Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge branch '13.0' of git@github.com:Dolibarr/dolibarr.git into develop

Browse Source 
Conflicts:
	htdocs/accountancy/bookkeeping/list.php
	htdocs/accountancy/bookkeeping/listbysubaccount.php
	htdocs/accountancy/class/accountancyexport.class.php
	htdocs/user/class/usergroup.class.php
This commit is contained in:
Laurent Destailleur
2021-01-14 14:13:08 +01:00
parent 16d98d2691 768d2db8a1
commit aaddda9a6e
29 changed files with 210 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/core/lib/functions.lib.php
View File

@@ -675,7 +675,7 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
case 'nohtml':
$out = dol_string_nohtmltag($out, 0);
break;
case 'alpha': // No html and no " and no ../
case 'alpha': // No html and no ../ and " replaced with ''
case 'alphanohtml': // Recommended for most scalar parameters and search parameters
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
@@ -686,6 +686,14 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
$out = dol_string_nohtmltag($out, 0);
}
break;
case 'alphawithlgt': // No " and no ../ but we keep < > tags
if (!is_array($out)) {
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
$out = str_replace(array('&quot;', '"'), "", trim($out));
$out = str_replace(array('../'), '', $out);
}
break;
case 'restricthtml': // Recommended for most html textarea
$out = dol_string_onlythesehtmltags($out, 0, 1, 1);
break;