@ -18,8 +18,8 @@ /** * \file htdocs/core/ajax/row.php - * \brief File to return Ajax response on Row move. - * This ajax page is called when doing an up or down drag and drop. + * \brief File to return Ajax response on Row move. + * This ajax page is called when doing an up or down drag and drop. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal @@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; top_httphead(); -print ''."\n"; +print ''."\n"; // Registering the location of boxes if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line'])) diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php index 48797dd0432..eb04379a778 100644 --- a/htdocs/core/ajax/saveinplace.php +++ b/htdocs/core/ajax/saveinplace.php @@ -54,7 +54,7 @@ savemethodname: top_httphead(); -//print ''."\n"; +//print ''."\n"; //print_r($_POST); // Load original field value diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php index 28a53a87679..cc7335618d0 100644 --- a/htdocs/core/ajax/security.php +++ b/htdocs/core/ajax/security.php 
@@ -17,8 +17,8 @@ /** * \file htdocs/core/ajax/security.php - * \brief This ajax component is used to generated has keys for security purposes - * like key to use into URL to protect them. + * \brief This ajax component is used to generated has keys for security purposes + * like key to use into URL to protect them. */ if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal @@ -38,7 +38,7 @@ require '../../main.inc.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; // Registering the location of boxes if (isset($_GET['action']) && ! empty($_GET['action'])) diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php index fc30a13afec..ac9691bfa25 100644 --- a/htdocs/core/ajax/vatrates.php +++ b/htdocs/core/ajax/vatrates.php @@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0); top_httphead(); -//print ''."\n"; +//print ''."\n"; // Load original field value if (! empty($id) && ! empty($action) && ! empty($htmlname)) diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php index 30e0211ece1..9fa475039d9 100644 --- a/htdocs/core/ajax/ziptown.php +++ b/htdocs/core/ajax/ziptown.php @@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; //top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header. top_httphead(); -//print ''."\n"; +//print ''."\n"; dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)); //var_dump($_GET); diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 5af4024f9c2..1908d04c312 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php 
@@ -1062,7 +1062,7 @@ class FormOther async: false }); // We force reload to be sure to get all boxes into list - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\'; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\'; } else { @@ -1084,7 +1084,7 @@ class FormOther url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\', async: false }); - window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid; + window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid; } });'; if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();'; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index fd3b0012165..ca3d0587905 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -411,9 +411,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) case 'intcomma': if (preg_match('/[^0-9,]+/i',$out)) $out=''; break; - case 'intcomma': - if (preg_match('/[^0-9,]+/i',$out)) $out=''; - break; case 'alpha': $out=trim($out); // '"' is dangerous because param in url can close the href= or src= and add javascript functions. @@ -3168,8 +3165,8 @@ function dol_print_error($db='',$error='',$errors=null) $out.="".$langs->trans("Referer").": ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')." | '; -print ''; +print ''; $formother->select_year($year_create,'year_create',1, $min_year, 0); print ' | '; diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 33b155bb64c..407a0dbb1d0 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
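Review bot: The `aZ09` check added to the four `GETPOST` calls across this hunk and the next one is the only thing keeping the request value safe inside the single-quoted JavaScript string that `window.location.search` is assigned from, and the code does not record that dependency; a comment such as `// aZ09 filter is required here: the value is emitted verbatim into a JS string literal` above each assignment would stop a later edit from relaxing the check. `$areacode` and `$user->id` on the `url:` line of the second hunk are concatenated into the same JavaScript the same way; I assume they are not request-derived, but that is worth confirming. The FormOther method that builds `$selectboxlist` begins and ends outside both hunks.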
@@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type) $sql_inj += preg_match('/|