diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index 2f5bf2343e5..dcffab2e452 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -335,7 +335,7 @@ if (empty($reshook)) {
 $object->phone_perso = trim(GETPOST("phone_perso", 'alpha'));
 $object->phone_mobile = trim(GETPOST("phone_mobile", 'alpha'));
 $object->email = preg_replace('/\s+/', '', GETPOST("member_email", 'alpha'));
- $object->url = trim(GETPOST('member_url', 'custom', 0, FILTER_SANITIZE_URL));
+ $object->url = trim(GETPOST('member_url', 'url'));
 $object->socialnetworks = array();
 foreach ($socialnetworks as $key => $value) {
 if (GETPOSTISSET($key) && GETPOST($key, 'alphanohtml') != '') {
@@ -485,7 +485,7 @@ if (empty($reshook)) {
 $phone_perso = GETPOST("phone_perso", 'alpha');
 $phone_mobile = GETPOST("phone_mobile", 'alpha');
 $email = preg_replace('/\s+/', '', GETPOST("member_email", 'aZ09arobase'));
- $url = trim(GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL));
+ $url = trim(GETPOST('url', 'url'));
 $login = GETPOST("member_login", 'alphanohtml');
 $pass = GETPOST("password", 'password'); // For password, we use 'none'
 $photo = GETPOST("photo", 'alphanohtml');
diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php
index d72bfa65870..910f889cec9 100644
--- a/htdocs/contact/card.php
+++ b/htdocs/contact/card.php
@@ -240,7 +240,7 @@ if (empty($reshook)) {
 }
 }
 }
- $object->email = (string) GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
+ $object->email = (string) GETPOST('email', 'email');
 $object->no_email = GETPOSTINT("no_email");
 $object->phone_pro = (string) GETPOST("phone_pro", 'alpha');
 $object->phone_perso = (string) GETPOST("phone_perso", 'alpha');
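Review bot: Switching `member_url` to the `'url'` check changes which characters survive but adds no validation: the `sanitizeVal` hunk later in this same diff implements `'url'` as a character allowlist, so `$object->url` is still stored without any check that it is a well-formed link. A validity check before the object is saved, e.g. `if ($object->url !== '' && filter_var($object->url, FILTER_VALIDATE_URL) === false) { $error++; }`, is still missing, and the value must still be escaped for its output context wherever it is rendered. The same applies to the `-485` hunk below and to the `url` / `webservices_url` assignments in the `htdocs/societe/card.php` hunks at `-360`, `-433`, `-1083`, `-2081` and `-2103`. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.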
@@ -358,13 +358,13 @@ if (empty($reshook)) {
 $action = 'edit';
 }
- if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT("no_email") == -1 && !empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
+ if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT("no_email") == -1 && !empty(GETPOST('email', 'email'))) {
 $error++;
 $errors[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("No_Email"));
 $action = 'edit';
 }
- if (!empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL)) && !isValidEmail(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
+ if (!empty(GETPOST('email', 'email')) && !isValidEmail(GETPOST('email', 'email'))) {
 $langs->load("errors");
 $error++;
 $errors[] = $langs->trans("ErrorBadEMail", GETPOST('email', 'alpha'));
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index d2292169e8e..059379c28e5 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -829,6 +829,7 @@ function GETPOSTISARRAY($paramname, $method = 0)
 * '' or 'none'=no check (deprecated)
 * 'password'=allow characters for a password
 * 'email'=allow characters for an email "email@domain.com"
+ * 'url'=allow characters for an url
 * 'array', 'array:restricthtml' or 'array:aZ09' to check it's an array
 * 'int'=check it's numeric (integer or float)
 * 'intcomma'=check it's integer+comma ('1,2,3,4...')
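Review bot: The rewritten conditions read the `email` parameter three times with the `'email'` check, and the `ErrorBadEMail` line right after reads it a fourth time with `'alpha'`, so the value shown in the error can differ from the value that failed `isValidEmail`. Reading it once, `$email = GETPOST('email', 'email');`, then using `!empty($email)` / `!isValidEmail($email)` in both conditions and `$email` in the `ErrorBadEMail` message keeps the validated and reported values identical and makes the intent readable. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.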
@@ -1317,6 +1318,11 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
 case 'email':
 $out = filter_var($out, FILTER_SANITIZE_EMAIL);
 break;
+ case 'url':
+ //$out = filter_var($out, FILTER_SANITIZE_URL); // Not reliable, replaced with FILTER_VALIDATE_URL
+ $out = preg_replace('/[^:\/\[\]a-z0-9@\$\'\*\~\.\-_,;\?\!=%&+#]+/i', '', $out);
+ // TODO Allow ( ) but only into password of https://login:password@domain...
+ break;
 case 'aZ':
 if (!is_array($out)) {
 $out = trim($out);
diff --git a/htdocs/partnership/class/partnershiputils.class.php b/htdocs/partnership/class/partnershiputils.class.php
index fdf0d7f6619..2f5a8143f7b 100644
--- a/htdocs/partnership/class/partnershiputils.class.php
+++ b/htdocs/partnership/class/partnershiputils.class.php
@@ -561,7 +561,7 @@ class PartnershipUtils
 $url = $href->getAttribute('href');
 $url = filter_var($url, FILTER_SANITIZE_URL);
 if (!(!filter_var($url, FILTER_VALIDATE_URL))) {
- $webcontent .= $url;
+ $webcontent .= $url; // $webcontent is used for a test only, so having content not completely sanitized is not a problem.
 }
 }
 }
diff --git a/htdocs/public/company/new.php b/htdocs/public/company/new.php
index 0fea42142e9..0262efb2781 100644
--- a/htdocs/public/company/new.php
+++ b/htdocs/public/company/new.php
@@ -202,7 +202,7 @@ if (empty($reshook) && $action == 'add') { // Test on permission not required he
 $societe->country_id = GETPOSTINT('country_id');
 $societe->phone = GETPOST('phone', 'alpha');
 $societe->fax = GETPOST('fax', 'alpha');
- $societe->email = trim(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL));
+ $societe->email = trim(GETPOST('email', 'email'));
 $societe->client = 2 ; // our client is a prospect
 $societe->code_client = '-1';
 $societe->name_alias = GETPOST('name_alias', 'alphanohtml');
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index 2cd91359e11..f4c8de6de45 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
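Review bot: The comment on the new `case 'url':` says the old filter was "replaced with FILTER_VALIDATE_URL", but the code that follows is a `preg_replace` character allowlist and never calls `FILTER_VALIDATE_URL`, so a reader will wrongly assume the returned value has been validated. I would replace that line with `// Character allowlist only (FILTER_SANITIZE_URL was not reliable): strips disallowed bytes but does not validate scheme or structure; callers must still validate (e.g. FILTER_VALIDATE_URL) and escape for the output context.` Note that `'` remains in the allowed set, which is only safe if every consumer escapes the value before putting it into an attribute. The matching docblock line added in the `functions.lib.php` `-829` hunk should say the same in short form, `'url'=allow characters for a URL (allowlist, no validation)`. `sanitizeVal` starts and ends outside the hunk.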
@@ -310,12 +310,12 @@ if (empty($reshook)) {
 $error++;
 }
- if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
+ if (isModEnabled('mailing') && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'email'))) {
 $error++;
 setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("No_Email")), null, 'errors');
 }
- if (isModEnabled('mailing') && GETPOSTINT("private") == 1 && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL))) {
+ if (isModEnabled('mailing') && GETPOSTINT("private") == 1 && getDolGlobalInt('MAILING_CONTACT_DEFAULT_BULK_STATUS') == 2 && GETPOSTINT('contact_no_email') == -1 && !empty(GETPOST('email', 'email'))) {
 $error++;
 setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("No_Email")), null, 'errors');
 }
@@ -333,6 +333,7 @@ if (empty($reshook)) {
 $object->name = dolGetFirstLastname(GETPOST('firstname', 'alphanohtml'), GETPOST('name', 'alphanohtml'));
 $object->civility_id = GETPOST('civility_id', 'alphanohtml'); // Note: civility id is a code, not an int
+ $object->civility_code = GETPOST('civility_id', 'alphanohtml'); // Note: civility id is a code, not an int
 // Add non official properties
 $object->name_bis = GETPOST('name', 'alphanohtml');
 $object->firstname = GETPOST('firstname', 'alphanohtml');
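Review bot: The second rewritten condition is the first one plus an extra `GETPOSTINT("private") == 1` term, so whenever it is true the first block has already run: `$error` is incremented twice and the same `ErrorFieldRequired` message is queued twice for one missing field. The two blocks are adjacent in the hunk, so unless the duplicate is intentional the second `if` can be removed, or the first can be restricted with `GETPOSTINT("private") != 1` so the two are exclusive; which one is right depends on intent I cannot see here. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.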
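Review bot: The added `$object->civility_code` line re-reads the same `civility_id` parameter with the same check and duplicates the comment, which hides that the two properties are meant to carry the same value. `$object->civility_code = $object->civility_id; // same code kept in both properties` states the relationship directly and cannot drift if the sanitization of one is later changed. If `civility_code` is not a declared property of the object's class, this assignment creates a dynamic property, which PHP 8.2 deprecates; the class is not visible from the hunk, so that is worth confirming. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.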
@@ -360,9 +361,9 @@ if (empty($reshook)) {
 $object->phone = GETPOST('phone', 'alpha');
 $object->phone_mobile = (string) GETPOST("phone_mobile", 'alpha');
 $object->fax = GETPOST('fax', 'alpha');
- $object->email = trim(GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL));
+ $object->email = trim(GETPOST('email', 'email'));
 $object->no_email = GETPOSTINT("no_email");
- $object->url = trim(GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL));
+ $object->url = trim(GETPOST('url', 'url'));
 $object->idprof1 = trim(GETPOST('idprof1', 'alphanohtml'));
 $object->idprof2 = trim(GETPOST('idprof2', 'alphanohtml'));
 $object->idprof3 = trim(GETPOST('idprof3', 'alphanohtml'));
@@ -433,7 +434,7 @@ if (empty($reshook)) {
 $object->default_lang = GETPOST('default_lang');
 // Webservices url/key
- $object->webservices_url = GETPOST('webservices_url', 'custom', 0, FILTER_SANITIZE_URL);
+ $object->webservices_url = GETPOST('webservices_url', 'url');
 $object->webservices_key = GETPOST('webservices_key', 'san_alpha');
 if (GETPOSTISSET('accountancy_code_sell')) {
@@ -1083,8 +1084,8 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($canvasdisplayactio
 $object->phone = GETPOST('phone', 'alpha');
 $object->phone_mobile = (string) GETPOST("phone_mobile", 'alpha');
 $object->fax = GETPOST('fax', 'alpha');
- $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
- $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
+ $object->email = GETPOST('email', 'email');
+ $object->url = GETPOST('url', 'url');
 $object->capital = GETPOSTFLOAT('capital');
 $paymentTermId = GETPOSTINT('cond_reglement_id'); // can be set by default values on create page and not already in get or post variables
 if (empty($paymentTermId) && !GETPOSTISSET('cond_reglement_id')) {
@@ -2081,9 +2082,9 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($canvasdisplayactio
 $object->phone = GETPOST('phone', 'alpha');
 $object->phone_mobile = (string) GETPOST('phone_mobile', 'alpha');
 $object->fax = GETPOST('fax', 'alpha');
- $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
+ $object->email = GETPOST('email', 'email');
 $object->no_email = GETPOSTINT("no_email");
- $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
+ $object->url = GETPOST('url', 'url');
 $object->capital = GETPOSTFLOAT('capital');
 $object->idprof1 = GETPOST('idprof1', 'alphanohtml');
 $object->idprof2 = GETPOST('idprof2', 'alphanohtml');
@@ -2103,7 +2104,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($canvasdisplayactio
 $object->status = GETPOSTINT('status');
 // Webservices url/key
- $object->webservices_url = GETPOST('webservices_url', 'custom', 0, FILTER_SANITIZE_URL);
+ $object->webservices_url = GETPOST('webservices_url', 'url');
 $object->webservices_key = GETPOST('webservices_key', 'san_alpha');
 if (GETPOSTISSET('accountancy_code_sell')) {