Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop
Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php
17
ChangeLog
17
ChangeLog
@@ -31,6 +31,23 @@ Following changes may create regression for some external modules, but were nece
|
||||
content by doing a print into function, sometimes by returning content into "resprint". This has been fixed to follow
|
||||
hook specifications so you must return output into "resprint".
|
||||
|
||||
***** ChangeLog for 5.0.4 compared to 5.0.3 *****
|
||||
FIX: #6880
|
||||
FIX: #6925
|
||||
FIX: #6926
|
||||
FIX: Can set supplier invoice to billed.
|
||||
FIX: Can't create invoice if PO disapproved
|
||||
FIX: contratligne update
|
||||
FIX: CVE-2017-7886
|
||||
FIX: default param
|
||||
FIX: Line of invoices not inserted when using POS module and VAT NPR.
|
||||
FIX: origin & originid on supplierproposal
|
||||
FIX: Redirect to payment page from member subscription page failed if a unique security key was defined.
|
||||
FIX: REST api to get project when user has permission to read all.
|
||||
FIX: situation_progress param default value must be 100 and not 0
|
||||
FIX: SQL injection on user/index.php parameter search_statut.
|
||||
FIX: Warnings
|
||||
|
||||
***** ChangeLog for 5.0.3 compared to 5.0.2 *****
|
||||
FIX: #6677 Expired contracts dashboard box does not show the name of the thirdparty
|
||||
FIX: #6813
|
||||
|
||||
@@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$id=GETPOST('id','int');
|
||||
$rowid=GETPOST('rowid','alpha');
|
||||
$code=GETPOST('code','alpha');
|
||||
|
||||
$acts[0] = "activate";
|
||||
$acts[1] = "disable";
|
||||
@@ -459,8 +460,8 @@ if ($action == $acts[0])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
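Review bot: The new `elseif ($code)` branch still builds the UPDATE by concatenating `$code` into the WHERE clause with no SQL escaping, so switching from `$_GET["code"]` to `GETPOST('code','alpha')` narrows the input but does not make the statement parameterised; the 'alpha' check, per the comment under `case 'alpha':` in the GETPOST hunk further down this commit, is aimed at `"` in href/src attributes, and nothing on this page shows it touching single quotes. The line should read `$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";`, and the unchanged `$rowid` branch above it deserves the same treatment. The same pattern repeats in the `@@ -479`, `@@ -499` and `@@ -519` hunks of this file and in the matching activate/disable/favorite hunks of the next three dictionary pages (`@@ -370` through `@@ -430`, `@@ -321`/`@@ -341`, `@@ -346`/`@@ -366`). The enclosing `if ($action == $acts[0])` block starts before the hunk.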
|
||||
@@ -479,8 +480,8 @@ if ($action == $acts[1])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -499,8 +500,8 @@ if ($action == 'activate_favorite')
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -519,8 +520,8 @@ if ($action == 'disable_favorite')
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -556,7 +557,7 @@ print "<br>\n";
|
||||
// Confirmation de la suppression de la ligne
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
}
|
||||
//var_dump($elementList);
|
||||
|
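Review bot: The confirm URL still splices `$code` into the query string raw (`'&code='.$code`), whereas the corresponding `@@ -938` hunk of the later dictionary page uses `urlencode($code)`; a code containing `&` or `#` would split or truncate this URL. Prefer `'&rowid='.urlencode($rowid).'&code='.urlencode($code).'&id='.$id` so all the dictionary pages agree. The same applies to the `@@ -461`, `@@ -375` and `@@ -412` hunks of the sibling files. The `if ($action == 'delete')` block is fully inside the hunk, but the page output around it is not.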
||||
@@ -598,7 +599,7 @@ if ($id)
|
||||
|
||||
$fieldlist=explode(',',$tabfield[$id]);
|
||||
|
||||
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$id.'" method="POST">';
|
||||
print '<form action="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?id='.$id.'" method="POST">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
|
||||
print '<table class="noborder" width="100%">';
|
||||
|
||||
@@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$id=GETPOST('id','int');
|
||||
$rowid=GETPOST('rowid','alpha');
|
||||
$code=GETPOST('code','alpha');
|
||||
|
||||
// Security access
|
||||
if (! empty($user->rights->accountancy->chartofaccount))
|
||||
@@ -370,8 +371,8 @@ if ($action == $acts[0])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -390,8 +391,8 @@ if ($action == $acts[1])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -410,8 +411,8 @@ if ($action == 'activate_favorite')
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -430,8 +431,8 @@ if ($action == 'disable_favorite')
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -461,7 +462,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto);
|
||||
// Confirmation de la suppression de la ligne
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
}
|
||||
//var_dump($elementList);
|
||||
|
||||
|
||||
@@ -38,6 +38,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$id=GETPOST('id','int');
|
||||
$rowid=GETPOST('rowid','alpha');
|
||||
$code=GETPOST('code','alpha');
|
||||
|
||||
// Security access
|
||||
if (! empty($user->rights->accountancy->chartofaccount))
|
||||
@@ -321,8 +322,8 @@ if ($action == $acts[0])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -341,8 +342,8 @@ if ($action == $acts[1])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -375,7 +376,7 @@ print load_fiche_titre($titre,$linkback,$titlepicto);
|
||||
// Confirmation de la suppression de la ligne
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
}
|
||||
//var_dump($elementList);
|
||||
|
||||
|
||||
@@ -54,6 +54,7 @@ $action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
|
||||
$confirm=GETPOST('confirm','alpha');
|
||||
$id=GETPOST('id','int');
|
||||
$rowid=GETPOST('rowid','alpha');
|
||||
$code=GETPOST('code','alpha');
|
||||
|
||||
$allowed=$user->admin;
|
||||
if ($id == 7 && ! empty($user->rights->accounting->chartofaccount)) $allowed=1; // Tax page allowed to manager of chart account
|
||||
@@ -816,8 +817,8 @@ if ($action == $acts[0])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
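Review bot: `dol_escape_htmltag($code)` is an HTML-context escaper and is the wrong tool for a SQL literal: it does not yield a value that is safe inside the quoted WHERE clause, and if it entity-encodes as its name suggests, a code containing `&` or `<` would be rewritten and no longer match the stored row. Use the database escaper instead: `$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";`. The same substitution is needed in the `@@ -836`, `@@ -856` and `@@ -876` hunks of this file. The enclosing `if ($action == $acts[0])` block starts before the hunk.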
|
||||
@@ -836,8 +837,8 @@ if ($action == $acts[1])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -856,8 +857,8 @@ if ($action == 'activate_favorite')
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -876,8 +877,8 @@ if ($action == 'disable_favorite')
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($_GET["code"])."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($code)."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -938,7 +939,7 @@ if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha');
|
||||
// Confirmation de la suppression de la ligne
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($_GET["code"]).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
}
|
||||
//var_dump($elementList);
|
||||
|
||||
|
||||
@@ -346,8 +346,8 @@ if ($action == $acts[0])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -366,8 +366,8 @@ if ($action == $acts[1])
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
}
|
||||
elseif ($_GET["code"]) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$_GET["code"]."'";
|
||||
elseif ($code) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
@@ -412,7 +412,7 @@ dol_fiche_head($head, 'templates', '', -1);
|
||||
// Confirmation de la suppression de la ligne
|
||||
if ($action == 'delete')
|
||||
{
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$_GET["code"].'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
|
||||
}
|
||||
//var_dump($elementList);
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ if (! $user->admin)
|
||||
$form = new Form($db);
|
||||
|
||||
$title=$langs->trans("AdminTools");
|
||||
//if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools");
|
||||
//if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools");
|
||||
|
||||
llxHeader('', $title);
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ function printBookmarksList($aDb, $aLangs)
|
||||
|
||||
$langs->load("bookmarks");
|
||||
|
||||
$url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:'');
|
||||
$url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');
|
||||
|
||||
$ret = '';
|
||||
|
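Review bot: The rewritten `$url` escapes `$_SERVER["QUERY_STRING"]` but still concatenates `$_SERVER["PHP_SELF"]` raw, while the agenda hunks in this same commit wrap both; `PHP_SELF` can carry caller-controlled path-info, so it is the part that most needs the same treatment once `$url` is emitted in markup. Suggest `$url = dol_escape_htmltag($_SERVER["PHP_SELF"]).(! empty($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');`, which also keeps the original `! empty()` test rather than relying on the truthiness of the escaped string. `printBookmarksList` continues outside the hunk.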
||||
|
||||
@@ -423,8 +423,8 @@ else // If javascript off
|
||||
$newparam=$param; // newparam is for birthday links
|
||||
$newparam=preg_replace('/showbirthday=[0-1]/i','showbirthday='.(empty($showbirthday)?1:0),$newparam);
|
||||
if (! preg_match('/showbirthday=/i',$newparam)) $newparam.='&showbirthday=1';
|
||||
$link='<a href="'.$_SERVER['PHP_SELF'];
|
||||
$link.='?'.$newparam;
|
||||
$link='<a href="'.dol_escape_htmltag($_SERVER['PHP_SELF']);
|
||||
$link.='?'.dol_escape_htmltag($newparam);
|
||||
$link.='">';
|
||||
if (empty($showbirthday)) $link.=$langs->trans("AgendaShowBirthdayEvents");
|
||||
else $link.=$langs->trans("AgendaHideBirthdayEvents");
|
||||
@@ -1070,7 +1070,7 @@ if (empty($action) || $action == 'show_month') // View by month
|
||||
}
|
||||
echo "</table>\n";
|
||||
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
|
||||
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
echo '<input type="hidden" name="newdate" id="newdate">' ;
|
||||
echo '</form>';
|
||||
@@ -1124,7 +1124,7 @@ elseif ($action == 'show_week') // View by week
|
||||
|
||||
echo "</table>\n";
|
||||
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
|
||||
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
echo '<input type="hidden" name="newdate" id="newdate">' ;
|
||||
echo '</form>';
|
||||
|
||||
@@ -572,7 +572,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor
|
||||
$newparam.='&viewweek=1';
|
||||
|
||||
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
|
||||
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
echo '<input type="hidden" name="newdate" id="newdate">' ;
|
||||
echo '</form>';
|
||||
|
||||
@@ -579,7 +579,7 @@ $newparam=preg_replace('/showbirthday_=/i','showbirthday=',$newparam); // Restor
|
||||
$newparam.='&viewweek=1';
|
||||
|
||||
echo '<form id="move_event" action="" method="POST"><input type="hidden" name="action" value="mupdate">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'].'">';
|
||||
echo '<input type="hidden" name="backtopage" value="'.dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']).'">';
|
||||
echo '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
echo '<input type="hidden" name="newdate" id="newdate">' ;
|
||||
echo '</form>';
|
||||
|
||||
@@ -3587,15 +3587,14 @@ else if ($id > 0 || ! empty($ref))
|
||||
if ($object->type == Facture::TYPE_SITUATION && ! empty($conf->global->INVOICE_USE_SITUATION))
|
||||
{
|
||||
if (count($object->tab_previous_situation_invoice) > 0 || count($object->tab_next_situation_invoice) > 0)
|
||||
print '<table class="nobordernopadding paymenttable" width="100%">';
|
||||
print '<table class="noborder situationstable" width="100%">';
|
||||
|
||||
if (count($object->tab_previous_situation_invoice) > 0) {
|
||||
// List of previous invoices
|
||||
print '<tr class="liste_titre">';
|
||||
print '<td>' . $langs->trans('ListOfPreviousSituationInvoices') . '</td>';
|
||||
print '<td></td>';
|
||||
if (! empty($conf->banque->enabled))
|
||||
print '<td align="right"></td>';
|
||||
if (! empty($conf->banque->enabled)) print '<td align="right"></td>';
|
||||
print '<td align="right">' . $langs->trans('AmountHT') . '</td>';
|
||||
print '<td align="right">' . $langs->trans('AmountTTC') . '</td>';
|
||||
print '<td width="18"> </td>';
|
||||
@@ -3609,8 +3608,7 @@ else if ($id > 0 || ! empty($ref))
|
||||
print '<tr class="oddeven">';
|
||||
print '<td>' . $prev_invoice->getNomUrl(1) . '</td>';
|
||||
print '<td></td>';
|
||||
if (! empty($conf->banque->enabled))
|
||||
print '<td align="right"></td>';
|
||||
if (! empty($conf->banque->enabled)) print '<td align="right"></td>';
|
||||
print '<td align="right">' . price($prev_invoice->total_ht) . '</td>';
|
||||
print '<td align="right">' . price($prev_invoice->total_ttc) . '</td>';
|
||||
print '<td align="right">' . $prev_invoice->getLibStatut(3, $totalpaye) . '</td>';
|
||||
@@ -3619,7 +3617,9 @@ else if ($id > 0 || ! empty($ref))
|
||||
}
|
||||
|
||||
print '<tr class="oddeven">';
|
||||
print '<td colspan="2" align="right"></td>';
|
||||
print '<td></td>';
|
||||
print '<td></td>';
|
||||
if (! empty($conf->banque->enabled)) print '<td></td>';
|
||||
print '<td align="right"><b>' . price($total_prev_ht) . '</b></td>';
|
||||
print '<td align="right"><b>' . price($total_prev_ttc) . '</b></td>';
|
||||
print '<td width="18"> </td>';
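Review bot: The totals row now prints `colspan="2"` plus two further empty cells before the optional bank column, whereas the header row in the `@@ -3587` hunk prints only two cells before it; unless a header cell is added outside that hunk, the footer has two more columns than the header and the totals will not sit under `AmountHT`/`AmountTTC`. Worth checking whether the two `print '<td></td>';` lines are intended, or whether the `colspan="2"` already accounts for them. The surrounding `else if ($id > 0 || ! empty($ref))` block is outside the hunk.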
|
||||
|
||||
@@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir))
|
||||
}
|
||||
|
||||
print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
|
||||
print '<!-- Page called with mode='.(isset($mode)?$mode:'').' type='.$type.' module='.$module.' url='.$url.' '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
$param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:'');
|
||||
|
||||
|
||||
@@ -45,7 +45,7 @@ $action=GETPOST('action','aZ09');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext')
|
||||
{
|
||||
|
||||
@@ -50,7 +50,7 @@ $userid=GETPOST('userid','int');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Add a box
|
||||
if ($boxid > 0 && $zone !='' && $userid > 0)
|
||||
|
||||
@@ -45,7 +45,7 @@ $name=GETPOST('name','alpha');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if (! empty($action) && ! empty($name))
|
||||
|
||||
@@ -41,7 +41,7 @@ $showempty = GETPOST('showempty','int');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($id) && ! empty($action) && ! empty($htmlname))
|
||||
|
||||
@@ -40,7 +40,7 @@ $type = GETPOST('type', 'alpha');
|
||||
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
|
||||
{
|
||||
|
||||
@@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element))
|
||||
|
||||
@@ -42,7 +42,7 @@ $object = new GenericObject($db);
|
||||
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering new values
|
||||
if (($action == 'set') && ! empty($id))
|
||||
|
||||
@@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha'));
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($output) && isset($amount) && isset($tva_tx))
|
||||
|
||||
@@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
|
||||
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line']))
|
||||
|
||||
@@ -54,7 +54,7 @@ savemethodname:
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
//print_r($_POST);
|
||||
|
||||
// Load original field value
|
||||
|
||||
@@ -38,7 +38,7 @@ require '../../main.inc.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
if (isset($_GET['action']) && ! empty($_GET['action']))
|
||||
|
||||
@@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0);
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (! empty($id) && ! empty($action) && ! empty($htmlname))
|
||||
|
||||
@@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
|
||||
//var_dump($_GET);
|
||||
|
||||
@@ -1062,7 +1062,7 @@ class FormOther
|
||||
async: false
|
||||
});
|
||||
// We force reload to be sure to get all boxes into list
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\';
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\';
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1084,7 +1084,7 @@ class FormOther
|
||||
url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\',
|
||||
async: false
|
||||
});
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid;
|
||||
window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid;
|
||||
}
|
||||
});';
|
||||
if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();';
|
||||
|
||||
@@ -411,9 +411,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
|
||||
case 'intcomma':
|
||||
if (preg_match('/[^0-9,]+/i',$out)) $out='';
|
||||
break;
|
||||
case 'intcomma':
|
||||
if (preg_match('/[^0-9,]+/i',$out)) $out='';
|
||||
break;
|
||||
case 'alpha':
|
||||
$out=trim($out);
|
||||
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
|
||||
@@ -3168,8 +3165,8 @@ function dol_print_error($db='',$error='',$errors=null)
|
||||
$out.="<b>".$langs->trans("Referer").":</b> ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."<br>\n";
|
||||
$out.="<b>".$langs->trans("MenuManager").":</b> ".(isset($conf->standard_menu)?$conf->standard_menu:'')."<br>\n";
|
||||
$out.="<br>\n";
|
||||
$syslog.="url=".$_SERVER["REQUEST_URI"];
|
||||
$syslog.=", query_string=".$_SERVER["QUERY_STRING"];
|
||||
$syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]);
|
||||
$syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]);
|
||||
}
|
||||
else // Mode CLI
|
||||
{
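Review bot: Applying `dol_escape_htmltag()` to `REQUEST_URI` and `QUERY_STRING` before appending them to `$syslog` uses an HTML escaper in a log context: the log line will carry HTML entities, and whether line breaks or control characters are neutralised depends on that helper's internals, which this page does not show. If the intent is to stop a request from forging extra log records, a log-oriented sanitiser (strip CR/LF and control characters) is the matching tool; the HTML-facing `$out` lines above already use `dol_htmlentities` for their own context. A one-line comment such as `// sanitise request data before it reaches syslog` would at least make the choice reviewable. `dol_print_error` continues outside the hunk.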
|
||||
|
||||
@@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc)
|
||||
|
||||
$dol_url_root = DOL_URL_ROOT;
|
||||
|
||||
$php_self = $_SERVER['PHP_SELF'];
|
||||
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
|
||||
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
|
||||
|
||||
// Title
|
||||
$appli=constant('DOL_APPLICATION_TITLE');
|
||||
$title=$appli.' '.constant('DOL_VERSION');
|
||||
|
||||
@@ -45,7 +45,7 @@ $(function () {
|
||||
// Events
|
||||
$('#fileupload').fileupload({
|
||||
stop: function (e, data) {
|
||||
location.href='<?php echo $_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"]; ?>';
|
||||
location.href='<?php echo dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]); ?>';
|
||||
},
|
||||
destroy: function (e, data) {
|
||||
var that = $(this).data('fileupload');
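Review bot: `dol_escape_htmltag()` is applied inside a single-quoted JavaScript string literal (`location.href='<?php echo ... ?>'`), and HTML escaping does not match that context: inside a `<script>` block entities are not decoded, and unless the helper also encodes `'`, which the page does not show, the literal can still be terminated by the query string. Emitting the value as a JSON literal is the safer form, e.g. `location.href=<?php echo json_encode($_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"], JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP); ?>;`. The `@@ -63` tablednd hunk below has the same construct. The `stop:` handler sits inside a `$('#fileupload').fileupload({...})` call that continues outside the hunk.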
|
||||
|
||||
@@ -63,7 +63,7 @@ $(document).ready(function(){
|
||||
function() {
|
||||
console.log("tableDND end of ajax call");
|
||||
if (reloadpage == 1) {
|
||||
location.href = '<?php echo $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; ?>';
|
||||
location.href = '<?php echo dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']); ?>';
|
||||
} else {
|
||||
$("#<?php echo $tagidfortablednd; ?> .drag").each(
|
||||
function( intIndex ) {
|
||||
|
||||
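Review bot: L1727 writes the escaped URL into a single-quoted JavaScript string, and an HTML-tag escaper does not guarantee that `'` or a backslash in QUERY_STRING is neutralised in that context (whether dol_escape_htmltag encodes single quotes is not visible here). A JSON encoder targets the right context and also supplies the quotes: `location.href = <?php echo json_encode($_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'], JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT); ?>;`. The enclosing callback starts and ends outside the hunk.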
@@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
|
||||
// If we force to use jmobile, then we reenable javascript
|
||||
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
|
||||
|
||||
$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
|
||||
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
|
||||
if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
|
||||
|
||||
// Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
|
||||
$arrayofjs=array(
|
||||
'/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)),
|
||||
|
||||
@@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
|
||||
// If we force to use jmobile, then we reenable javascript
|
||||
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
|
||||
|
||||
$php_self = $_SERVER['PHP_SELF'];
|
||||
$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
|
||||
|
||||
print top_htmlhead('',$langs->trans('SendNewPassword'));
|
||||
?>
|
||||
<!-- BEGIN PHP TEMPLATE PASSWORDFORGOTTEN.TPL.PHP -->
|
||||
|
||||
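Review bot: `$php_self = $_SERVER['PHP_SELF'];` on L1785 leaves PHP_SELF unescaped while the query string on the next line is escaped, and the sibling login template in this same commit escapes both. PHP_SELF can carry attacker-supplied PATH_INFO (a request to `/passwordforgotten.php/"><svg onload=...>` keeps that suffix in PHP_SELF), so wherever `$php_self` is later echoed into an attribute (its use is outside the hunk) the injection survives. Change it to `$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);` to match login.tpl.php; note that the CodingPhpTest check added in this commit only sees occurrences preceded by 19 characters on the same line, so it does not flag this one.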
@@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Load original field value
|
||||
if (isset($action) && ! empty($action))
|
||||
|
||||
@@ -46,7 +46,7 @@ require '../../main.inc.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',',$_GET));
|
||||
|
||||
|
||||
@@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL))
|
||||
llxFooter();
|
||||
}
|
||||
|
||||
$mainmenu=GETPOST('mainmenu', 'alpha');
|
||||
$leftmenu=GETPOST('leftmenu', 'alpha');
|
||||
$mainmenu=GETPOST('mainmenu', "aZ09");
|
||||
$leftmenu=GETPOST('leftmenu', "aZ09");
|
||||
$idmenu=GETPOST('idmenu', 'int');
|
||||
$theme=GETPOST('theme', 'alpha');
|
||||
$codelang=GETPOST('lang', 'aZ09');
|
||||
|
||||
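Review bot: Tightening mainmenu and leftmenu to the `aZ09` allowlist on L1873-L1876 is the right direction, but `$theme` on L1882 keeps the `alpha` check, which from L1613 is a denylist of dangerous characters rather than an allowlist. If theme is later used to compose a stylesheet path or URL (not visible in this hunk), it deserves the same treatment: `$theme=GETPOST('theme', 'aZ09');`. Theme identifiers in this codebase appear to be plain alphanumerics, so the stricter filter should not break legitimate values, but that assumption is worth confirming against the theme directory names.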
@@ -46,7 +46,7 @@ $langs->load('margins');
|
||||
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
if ($idprod > 0)
|
||||
{
|
||||
|
||||
@@ -168,7 +168,7 @@ if($year_create > 0) {
|
||||
}
|
||||
} else {
|
||||
if($month_create > 0) {
|
||||
$filter.= " AND date_format(cp.date_create, '%m') = '$month_create'";
|
||||
$filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'";
|
||||
}
|
||||
}
|
||||
|
||||
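Review bot: The `$db->escape()` added on L1931 closes the injection but leaves a functional problem in the same expression: MySQL's `date_format(..., '%m')` yields a zero-padded string such as `'03'`, so a month typed as `3` into the two-character input on this page never matches, while `$month_create > 0` on L1925 already shows the value is meant to be numeric. Comparing as an integer both fixes the match and removes the need for escaping: `$filter.= " AND MONTH(cp.date_create) = ".((int) $month_create);`. If the PostgreSQL driver's query rewriting only understands `date_format`, the conservative alternative is to keep it and pad the input: `"... = '".sprintf('%02d', (int) $month_create)."'"`.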
@@ -302,7 +302,7 @@ print '</td>';
|
||||
|
||||
// DATE CREATE
|
||||
print '<td class="liste_titre" align="center">';
|
||||
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.$month_create.'">';
|
||||
print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.dol_escape_htmltag($month_create).'">';
|
||||
$formother->select_year($year_create,'year_create',1, $min_year, 0);
|
||||
print '</td>';
|
||||
|
||||
|
||||
@@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type)
|
||||
$sql_inj += preg_match('/<script/i', $val);
|
||||
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
|
||||
$sql_inj += preg_match('/base[\s]+href/si', $val);
|
||||
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
|
||||
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
|
||||
$sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
||||
$sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
|
||||
// $sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
|
||||
if ($type == 1)
|
||||
{
|
||||
$sql_inj += preg_match('/javascript:/i', $val);
|
||||
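Review bot: The commented-out `onfocus` line added at L1993 makes the limitation of this filter explicit: it is a denylist that only catches `onmouse*` and `onerror`, so handlers such as `onload`, `onclick`, `onfocus`, `onanimationstart` or a `formaction=` attribute pass straight through, and `<.*onmouse` additionally requires the `<` and the handler to sit in the same value. Rather than growing the list one handler at a time, I would state on this line that the function is a best-effort tripwire and that escaping at the output sink remains the real control, e.g. `// NOTE: denylist only — onload/onclick/onfocus/... are not caught; never rely on this instead of escaping at output.` If the list is kept, a generic `$sql_inj += preg_match('/\son[a-z]+\s*=/i', $val);` covers the whole event-handler family at the cost of some false positives on prose. test_sql_and_script_inject continues outside the hunk.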
@@ -1486,14 +1487,14 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
|
||||
// Link to print main content area
|
||||
if (empty($conf->global->MAIN_PRINT_DISABLELINK) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && empty($conf->browser->phone))
|
||||
{
|
||||
$qs=$_SERVER["QUERY_STRING"];
|
||||
$qs=dol_escape_htmltag($_SERVER["QUERY_STRING"]);
|
||||
|
||||
foreach($_POST as $key=>$value) {
|
||||
if($key!=='action' && !is_array($value))$qs.='&'.$key.'='.urlencode($value);
|
||||
if ($key!=='action' && !is_array($value)) $qs.='&'.$key.'='.urlencode($value);
|
||||
}
|
||||
|
||||
$qs.=(($qs && $morequerystring)?'&':'').$morequerystring;
|
||||
$text ='<a href="'.$_SERVER["PHP_SELF"].'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
|
||||
$text ='<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
|
||||
//$text.= img_picto(":".$langs->trans("PrintContentArea"), 'printer_top.png', 'class="printer"');
|
||||
$text.='<span class="fa fa-print atoplogin"></span>';
|
||||
$text.='</a>';
|
||||
|
||||
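Review bot: In the loop on L2031 the POST field name `$key` is concatenated into the href unencoded while only `$value` goes through urlencode(); PHP parameter names can contain characters such as `"` or `<`, so a crafted form field name lands raw in the attribute just as the query string did before this fix. Use `$qs.='&'.urlencode($key).'='.urlencode($value);` so both parts are attribute-safe (urlencode's output contains no HTML metacharacters). Two smaller points: `$qs` now mixes an HTML-escaped query string with raw `&` separators, and copying every POST value into a GET link exposes submitted data in the URL, Referer headers and server logs, which is worth a comment if it is intentional. top_menu continues outside the hunk.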
@@ -57,7 +57,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
|
||||
* View
|
||||
*/
|
||||
|
||||
// print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
// print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',', $_GET));
|
||||
// print_r($_GET);
|
||||
|
||||
@@ -66,7 +66,7 @@ $paymentmethod='paybox';
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
|
||||
dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
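Review bot: The rewritten dol_syslog() call on L2100 drops the `empty()` guard and indexes `$_SERVER["SCRIPT_URI"]` unconditionally; SCRIPT_URI is, as far as I know, an Apache-specific variable that many setups never populate, so this now raises an undefined-index notice on every cancelled-payment callback instead of logging quietly. Keep the guard and escape only when the value exists: `(isset($_SERVER["SCRIPT_URI"]) ? dol_escape_htmltag($_SERVER["SCRIPT_URI"]) : '')`, and likewise for QUERY_STRING. Separately, dol_escape_htmltag() is an HTML escaper and this string goes to the log, so it does not stop log-line forging through control characters; if that is the concern, strip them instead.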
@@ -76,7 +76,7 @@ $paymentmethod='paybox';
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayBox payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
|
||||
dol_syslog("Callback url when a PayBox payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
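Review bot: L2127 replaces the `empty()` guards with unconditional `dol_escape_htmltag($_SERVER["SCRIPT_URI"])` calls, so on servers that do not set SCRIPT_URI (it is not a standard CGI variable) every successful-payment callback now emits an undefined-index notice. Use `(isset($_SERVER["SCRIPT_URI"]) ? dol_escape_htmltag($_SERVER["SCRIPT_URI"]) : '')` and the same for QUERY_STRING. Note also that HTML escaping is the wrong tool for a log line; if the aim is to keep the entry clean, filter control characters rather than `<`/`>`.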
@@ -76,7 +76,7 @@ $paymentmethod='paypal';
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
|
||||
dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
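Review bot: The new dol_syslog() line at L2154 reads `$_SERVER["SCRIPT_URI"]` without the `isset`/`empty` check the old line had; SCRIPT_URI is populated only by some Apache configurations, so other deployments will get an undefined-index notice on each PayPal cancel callback. Restore the guard: `(isset($_SERVER["SCRIPT_URI"]) ? dol_escape_htmltag($_SERVER["SCRIPT_URI"]) : '')`, and do the same for QUERY_STRING. As with the PayBox callbacks, HTML-escaping a log line addresses the wrong context; control-character filtering is what protects the log.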
@@ -106,7 +106,7 @@ $paymentmethod='paypal';
|
||||
* View
|
||||
*/
|
||||
|
||||
dol_syslog("Callback url when a PayPal payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
|
||||
dol_syslog("Callback url when a PayPal payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
|
||||
|
||||
$tracepost = "";
|
||||
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
|
||||
|
||||
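Review bot: L2181 now indexes `$_SERVER["SCRIPT_URI"]` unconditionally, whereas the removed line only used it when set; SCRIPT_URI is an Apache-specific variable absent on many setups, so this callback will log an undefined-index notice on every completed payment there. Keep the guard: `(isset($_SERVER["SCRIPT_URI"]) ? dol_escape_htmltag($_SERVER["SCRIPT_URI"]) : '')`, likewise for QUERY_STRING. HTML escaping also does not prevent log-entry forging via control characters, which is the relevant risk for a syslog line, so consider stripping those instead.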
@@ -43,7 +43,7 @@ $id=GETPOST('id', 'int');
|
||||
* View
|
||||
*/
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',', $_GET));
|
||||
//print_r($_GET);
|
||||
|
||||
@@ -44,7 +44,7 @@ require '../main.inc.php';
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',',$_GET));
|
||||
|
||||
|
||||
@@ -45,7 +45,7 @@ $country=GETPOST('country', 'alpha');
|
||||
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
|
||||
top_httphead();
|
||||
|
||||
print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
|
||||
print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
dol_syslog(join(',',$_POST));
|
||||
|
||||
|
||||
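Review bot: L2261 still prints the request URL into the Ajax response as an HTML comment, whereas every other Ajax page touched by this commit keeps this line commented out. The escaping makes it safe inside the comment, but it still reflects the full query string to any caller and sits next to a `dol_syslog(join(',',$_POST))` that writes every POST field to the log; both are debug aids rather than production behaviour. I would comment the print out for consistency with the sibling pages and, if the POST dump is kept, note in a comment that it may record sensitive submitted values.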
@@ -152,9 +152,6 @@ if ($action == 'buildnewpassword' && $username)
|
||||
* View
|
||||
*/
|
||||
|
||||
$php_self = $_SERVER['PHP_SELF'];
|
||||
$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
|
||||
|
||||
$dol_url_root = DOL_URL_ROOT;
|
||||
|
||||
// Title
|
||||
|
||||
@@ -88,7 +88,7 @@ $forcereloadpage=empty($conf->global->MAIN_FORCE_RELOAD_PAGE)?0:1;
|
||||
},
|
||||
function() {
|
||||
if (reloadpage == 1) {
|
||||
location.href = '<?php echo $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; ?>';
|
||||
location.href = '<?php echo dol_escape_htmltag($_SERVER['PHP_SELF']).'?'.dol_escape_htmltag($_SERVER['QUERY_STRING']); ?>';
|
||||
} else {
|
||||
$("#tablelines .drag").each(
|
||||
function( intIndex ) {
|
||||
|
||||
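Review bot: L2317 emits the escaped URL inside a single-quoted JavaScript string, a context where an HTML-tag escaper is not sufficient unless it also encodes `'` and backslashes (dol_escape_htmltag's behaviour for single quotes is not visible here). Generate the literal with a JSON encoder instead: `location.href = <?php echo json_encode($_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'], JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT); ?>;`. The enclosing callback starts and ends outside the hunk.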
@@ -171,9 +171,22 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
|
||||
//exit;
|
||||
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||
preg_match_all('/(...................)\$_SERVER\[\'PHP_SELF\'\]/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach($matches as $key => $val)
|
||||
{
|
||||
if ($val[1] != 'dol_escape_htmltag(')
|
||||
{
|
||||
$ok=false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag around in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
}
|
||||
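Review bot: The new check on L2354-L2381 is weaker than it looks and its message is wrong: the pattern `(...................)\$_SERVER\[\'PHP_SELF\'\]` needs exactly 19 characters before the occurrence on the same line, so a short statement such as `$php_self = $_SERVER['PHP_SELF'];` (12 characters of prefix, as in the passwordforgotten template of this commit) never matches and is silently accepted, and only the single-quoted spelling is matched, missing `$_SERVER["PHP_SELF"]`. Suggested: `preg_match_all('/(.{0,19})\$_SERVER\[[\'"]PHP_SELF[\'"]\]/', $filecontent, $matches, PREG_SET_ORDER);` with `if (substr($val[1], -19) != 'dol_escape_htmltag(')`, and the assertion text on L2381 should say `PHP_SELF` rather than `QUERY_STRING`, which this check never inspects. The comment on L2351 is copied from the SQL-escape check above and should describe this one instead. The enclosing test method starts outside the hunk.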
|
||||