diff --git a/ChangeLog b/ChangeLog index 7bfd43947b6..1f4afc83e82 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,7 @@ Following changes may create regressions for some external modules, but were nec * Property num_paiement has been renamed num_payment everywhere for better code consistency. * If you build a class that implement CommonObject to use the incoterm properties or method (->fk_incoterm, ->label_incoterm, ->location_incoterm), you must now also include declaration of the Trait CommonIncoterm in your class. All incoterm functions were moved into this Trait. +* The GETPOST(..., 'alpha') has now the same behaviour than GETPOST(..., 'alpahnohtml'); ***** ChangeLog for 12.0.2 compared to 12.0.1 ***** FIX: computation of the bottom margin of returns NaN because body is not loaded yet diff --git a/SECURITY.md b/SECURITY.md index 59311cf71ba..06d1407229a 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -62,13 +62,19 @@ No vulnerability disclosure, including partial is allowed for the moment. ## Scope for qualified vulnerabilities -ONLY vulnerabilities discovered, when the following setup on tested platform is used, are accepted: +ONLY vulnerabilities discovered, when the following setup on test platform is used, are accepted: * $dolibarr_main_prod must be set to 1 into conf.php -* $dolibarr_nocsrfcheck must be kept to the value 1 into conf.php (this is the default value) -* The module DebugBar must NOT be enabled (by default, this module is not enabled) +* $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value) +* $dolibarr_main_force_https must be set to something else than 0. * The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be enabled soon by default) -* ONLY security reports on "stable" modules are allowed (troubles into "experimental" and "developement" modules are not accepted). +* The module DebugBar must NOT be enabled (by default, this module is not enabled. This is a developer tool) +* The module ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool) +* ONLY security reports on modules provided by default and with the "stable" status are allowed (troubles into "experimental", "developement" or external modules are not accepted). +* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer). +* The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly. +* CSRF attacks are accepted for all when using a POST URL, but are accepted only for creating or updating data resctricted to the admin user when using GET URL. 
+* Ability for a high level user to edit web site pages in the CMS by including javascript is an expected feature. Scope is the web application (back office) and the APIs. diff --git a/dev/initdemo/initdemo.sh b/dev/initdemo/initdemo.sh index 7fd9eb551d4..1b32161b44b 100755 --- a/dev/initdemo/initdemo.sh +++ b/dev/initdemo/initdemo.sh @@ -69,6 +69,7 @@ then 255) exit;; esac + rm $fichtemp # ----------------------------- database name DIALOG=${DIALOG=dialog} @@ -86,6 +87,7 @@ then 255) exit;; esac + rm $fichtemp # ---------------------------- database port DIALOG=${DIALOG=dialog} @@ -104,6 +106,7 @@ then 255) exit;; esac + rm $fichtemp # ---------------------------- compte admin mysql DIALOG=${DIALOG=dialog} @@ -122,6 +125,7 @@ then 255) exit;; esac + rm $fichtemp # ---------------------------- mot de passe admin mysql DIALOG=${DIALOG=dialog} @@ -140,6 +144,7 @@ then 255) exit;; esac + rm $fichtemp export documentdir=`cat $mydir/../../htdocs/conf/conf.php | grep '^\$dolibarr_main_data_root' | sed -e 's/$dolibarr_main_data_root=//' | sed -e 's/;//' | sed -e "s/'//g" | sed -e 's/"//g' ` diff --git a/dev/initdemo/initdemopassword.sh b/dev/initdemo/initdemopassword.sh new file mode 100755 index 00000000000..d5aa9c1ef0e --- /dev/null +++ b/dev/initdemo/initdemopassword.sh 
@@ -0,0 +1,166 @@
+#!/bin/sh
+#------------------------------------------------------
+# Script to reinit admin password.
+# Note: "dialog" tool need to be available if no parameter provided.
+#
+# Laurent Destailleur - eldy@users.sourceforge.net
+#------------------------------------------------------
+# Usage: initdemopassword.sh confirm
+# usage: initdemopassword.sh confirm base port login pass
+#------------------------------------------------------
+
+
+export mydir=`echo "$0" | sed -e 's/initdemopassword.sh//'`;
+if [ "x$mydir" = 'x' -o "x$mydir" = 'x./' ]
+then
+ export mydir="."
+fi
+export id=`id -u`;
+
+
+# ----------------------------- check if root
+if [ "x$id" != "x0" -a "x$id" != "x1001" ]
+then
+ echo "Script must be ran as root"
+ exit
+fi
+
+
+# ----------------------------- command line params
+confirm=$1;
+base=$2;
+port=$3;
+demologin=$4;
+demopass=$5;
+
+# ----------------------------- check params
+if [ "x$confirm" != "xconfirm" ]
+then
+ echo "----- $0 -----"
+ echo "Usage: initdemopassword.sh confirm [base port login pass]"
+ exit
+fi
+
+
+# ----------------------------- if no params on command line
+if [ "x$demopass" = "x" ]
+then
+ export dumpfile=`ls -v $mydir/mysqldump_dolibarr_*.sql | tail -n 1`
+ export dumpfile=`basename $dumpfile`
+
+ # ----------------------------- database name
+ DIALOG=${DIALOG=dialog}
+ DIALOG="$DIALOG --ascii-lines"
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Init Dolibarr with demo values" --clear \
+ --inputbox "Mysql database name :" 16 55 dolibarrdemo 2> $fichtemp
+ valret=$?
+ case $valret in
+ 0)
+ base=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm $fichtemp
+
+ # ---------------------------- database port
+ DIALOG=${DIALOG=dialog}
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Init Dolibarr with demo values" --clear \
+ --inputbox "Mysql port (ex: 3306):" 16 55 3306 2> $fichtemp
+
+ valret=$?
+
+ case $valret in
+ 0)
+ port=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm $fichtemp
+
+
+ # ----------------------------- demo login
+ DIALOG=${DIALOG=dialog}
+ DIALOG="$DIALOG --ascii-lines"
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Reset login password" --clear \
+ --inputbox "Login to reset :" 16 55 dolibarrdemologin 2> $fichtemp
+ valret=$?
+ case $valret in
+ 0)
+ demologin=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm fichtemp
+
+ # ----------------------------- demo pass
+ DIALOG=${DIALOG=dialog}
+ DIALOG="$DIALOG --ascii-lines"
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Reset login password" --clear \
+ --inputbox "Pass to set :" 16 55 dolibarrdemopass 2> $fichtemp
+ valret=$?
+ case $valret in
+ 0)
+ demopass=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm fichtemp
+
+
+ export documentdir=`cat $mydir/../../htdocs/conf/conf.php | grep '^\$dolibarr_main_data_root' | sed -e 's/$dolibarr_main_data_root=//' | sed -e 's/;//' | sed -e "s/'//g" | sed -e 's/"//g' `
+
+
+ # ---------------------------- confirmation
+ DIALOG=${DIALOG=dialog}
+ $DIALOG --title "Init demo login with demo values" --clear \
+ --yesno "Do you confirm ? \n Mysql database : '$base' \n Mysql port : '$port' \n Demo login: '$demologin' \n Demo password : '$demopass'" 15 55
+
+ case $? in
+ 0) echo "Ok, start process...";;
+ 1) exit;;
+ 255) exit;;
+ esac
+
+fi
+
+
+# ---------------------------- run sql file
+if [ "x$passwd" != "x" ]
+then
+ export passwd="-p$passwd"
+fi
+#echo "mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile"
+#mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile
+echo "echo \"UPDATE llx_user SET pass_crypted = MD5('$demopass') WHERE login = '$demologin';\" | mysql -P$port $base"
+echo "UPDATE llx_user SET pass_crypted = MD5('$demopass') WHERE login = '$demologin';" | mysql -P$port $base
+export res=$?
+
+if [ $res -ne 0 ]; then
+ echo "Error to execute sql with mysql -P$port -u$admin -p***** $base"
+ exit
+fi
+
+
+if [ "x$res" = "x0" ]
+then
+ echo "Success, file successfully loaded."
+else
+ echo "Error, load failed."
+fi
+echo
diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php
index e6264648159..93241901524 100644
--- a/htdocs/accountancy/admin/account.php
+++ b/htdocs/accountancy/admin/account.php
@@ -55,7 +55,7 @@ if (!$user->rights->accounting->chartofaccount) accessforbidden();
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/accountancy/admin/fiscalyear.php b/htdocs/accountancy/admin/fiscalyear.php
index 89aad6e2d0d..5728f78b791 100644
--- a/htdocs/accountancy/admin/fiscalyear.php
+++ b/htdocs/accountancy/admin/fiscalyear.php
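Review bot: The two `rm fichtemp` lines after the "demo login" and "demo pass" prompts are missing the `$`, so they try to delete a file literally named `fichtemp` in the working directory and leave the real temp file to the trap; both should read `rm $fichtemp`. The UPDATE statement at the end interpolates `$demopass` and `$demologin` unescaped into quoted SQL literals and also echoes the full statement to stdout, so a value containing a quote alters the query and the new password ends up in the terminal or any log; the lines below reject such values before the statement is built and mask the password in the echo. `$passwd` and `$admin` are never assigned anywhere in the script, so the `-p` branch is dead and the error message prints an empty user; either wire them to parameters or drop them. The error paths `exit` with status 0, so a caller cannot detect failure; `exit 1` would be the usual choice.
```sh
# … unchanged: dialog prompts and confirmation …
# Only plain characters are accepted so the values cannot break out of the quoted SQL literals below.
case "$demologin$demopass" in
    *[!A-Za-z0-9_.@-]*)
        echo "Error: login and password may only contain letters, digits and _ . @ -"
        exit 1;;
esac
echo "UPDATE llx_user SET pass_crypted = MD5('*****') WHERE login = '$demologin';"
echo "UPDATE llx_user SET pass_crypted = MD5('$demopass') WHERE login = '$demologin';" | mysql -P$port $base
export res=$?
```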
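Review bot: `$sortfield` on the line just above the change keeps the `'alpha'` check while `$sortorder` is tightened to `'aZ09comma'`; if both values reach the ORDER BY clause (the query itself is outside the hunk), the field name deserves the same whitelist, e.g. `$sortfield = GETPOST('sortfield', 'aZ09comma');`, provided the dotted `alias.column` names the pages use pass that check. The same pattern appears in the hunks for fiscalyear.php, bookkeeping/balance.php, bookkeeping/list.php, bookkeeping/listbyaccount.php, customer/lines.php, customer/list.php, expensereport/lines.php, expensereport/list.php, supplier/lines.php, supplier/list.php and adherents/subscription.php.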
@@ -30,7 +30,7 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php index a5000dda461..9079d95d670 100644 --- a/htdocs/accountancy/bookkeeping/balance.php +++ b/htdocs/accountancy/bookkeeping/balance.php @@ -47,7 +47,7 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php index 987f7f3fd28..f8f0cad1996 100644 --- a/htdocs/accountancy/bookkeeping/list.php +++ b/htdocs/accountancy/bookkeeping/list.php 
@@ -92,7 +92,7 @@ $search_not_reconciled = GETPOST('search_reconciled_option', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/accountancy/bookkeeping/listbyaccount.php b/htdocs/accountancy/bookkeeping/listbyaccount.php index e5a18626b42..6e7b9dfb54f 100644 --- a/htdocs/accountancy/bookkeeping/listbyaccount.php +++ b/htdocs/accountancy/bookkeeping/listbyaccount.php @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; // Load translation files required by the page $langs->loadLangs(array("accountancy")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $search_date_start = dol_mktime(0, 0, 0, GETPOST('search_date_startmonth', 'int'), GETPOST('search_date_startday', 'int'), GETPOST('search_date_startyear', 'int')); $search_date_end = dol_mktime(0, 0, 0, GETPOST('search_date_endmonth', 'int'), GETPOST('search_date_endday', 'int'), GETPOST('search_date_endyear', 'int')); $search_doc_date = dol_mktime(0, 0, 0, GETPOST('doc_datemonth', 'int'), GETPOST('doc_dateday', 'int'), GETPOST('doc_dateyear', 'int')); 
@@ -69,7 +69,7 @@ if (GETPOST("button_delmvt_x") || GETPOST("button_delmvt.x") || GETPOST("button_ // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/accountancy/customer/card.php b/htdocs/accountancy/customer/card.php index 34a23b377b9..ed8f347a177 100644 --- a/htdocs/accountancy/customer/card.php +++ b/htdocs/accountancy/customer/card.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "accountancy")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php index 6b326ec872f..2baed5d4653 100644 --- a/htdocs/accountancy/customer/lines.php +++ b/htdocs/accountancy/customer/lines.php 
@@ -62,7 +62,7 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; $offset = $limit * $page; diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php index 96750389cc0..79a693978d1 100644 --- a/htdocs/accountancy/customer/list.php +++ b/htdocs/accountancy/customer/list.php @@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "companies", "compta", "accountancy", "other", "productbatch")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -70,7 +70,7 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/accountancy/expensereport/card.php b/htdocs/accountancy/expensereport/card.php index b21882b9461..ab02592f6b8 100644 
--- a/htdocs/accountancy/expensereport/card.php +++ b/htdocs/accountancy/expensereport/card.php @@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "accountancy", "trips")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php index 4fdc29b2c0f..afb6ae13a6e 100644 --- a/htdocs/accountancy/expensereport/lines.php +++ b/htdocs/accountancy/expensereport/lines.php @@ -56,7 +56,7 @@ $search_year = GETPOST("search_year", "int"); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; $pageprev = $page - 1; diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php index 76d13b99805..61e2a95fd88 100644 --- a/htdocs/accountancy/expensereport/list.php +++ b/htdocs/accountancy/expensereport/list.php @@ -38,7 +38,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "companies", "compta", "accountancy", "other", "trips", "productbatch", "hrm")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); 
@@ -66,7 +66,7 @@ $search_year = GETPOST("search_year", "int"); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/accountancy/supplier/card.php b/htdocs/accountancy/supplier/card.php index 07f3117c266..4a4747cfaf4 100644 --- a/htdocs/accountancy/supplier/card.php +++ b/htdocs/accountancy/supplier/card.php @@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "accountancy")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php index 6a5e234532c..dacca2a226d 100644 --- a/htdocs/accountancy/supplier/lines.php +++ b/htdocs/accountancy/supplier/lines.php @@ -63,7 +63,7 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; $offset = $limit * $page; 
diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index 9e0b64160e1..9b700aeac56 100644 --- a/htdocs/accountancy/supplier/list.php +++ b/htdocs/accountancy/supplier/list.php @@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "companies", "compta", "accountancy", "other", "productbatch")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -70,7 +70,7 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/adherents/admin/adherent.php b/htdocs/adherents/admin/adherent.php index ca1d1cc2a33..f2c52daa4b0 100644 --- a/htdocs/adherents/admin/adherent.php +++ b/htdocs/adherents/admin/adherent.php @@ -41,7 +41,7 @@ if (!$user->admin) accessforbidden(); $type = array('yesno', 'texte', 'chaine'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/adherents/admin/adherent_emails.php b/htdocs/adherents/admin/adherent_emails.php index 1b26a029a01..a3550e4a35a 100644 --- a/htdocs/adherents/admin/adherent_emails.php +++ b/htdocs/adherents/admin/adherent_emails.php 
@@ -41,7 +41,7 @@ if (!$user->admin) accessforbidden(); $oldtypetonewone = array('texte'=>'text', 'chaine'=>'string'); // old type to new ones -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $error = 0; @@ -83,9 +83,9 @@ if ($action == 'update' || $action == 'add') { $constlineid = GETPOST('rowid', 'int'); $constname = GETPOST('constname', 'alpha'); - $constvalue = (GETPOSTISSET('constvalue_'.$constname) ? GETPOST('constvalue_'.$constname, 'alpha') : GETPOST('constvalue')); + $constvalue = (GETPOSTISSET('constvalue_'.$constname) ? GETPOST('constvalue_'.$constname, 'alphanohtml') : GETPOST('constvalue')); $consttype = (GETPOSTISSET('consttype_'.$constname) ? GETPOST('consttype_'.$constname, 'alphanohtml') : GETPOST('consttype')); - $constnote = (GETPOSTISSET('constnote_'.$constname) ? GETPOST('constnote_'.$constname, 'none') : GETPOST('constnote')); + $constnote = (GETPOSTISSET('constnote_'.$constname) ? GETPOST('constnote_'.$constname, 'restricthtml') : GETPOST('constnote')); $typetouse = empty($oldtypetonewone[$consttype]) ? $consttype : $oldtypetonewone[$consttype]; $constvalue = preg_replace('/:member$/', '', $constvalue); diff --git a/htdocs/adherents/admin/adherent_extrafields.php b/htdocs/adherents/admin/adherent_extrafields.php index d3d91ecba09..8ca29286cab 100644 --- a/htdocs/adherents/admin/adherent_extrafields.php +++ b/htdocs/adherents/admin/adherent_extrafields.php @@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'adherent'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/adherents/admin/adherent_type_extrafields.php b/htdocs/adherents/admin/adherent_type_extrafields.php index fe7989a70b9..5546a99a334 100644 
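Review bot: In the `@@ -83,9 +83,9 @@` hunk the fallback branches `GETPOST('constvalue')` and `GETPOST('constnote')` still pass no check type, so the tightened `'alphanohtml'` / `'restricthtml'` filters only apply when the per-constant field `constvalue_<name>` / `constnote_<name>` is present and the value stored otherwise depends on GETPOST's default check. Give the fallbacks the same check, `GETPOST('constvalue', 'alphanohtml')` and `GETPOST('constnote', 'restricthtml')`, so both paths into `dolibarr_set_const` are filtered alike. The enclosing `if ($action == 'update' || $action == 'add')` block continues outside the hunk.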
--- a/htdocs/adherents/admin/adherent_type_extrafields.php +++ b/htdocs/adherents/admin/adherent_type_extrafields.php @@ -42,7 +42,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'adherent_type'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/adherents/admin/website.php b/htdocs/adherents/admin/website.php index 0dbb998f764..64f16f8ef57 100644 --- a/htdocs/adherents/admin/website.php +++ b/htdocs/adherents/admin/website.php @@ -33,7 +33,7 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php'; // Load translation files required by the page $langs->loadLangs(array("admin", "members")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index cf1614bbb6e..d7a05a1805e 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "bills", "members", "users", "other", "paypal")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); @@ -82,7 +82,7 @@ if (!empty($canvas)) { } // Security check -$result = restrictedArea($user, 'adherent', $id, '', '', 'socid', 'rowid', $objcanvas); +$result = restrictedArea($user, 'adherent', $id, '', '', 'socid', 'rowid', 0); if ($id > 0) { // Load member 
@@ -254,7 +254,7 @@ if (empty($reshook)) { $object->firstname = trim(GETPOST("firstname", 'alphanohtml')); $object->lastname = trim(GETPOST("lastname", 'alphanohtml')); $object->gender = trim(GETPOST("gender", 'alphanohtml')); - $object->login = trim(GETPOST("login", 'alpha')); + $object->login = trim(GETPOST("login", 'alphanohtml')); $object->pass = trim(GETPOST("pass", 'alpha')); $object->societe = trim(GETPOST("societe", 'alphanohtml')); // deprecated @@ -404,10 +404,9 @@ if (empty($reshook)) { // $facebook=GETPOST("member_facebook", 'alpha'); // $linkedin=GETPOST("member_linkedin", 'alpha'); $email = preg_replace('/\s+/', '', GETPOST("member_email", 'alpha')); - $login = GETPOST("member_login", 'alpha'); + $login = GETPOST("member_login", 'alphanohtml'); $pass = GETPOST("password", 'alpha'); $photo = GETPOST("photo", 'alpha'); - //$comment=GETPOST("comment",'none'); $morphy = GETPOST("morphy", 'alphanohtml'); $public = GETPOST("public", 'alphanohtml'); @@ -836,7 +835,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'" autofocus="autofocus">'; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'" autofocus="autofocus">'; } // Password @@ -1063,7 +1062,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'">'; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'">'; } // Password diff --git a/htdocs/adherents/document.php b/htdocs/adherents/document.php index 141e19d0c96..32630b9e478 100644 --- a/htdocs/adherents/document.php +++ b/htdocs/adherents/document.php 
@@ -38,7 +38,7 @@ $langs->loadLangs(array("companies", "members", "other")); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/adherents/note.php b/htdocs/adherents/note.php index 819c3499627..85becb0aa3d 100644 --- a/htdocs/adherents/note.php +++ b/htdocs/adherents/note.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "members", "bills")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); // Security check diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index c4a28c63d86..88924efdf93 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/accountancy/class/accountingjournal.class.php'; $langs->loadLangs(array("companies", "bills", "members", "users", "mails", 'other')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $rowid = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int'); $typeid = GETPOST('typeid', 'int'); @@ -48,7 +48,7 @@ $typeid = GETPOST('typeid', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 39ee57a6744..853e22bfbc9 100644 --- a/htdocs/adherents/type.php 
+++ b/htdocs/adherents/type.php @@ -38,7 +38,7 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/html.formproduct.class.php'; $langs->load("members"); $rowid = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); @@ -66,8 +66,8 @@ $subscription = GETPOST("subscription", "int"); $duration_value = GETPOST('duration_value', 'int'); $duration_unit = GETPOST('duration_unit', 'alpha'); $vote = GETPOST("vote", "int"); -$comment = GETPOST("comment", 'none'); -$mail_valid = GETPOST("mail_valid", 'none'); +$comment = GETPOST("comment", 'restricthtml'); +$mail_valid = GETPOST("mail_valid", 'restricthtml'); // Security check $result = restrictedArea($user, 'adherent', $rowid, 'adherent_type'); diff --git a/htdocs/adherents/type_ldap.php b/htdocs/adherents/type_ldap.php index 433c83d72be..5e745293050 100644 --- a/htdocs/adherents/type_ldap.php +++ b/htdocs/adherents/type_ldap.php @@ -33,7 +33,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/ldap.lib.php'; $langs->loadLangs(array("admin", "members", "ldap")); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check $result = restrictedArea($user, 'adherent', $id, 'adherent_type'); diff --git a/htdocs/adherents/type_translation.php b/htdocs/adherents/type_translation.php index b45c7cf76f5..dcd4a7aa981 100644 --- a/htdocs/adherents/type_translation.php +++ b/htdocs/adherents/type_translation.php @@ -35,7 +35,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formadmin.class.php'; $langs->loadLangs(array('members', 'languages')); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); // Security check diff --git a/htdocs/admin/accountant.php b/htdocs/admin/accountant.php index c8c082db6ae..b039032b9c2 100644 --- a/htdocs/admin/accountant.php 
+++ b/htdocs/admin/accountant.php @@ -62,7 +62,7 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_MAIL", GETPOST("mail", 'alpha'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_WEB", GETPOST("web", 'alpha'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_CODE", GETPOST("code", 'nohtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_NOTE", GETPOST("note", 'none'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_NOTE", GETPOST("note", 'restricthtml'), 'chaine', 0, '', $conf->entity); if ($action != 'updateedit' && !$error) { @@ -164,7 +164,7 @@ print ''; -print ''; +print ''; print ''; print ''; diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php index 1a29595a9ab..2cc79be297d 100644 --- a/htdocs/admin/agenda.php +++ b/htdocs/admin/agenda.php @@ -34,7 +34,7 @@ if (!$user->admin) // Load translation files required by the page $langs->loadLangs(array('admin', 'other', 'agenda')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $search_event = GETPOST('search_event', 'alpha'); diff --git a/htdocs/admin/agenda_extrafields.php b/htdocs/admin/agenda_extrafields.php index a0197f70274..605f3c76519 100644 --- a/htdocs/admin/agenda_extrafields.php +++ b/htdocs/admin/agenda_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'actioncomm'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/agenda_other.php b/htdocs/admin/agenda_other.php index 560226438c3..cd7e1752274 100644 
--- a/htdocs/admin/agenda_other.php +++ b/htdocs/admin/agenda_other.php @@ -37,7 +37,7 @@ if (!$user->admin) // Load translation files required by the page $langs->loadLangs(array('admin', 'other', 'agenda', 'users')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $param = GETPOST('param', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); diff --git a/htdocs/admin/agenda_reminder.php b/htdocs/admin/agenda_reminder.php index 5d23bbb08a1..982387b2ed6 100644 --- a/htdocs/admin/agenda_reminder.php +++ b/htdocs/admin/agenda_reminder.php @@ -32,7 +32,7 @@ if (!$user->admin) // Load translation files required by the page $langs->loadLangs(array("admin", "other", "agenda")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $param = GETPOST('param', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); diff --git a/htdocs/admin/bank.php b/htdocs/admin/bank.php index b43daca20d9..76df9b412ec 100644 --- a/htdocs/admin/bank.php +++ b/htdocs/admin/bank.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("admin", "companies", "bills", "other", "banks")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $actionsave = GETPOST('save', 'alpha'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); diff --git a/htdocs/admin/bank_extrafields.php b/htdocs/admin/bank_extrafields.php index 940e0a7313e..312da228f50 100644 --- a/htdocs/admin/bank_extrafields.php +++ b/htdocs/admin/bank_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'bank_account'; //Must be the $element of the class that manage extrafield 
diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php index 250e2cf6162..975869c1ff0 100644 --- a/htdocs/admin/barcode.php +++ b/htdocs/admin/barcode.php @@ -33,7 +33,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/bom.php b/htdocs/admin/bom.php index 621a994cabe..1f19cb75b77 100644 --- a/htdocs/admin/bom.php +++ b/htdocs/admin/bom.php @@ -32,7 +32,7 @@ $langs->loadLangs(array('admin', 'errors', 'mrp', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -151,7 +151,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_BOM_FREE_TEXT') { - $freetext = GETPOST("BOM_FREE_TEXT", 'none'); // No alpha here, we want exact string + $freetext = GETPOST("BOM_FREE_TEXT", 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "BOM_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/bom_extrafields.php b/htdocs/admin/bom_extrafields.php index 70303f1dcda..7ec50d9d7db 100644 --- a/htdocs/admin/bom_extrafields.php +++ b/htdocs/admin/bom_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'bom_bom'; diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php index 8f28addc994..412427494e3 100644 --- a/htdocs/admin/boxes.php +++ b/htdocs/admin/boxes.php 
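Review bot: The trailing comment `// No alpha here, we want exact string` on the changed `$freetext = GETPOST("BOM_FREE_TEXT", 'restricthtml');` line in bom.php is now stale: the value is no longer the exact posted string, it is passed through the HTML-restricting filter, so the comment documents the old behaviour and will mislead anyone debugging why a stored free text differs from what was entered. Suggested replacement: `// restricthtml: HTML is allowed but sanitized, so the stored value may differ from the raw input`. The same stale comment survives on the equivalent FREE_TEXT lines in chequereceipts.php, commande.php, contract.php, expedition.php, expensereport.php, facture.php, fichinter.php, holiday.php and livraison.php in this commit. The enclosing `elseif` branch continues past the hunk.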
@@ -34,7 +34,7 @@ $langs->loadLangs(array('admin', 'boxes', 'accountancy')); if (!$user->admin) accessforbidden(); $rowid = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Define possible position of boxes diff --git a/htdocs/admin/chequereceipts.php b/htdocs/admin/chequereceipts.php index b619f584736..096ffbe02c8 100644 --- a/htdocs/admin/chequereceipts.php +++ b/htdocs/admin/chequereceipts.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("admin", "companies", "bills", "other", "banks")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); @@ -72,7 +72,7 @@ if ($action == 'setmod') if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT') { - $freetext = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "BANK_CHEQUERECEIPT_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index febddf901c5..9add7675da6 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -41,7 +41,7 @@ $langs->loadLangs(array('admin', 'errors', 'orders', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -160,7 +160,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_ORDER_FREE_TEXT') { - $freetext = GETPOST("ORDER_FREE_TEXT", 'none'); // No alpha here, we want exact string + $freetext = GETPOST("ORDER_FREE_TEXT", 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "ORDER_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); 
diff --git a/htdocs/admin/commande_fournisseur_dispatch_extrafields.php b/htdocs/admin/commande_fournisseur_dispatch_extrafields.php index 8d5925e363d..e1ec33c02d4 100644 --- a/htdocs/admin/commande_fournisseur_dispatch_extrafields.php +++ b/htdocs/admin/commande_fournisseur_dispatch_extrafields.php @@ -50,7 +50,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->trans($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande_fournisseur_dispatch'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index e5c20f647e5..8211fd1cadf 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php @@ -100,7 +100,7 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax", 'alphanohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail", 'alphanohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web", 'alphanohtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'none'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'restricthtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode", 'alphanohtml'), 'chaine', 0, '', $conf->entity); $dirforimage = $conf->mycompany->dir_output.'/logos/'; @@ -524,7 +524,7 @@ print ''; // Note print ''; -print ''; +print ''; print ''; print ''; diff --git a/htdocs/admin/compta.php b/htdocs/admin/compta.php index 4b98d8975eb..faf38f44b16 100644 --- a/htdocs/admin/compta.php +++ b/htdocs/admin/compta.php 
@@ -36,7 +36,7 @@ $langs->loadLangs(array('admin', 'compta', 'accountancy')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Other parameters ACCOUNTING_* $list = array( diff --git a/htdocs/admin/confexped.php b/htdocs/admin/confexped.php index d2ea8da6d3f..3f1eb8d9651 100644 --- a/htdocs/admin/confexped.php +++ b/htdocs/admin/confexped.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('admin', 'sendings', 'deliveries')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index 6d4b6cd3ee8..7c08a7d0201 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php 
@@ -35,19 +35,19 @@ if (!$user->admin)
 $rowid = GETPOST('rowid', 'int');
 $entity = GETPOST('entity', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $update = GETPOST('update', 'alpha');
 $delete = GETPOST('delete', 'none'); // Do not use alpha here
 $debug = GETPOST('debug', 'int');
 $consts = GETPOST('const', 'array');
 $constname = GETPOST('constname', 'alphanohtml');
-$constvalue = GETPOST('constvalue', 'none'); // We shoul dbe able to send everything here
+$constvalue = GETPOST('constvalue', 'restricthtml'); // We should be able to send everything here
 $constnote = GETPOST('constnote', 'alpha');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php
index 4aeabd4439d..0b84e23d992 100644
--- a/htdocs/admin/contract.php
+++ b/htdocs/admin/contract.php
@@ -33,7 +33,7 @@ $langs->loadLangs(array("admin", "errors", "contracts"));
 if (!$user->admin) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $value = GETPOST('value', 'alpha');
 $label = GETPOST('label', 'alpha');
 $scandir = GETPOST('scan_dir', 'alpha');
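Review bot: The comment on the changed line `$constvalue = GETPOST('constvalue', 'restricthtml'); // We should be able to send everything here` now contradicts the code: with `restricthtml` an admin can no longer store an arbitrary value in a constant, which is a deliberate hardening and should be stated as such, e.g. `// restricthtml: HTML is sanitized, raw values can no longer be stored here`. In the same hunk `$sortfield` stays on `alpha` while `$sortorder` is tightened to `aZ09comma`; both values usually end up in an ORDER BY clause, so unless `$sortfield` is validated against the column list where it is used (outside this hunk), it deserves the same kind of restriction. The identical sortfield/sortorder split appears in the emailcollector_list.php, events.php and mails_senderprofile_list.php hunks of this commit.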
@@ -143,7 +143,7 @@ elseif ($action == 'setdoc') dolibarr_set_const($db, "CONTRACT_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'set_other') { - $freetext = GETPOST('CONTRACT_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('CONTRACT_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res1 = dolibarr_set_const($db, "CONTRACT_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); $draft = GETPOST('CONTRACT_DRAFT_WATERMARK', 'alpha'); diff --git a/htdocs/admin/dav.php b/htdocs/admin/dav.php index 2937de3ed51..0438d5759ad 100644 --- a/htdocs/admin/dav.php +++ b/htdocs/admin/dav.php @@ -32,7 +32,7 @@ if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php index cada1cbc8a6..f4e33bb7259 100644 --- a/htdocs/admin/defaultvalues.php +++ b/htdocs/admin/defaultvalues.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('companies', 'products', 'admin', 'sms', 'other', 'error if (!$user->admin) accessforbidden(); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $optioncss = GETPOST('optionscss', 'alphanohtml'); $mode = GETPOST('mode', 'aZ09') ?GETPOST('mode', 'aZ09') : 'createform'; // 'createform', 'filters', 'sortorder', 'focus' @@ -61,7 +61,7 @@ $defaulturl = preg_replace('/^\//', '', $defaulturl); $urlpage = GETPOST('urlpage', 'alphanohtml'); $key = GETPOST('key', 'alphanohtml'); -$value = GETPOST('value', 'none'); +$value = GETPOST('value', 'restricthtml'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('admindefaultvalues', 'globaladmin')); diff --git a/htdocs/admin/delais.php b/htdocs/admin/delais.php index 414d75076ce..d6c708c124e 100644 
--- a/htdocs/admin/delais.php +++ b/htdocs/admin/delais.php @@ -32,7 +32,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $modules = array( 'agenda' => array( diff --git a/htdocs/admin/emailcollector_card.php b/htdocs/admin/emailcollector_card.php index f8129a887a8..cb48336e72c 100644 --- a/htdocs/admin/emailcollector_card.php +++ b/htdocs/admin/emailcollector_card.php @@ -148,7 +148,7 @@ if (GETPOST('addoperation', 'alpha')) { $emailcollectoroperation = new EmailCollectorAction($db); $emailcollectoroperation->type = GETPOST('operationtype', 'aZ09'); - $emailcollectoroperation->actionparam = GETPOST('operationparam', 'none'); + $emailcollectoroperation->actionparam = GETPOST('operationparam', 'restricthtml'); $emailcollectoroperation->fk_emailcollector = $object->id; $emailcollectoroperation->status = 1; $emailcollectoroperation->position = 50; @@ -168,7 +168,7 @@ if ($action == 'updateoperation') $emailcollectoroperation = new EmailCollectorAction($db); $emailcollectoroperation->fetch(GETPOST('rowidoperation2', 'int')); - $emailcollectoroperation->actionparam = GETPOST('operationparam2', 'none'); + $emailcollectoroperation->actionparam = GETPOST('operationparam2', 'restricthtml'); $result = $emailcollectoroperation->update($user); diff --git a/htdocs/admin/emailcollector_list.php b/htdocs/admin/emailcollector_list.php index ef00ece52fc..b538a64c9e9 100644 --- a/htdocs/admin/emailcollector_list.php +++ b/htdocs/admin/emailcollector_list.php 
@@ -52,7 +52,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/admin/events.php b/htdocs/admin/events.php index 92ff5c7631a..fe87c2a9ef4 100644 --- a/htdocs/admin/events.php +++ b/htdocs/admin/events.php @@ -42,7 +42,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters $offset = $limit * $page; diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php index 1a0be0cb65f..92372c076cb 100644 --- a/htdocs/admin/expedition.php +++ b/htdocs/admin/expedition.php 
@@ -40,7 +40,7 @@ $langs->loadLangs(array("admin", "sendings", "deliveries", "other")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -73,7 +73,7 @@ if ($action == 'updateMask') } } elseif ($action == 'set_param') { - $freetext = GETPOST('SHIPPING_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SHIPPING_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "SHIPPING_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); if ($res <= 0) { diff --git a/htdocs/admin/expedition_extrafields.php b/htdocs/admin/expedition_extrafields.php index e40519f9104..d9bf58027f8 100644 --- a/htdocs/admin/expedition_extrafields.php +++ b/htdocs/admin/expedition_extrafields.php @@ -47,7 +47,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'expedition'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/expeditiondet_extrafields.php b/htdocs/admin/expeditiondet_extrafields.php index 03cd140d0ee..a00816d9d75 100644 --- a/htdocs/admin/expeditiondet_extrafields.php +++ b/htdocs/admin/expeditiondet_extrafields.php @@ -48,7 +48,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'expeditiondet'; //Must be the $table_element of the class that manage extrafield 
diff --git a/htdocs/admin/expensereport.php b/htdocs/admin/expensereport.php index 596428d4c7f..f082c89286f 100644 --- a/htdocs/admin/expensereport.php +++ b/htdocs/admin/expensereport.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('admin', 'errors', 'trips', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -152,7 +152,7 @@ elseif ($action == 'setdoc') { $db->begin(); - $freetext = GETPOST('EXPENSEREPORT_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('EXPENSEREPORT_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res1 = dolibarr_set_const($db, "EXPENSEREPORT_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); $draft = GETPOST('EXPENSEREPORT_DRAFT_WATERMARK', 'alpha'); diff --git a/htdocs/admin/expensereport_extrafields.php b/htdocs/admin/expensereport_extrafields.php index bc0f52120fb..ba29df4b766 100644 --- a/htdocs/admin/expensereport_extrafields.php +++ b/htdocs/admin/expensereport_extrafields.php @@ -44,7 +44,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'expensereport'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/expensereport_ik.php b/htdocs/admin/expensereport_ik.php index 840cf4d2681..3ff8ad0c4ce 100644 --- a/htdocs/admin/expensereport_ik.php +++ b/htdocs/admin/expensereport_ik.php 
@@ -37,7 +37,7 @@ if (!$user->admin) accessforbidden(); $error = 0; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); $ikoffset = GETPOST('ikoffset', 'int'); $coef = GETPOST('coef', 'int'); diff --git a/htdocs/admin/expensereport_rules.php b/htdocs/admin/expensereport_rules.php index 28d5b3341b1..6d08355b815 100644 --- a/htdocs/admin/expensereport_rules.php +++ b/htdocs/admin/expensereport_rules.php @@ -40,7 +40,7 @@ if (!$user->admin) accessforbidden(); $error = false; $message = false; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); $apply_to = GETPOST('apply_to'); diff --git a/htdocs/admin/export.php b/htdocs/admin/export.php index ef6a7c3108f..d9c2c508464 100644 --- a/htdocs/admin/export.php +++ b/htdocs/admin/export.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('admin', 'exports', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php index 221244bfb9d..7042f291828 100644 --- a/htdocs/admin/facture.php +++ b/htdocs/admin/facture.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('admin', 'errors', 'other', 'bills')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -180,7 +180,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_INVOICE_FREE_TEXT') { - $freetext = GETPOST('INVOICE_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('INVOICE_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "INVOICE_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); 
diff --git a/htdocs/admin/facture_situation.php b/htdocs/admin/facture_situation.php index 68f8e15e81c..61969651634 100644 --- a/htdocs/admin/facture_situation.php +++ b/htdocs/admin/facture_situation.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('admin', 'errors', 'other', 'bills')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php index e98d02d9f9c..4c1e495939a 100644 --- a/htdocs/admin/fckeditor.php +++ b/htdocs/admin/fckeditor.php @@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; // Load translation files required by the page $langs->loadLangs(array('admin', 'fckeditor')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Possible modes are: // dolibarr_details // dolibarr_notes diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index c28ebcab4b2..a30a9d767a9 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('admin', 'errors', 'interventions', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -144,7 +144,7 @@ elseif ($action == 'setdoc') dolibarr_set_const($db, "FICHEINTER_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'set_FICHINTER_FREE_TEXT') { - $freetext = GETPOST('FICHINTER_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('FICHINTER_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "FICHINTER_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); if (!$res > 0) $error++; 
diff --git a/htdocs/admin/holiday.php b/htdocs/admin/holiday.php index 3886f85d330..067c0698a99 100644 --- a/htdocs/admin/holiday.php +++ b/htdocs/admin/holiday.php @@ -35,7 +35,7 @@ $langs->loadLangs(array("admin", "errors", "holiday")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -145,7 +145,7 @@ elseif ($action == 'setdoc') dolibarr_set_const($db, "HOLIDAY_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'set_other') { - $freetext = GETPOST('HOLIDAY_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('HOLIDAY_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res1 = dolibarr_set_const($db, "HOLIDAY_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); $draft = GETPOST('HOLIDAY_DRAFT_WATERMARK', 'alpha'); diff --git a/htdocs/admin/holiday_extrafields.php b/htdocs/admin/holiday_extrafields.php index fc0bac8a019..30eb707782b 100644 --- a/htdocs/admin/holiday_extrafields.php +++ b/htdocs/admin/holiday_extrafields.php @@ -44,7 +44,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'holiday'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/ihm.php b/htdocs/admin/ihm.php index 85e36dbecb1..f220d83ebcd 100644 --- a/htdocs/admin/ihm.php +++ b/htdocs/admin/ihm.php 
@@ -164,8 +164,8 @@ if ($action == 'update') dolibarr_set_const($db, "MAIN_FIRSTNAME_NAME_POSITION", GETPOST("MAIN_FIRSTNAME_NAME_POSITION", 'aZ09'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_MOTD", dol_htmlcleanlastbr(GETPOST("main_motd", 'none')), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_HOME", dol_htmlcleanlastbr(GETPOST("main_home", 'none')), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MOTD", dol_htmlcleanlastbr(GETPOST("main_motd", 'restricthtml')), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_HOME", dol_htmlcleanlastbr(GETPOST("main_home", 'restricthtml')), 'chaine', 0, '', $conf->entity); //dolibarr_set_const($db, "MAIN_BUGTRACK_ENABLELINK", GETPOST('MAIN_BUGTRACK_ENABLELINK', 'aZ09'), 'chaine', 0, '', $conf->entity); //dolibarr_set_const($db, "MAIN_HELP_DISABLELINK", GETPOST("MAIN_HELP_DISABLELINK", 'aZ09'), 'chaine', 0, '', 0); // Param for all entities diff --git a/htdocs/admin/import.php b/htdocs/admin/import.php index 37c9b205424..d36ffd5265f 100644 --- a/htdocs/admin/import.php +++ b/htdocs/admin/import.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('admin', 'exports', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); /* diff --git a/htdocs/admin/limits.php b/htdocs/admin/limits.php index caf2192a9a3..95a8d52bc57 100644 --- a/htdocs/admin/limits.php +++ b/htdocs/admin/limits.php @@ -31,7 +31,7 @@ $langs->loadLangs(array('companies', 'products', 'admin')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $currencycode = GETPOST('currencycode', 'alpha'); if (!empty($conf->multicurrency->enabled) && !empty($conf->global->MULTICURRENCY_USE_LIMIT_BY_CURRENCY)) { diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php index 5e0c0ce4784..ddd2b3f83c6 100644 
--- a/htdocs/admin/livraison.php +++ b/htdocs/admin/livraison.php @@ -70,7 +70,7 @@ if ($action == 'updateMask') if ($action == 'set_DELIVERY_FREE_TEXT') { - $free = GETPOST('DELIVERY_FREE_TEXT', 'none'); // No alpha here, we want exact string + $free = GETPOST('DELIVERY_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "DELIVERY_FREE_TEXT", $free, 'chaine', 0, '', $conf->entity); if (!$res > 0) $error++; diff --git a/htdocs/admin/livraison_extrafields.php b/htdocs/admin/livraison_extrafields.php index 3b6d03ac98e..d30635333be 100644 --- a/htdocs/admin/livraison_extrafields.php +++ b/htdocs/admin/livraison_extrafields.php @@ -47,7 +47,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'livraison'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/livraisondet_extrafields.php b/htdocs/admin/livraisondet_extrafields.php index ebed8de9608..cc9dfa1c49f 100644 --- a/htdocs/admin/livraisondet_extrafields.php +++ b/htdocs/admin/livraisondet_extrafields.php @@ -48,7 +48,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'livraisondet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/loan.php b/htdocs/admin/loan.php index 651782bb23b..a138d9d0bf2 100644 --- a/htdocs/admin/loan.php +++ b/htdocs/admin/loan.php 
@@ -35,7 +35,7 @@ $langs->loadLangs(array('admin', 'loan')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Other parameters LOAN_* $list = array( diff --git a/htdocs/admin/mailing.php b/htdocs/admin/mailing.php index 7690ca02afa..30b92412719 100644 --- a/htdocs/admin/mailing.php +++ b/htdocs/admin/mailing.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "mails")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php index 1c3d397bc83..27e64973ddf 100644 --- a/htdocs/admin/mails.php +++ b/htdocs/admin/mails.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "products", "admin", "mails", "other", "errors")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php index d841dcf0827..7b8265f93f9 100644 --- a/htdocs/admin/mails_emailing.php +++ b/htdocs/admin/mails_emailing.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'errors')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/mails_senderprofile_list.php b/htdocs/admin/mails_senderprofile_list.php index 2de3c436826..a471c0369a4 100644 --- a/htdocs/admin/mails_senderprofile_list.php +++ b/htdocs/admin/mails_senderprofile_list.php 
@@ -48,7 +48,7 @@ $rowid = GETPOST('rowid', 'alpha');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index ea36b25e3ce..b33741cd571 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -284,7 +284,6 @@ if (empty($reshook))
 } else {
 $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'";
 }
-$i++;
 }
 $sql .= ", 1)";
@@ -341,6 +340,7 @@ if (empty($reshook))
 $i++;
 }
+$sql .= " WHERE ".$rowidcol." = '".$rowid."'";
 //print $sql;exit;
 dol_syslog("actionmodify", LOG_DEBUG);
diff --git a/htdocs/admin/mails_ticket.php b/htdocs/admin/mails_ticket.php
index a11859efc89..39e159535ba 100644
--- a/htdocs/admin/mails_ticket.php
+++ b/htdocs/admin/mails_ticket.php
@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 // Load translation files required by the page
 $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'errors'));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 if (!$user->admin) accessforbidden();
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index 04c1b79a5bc..fbed05a1dbe 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
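Review bot: The added line `$sql .= " WHERE ".$rowidcol." = '".$rowid."'";` in the mails_templates.php update hunk concatenates `$rowid` into the statement without `$db->escape()` or an integer cast, unlike the values on the insert path a few lines above which go through `$db->escape(...)`. Where `$rowid` comes from is outside the hunk; if it is the numeric row id, `$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);` removes the doubt, otherwise wrap it in `$db->escape()` as the other values are. It is also worth confirming that the `$i++` dropped from the insert loop in the first hunk is not read after that loop, since the counter removal is not visible past the hunk boundary.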
@@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php'; // Load translation files required by the page $langs->loadLangs(array("other", "admin")); -$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button +$cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button if (!$user->admin) accessforbidden(); @@ -69,9 +69,9 @@ if ($action == 'update') if (!$cancel) { $leftmenu = ''; $mainmenu = ''; - if (GETPOST('menuIdParent', 'alpha') && !is_numeric(GETPOST('menuIdParent', 'alpha'))) + if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { - $tmp = explode('&', GETPOST('menuIdParent', 'alpha')); + $tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml')); foreach ($tmp as $s) { if (preg_match('/fk_mainmenu=/', $s)) 
@@ -89,21 +89,21 @@ if ($action == 'update') $result = $menu->fetch(GETPOST('menuId', 'int')); if ($result > 0) { - $menu->title = GETPOST('titre', 'alpha'); + $menu->title = GETPOST('titre', 'alphanohtml'); $menu->leftmenu = GETPOST('leftmenu', 'aZ09'); - $menu->url = GETPOST('url', 'alpha'); - $menu->langs = GETPOST('langs', 'alpha'); + $menu->url = GETPOST('url', 'alphanohtml'); + $menu->langs = GETPOST('langs', 'alphanohtml'); $menu->position = GETPOST('position', 'int'); - $menu->enabled = GETPOST('enabled', 'alpha'); - $menu->perms = GETPOST('perms', 'alpha'); - $menu->target = GETPOST('target', 'alpha'); - $menu->user = GETPOST('user', 'alpha'); - $menu->mainmenu = GETPOST('propertymainmenu', 'alpha'); - if (is_numeric(GETPOST('menuIdParent', 'alpha'))) + $menu->enabled = GETPOST('enabled', 'alphanohtml'); + $menu->perms = GETPOST('perms', 'alphanohtml'); + $menu->target = GETPOST('target', 'alphanohtml'); + $menu->user = GETPOST('user', 'alphanohtml'); + $menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml'); + if (is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { - $menu->fk_menu = GETPOST('menuIdParent', 'alpha'); + $menu->fk_menu = GETPOST('menuIdParent', 'alphanohtml'); } else { - if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0; + if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0; else $menu->fk_menu = -1; $menu->fk_mainmenu = $mainmenu; $menu->fk_leftmenu = $leftmenu; @@ -138,9 +138,9 @@ if ($action == 'add') } $leftmenu = ''; $mainmenu = ''; - if (GETPOST('menuId', 'alpha', 3) && !is_numeric(GETPOST('menuId', 'alpha', 3))) + if (GETPOST('menuId', 'alphanohtml', 3) && !is_numeric(GETPOST('menuId', 'alphanohtml', 3))) { - $tmp = explode('&', GETPOST('menuId', 'alpha', 3)); + $tmp = explode('&', GETPOST('menuId', 'alphanohtml', 3)); foreach ($tmp as $s) { if (preg_match('/fk_mainmenu=/', $s)) 
@@ -198,21 +198,21 @@ if ($action == 'add') { $menu = new Menubase($db); $menu->menu_handler = preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09')); - $menu->type = GETPOST('type', 'alpha'); - $menu->title = GETPOST('titre', 'alpha'); - $menu->url = GETPOST('url', 'alpha'); - $menu->langs = GETPOST('langs', 'alpha'); + $menu->type = GETPOST('type', 'alphanohtml'); + $menu->title = GETPOST('titre', 'alphanohtml'); + $menu->url = GETPOST('url', 'alphanohtml'); + $menu->langs = GETPOST('langs', 'alphanohtml'); $menu->position = GETPOST('position', 'int'); - $menu->enabled = GETPOST('enabled', 'alpha'); - $menu->perms = GETPOST('perms', 'alpha'); - $menu->target = GETPOST('target', 'alpha'); - $menu->user = GETPOST('user', 'alpha'); - $menu->mainmenu = GETPOST('propertymainmenu', 'alpha'); - if (is_numeric(GETPOST('menuId', 'alpha', 3))) + $menu->enabled = GETPOST('enabled', 'alphanohtml'); + $menu->perms = GETPOST('perms', 'alphanohtml'); + $menu->target = GETPOST('target', 'alphanohtml'); + $menu->user = GETPOST('user', 'alphanohtml'); + $menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml'); + if (is_numeric(GETPOST('menuId', 'alphanohtml', 3))) { - $menu->fk_menu = GETPOST('menuId', 'alpha', 3); + $menu->fk_menu = GETPOST('menuId', 'alphanohtml', 3); } else { - if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0; + if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0; else $menu->fk_menu = -1; $menu->fk_mainmenu = $mainmenu; $menu->fk_leftmenu = $leftmenu; @@ -353,7 +353,7 @@ if ($action == 'create') // Mainmenu code print ''.$langs->trans('MainMenuCode').''; - print ''; + print ''; print ''; print $langs->trans("Example").': mytopmenukey'; print ''; 
@@ -364,23 +364,23 @@ if ($action == 'create') { print ''.$parent_rowid.''; } else { - print ''; + print ''; } print ''.$langs->trans('DetailMenuIdParent'); print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print ''; // Title - print ''.$langs->trans('Title').''.$langs->trans('DetailTitre').''; + print ''.$langs->trans('Title').''.$langs->trans('DetailTitre').''; // URL - print ''.$langs->trans('URL').''.$langs->trans('DetailUrl').''; + print ''.$langs->trans('URL').''.$langs->trans('DetailUrl').''; // Langs print ''.$langs->trans('LangFile').''.$langs->trans('DetailLangs').''; // Position - print ''.$langs->trans('Position').''.$langs->trans('DetailPosition').''; + print ''.$langs->trans('Position').''.$langs->trans('DetailPosition').''; // Target print ''.$langs->trans('Target').''.$langs->trans('DetailTarget').''; // Enabled - print ''.$langs->trans('Enabled').''.$langs->trans('DetailEnabled').''; + print ''.$langs->trans('Enabled').''.$langs->trans('DetailEnabled').''; // Perms - print ''.$langs->trans('Rights').''.$langs->trans('DetailRight').''; + print ''.$langs->trans('Rights').''.$langs->trans('DetailRight').''; print ''; @@ -454,7 +454,7 @@ if ($action == 'create') } else {*/ - print 'mainmenu).'">'; + print 'mainmenu).'">'; //} print ''; print $langs->trans("Example").': mytopmenukey'; diff --git a/htdocs/admin/menus/index.php b/htdocs/admin/menus/index.php index 095905afe8b..101e57970c0 100644 --- a/htdocs/admin/menus/index.php +++ b/htdocs/admin/menus/index.php @@ -42,7 +42,7 @@ foreach ($dirmenus as $dirmenu) $dirsmartphone[] = $dirmenu.'smartphone'; } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $menu_handler_top = $conf->global->MAIN_MENU_STANDARD; diff --git a/htdocs/admin/menus/other.php b/htdocs/admin/menus/other.php index 2fad8491e7a..cd8c7cccfa6 100644 --- a/htdocs/admin/menus/other.php +++ b/htdocs/admin/menus/other.php 
@@ -29,7 +29,7 @@ $langs->loadLangs(array("user", "other", "admin")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/modulehelp.php b/htdocs/admin/modulehelp.php index 2e256f3c5ad..c788eca01d3 100644 --- a/htdocs/admin/modulehelp.php +++ b/htdocs/admin/modulehelp.php @@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; $langs->loadLangs(array('errors', 'admin', 'modulebuilder')); $mode = GETPOST('mode', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); if (empty($mode)) $mode = 'desc'; diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 3c525200442..38cfe37265b 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -40,7 +40,7 @@ $langs->loadLangs(array("errors", "admin", "modulebuilder")); $mode = GETPOSTISSET('mode') ? GETPOST('mode', 'alpha') : (empty($conf->global->MAIN_MODULE_SETUP_ON_LIST_BY_DEFAULT) ? 'commonkanban' : 'common'); if (empty($mode)) $mode = 'common'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); //var_dump($_POST);exit; $value = GETPOST('value', 'alpha'); $page_y = GETPOST('page_y', 'int'); diff --git a/htdocs/admin/mrp.php b/htdocs/admin/mrp.php index 2ea4853e3ca..ffa4d8e7c6b 100644 --- a/htdocs/admin/mrp.php +++ b/htdocs/admin/mrp.php @@ -33,7 +33,7 @@ $langs->loadLangs(array('admin', 'errors', 'mrp', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); 
@@ -152,7 +152,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_MRP_MO_FREE_TEXT') { - $freetext = GETPOST("MRP_MO_FREE_TEXT", 'none'); // No alpha here, we want exact string + $freetext = GETPOST("MRP_MO_FREE_TEXT", 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "MRP_MO_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/mrp_extrafields.php b/htdocs/admin/mrp_extrafields.php index cab7232f569..b0bd0e522ab 100644 --- a/htdocs/admin/mrp_extrafields.php +++ b/htdocs/admin/mrp_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'mrp_mo'; diff --git a/htdocs/admin/multicurrency.php b/htdocs/admin/multicurrency.php index a7e073f08d2..a447551b04e 100644 --- a/htdocs/admin/multicurrency.php +++ b/htdocs/admin/multicurrency.php @@ -38,7 +38,7 @@ if (!$user->admin) { } // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/notification.php b/htdocs/admin/notification.php index a32cd0fa1f5..b484e7acea9 100644 --- a/htdocs/admin/notification.php +++ b/htdocs/admin/notification.php @@ -95,7 +95,7 @@ if ($action == 'setvalue' && $user->admin) { $db->begin(); - $result = dolibarr_set_const($db, "NOTIFICATION_EMAIL_FROM", GETPOST("email_from", "none"), 'chaine', 0, '', $conf->entity); + $result = dolibarr_set_const($db, "NOTIFICATION_EMAIL_FROM", GETPOST("email_from", "restricthtml"), 'chaine', 0, '', $conf->entity); if ($result < 0) $error++; diff --git a/htdocs/admin/oauth.php b/htdocs/admin/oauth.php index 85cd9284535..8b0e9516abd 100644 --- a/htdocs/admin/oauth.php +++ b/htdocs/admin/oauth.php 
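Review bot: The trailing comment `// No alpha here, we want exact string` is now misleading: with `'restricthtml'` the stored value is presumably no longer the exact string the admin typed, since that filter rewrites or strips part of the HTML. Replace it with something like `// restricthtml: keep the HTML allowed in free text but strip dangerous tags (value is NOT the raw string)`. The same stale comment is repeated in the payment.php, propal.php, reception_setup.php, supplier_invoice.php, supplier_order.php and supplier_proposal.php hunks below.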
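Review bot: `restricthtml` is an HTML filter, but `NOTIFICATION_EMAIL_FROM` in notification.php is an e-mail header value, so it is the wrong kind of check: it does nothing against CR/LF header injection and may mangle a legitimate `Name <addr@host>` form if `<addr@host>` is treated as a tag. Read the value into a variable and reject it when it fails an address check, e.g. `$emailfrom = GETPOST("email_from", "alphanohtml"); if ($emailfrom && !filter_var($emailfrom, FILTER_VALIDATE_EMAIL)) { $error++; }` before calling `dolibarr_set_const()`. How the constant is later fed into mail headers is not visible here, so the injection concern is inferred from the constant's name.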
@@ -40,7 +40,7 @@ $langs->loadLangs(array('admin', 'oauth')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/oauthlogintokens.php b/htdocs/admin/oauthlogintokens.php index a2b35c9eceb..0f12da3a02a 100644 --- a/htdocs/admin/oauthlogintokens.php +++ b/htdocs/admin/oauthlogintokens.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('admin', 'printing', 'oauth')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = GETPOST('mode', 'alpha'); $value = GETPOST('value', 'alpha'); $varname = GETPOST('varname', 'alpha'); diff --git a/htdocs/admin/order_extrafields.php b/htdocs/admin/order_extrafields.php index 2c72c55697f..1b2bb0c0cd0 100644 --- a/htdocs/admin/order_extrafields.php +++ b/htdocs/admin/order_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/orderdet_extrafields.php b/htdocs/admin/orderdet_extrafields.php index 55732a40a51..1f645241646 100644 --- a/htdocs/admin/orderdet_extrafields.php +++ b/htdocs/admin/orderdet_extrafields.php @@ -46,7 +46,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commandedet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/payment.php b/htdocs/admin/payment.php index 85d7e140a6d..926c102c25a 100644 
--- a/htdocs/admin/payment.php +++ b/htdocs/admin/payment.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "other", "errors", "bills")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -68,7 +68,7 @@ if ($action == 'setmod') if ($action == 'setparams') { - $freetext = GETPOST('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS", $freetext, 'chaine', 0, '', $conf->entity); if (!$res > 0) $error++; diff --git a/htdocs/admin/paymentbybanktransfer.php b/htdocs/admin/paymentbybanktransfer.php index a19a69c75a5..c549e29443e 100644 --- a/htdocs/admin/paymentbybanktransfer.php +++ b/htdocs/admin/paymentbybanktransfer.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "withdrawals")); // Security check if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $type = 'paymentorder'; diff --git a/htdocs/admin/pdf.php b/htdocs/admin/pdf.php index 6fb1cb297dd..95487fc0bc3 100644 --- a/htdocs/admin/pdf.php +++ b/htdocs/admin/pdf.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('admin', 'languages', 'other', 'companies', 'products', if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); diff --git a/htdocs/admin/prelevement.php b/htdocs/admin/prelevement.php index 3419551f627..0429fde6287 100644 --- a/htdocs/admin/prelevement.php +++ b/htdocs/admin/prelevement.php 
@@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "withdrawals")); // Security check if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $type = 'paymentorder'; diff --git a/htdocs/admin/propal.php b/htdocs/admin/propal.php index 4855a164412..a0f9adb86d9 100644 --- a/htdocs/admin/propal.php +++ b/htdocs/admin/propal.php @@ -39,7 +39,7 @@ $langs->loadLangs(array("admin", "other", "errors", "propal")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -130,7 +130,7 @@ if ($action == 'updateMask') { setEventMessages($langs->trans("Error"), null, 'errors'); } } elseif ($action == 'set_PROPOSAL_FREE_TEXT') { - $freetext = GETPOST('PROPOSAL_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('PROPOSAL_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "PROPOSAL_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/receiptprinter.php b/htdocs/admin/receiptprinter.php index 4332c4feab0..9b3563edd63 100644 --- a/htdocs/admin/receiptprinter.php +++ b/htdocs/admin/receiptprinter.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "receiptprinter")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = GETPOST('mode', 'alpha'); $printername = GETPOST('printername', 'alpha'); diff --git a/htdocs/admin/reception_extrafields.php b/htdocs/admin/reception_extrafields.php index ce5cbcd7179..d9babd5d95b 100644 --- a/htdocs/admin/reception_extrafields.php +++ b/htdocs/admin/reception_extrafields.php 
@@ -50,7 +50,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->trans($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'reception'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/reception_setup.php b/htdocs/admin/reception_setup.php index 3d0b591af10..4c33ee78ef7 100644 --- a/htdocs/admin/reception_setup.php +++ b/htdocs/admin/reception_setup.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "receptions", 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -76,7 +76,7 @@ if ($action == 'updateMask') } } elseif ($action == 'set_param') { - $freetext = GETPOST('RECEPTION_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('RECEPTION_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "RECEPTION_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); if ($res <= 0) { diff --git a/htdocs/admin/resource.php b/htdocs/admin/resource.php index 288f338941c..b57e41ddfd4 100644 --- a/htdocs/admin/resource.php +++ b/htdocs/admin/resource.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("admin", "resource")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/resource_extrafields.php b/htdocs/admin/resource_extrafields.php index 57eaa0d245c..61b0bf900df 100644 --- a/htdocs/admin/resource_extrafields.php +++ b/htdocs/admin/resource_extrafields.php 
@@ -44,7 +44,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'resource'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index d4d8b0718ae..4b665123e4f 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('users', 'admin', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $upload_dir = $conf->admin->dir_temp; @@ -52,8 +52,8 @@ if (GETPOST('sendit') && !empty($conf->global->MAIN_UPLOAD_DOC)) if ($action == 'updateform') { - $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND', 'none'); // Use GETPOST none because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe - $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM', 'none'); // Use GETPOST none because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" + $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND', 'restricthtml'); // Use GETPOST restricthtml because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe + $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM', 'restricthtml'); // Use GETPOST restricthtml because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" $antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&")); // Sanitize command $antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&")); // Sanitize params diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index 2bc477f6e39..686c0ddc21c 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php 
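Review bot: Switching `'none'` to `'restricthtml'` in security_file.php does not change the shell-safety of `$antivircommand`/`$antivirparam`; that still rests entirely on the `dol_string_nospecial(..., array("|", ";", "<", ">", "&"))` denylist on the following lines, which leaves backticks, `$(`, `(`/`)` and CR/LF untouched. If these constants are later handed to a shell (their use is outside this hunk), extend the denylist, e.g. `array("|", ";", "<", ">", "&", "`", "$", "(", ")", "\n", "\r")`, or better, pass command and parameters as separate `escapeshellarg()`'d arguments at execution time. The updated comment also asserts that `restricthtml` is needed to keep the `"` character; that is an assumption about the filter worth verifying, since `alphanohtml` is what the rest of this commit uses for non-HTML strings.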
@@ -34,7 +34,7 @@ $langs->loadLangs(array("users", "admin", "other")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); diff --git a/htdocs/admin/stock.php b/htdocs/admin/stock.php index 4edff5e93b3..44ae6a82945 100644 --- a/htdocs/admin/stock.php +++ b/htdocs/admin/stock.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "stocks")); // Securit check if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); diff --git a/htdocs/admin/supplier_invoice.php b/htdocs/admin/supplier_invoice.php index 59613f6af5b..9b618fa3d31 100644 --- a/htdocs/admin/supplier_invoice.php +++ b/htdocs/admin/supplier_invoice.php @@ -42,7 +42,7 @@ accessforbidden(); $type = GETPOST('type', 'alpha'); $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -167,7 +167,7 @@ if ($action == 'addcat') if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT') { - $freetext = GETPOST('SUPPLIER_INVOICE_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SUPPLIER_INVOICE_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "SUPPLIER_INVOICE_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/supplier_order.php b/htdocs/admin/supplier_order.php index a390e4a4522..c7026ca7327 100644 --- a/htdocs/admin/supplier_order.php +++ b/htdocs/admin/supplier_order.php 
@@ -43,7 +43,7 @@ accessforbidden(); $type = GETPOST('type', 'alpha'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $scandir = GETPOST('scan_dir', 'alpha'); $specimenthirdparty = new Societe($db); @@ -154,7 +154,7 @@ elseif ($action == 'setdoc') $fourn->CreateCategory($user, GETPOST('cat', 'alphanohtml')); } elseif ($action == 'set_SUPPLIER_ORDER_OTHER') { - $freetext = GETPOST('SUPPLIER_ORDER_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SUPPLIER_ORDER_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $doubleapproval = GETPOST('SUPPLIER_ORDER_3_STEPS_TO_BE_APPROVED', 'alpha'); $doubleapproval = price2num($doubleapproval); diff --git a/htdocs/admin/supplier_payment.php b/htdocs/admin/supplier_payment.php index 2eea751f8ac..27b3c023fcb 100644 --- a/htdocs/admin/supplier_payment.php +++ b/htdocs/admin/supplier_payment.php @@ -33,7 +33,7 @@ $langs->loadLangs(array("admin", "errors", "other", "bills", "orders")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scandir', 'alpha'); diff --git a/htdocs/admin/supplier_proposal.php b/htdocs/admin/supplier_proposal.php index 5f35f3af310..b0c5c4bff10 100644 --- a/htdocs/admin/supplier_proposal.php +++ b/htdocs/admin/supplier_proposal.php @@ -34,7 +34,7 @@ $langs->loadLangs(array("admin", "errors", "other", "supplier_proposal")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); 
@@ -123,7 +123,7 @@ if ($action == 'set_SUPPLIER_PROPOSAL_DRAFT_WATERMARK') if ($action == 'set_SUPPLIER_PROPOSAL_FREE_TEXT') { - $freetext = GETPOST('SUPPLIER_PROPOSAL_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SUPPLIER_PROPOSAL_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "SUPPLIER_PROPOSAL_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/supplierinvoice_extrafields.php b/htdocs/admin/supplierinvoice_extrafields.php index 172f243a22c..50e2fbbbb91 100644 --- a/htdocs/admin/supplierinvoice_extrafields.php +++ b/htdocs/admin/supplierinvoice_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facture_fourn'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/supplierinvoicedet_extrafields.php b/htdocs/admin/supplierinvoicedet_extrafields.php index a9fa9c1b09d..15a96009392 100644 --- a/htdocs/admin/supplierinvoicedet_extrafields.php +++ b/htdocs/admin/supplierinvoicedet_extrafields.php @@ -47,7 +47,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facture_fourn_det'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/supplierorder_extrafields.php b/htdocs/admin/supplierorder_extrafields.php index c280e56ac86..17d866d8f94 100644 --- a/htdocs/admin/supplierorder_extrafields.php +++ b/htdocs/admin/supplierorder_extrafields.php 
@@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande_fournisseur'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/supplierorderdet_extrafields.php b/htdocs/admin/supplierorderdet_extrafields.php index 59cc6783db8..1bcfcec05c4 100644 --- a/htdocs/admin/supplierorderdet_extrafields.php +++ b/htdocs/admin/supplierorderdet_extrafields.php @@ -46,7 +46,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande_fournisseurdet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/system/about.php b/htdocs/admin/system/about.php index 615d353bbf1..bbac6bdfe0c 100644 --- a/htdocs/admin/system/about.php +++ b/htdocs/admin/system/about.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array("help", "members", "other", "admin")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/system/database-tables.php b/htdocs/admin/system/database-tables.php index c0a52337a25..683fc3c4f3a 100644 --- a/htdocs/admin/system/database-tables.php +++ b/htdocs/admin/system/database-tables.php @@ -32,7 +32,7 @@ if (!$user->admin) { accessforbidden(); } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if ($action == 'convert') 
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 9288c2e2f1b..55a46e9f347 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array("install", "other", "admin")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php index e1f85ca77ce..88cf39b90a1 100644 --- a/htdocs/admin/system/filecheck.php +++ b/htdocs/admin/system/filecheck.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2005-2020 Laurent Destailleur * Copyright (C) 2007 Rodolphe Quiedeville * Copyright (C) 2007-2012 Regis Houssin * Copyright (C) 2015-2019 Frederic France @@ -195,9 +195,9 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$constname.''."\n"; - $out .= ''.$constvalue.''."\n"; - $out .= ''.$valueforchecksum.''."\n"; + $out .= ''.dol_escape_htmltag($constname).''."\n"; + $out .= ''.dol_escape_htmltag($constvalue).''."\n"; + $out .= ''.dol_escape_htmltag($valueforchecksum).''."\n"; $out .= "\n"; } @@ -255,11 +255,11 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$file['filename'].''."\n"; + $out .= ''.dol_escape_htmltag($file['filename']).''."\n"; $out .= ''; if (!empty($file['expectedsize'])) $out .= dol_print_size($file['expectedsize']); $out .= ''."\n"; - $out .= ''.$file['expectedmd5'].''."\n"; + $out .= ''.dol_escape_htmltag($file['expectedmd5']).''."\n"; $out .= "\n"; } } else { 
@@ -294,9 +294,9 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$file['filename'].''."\n"; - $out .= ''.$file['expectedmd5'].''."\n"; - $out .= ''.$file['md5'].''."\n"; + $out .= ''.dol_escape_htmltag($file['filename']).''."\n"; + $out .= ''.dol_escape_htmltag($file['expectedmd5']).''."\n"; + $out .= ''.dol_escape_htmltag($file['md5']).''."\n"; $out .= ''; if ($file['expectedsize']) $out .= dol_print_size($file['expectedsize']); $out .= ''."\n"; @@ -346,14 +346,14 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$file['filename']; + $out .= ''.dol_escape_htmltag($file['filename']); if (!preg_match('/^win/i', PHP_OS)) { $htmltext = $langs->trans("YouCanDeleteFileOnServerWith", 'rm '.DOL_DOCUMENT_ROOT.$file['filename']); // The slash is included int file['filename'] $out .= ' '.$form->textwithpicto('', $htmltext, 1, 'help', '', 0, 2, 'helprm'.$i); } $out .= ''."\n"; - $out .= ''.$file['expectedmd5'].''."\n"; - $out .= ''.$file['md5'].''."\n"; + $out .= ''.dol_escape_htmltag($file['expectedmd5']).''."\n"; + $out .= ''.dol_escape_htmltag($file['md5']).''."\n"; $size = dol_filesize(DOL_DOCUMENT_ROOT.'/'.$file['filename']); $totalsize += $size; $out .= ''.dol_print_size($size).''."\n"; diff --git a/htdocs/admin/taxes.php b/htdocs/admin/taxes.php index 687b43a6918..51a089336c6 100644 --- a/htdocs/admin/taxes.php +++ b/htdocs/admin/taxes.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('admin', 'objects', 'companies', 'products')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); diff --git a/htdocs/admin/ticket.php b/htdocs/admin/ticket.php index 974f8874096..4dd8a6fa5c1 100644 --- a/htdocs/admin/ticket.php +++ b/htdocs/admin/ticket.php 
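Review bot: In the last filecheck.php hunk `$file['filename']` is now escaped in the table cell but is still concatenated raw into the tooltip two lines later, `$langs->trans("YouCanDeleteFileOnServerWith", 'rm '.DOL_DOCUMENT_ROOT.$file['filename'])`, and `$form->textwithpicto()` presumably emits that text as HTML. The value comes from the same checksum XML as the cells just made safe, so wrap it too: `$htmltext = $langs->trans("YouCanDeleteFileOnServerWith", 'rm '.DOL_DOCUMENT_ROOT.dol_escape_htmltag($file['filename']));`. Whether `trans()` or `textwithpicto()` already escape their input is not visible here; if they do, the extra call is redundant but harmless.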
@@ -37,7 +37,7 @@ if (!$user->admin) { // Parameters $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scandir', 'alpha'); $type = 'ticket'; diff --git a/htdocs/admin/ticket_extrafields.php b/htdocs/admin/ticket_extrafields.php index a01996b31ac..91e5df44180 100644 --- a/htdocs/admin/ticket_extrafields.php +++ b/htdocs/admin/ticket_extrafields.php @@ -39,7 +39,7 @@ foreach ($tmptype2label as $key => $val) { $type2label[$key] = $langs->trans($val); } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'ticket'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php index 72427de3ab0..02e6e6916ee 100644 --- a/htdocs/admin/ticket_public.php +++ b/htdocs/admin/ticket_public.php @@ -37,7 +37,7 @@ if (!$user->admin) { // Parameters $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scandir', 'alpha'); $type = 'ticket'; diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php index b7d69247763..b8e6dc8c15e 100644 --- a/htdocs/admin/tools/dolibarr_export.php +++ b/htdocs/admin/tools/dolibarr_export.php @@ -29,10 +29,10 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; $langs->load("admin"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; if (!$sortfield) $sortfield = "date"; 
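Review bot: In the dolibarr_export.php hunk `$sortorder` is tightened to `'aZ09comma'`, but `GETPOST('pageplusone')` on the very next line still has no check type at all, although `page` on the same line already uses `'int'`; since the value is only used in arithmetic, `GETPOST('pageplusone', 'int')` is the consistent read. The same untyped `pageplusone` read sits next to the `sortorder` change in export.php, export_files.php, listevents.php, website.php, website_options.php, asset/list.php, blockedlog_list.php, bom_list.php, bookmarks/list.php, categories/viewcat.php and comm/contact.php. `$sortfield` on the preceding line is left at `'alpha'` even though it presumably reaches the same ORDER BY as `$sortorder`; whether `'alpha'` is tight enough there is worth confirming, keeping in mind that it must still admit dotted column names such as the `p.name` default visible in comm/contact.php.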
diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php index 408d82404dc..3614e412318 100644 --- a/htdocs/admin/tools/export.php +++ b/htdocs/admin/tools/export.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; $langs->load("admin"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $what = GETPOST('what', 'alpha'); $export_type = GETPOST('export_type', 'alpha'); $file = GETPOST('filename_template', 'alpha'); @@ -38,7 +38,7 @@ $file = GETPOST('filename_template', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php index e8b60eba5fb..45b02716524 100644 --- a/htdocs/admin/tools/export_files.php +++ b/htdocs/admin/tools/export_files.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; $langs->load("admin"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $what = GETPOST('what', 'alpha'); $export_type = GETPOST('export_type', 'alpha'); $file = GETPOST('zipfilename_template', 'alpha'); 
@@ -40,7 +40,7 @@ $file = dol_sanitizeFileName($file); $file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2)$/i', '', $file); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; if (!$sortfield) $sortfield = "date"; diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index e9d06885dfd..af55fcd1f16 100644 --- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php @@ -1,8 +1,8 @@ +/* Copyright (C) 2004-2020 Laurent Destailleur * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2015 Bahfir Abbes - * Copyright (C) 2018 Frédéric France + * Copyright (C) 2018 Frédéric France * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check @@ -47,7 +47,7 @@ $langs->loadLangs(array("companies", "admin", "users", "other")); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; 
@@ -60,8 +60,8 @@ $search_code = GETPOST("search_code", "alpha"); $search_ip = GETPOST("search_ip", "alpha"); $search_user = GETPOST("search_user", "alpha"); $search_desc = GETPOST("search_desc", "alpha"); -$search_ua = GETPOST("search_ua", "none"); -$search_prefix_session = GETPOST("search_prefix_session", "none"); +$search_ua = GETPOST("search_ua", "restricthtml"); +$search_prefix_session = GETPOST("search_prefix_session", "restricthtml"); if (GETPOST("date_startmonth") == '' || GETPOST("date_startmonth") > 0) $date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); else $date_start = -1; diff --git a/htdocs/admin/tools/listsessions.php b/htdocs/admin/tools/listsessions.php index 07f9f1ef47c..aedc41e0b23 100644 --- a/htdocs/admin/tools/listsessions.php +++ b/htdocs/admin/tools/listsessions.php @@ -31,7 +31,7 @@ $langs->loadLangs(array("companies", "install", "users", "other")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/admin/tools/purge.php b/htdocs/admin/tools/purge.php index 9898e290ddc..c41b43b3b48 100644 --- a/htdocs/admin/tools/purge.php +++ b/htdocs/admin/tools/purge.php @@ -29,7 +29,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $choice = GETPOST('choice', 'aZ09'); diff --git a/htdocs/admin/tools/update.php b/htdocs/admin/tools/update.php index 67f07a4eb24..27b53e8266e 100644 --- a/htdocs/admin/tools/update.php +++ b/htdocs/admin/tools/update.php 
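Review bot: `search_ua` and `search_prefix_session` in listevents.php are search filters for a user-agent string and a session prefix, yet the new check type `'restricthtml'` is the HTML-sanitising mode that still lets a subset of markup through. Neither filter has a legitimate HTML form, so a type that strips markup entirely states the intent better and is cheaper: `$search_ua = GETPOST("search_ua", "alphanohtml");` and `$search_prefix_session = GETPOST("search_prefix_session", "alphanohtml");`. How the two values are later used in the query and echoed back into the filter form is outside this hunk, so confirm that nothing relies on markup surviving.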
@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php'; // Load translation files required by the page $langs->loadLangs(array("admin", "other")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php index 309d15485eb..9259ac420b7 100644 --- a/htdocs/admin/translation.php +++ b/htdocs/admin/translation.php @@ -33,11 +33,11 @@ $langs->loadLangs(array("companies", "products", "admin", "sms", "other", "error if (!$user->admin) accessforbidden(); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $langcode = GETPOST('langcode', 'alphanohtml'); $transkey = GETPOST('transkey', 'alphanohtml'); -$transvalue = GETPOST('transvalue', 'none'); +$transvalue = GETPOST('transvalue', 'restricthtml'); $mode = GETPOST('mode', 'aZ09') ?GETPOST('mode', 'aZ09') : 'searchkey'; diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php index f866b418131..25822cd380b 100644 --- a/htdocs/admin/user.php +++ b/htdocs/admin/user.php @@ -38,7 +38,7 @@ if (!$user->admin) accessforbidden(); $extrafields = new ExtraFields($db); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $value = GETPOST('value', 'alpha'); diff --git a/htdocs/admin/usergroup.php b/htdocs/admin/usergroup.php index 490c79a3363..d6b66b6fd22 100644 --- a/htdocs/admin/usergroup.php +++ b/htdocs/admin/usergroup.php @@ -38,7 +38,7 @@ if (!$user->admin) accessforbidden(); $extrafields = new ExtraFields($db); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $type = 'group'; diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index 4254408ed90..7c098aa1c4b 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php 
@@ -52,7 +52,7 @@ $actl[1] = img_picto($langs->trans("Activated"), 'switch_on'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/admin/website_options.php b/htdocs/admin/website_options.php index 6f0cffa41c8..2bbe3e84638 100644 --- a/htdocs/admin/website_options.php +++ b/htdocs/admin/website_options.php @@ -47,7 +47,7 @@ $status = 1; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/admin/workflow.php b/htdocs/admin/workflow.php index 671bacee080..dddcaf91c81 100644 --- a/htdocs/admin/workflow.php +++ b/htdocs/admin/workflow.php @@ -33,7 +33,7 @@ if (!$user->admin) accessforbidden(); // Load translation files required by the page $langs->loadLangs(array("admin", "workflow", "propal", "workflow", "orders", "supplier_proposal", "receptions", "errors")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/asset/admin/assets_extrafields.php b/htdocs/asset/admin/assets_extrafields.php index be36482c295..0bdbff93569 100644 --- a/htdocs/asset/admin/assets_extrafields.php +++ b/htdocs/asset/admin/assets_extrafields.php 
@@ -37,7 +37,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'don'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/asset/admin/assets_type_extrafields.php b/htdocs/asset/admin/assets_type_extrafields.php index 2f10938d356..ba42a3374dc 100644 --- a/htdocs/asset/admin/assets_type_extrafields.php +++ b/htdocs/asset/admin/assets_type_extrafields.php @@ -36,7 +36,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'adherent_type'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/asset/admin/setup.php b/htdocs/asset/admin/setup.php index c1afe7ba472..64e2bc2b5ad 100644 --- a/htdocs/asset/admin/setup.php +++ b/htdocs/asset/admin/setup.php @@ -35,7 +35,7 @@ $langs->loadLangs(array("admin", "assets")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $arrayofparameters = array('FIXEDASSETS_MYPARAM1'=>array('css'=>'minwidth200'), 'FIXEDASSETS_MYPARAM2'=>array('css'=>'minwidth500')); diff --git a/htdocs/asset/info.php b/htdocs/asset/info.php index 900bbc61bf2..2654ebc2d81 100644 --- a/htdocs/asset/info.php +++ b/htdocs/asset/info.php @@ -31,7 +31,7 @@ $langs->loadLangs(array("asset")); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; 
diff --git a/htdocs/asset/list.php b/htdocs/asset/list.php index ab31c6c9831..224caea2e58 100644 --- a/htdocs/asset/list.php +++ b/htdocs/asset/list.php @@ -48,7 +48,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/asset/note.php b/htdocs/asset/note.php index 7b92e1dab92..8df2a7a5452 100644 --- a/htdocs/asset/note.php +++ b/htdocs/asset/note.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("asset", "companies")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/asset/type.php b/htdocs/asset/type.php index eebc85fc099..01418fde201 100644 --- a/htdocs/asset/type.php +++ b/htdocs/asset/type.php @@ -34,7 +34,7 @@ if (!empty($conf->accounting->enabled)) require_once DOL_DOCUMENT_ROOT.'/account $langs->load("assets"); $rowid = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/barcode/printsheet.php b/htdocs/barcode/printsheet.php index 1ac908f361a..dabd05bf745 100644 --- a/htdocs/barcode/printsheet.php +++ b/htdocs/barcode/printsheet.php 
@@ -36,10 +36,10 @@ $now = dol_now(); $year = dol_print_date($now, '%Y'); $month = dol_print_date($now, '%m'); $day = dol_print_date($now, '%d'); -$forbarcode = GETPOST('forbarcode'); -$fk_barcode_type = GETPOST('fk_barcode_type'); -$mode = GETPOST('mode'); -$modellabel = GETPOST("modellabel"); // Doc template to use +$forbarcode = GETPOST('forbarcode', 'alphanohtml'); +$fk_barcode_type = GETPOST('fk_barcode_type', 'int'); +$mode = GETPOST('mode', 'aZ09'); +$modellabel = GETPOST("modellabel", 'aZ09'); // Doc template to use $numberofsticker = GETPOST('numberofsticker', 'int'); $mesg = ''; @@ -57,8 +57,8 @@ $thirdpartytmp = new Societe($db); if (GETPOST('submitproduct') && GETPOST('submitproduct')) { $action = ''; // We reset because we don't want to build doc - if (GETPOST('productid') > 0) { - $result = $producttmp->fetch(GETPOST('productid')); + if (GETPOST('productid', 'int') > 0) { + $result = $producttmp->fetch(GETPOST('productid', 'int')); if ($result < 0) { setEventMessage($producttmp->error, 'errors'); } @@ -76,9 +76,9 @@ if (GETPOST('submitproduct') && GETPOST('submitproduct')) if (GETPOST('submitthirdparty') && GETPOST('submitthirdparty')) { $action = ''; // We reset because we don't want to build doc - if (GETPOST('socid') > 0) + if (GETPOST('socid', 'int') > 0) { - $thirdpartytmp->fetch(GETPOST('socid')); + $thirdpartytmp->fetch(GETPOST('socid', 'int')); $forbarcode = $thirdpartytmp->barcode; $fk_barcode_type = $thirdpartytmp->barcode_type_code; @@ -381,7 +381,7 @@ if (!empty($user->rights->produit->lire) || !empty($user->rights->service->lire) print ' '.$langs->trans("FillBarCodeTypeAndValueFromProduct").'   '; print '
'; print '
'; - $form->select_produits(GETPOST('productid'), 'productid', '', '', 0, -1, 2, '', 0, array(), 0, '1', 0, 'minwidth400imp', 1); + $form->select_produits(GETPOST('productid', 'int'), 'productid', '', '', 0, -1, 2, '', 0, array(), 0, '1', 0, 'minwidth400imp', 1); print '   '; print '
'; } @@ -391,7 +391,7 @@ if (!empty($user->rights->societe->lire)) print ' '.$langs->trans("FillBarCodeTypeAndValueFromThirdParty").'   '; print '
'; print '
'; - print $form->select_company(GETPOST('socid'), 'socid', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300'); + print $form->select_company(GETPOST('socid', 'int'), 'socid', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300'); print '   '; print '
'; } diff --git a/htdocs/blockedlog/admin/blockedlog.php b/htdocs/blockedlog/admin/blockedlog.php index 1b6ff1fa021..051f8bb049a 100644 --- a/htdocs/blockedlog/admin/blockedlog.php +++ b/htdocs/blockedlog/admin/blockedlog.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "other", "blockedlog")); if (!$user->admin || empty($conf->blockedlog->enabled)) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/blockedlog/admin/blockedlog_list.php b/htdocs/blockedlog/admin/blockedlog_list.php index ab36caedba4..818c84a8b5e 100644 --- a/htdocs/blockedlog/admin/blockedlog_list.php +++ b/htdocs/blockedlog/admin/blockedlog_list.php @@ -35,7 +35,7 @@ $langs->loadLangs(array("admin", "other", "blockedlog", "bills")); if ((!$user->admin && !$user->rights->blockedlog->read) || empty($conf->blockedlog->enabled)) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'blockedloglist'; // To manage different context of search $backtopage = GETPOST('backtopage', 'alpha'); // Go back to a dedicated page $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print') @@ -57,7 +57,7 @@ if (($search_start == -1 || empty($search_start)) && !GETPOSTISSET('search_start // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; 
diff --git a/htdocs/blockedlog/ajax/block-add.php b/htdocs/blockedlog/ajax/block-add.php index 5aa344c0237..1102438f5b5 100644 --- a/htdocs/blockedlog/ajax/block-add.php +++ b/htdocs/blockedlog/ajax/block-add.php @@ -34,7 +34,7 @@ $res = require '../../main.inc.php'; $id = GETPOST('id', 'int'); $element = GETPOST('element', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if ($element === 'facture') { require_once DOL_DOCUMENT_ROOT.'/blockedlog/class/blockedlog.class.php'; diff --git a/htdocs/bom/bom_agenda.php b/htdocs/bom/bom_agenda.php index 43f1604e08c..d8361d30258 100644 --- a/htdocs/bom/bom_agenda.php +++ b/htdocs/bom/bom_agenda.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("mrp", "other")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/bom/bom_list.php b/htdocs/bom/bom_list.php index 6092f11aea5..5f1728ef055 100644 --- a/htdocs/bom/bom_list.php +++ b/htdocs/bom/bom_list.php @@ -46,7 +46,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/bom/bom_note.php b/htdocs/bom/bom_note.php index dce9bc82b06..df1693e84b0 100644 --- a/htdocs/bom/bom_note.php +++ b/htdocs/bom/bom_note.php 
@@ -33,7 +33,7 @@ $langs->loadLangs(array("mrp", "companies")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/bookmarks/admin/bookmark.php b/htdocs/bookmarks/admin/bookmark.php index 2d8501130dc..9aa1989fa2e 100644 --- a/htdocs/bookmarks/admin/bookmark.php +++ b/htdocs/bookmarks/admin/bookmark.php @@ -31,7 +31,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if ($action == 'setvalue') { diff --git a/htdocs/bookmarks/list.php b/htdocs/bookmarks/list.php index a4f0939c054..3ea33b329ff 100644 --- a/htdocs/bookmarks/list.php +++ b/htdocs/bookmarks/list.php @@ -27,7 +27,7 @@ require_once DOL_DOCUMENT_ROOT.'/bookmarks/class/bookmark.class.php'; // Load translation files required by the page $langs->loadLangs(array('bookmarks', 'admin')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -43,7 +43,7 @@ $optioncss = GETPOST('optioncss', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; 
diff --git a/htdocs/cashdesk/facturation_verif.php b/htdocs/cashdesk/facturation_verif.php index c62e31b1e3f..16b4bfec017 100644 --- a/htdocs/cashdesk/facturation_verif.php +++ b/htdocs/cashdesk/facturation_verif.php @@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/cashdesk/class/Facturation.class.php'; require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $obj_facturation = unserialize($_SESSION['serObjFacturation']); unset($_SESSION['serObjFacturation']); diff --git a/htdocs/categories/admin/categorie_extrafields.php b/htdocs/categories/admin/categorie_extrafields.php index bd285e5efaf..72151abdcdb 100644 --- a/htdocs/categories/admin/categorie_extrafields.php +++ b/htdocs/categories/admin/categorie_extrafields.php @@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'categorie'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/categories/traduction.php b/htdocs/categories/traduction.php index a8f3510c31b..cf3db3444c7 100644 --- a/htdocs/categories/traduction.php +++ b/htdocs/categories/traduction.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('categories', 'languages')); $id = GETPOST('id', 'int'); $label = GETPOST('label', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $type = GETPOST('type', 'aZ09'); 
@@ -85,7 +85,7 @@ $cancel != $langs->trans("Cancel") && // check parameters $forcelangprod = GETPOST('forcelangprod', 'alpha'); $libelle = GETPOST('libelle', 'alpha'); - $desc = GETPOST('desc', 'none'); + $desc = GETPOST('desc', 'restricthtml'); if (empty($forcelangprod)) { $error++; @@ -338,7 +338,7 @@ if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service print ''.$langs->trans('Label').''; print ''; print ''.$langs->trans('Description').''; - $doleditor = new DolEditor('desc', GETPOST('desc', 'none'), '', 160, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_3, '90%'); + $doleditor = new DolEditor('desc', GETPOST('desc', 'restricthtml'), '', 160, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_3, '90%'); $doleditor->Create(); print ''; diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php index 0e5b50085c9..2648a0c09f4 100644 --- a/htdocs/categories/viewcat.php +++ b/htdocs/categories/viewcat.php @@ -54,7 +54,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always ' // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/collab/index.php b/htdocs/collab/index.php index 0c457fb6f47..7353ea881ee 100644 --- a/htdocs/collab/index.php +++ b/htdocs/collab/index.php 
@@ -39,7 +39,7 @@ $error = 0; $website = GETPOST('website', 'alpha'); $page = GETPOST('page', 'alpha'); $pageid = GETPOST('pageid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (GETPOST('delete')) { $action = 'delete'; } if (GETPOST('preview')) $action = 'preview'; diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index 8c14a524681..0fe69fa10ea 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php @@ -50,7 +50,7 @@ require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "other", "commercial", "bills", "orders", "agenda")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); $socpeopleassigned = GETPOST('socpeopleassigned', 'array'); @@ -326,7 +326,7 @@ if (empty($reshook) && $action == 'add') if (GETPOST("doneby") > 0) $object->userdoneid = GETPOST("doneby", "int"); } - $object->note_private = trim(GETPOST("note", "none")); + $object->note_private = trim(GETPOST("note", "restricthtml")); if (isset($_POST["contactid"])) $object->contact = $contact; @@ -499,7 +499,7 @@ if (empty($reshook) && $action == 'update') $object->contact_id = key($object->socpeopleassigned); } $object->fk_project = GETPOST("projectid", 'int'); - $object->note_private = trim(GETPOST("note", "none")); + $object->note_private = trim(GETPOST("note", "restricthtml")); $object->fk_element = GETPOST("fk_element", "int"); $object->elementtype = GETPOST("elementtype", "alphanohtml"); 
@@ -1172,7 +1172,7 @@ if ($action == 'create') // Description print ''.$langs->trans("Description").''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('note', (GETPOSTISSET('note') ? GETPOST('note', 'none') : $object->note_private), '', 120, 'dolibarr_notes', 'In', true, true, $conf->fckeditor->enabled, ROWS_4, '90%'); + $doleditor = new DolEditor('note', (GETPOSTISSET('note') ? GETPOST('note', 'restricthtml') : $object->note_private), '', 120, 'dolibarr_notes', 'In', true, true, $conf->fckeditor->enabled, ROWS_4, '90%'); $doleditor->Create(); print ''; @@ -1303,7 +1303,7 @@ if ($id > 0) $object->contact_id = GETPOST("contactid", 'int'); $object->fk_project = GETPOST("projectid", 'int'); - $object_private = GETPOST("note", 'none'); + $object_private = GETPOST("note", 'restricthtml'); } if ($result2 < 0 || $result3 < 0 || $result4 < 0 || $result5 < 0) diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php index 028de1e6fb7..bed4054e018 100644 --- a/htdocs/comm/action/document.php +++ b/htdocs/comm/action/document.php @@ -40,7 +40,7 @@ if (!empty($conf->projet->enabled)) require_once DOL_DOCUMENT_ROOT.'/projet/clas $langs->loadLangs(array('companies', 'commercial', 'other', 'bills')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index 135f91c56f4..f4e8487b054 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php 
@@ -79,7 +79,7 @@ if (!$user->rights->agenda->allactions->read || $filter == 'mine') // If no per $filtert = $user->id; } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $resourceid = GETPOST("search_resourceid", "int"); $year = GETPOST("year", "int") ?GETPOST("year", "int") : date("Y"); $month = GETPOST("month", "int") ?GETPOST("month", "int") : date("m"); @@ -118,13 +118,13 @@ if ($action == 'default') // When action is default, we want a calendar view and { $action = (($defaultview != 'show_list') ? $defaultview : 'show_month'); } -if (GETPOST('viewcal', 'none') && GETPOST('action', 'alpha') != 'show_day' && GETPOST('action', 'alpha') != 'show_week') { +if (GETPOST('viewcal', 'restricthtml') && GETPOST('action', 'alpha') != 'show_day' && GETPOST('action', 'alpha') != 'show_week') { $action = 'show_month'; $day = ''; } // View by month -if (GETPOST('viewweek', 'none') || GETPOST('action', 'alpha') == 'show_week') { +if (GETPOST('viewweek', 'restricthtml') || GETPOST('action', 'alpha') == 'show_week') { $action = 'show_week'; $week = ($week ? $week : date("W")); $day = ($day ? $day : date("d")); } // View by week -if (GETPOST('viewday', 'none') || GETPOST('action', 'alpha') == 'show_day') { +if (GETPOST('viewday', 'restricthtml') || GETPOST('action', 'alpha') == 'show_day') { $action = 'show_day'; $day = ($day ? $day : date("d")); } // View by day diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php index 4584365f208..92975aafec0 100644 --- a/htdocs/comm/action/list.php +++ b/htdocs/comm/action/list.php 
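Review bot: In the `@@ -118` hunk of comm/action/index.php `viewcal`, `viewweek` and `viewday` are only tested for presence and never printed, so routing them through the `'restricthtml'` sanitiser works but hides the intent; `GETPOSTISSET('viewcal')` (or a plain `'alpha'` read) makes the boolean nature obvious. The same three conditions still compare `GETPOST('action', 'alpha')`, while the first hunk now assigns `$action` from `GETPOST('action', 'aZ09')`, so the branch decisions are taken on a differently-filtered copy of the parameter than the one the rest of the page acts on. Using `'aZ09'` in those comparisons, e.g. `if (GETPOST('viewweek', 'alpha') || GETPOST('action', 'aZ09') == 'show_week') {`, keeps the two reads in step; comparing `$action` itself is only equivalent if the `default` rewrite just above is meant to be honoured here.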
@@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php'; // Load translation files required by the page $langs->loadLangs(array("users", "companies", "agenda", "commercial", "other")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'actioncommlist'; // To manage different context of search $resourceid = GETPOST("search_resourceid", "int") ?GETPOST("search_resourceid", "int") : GETPOST("resourceid", "int"); diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php index 6852ec2476b..fbb49772d3e 100644 --- a/htdocs/comm/action/rapport/index.php +++ b/htdocs/comm/action/rapport/index.php @@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/modules/action/rapport.pdf.php'; // Load translation files required by the page $langs->loadLangs(array("agenda", "commercial")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $month = GETPOST('month', 'int'); $year = GETPOST('year', 'int'); diff --git a/htdocs/comm/admin/propal_extrafields.php b/htdocs/comm/admin/propal_extrafields.php index 699f290ed79..d154dc7aafb 100644 --- a/htdocs/comm/admin/propal_extrafields.php +++ b/htdocs/comm/admin/propal_extrafields.php @@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'propal'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/comm/admin/propaldet_extrafields.php b/htdocs/comm/admin/propaldet_extrafields.php index 635ffaf8b37..1acdbfa5ca1 100644 --- a/htdocs/comm/admin/propaldet_extrafields.php +++ b/htdocs/comm/admin/propaldet_extrafields.php 
@@ -46,7 +46,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'propaldet'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php
index 2c20df32c90..d3e180b7a88 100644
--- a/htdocs/comm/card.php
+++ b/htdocs/comm/card.php
@@ -203,7 +203,7 @@ if (empty($reshook))
 $object->oldcopy = dol_clone($object);
 // Fill array 'array_options' with data from update form
- $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none'));
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
 if ($ret < 0) $error++;
 if (!$error) {
diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php
index d3075916367..83dfd203d0c 100644
--- a/htdocs/comm/contact.php
+++ b/htdocs/comm/contact.php
@@ -30,7 +30,7 @@ require '../main.inc.php';
 $langs->load("companies");
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (!$sortorder) $sortorder = "ASC";
 if (!$sortfield) $sortfield = "p.name";
diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php
index 555b5895fac..1ed0b684696 100644
--- a/htdocs/comm/index.php
+++ b/htdocs/comm/index.php
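Review bot: `GETPOST('attribute', 'restricthtml')` passes a value that, judging by its position in `setOptionalsFromPost(null, $object, ...)`, looks like an extrafield key rather than free text, and `restricthtml` leaves a subset of HTML in place; if it is indeed a key, `GETPOST('attribute', 'aZ09')` (or `'alphanohtml'`) is the tighter choice. The same call appears in the `htdocs/comm/propal/card.php` hunk at `-1316`. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.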
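Review bot: Only `$sortorder` was tightened; `$sortfield = GETPOST('sortfield', 'alpha')` on the line above keeps the looser filter even though its default `p.name` is a column expression that presumably ends up in an ORDER BY clause built outside this hunk. `$sortfield = GETPOST('sortfield', 'aZ09comma');` would apply the same restriction to both, assuming that filter admits the dot in `p.name`; otherwise a whitelist of sortable columns is the usual fix. The same pattern is in the `advtargetemailing.php` and `cibles.php` hunks further down.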
@@ -1,11 +1,11 @@ - * Copyright (C) 2004-2015 Laurent Destailleur - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2015 Jean-François Ferry - * Copyright (C) 2019 Nicolas ZABOURI - * Copyright (C) 2020 Pierre Ardoin - * Copyright (C) 2020 Tobias Sekan +/* Copyright (C) 2001-2005 Rodolphe Quiedeville + * Copyright (C) 2004-2015 Laurent Destailleur + * Copyright (C) 2005-2012 Regis Houssin + * Copyright (C) 2015 Jean-François Ferry + * Copyright (C) 2019 Nicolas ZABOURI + * Copyright (C) 2020 Pierre Ardoin + * Copyright (C) 2020 Tobias Sekan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -22,33 +22,33 @@ */ /** - * \file htdocs/comm/index.php - * \ingroup commercial - * \brief Home page of commercial area + * \file htdocs/comm/index.php + * \ingroup commercial + * \brief Home page of commercial area */ require '../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; -require_once DOL_DOCUMENT_ROOT.'/societe/class/client.class.php'; -require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; -require_once DOL_DOCUMENT_ROOT.'/core/lib/agenda.lib.php'; -if (!empty($conf->contrat->enabled)) require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php'; -if (!empty($conf->propal->enabled)) require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; -if (!empty($conf->supplier_proposal->enabled)) require_once DOL_DOCUMENT_ROOT.'/supplier_proposal/class/supplier_proposal.class.php'; -if (!empty($conf->commande->enabled)) require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; -if (!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || ! empty($conf->supplier_order->enabled)) require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; if (!$user->rights->societe->lire) accessforbidden(); -$hookmanager = new HookManager($db); +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/agenda.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; +require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; +require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; +require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php'; +require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; +require_once DOL_DOCUMENT_ROOT.'/societe/class/client.class.php'; +require_once DOL_DOCUMENT_ROOT.'/supplier_proposal/class/supplier_proposal.class.php'; // Initialize technical object to manage hooks. 
Note that conf->hooks_modules contains array +$hookmanager = new HookManager($db); $hookmanager->initHooks(array('commercialindex')); // Load translation files required by the page -$langs->loadLangs(array("commercial", "propal")); +$langs->loadLangs(array("boxes", "commercial", "contracts", "orders", "propal", "supplier_proposal")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $bid = GETPOST('bid', 'int'); // Securite acces client @@ -84,7 +84,8 @@ print load_fiche_titre($langs->trans("CommercialArea"), '', 'commercial'); print '
'; -if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { // This is useless due to the global search combo +// This is useless due to the global search combo +if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { // Search proposal if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $listofsearchfields['search_proposal'] = array('text'=>'Proposal'); @@ -136,19 +137,14 @@ if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { // This is useless * Draft customer proposals */ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { - $langs->load("propal"); - - $sql = "SELECT p.rowid, p.ref, p.ref_client, p.total_ht, p.tva as total_tva, p.total as total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.email"; - $sql .= ", s.entity"; - $sql .= ", s.code_compta"; + $sql = "SELECT p.rowid, p.ref, p.ref_client, p.total_ht, p.tva as total_tva, p.total as total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.email, s.entity, s.code_compta"; $sql .= " FROM ".MAIN_DB_PREFIX."propal as p"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE p.fk_statut = 0"; + $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; $sql .= " AND p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('propal').")"; + $sql .= " AND p.fk_statut = ".Propal::STATUS_DRAFT; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; 
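Review bot: `if ($socid) $sql .= " AND s.rowid = ".$socid;` and `sc.fk_user = ".$user->id` splice values into the query by string concatenation; where `$socid` is assigned is outside the hunk, so a cast is the cheap defence regardless of which GETPOST filter fed it: `if ($socid) $sql .= " AND s.rowid = ".((int) $socid);`. The same construction is repeated in the draft supplier proposals, draft orders, draft supplier orders, last customers, last suppliers, latest contracts, opened proposals and opened orders hunks of this file, and a single cast at the point where `$socid` is set would cover all of them. The enclosing `if (!empty($conf->propal->enabled) ...)` block continues past the hunk.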
@@ -157,7 +153,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("ProposalsDraft", "comm/propal/list.php", "search_status=0", 2, $num); + startSimpleTable("ProposalsDraft", "comm/propal/list.php", "search_status=".Propal::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; @@ -185,11 +181,11 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { print ''; print ''.$propalstatic->getNomUrl(1).''; print ''.$companystatic->getNomUrl(1, 'customer', 16).''; - print ''.price($obj->total_ht).''; + print ''.price((!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc)).''; print ''; $i++; - $total += $obj->total_ht; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } 
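Review bot: `(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc)` is now written out twice in this loop and repeated in the same shape in the later hunks at `-251`, `-326`, `-395`, `-690` and `-752`; a single `$amount = !empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc;` at the top of each loop body, or a boolean computed once near the top of the file, would keep the printed cell and the running `$total` from drifting apart. The loop and its enclosing block continue outside the hunk.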
@@ -206,28 +202,23 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { * Draft supplier proposals */ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposal->lire) { - $langs->load("supplier_proposal"); - - $sql = "SELECT p.rowid, p.ref, p.total_ht, p.tva as total_tva, p.total as total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.code_fournisseur"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT p.rowid, p.ref, p.total_ht, p.tva as total_tva, p.total as total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.code_fournisseur, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."supplier_proposal as p"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE p.fk_statut = 0"; + $sql .= " WHERE p.entity IN (".getEntity($supplierproposalstatic->element).")"; + $sql .= " AND p.fk_statut = ".SupplierProposal::STATUS_DRAFT; $sql .= " AND p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND s.rowid = ".$socid; + if ($socid) $sql .= " AND s.rowid = ".$socid; $resql = $db->query($sql); if ($resql) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("SupplierProposalsDraft", "supplier_proposal/list.php", "search_status=0", 2, $num); + startSimpleTable("SupplierProposalsDraft", "supplier_proposal/list.php", "search_status=".SupplierProposal::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; 
@@ -251,13 +242,13 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa $companystatic->email = $obj->email; print ''; - print ''.$supplierproposalstatic->getNomUrl(1).''; + print ''.$supplierproposalstatic->getNomUrl(1).''; print ''.$companystatic->getNomUrl(1, 'supplier', 16).''; - print ''.price($obj->total_ht).''; + print ''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).''; print ''; $i++; - $total += $obj->total_ht; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } 
@@ -274,28 +265,23 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa * Draft customer orders */ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { - $langs->load("orders"); - - $sql = "SELECT c.rowid, c.ref, c.ref_client, c.total_ht, c.tva as total_tva, c.total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.email"; - $sql .= ", s.entity"; - $sql .= ", s.code_compta"; + $sql = "SELECT c.rowid, c.ref, c.ref_client, c.total_ht, c.tva as total_tva, c.total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.email, s.entity, s.code_compta"; $sql .= " FROM ".MAIN_DB_PREFIX."commande as c"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.fk_statut = 0"; - $sql .= " AND c.entity IN (".getEntity('commande').")"; + $sql .= " WHERE c.entity IN (".getEntity($orderstatic->element).")"; + $sql .= " AND c.fk_statut = ".Commande::STATUS_DRAFT; + $sql .= " AND c.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND c.fk_soc = ".$socid; + if ($socid) $sql .= " AND c.fk_soc = ".$socid; $resql = $db->query($sql); if ($resql) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("DraftOrders", "commande/list.php", "search_status=0", 2, $num); + startSimpleTable("DraftOrders", "commande/list.php", "search_status=".Commande::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; 
@@ -326,7 +312,7 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { print ''; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } 
@@ -343,28 +329,23 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { * Draft suppliers orders */ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || !empty($conf->supplier_order->enabled)) && $user->rights->fournisseur->commande->lire) { - $langs->load("orders"); - - $sql = "SELECT cf.rowid, cf.ref, cf.ref_supplier, cf.total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.code_fournisseur"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT cf.rowid, cf.ref, cf.ref_supplier, cf.total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.code_fournisseur, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseur as cf"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE cf.fk_soc = s.rowid"; - $sql .= " AND cf.fk_statut = 0"; - $sql .= " AND cf.entity IN (".getEntity('supplier_order').")"; + $sql .= " WHERE cf.entity IN (".getEntity($supplierorderstatic->element).")"; + $sql .= " AND cf.fk_statut = ".CommandeFournisseur::STATUS_DRAFT; + $sql .= " AND cf.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND cf.fk_soc = ".$socid; + if ($socid) $sql .= " AND cf.fk_soc = ".$socid; $resql = $db->query($sql); if ($resql) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("DraftSuppliersOrders", "fourn/commande/list.php", "search_status=0", 2, $num); + startSimpleTable("DraftSuppliersOrders", "fourn/commande/list.php", "search_status=".CommandeFournisseur::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; 
@@ -395,7 +376,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU print ''; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } @@ -407,27 +388,20 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU } } -print '
'; - -$max = 3; +print '
'; +print '
'; /* * Last modified customers or prospects */ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { - $langs->load("boxes"); - - $sql = "SELECT s.rowid, s.nom as name, s.client, s.datec, s.tms, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.code_compta"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT s.rowid, s.nom as name, s.client, s.datec, s.tms, s.canvas, s.code_client, s.code_compta, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE s.client IN (1, 2, 3)"; - $sql .= " AND s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " WHERE s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " AND s.client IN (".Societe::CUSTOMER.", ".Societe::PROSPECT.", ".Societe::CUSTOMER_AND_PROSPECT.")"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND s.rowid = $socid"; + if ($socid) $sql .= " AND s.rowid = $socid"; $sql .= " ORDER BY s.tms DESC"; $sql .= $db->plimit($max, 0); 
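Review bot: The hunk deletes `$max = 3;` but keeps `$sql .= $db->plimit($max, 0);` a few lines later (and the last-suppliers hunk at `-485` uses `$max` the same way), so unless `$max` is now assigned somewhere earlier in the file outside these hunks, the limit is built from an undefined variable; if `plimit` treats an empty limit as "no LIMIT", these dashboard queries become unbounded. Either restore `$max = 3;` here or make the new definition visible, as was done with `$max = 5;` in `htdocs/comm/propal/index.php`. The `if ($socid) $sql .= " AND s.rowid = $socid";` line has the same concatenation issue noted on the draft proposals hunk.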
@@ -485,18 +459,13 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { * Last suppliers */ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) && $user->rights->societe->lire) { - $langs->load("boxes"); - - $sql = "SELECT s.nom as name, s.rowid, s.datec as dc, s.canvas, s.tms as dm"; - $sql .= ", s.code_fournisseur"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT s.nom as name, s.rowid, s.datec as dc, s.canvas, s.tms as dm, s.code_fournisseur, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$user->socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE s.fournisseur = 1"; - $sql .= " AND s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " WHERE s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " AND s.fournisseur = ".Societe::SUPPLIER; if (!$user->rights->societe->client->voir && !$user->socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND s.rowid = ".$socid; + if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY s.datec DESC"; $sql .= $db->plimit($max, 0); 
@@ -556,21 +525,18 @@ if ($user->rights->agenda->myactions->read) { * Latest contracts */ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // TODO A REFAIRE DEPUIS NOUVEAU CONTRAT - $langs->load("contracts"); + $staticcontrat = new Contrat($db); - $sql = "SELECT s.nom as name, s.rowid, s.canvas, "; - $sql .= ", s.code_client"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT s.nom as name, s.rowid, s.canvas, s.code_client, s.entity, s.email"; $sql .= ", c.statut, c.rowid as contratid, p.ref, c.fin_validite as datefin, c.date_cloture as dateclo"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."contrat as c"; $sql .= ", ".MAIN_DB_PREFIX."product as p"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.entity IN (".getEntity('contract').")"; + $sql .= " WHERE c.entity IN (".getEntity($staticcontrat->element).")"; + $sql .= " AND c.fk_soc = s.rowid"; $sql .= " AND c.fk_product = p.rowid"; - if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; + if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY c.tms DESC"; $sql .= $db->plimit(5, 0); @@ -582,7 +548,6 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T if ($num > 0) { $i = 0; - $staticcontrat = new Contrat($db); while ($i < $num) { $obj = $db->fetch_object($resql); 
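Review bot: `$staticcontrat = new Contrat($db);` is moved into a block whose condition ends in `&& 0` (see the `// TODO A REFAIRE` marker on the context line), so the rewritten SELECT, including the repaired `s.canvas, s.code_client` list that previously produced a stray double comma, cannot run and remains unverified. If the block is to stay disabled it would be clearer to drop it or comment it out, and if it is meant to be re-enabled the `&& 0` should go in the same change so the new query gets exercised. The block continues into the second hunk at `-582`, which only removes the old construction of `$staticcontrat`.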
@@ -615,21 +580,17 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T /* - * Opened proposals + * Opened (validated) proposals */ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { - $langs->load("propal"); - - $sql = "SELECT s.nom as name, s.rowid, s.code_client"; - $sql .= ", s.entity"; - $sql .= ", s.email"; - $sql .= ", p.rowid as propalid, p.entity, p.total as total_ttc, p.total_ht, p.tva as total_tva, p.ref, p.ref_client, p.fk_statut, p.datep as dp, p.fin_validite as dfv"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; - $sql .= ", ".MAIN_DB_PREFIX."propal as p"; + $sql = "SELECT p.rowid as propalid, p.entity, p.total as total_ttc, p.total_ht, p.tva as total_tva, p.ref, p.ref_client, p.fk_statut, p.datep as dp, p.fin_validite as dfv"; + $sql .= ", s.nom as name, s.rowid, s.code_client, s.entity, s.email"; + $sql .= " FROM ".MAIN_DB_PREFIX."propal as p"; + $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('propal').")"; - $sql .= " AND p.fk_statut = 1"; + $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; + $sql .= " AND p.fk_soc = s.rowid"; + $sql .= " AND p.fk_statut = ".Propal::STATUS_VALIDATED; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY p.rowid DESC"; @@ -663,24 +624,21 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $companystatic->entity = $obj->entity; $companystatic->email = $obj->email; - print ''; - - // Ref - print ''; - print ''; - print ''; - print ''; - print '
'; - print $propalstatic->getNomUrl(1); - print ''; - if ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) print img_warning($langs->trans("Late")); - print ''; $filename = dol_sanitizeFileName($obj->ref); $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print $formfile->getDocumentsLink($propalstatic->element, $filename, $filedir); - print '
'; - print ""; + $warning = ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) ? img_warning($langs->trans("Late")) : ''; + + print ''; + + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$propalstatic->getNomUrl(1).''.$warning.''.$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir).'
'; + print ''; print ''.$companystatic->getNomUrl(1, 'customer', 44).''; print ''.dol_print_date($db->jdate($obj->dp), 'day').''; @@ -690,7 +648,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { print ''; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } 
@@ -704,21 +662,17 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { /* - * Opened Order + * Opened (validated) order */ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { - $langs->load("orders"); - - $sql = "SELECT s.nom as name, s.rowid, c.rowid as commandeid, c.total_ttc, c.total_ht, c.tva as total_tva, c.ref, c.ref_client, c.fk_statut, c.date_valid as dv, c.facture as billed"; - $sql .= ", s.code_client"; - $sql .= ", s.entity"; - $sql .= ", s.email"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; - $sql .= ", ".MAIN_DB_PREFIX."commande as c"; + $sql = "SELECT c.rowid as commandeid, c.total_ttc, c.total_ht, c.tva as total_tva, c.ref, c.ref_client, c.fk_statut, c.date_valid as dv, c.facture as billed"; + $sql .= ", s.nom as name, s.rowid, s.code_client, s.entity, s.email"; + $sql .= " FROM ".MAIN_DB_PREFIX."commande as c"; + $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.entity IN (".getEntity('commande').")"; - $sql .= " AND (c.fk_statut = ".Commande::STATUS_VALIDATED." or c.fk_statut = ".Commande::STATUS_SHIPMENTONPROCESS.")"; + $sql .= " WHERE c.entity IN (".getEntity($orderstatic->element).")"; + $sql .= " AND c.fk_soc = s.rowid"; + $sql .= " AND c.fk_statut IN (".Commande::STATUS_VALIDATED.", ".Commande::STATUS_SHIPMENTONPROCESS.")"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY c.rowid DESC"; 
@@ -728,7 +682,7 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("OrdersOpened", "commande/list.php", "search_status=1", 4, $num); + startSimpleTable("OrdersOpened", "commande/list.php", "search_status=".Commande::STATUS_VALIDATED, 4, $num); if ($num > 0) { $i = 0; @@ -752,33 +706,31 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { $companystatic->entity = $obj->entity; $companystatic->email = $obj->email; - print ''; - - // Ref - print ''; - print ''; - print ''; - print ''; - print '
'; - print $orderstatic->getNomUrl(1); - print ''; - //if ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) print img_warning($langs->trans("Late")); - print ''; $filename = dol_sanitizeFileName($obj->ref); $filedir = $conf->commande->dir_output.'/'.dol_sanitizeFileName($obj->ref); $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print $formfile->getDocumentsLink($orderstatic->element, $filename, $filedir); - print '
'; - print ""; + //$warning = ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) ? img_warning($langs->trans("Late")) : ''; + + print ''; + + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$orderstatic->getNomUrl(1).''.$formfile->getDocumentsLink($orderstatic->element, $filename, $filedir).'
'; + print ''; print ''.$companystatic->getNomUrl(1, 'customer', 44).''; print ''.dol_print_date($db->jdate($obj->dp), 'day').''; print ''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).''; print ''.$orderstatic->LibStatut($obj->fk_statut, $obj->billed, 3).''; - print ''."\n"; + + print ''; $i++; - $total += $obj->total_ttc; + $total +=(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } @@ -790,7 +742,9 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { } } -print '
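Review bot: `dol_print_date($db->jdate($obj->dp), 'day')` reads `dp`, but the rewritten SELECT in the `-704` hunk only aliases `c.date_valid as dv`, so the date cell of the opened-orders table is rendered from an unset property; either select `c.date_valid as dp` or print `$obj->dv`. The context line `$urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid;` refers to a proposal id that this query does not return (it selects `c.rowid as commandeid`) and `$urlsource` is not used in the visible lines, so it looks like a leftover from the proposals block. The `while` loop continues outside the hunk.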
'; +print '
'; +print ''; +print ''; $parameters = array('user' => $user); $reshook = $hookmanager->executeHooks('dashboardCommercials', $parameters, $object); // Note that $action and $object may have been modified by hook diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php index da24f7bcb4f..fbdf3097139 100644 --- a/htdocs/comm/mailing/advtargetemailing.php +++ b/htdocs/comm/mailing/advtargetemailing.php @@ -47,7 +47,7 @@ if (!$user->rights->mailing->lire || $user->socid > 0) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index ccccc93da4f..26216c1ac01 100644 --- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php @@ -41,7 +41,7 @@ $langs->load("mails"); if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) accessforbidden(); $id = (GETPOST('mailid', 'int') ? GETPOST('mailid', 'int') : GETPOST('id', 'int')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $urlfrom = GETPOST('urlfrom'); @@ -738,7 +738,7 @@ if ($action == 'create') print '
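Review bot: `$urlfrom = GETPOST('urlfrom');` two lines below the tightened `$action` still relies on the implicit default filter; by name it is a return URL, and if it is later used as a redirect target or echoed into a link (not visible in this hunk) it should be checked as a same-site path before use, for example accepting only values that start with `DOL_URL_ROOT`. `$confirm = GETPOST('confirm', 'alpha');` could likewise use `'aZ09'` as `$action` does, since it is presumably compared against fixed tokens.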
'; // Editeur wysiwyg require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'none'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%'); + $doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtml'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%'); $doleditor->Create(); print '
'; diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php index 27e0c2e5b0c..be0518be553 100644 --- a/htdocs/comm/mailing/cibles.php +++ b/htdocs/comm/mailing/cibles.php @@ -42,7 +42,7 @@ if (!$user->rights->mailing->lire || $user->socid > 0) accessforbidden(); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 15785060809..f42b82718e6 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -68,7 +68,7 @@ $error = 0; $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $origin = GETPOST('origin', 'alpha'); $originid = GETPOST('originid', 'int'); @@ -355,8 +355,8 @@ if (empty($reshook)) $object->fk_project = GETPOST('projectid', 'int'); $object->model_pdf = GETPOST('model'); $object->author = $user->id; // deprecated - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->statut = Propal::STATUS_DRAFT; $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); 
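Review bot: `$object->model_pdf = GETPOST('model');` on the context line above the tightened notes keeps the implicit default filter although, by its name, the value selects a document generator and may end up in a file path or lookup outside this hunk; `GETPOST('model', 'alpha')` would make the intent explicit and match the surrounding reads. The identical line sits in the next hunk at `-383`. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.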
@@ -383,8 +383,8 @@ if (empty($reshook)) $object->fk_project = GETPOST('projectid', 'int'); $object->model_pdf = GETPOST('model'); $object->author = $user->id; // deprecated - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); @@ -627,7 +627,7 @@ if (empty($reshook)) { $db->begin(); - $result = $object->cloture($user, GETPOST('statut', 'int'), GETPOST('note_private', 'none')); + $result = $object->cloture($user, GETPOST('statut', 'int'), GETPOST('note_private', 'restricthtml')); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); @@ -792,9 +792,9 @@ if (empty($reshook)) } elseif ($action == 'addline' && $usercancreate) { // Add line // Set if we used free entry or predefined product $predef = ''; - $product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'none') : ''); - $price_ht = GETPOST('price_ht'); - $price_ht_devise = GETPOST('multicurrency_price_ht'); + $product_desc = (GETPOSTISSET('dp_desc') ?GETPOST('dp_desc', 'restricthtml') : ''); + $price_ht = price2num(GETPOST('price_ht')); + $price_ht_devise = price2num(GETPOST('multicurrency_price_ht')); $prod_entry_mode = GETPOST('prod_entry_mode'); if ($prod_entry_mode == 'free') { @@ -1152,7 +1152,7 @@ if (empty($reshook)) $info_bits |= 0x01; // Clean parameters - $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none')); + $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml')); // Define vat_rate $vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0); 
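Review bot: In the addline branch `price2num()` now normalises `price_ht` and `multicurrency_price_ht`, but `$prod_entry_mode = GETPOST('prod_entry_mode');` and, in the `-1152` hunk, `$vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0);` still rely on the implicit default filter while every other read in these hunks names one; `GETPOST('prod_entry_mode', 'aZ09')` fits a value that is only compared with `'free'`, and `tva_tx` deserves either an explicit filter or the same `price2num()` treatment if it is a plain rate. The `elseif ($action == 'addline' ...)` branch continues outside the hunk.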
@@ -1316,7 +1316,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { diff --git a/htdocs/comm/propal/contact.php b/htdocs/comm/propal/contact.php index c2f60516f1c..16be5930e89 100644 --- a/htdocs/comm/propal/contact.php +++ b/htdocs/comm/propal/contact.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('facture', 'orders', 'sendings', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $lineid = GETPOST('lineid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/comm/propal/index.php b/htdocs/comm/propal/index.php index 9e138c52cbe..692f561867a 100644 --- a/htdocs/comm/propal/index.php +++ b/htdocs/comm/propal/index.php @@ -1,8 +1,9 @@ - * Copyright (C) 2004-2017 Laurent Destailleur - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2019 Nicolas ZABOURI +/* Copyright (C) 2003-2004 Rodolphe Quiedeville + * Copyright (C) 2004-2017 Laurent Destailleur + * Copyright (C) 2005-2012 Regis Houssin + * Copyright (C) 2019 Nicolas ZABOURI + * Copyright (C) 2020 Tobias Sekan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -19,22 +20,12 @@ */ /** - * \file htdocs/comm/propal/index.php - * \ingroup propal - * \brief Home page of proposal area + * \file htdocs/comm/propal/index.php + * \ingroup propal + * \brief Home page of proposal area */ require '../../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; -require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; - -$hookmanager = new HookManager($db); - -// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array -$hookmanager->initHooks(array('proposalindex')); - -// Load translation files required by the page -$langs->loadLangs(array('propal', 'companies')); // Security check $socid = GETPOST('socid', 'int'); @@ -43,13 +34,24 @@ if (isset($user->socid) && $user->socid > 0) $action = ''; $socid = $user->socid; } -$result = restrictedArea($user, 'propal'); +restrictedArea($user, 'propal'); +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; +require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; + +// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array +$hookmanager = new HookManager($db); +$hookmanager->initHooks(array('proposalindex')); + +// Load translation files required by the page +$langs->loadLangs(array('propal', 'companies')); + +$now = dol_now(); +$max = 5; /* * View */ -$now = dol_now(); $propalstatic = new Propal($db); $companystatic = new Societe($db); $form = new Form($db); @@ -60,192 +62,218 @@ llxHeader("", $langs->trans("ProspectionArea"), $help_url); print load_fiche_titre($langs->trans("ProspectionArea"), '', 'propal'); -//print ''; -//print ''; + print ''; + print ''; + } + + //if ($totalinprocess != $total) + //{ + // print ''; + // print ''; + // print ''; + // print ''; + //} + + print ''; + print ''; + print ''; + print ''; + + print '
'; -print '
'; +print '
'; +print '
'; - -if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) // This is useless due to the global search combo +// This is useless due to the global search combo +if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { - print '
'; - print '
'; - print ''; - print ''; - print ''; - print ''; - print "
'.$langs->trans("Search").'
'; - print $langs->trans("Proposal").':

\n"; -} + print '
'; + print '
'; + print ''; + print ''; + print ''; + print ''; + print ''; + + print ''; + print ''; + print ''; + print ''; + print ''; + + print '
'.$langs->trans("Search").'
'.$langs->trans("Proposal").':
'; + print '
'; + print '
'; + print '
'; +} /* * Statistics */ +$listofstatus = array(Propal::STATUS_DRAFT, Propal::STATUS_VALIDATED, Propal::STATUS_SIGNED, Propal::STATUS_NOTSIGNED, Propal::STATUS_BILLED); $sql = "SELECT count(p.rowid) as nb, p.fk_statut as status"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."propal as p"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; -$sql .= " WHERE p.fk_soc = s.rowid"; -$sql .= " AND p.entity IN (".getEntity('propal').")"; +$sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; +$sql .= " AND p.fk_soc = s.rowid"; if ($user->socid) $sql .= ' AND p.fk_soc = '.$user->socid; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; -$sql .= " AND p.fk_statut IN (0,1,2,3,4)"; +$sql .= " AND p.fk_statut IN (".implode(" ,", $listofstatus).")"; $sql .= " GROUP BY p.fk_statut"; $resql = $db->query($sql); if ($resql) { - $num = $db->num_rows($resql); - $i = 0; + $num = $db->num_rows($resql); + $i = 0; + $total = 0; + $totalinprocess = 0; + $dataseries = array(); + $colorseries = array(); + $vals = array(); - $total = 0; - $totalinprocess = 0; - $dataseries = array(); - $colorseries = array(); - $vals = array(); + while ($i < $num) + { + $obj = $db->fetch_object($resql); + if ($obj) + { + $vals[$obj->status] = $obj->nb; + $totalinprocess += $obj->nb; - // -1=Canceled, 0=Draft, 1=Validated, (2=Accepted/On process not managed for customer orders), 3=Closed (Sent/Received, billed or not) - while ($i < $num) - { - $obj = $db->fetch_object($resql); - if ($obj) - { - $vals[$obj->status] = $obj->nb; - $totalinprocess += $obj->nb; + $total += $obj->nb; + } + $i++; + } + $db->free($resql); - $total += $obj->nb; - } - $i++; - } - $db->free($resql); + include_once DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/theme_vars.inc.php'; - include_once DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/theme_vars.inc.php'; + print '
'; + print ''; - print '
'; - print '
'; - print ''."\n"; - $listofstatus = array(0, 1, 2, 3, 4); - foreach ($listofstatus as $status) - { - $dataseries[] = array($propalstatic->LibStatut($status, 1), (isset($vals[$status]) ? (int) $vals[$status] : 0)); - if ($status == Propal::STATUS_DRAFT) $colorseries[$status] = '-'.$badgeStatus0; - if ($status == Propal::STATUS_VALIDATED) $colorseries[$status] = $badgeStatus1; - if ($status == Propal::STATUS_SIGNED) $colorseries[$status] = $badgeStatus4; - if ($status == Propal::STATUS_NOTSIGNED) $colorseries[$status] = $badgeStatus9; - if ($status == Propal::STATUS_BILLED) $colorseries[$status] = $badgeStatus6; + print ''; + print ''; + print ''; - if (empty($conf->use_javascript_ajax)) - { - print ''; - print ''; - print ''; - print "\n"; - } - } - if ($conf->use_javascript_ajax) - { - print ''; + print ''; + print ''; + print "\n"; + } + } - print ''; - } - //if ($totalinprocess != $total) - //print ''; - print ''; - print "
'.$langs->trans("Statistics").' - '.$langs->trans("Proposals").'
'.$langs->trans("Statistics").' - '.$langs->trans("Proposals").'
'.$propalstatic->LibStatut($status, 0).''.(isset($vals[$status]) ? $vals[$status] : 0).'
'; + foreach ($listofstatus as $status) { + $dataseries[] = array($propalstatic->LibStatut($status, 1), (isset($vals[$status]) ? (int) $vals[$status] : 0)); + if ($status == Propal::STATUS_DRAFT) $colorseries[$status] = '-'.$badgeStatus0; + if ($status == Propal::STATUS_VALIDATED) $colorseries[$status] = $badgeStatus1; + if ($status == Propal::STATUS_SIGNED) $colorseries[$status] = $badgeStatus4; + if ($status == Propal::STATUS_NOTSIGNED) $colorseries[$status] = $badgeStatus9; + if ($status == Propal::STATUS_BILLED) $colorseries[$status] = $badgeStatus6; - include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; - $dolgraph = new DolGraph(); - $dolgraph->SetData($dataseries); - $dolgraph->SetDataColor(array_values($colorseries)); - $dolgraph->setShowLegend(2); - $dolgraph->setShowPercent(1); - $dolgraph->SetType(array('pie')); - $dolgraph->setHeight('200'); - $dolgraph->draw('idgraphthirdparties'); - print $dolgraph->show($total ? 0 : 1); + if (empty($conf->use_javascript_ajax)) { + print '
'.$propalstatic->LibStatut($status, 0).''.(isset($vals[$status]) ? $vals[$status] : 0).'
'.$langs->trans("Total").' ('.$langs->trans("CustomersOrdersRunning").')'.$totalinprocess.'
'.$langs->trans("Total").''.$total.'

"; + if ($conf->use_javascript_ajax) { + print '
'; + + include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; + $dolgraph = new DolGraph(); + $dolgraph->SetData($dataseries); + $dolgraph->SetDataColor(array_values($colorseries)); + $dolgraph->setShowLegend(2); + $dolgraph->setShowPercent(1); + $dolgraph->SetType(array('pie')); + $dolgraph->setHeight('200'); + $dolgraph->draw('idgraphthirdparties'); + print $dolgraph->show($total ? 0 : 1); + + print '
'.$langs->trans("Total").' ('.$langs->trans("CustomersOrdersRunning").')'.$totalinprocess.'
'.$langs->trans("Total").''.$total.'
'; + print ''; + print '
'; } else { - dol_print_error($db); + dol_print_error($db); } /* * Draft proposals */ -if (!empty($conf->propal->enabled)) -{ - $sql = "SELECT c.rowid, c.ref, s.nom as socname, s.rowid as socid, s.canvas, s.client"; - $sql .= " FROM ".MAIN_DB_PREFIX."propal as c"; +if (!empty($conf->propal->enabled)) { + $sql = "SELECT p.rowid, p.ref, p.ref_client, p.total_ht, p.tva as total_tva, p.total as total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.email, s.entity, s.code_compta"; + $sql .= " FROM ".MAIN_DB_PREFIX."propal as p"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.entity IN (".getEntity('propal').")"; - $sql .= " AND c.fk_statut = 0"; - if ($socid) $sql .= " AND c.fk_soc = ".$socid; + $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; + $sql .= " AND p.fk_soc = s.rowid"; + $sql .= " AND p.fk_statut =".Propal::STATUS_DRAFT; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; + if ($socid) $sql .= " AND p.fk_soc = ".$socid; $resql = $db->query($sql); - if ($resql) - { + if ($resql) { $num = $db->num_rows($resql); - if ($num) - { - print '
'; - print ''; - print ''; - $langs->load("propal"); - print ''; + $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); + startSimpleTable("DraftPropals", "comm/propal/list.php", "search_status=".Propal::STATUS_DRAFT, 2, $num); + if ($num) { + $total = 0; $i = 0; - $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - while ($i < $nbofloop) - { + + while ($i < $nbofloop) { $obj = $db->fetch_object($resql); - print ''; $propalstatic->id = $obj->rowid; $propalstatic->ref = $obj->ref; - print ''; + $propalstatic->ref_client = $obj->ref_client; + $propalstatic->total_ht = $obj->total_ht; + $propalstatic->total_tva = $obj->total_tva; + $propalstatic->total_ttc = $obj->total_ttc; $companystatic->id = $obj->socid; - $companystatic->name = $obj->socname; + $companystatic->name = $obj->name; $companystatic->client = $obj->client; + $companystatic->code_client = $obj->code_client; + $companystatic->code_fournisseur = $obj->code_fournisseur; $companystatic->canvas = $obj->canvas; - print ''; + $companystatic->entity = $obj->entity; + $companystatic->email = $obj->email; + $companystatic->code_compta = $obj->code_compta; + print ''; + print ''; + print ''; + print ''; print ''; + $i++; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } - if ($num > $nbofloop) - { - print '"; - } elseif ($total > 0) - { - print '"; - } - print "
'.$langs->trans("DraftPropals").' '.$num.'
'.$propalstatic->getNomUrl(1).''.$companystatic->getNomUrl(1, 'customer', 24).'
'.$propalstatic->getNomUrl(1).''.$companystatic->getNomUrl(1, 'customer', 16).''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).'
'.$langs->trans("XMoreLines", ($num - $nbofloop))."
'.$langs->trans("Total").''.price($total)."
"; - print "

"; } + + addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); + finishSimpleTable(true); + $db->free($resql); + } else { + dol_print_error($db); } } +print ''; -//print ''; -print '
'; - - -$max = 5; +print '
'; +print '
'; /* * Last modified proposals */ -$sql = "SELECT c.rowid, c.entity, c.ref, c.fk_statut, s.nom as socname, s.rowid as socid, s.canvas, s.client,"; -$sql .= " date_cloture as datec"; +$sql = "SELECT c.rowid, c.entity, c.ref, c.fk_statut, date_cloture as datec"; +$sql .= ", s.nom as socname, s.rowid as socid, s.canvas, s.client"; $sql .= " FROM ".MAIN_DB_PREFIX."propal as c"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; -$sql .= " WHERE c.fk_soc = s.rowid"; -$sql .= " AND c.entity IN (".getEntity('propal').")"; +$sql .= " WHERE c.entity IN (".getEntity($propalstatic->element).")"; +$sql .= " AND c.fk_soc = s.rowid"; //$sql.= " AND c.fk_statut > 2"; if ($socid) $sql .= " AND c.fk_soc = ".$socid; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; @@ -253,150 +281,126 @@ $sql .= " ORDER BY c.tms DESC"; $sql .= $db->plimit($max, 0); $resql = $db->query($sql); -if ($resql) -{ - print '
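Review bot: In the draft-proposals section the added `$total = 0;` sits inside `if ($num) {`, but `addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal");` is called after that block regardless of `$num`; when the query returns no rows, `$total` still holds the `$total += $obj->nb` count accumulated by the statistics query above. Whether addSummaryTableLine reads `$total` when `$num` is 0 is not visible here, but the open-proposals section in the next hunk resets `$total = 0;` before its `if ($num > 0)`, so the two sections disagree. Move the reset above the `if ($num) {` line, i.e. `$total = 0;` directly after the `startSimpleTable("DraftPropals", ...)` call.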
'; - print ''; - print ''; - print ''; - +if ($resql) { $num = $db->num_rows($resql); - if ($num) - { - $i = 0; - while ($i < $num) - { - $obj = $db->fetch_object($resql); + startSimpleTable($langs->trans("LastModifiedProposals", $max), "", "", 3); - print ''; - print ''; - $companystatic->id = $obj->socid; $companystatic->name = $obj->socname; $companystatic->client = $obj->client; $companystatic->canvas = $obj->canvas; - print ''; - print ''; + $filename = dol_sanitizeFileName($obj->ref); + $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); + $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->rowid; - print ''; + print ''; + + print ''; + + print ''; + print ''; + print ''; + + print ''; + $i++; } } - print "
'.$langs->trans("LastModifiedProposals", $max).'
'; + if ($num) { + $i = 0; + while ($i < $num) { + $obj = $db->fetch_object($resql); $propalstatic->id = $obj->rowid; $propalstatic->ref = $obj->ref; - print ''; - print ''; - - print ''; - - print '
'; - print $propalstatic->getNomUrl(1); - print ''; - print ' '; - print ''; - $filename = dol_sanitizeFileName($obj->ref); - $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); - $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->rowid; - print $formfile->getDocumentsLink($propalstatic->element, $filename, $filedir); - print '
'; - - print '
'.$companystatic->getNomUrl(1, 'customer').''.dol_print_date($db->jdate($obj->datec), 'day').''.$propalstatic->LibStatut($obj->fk_statut, 3).'
'; + print ''; + print ''; + print ''; + print ''; + print ''; print ''; + print '
'.$propalstatic->getNomUrl(1).''.$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir).'
'; + print '
'.$companystatic->getNomUrl(1, 'customer').''.dol_print_date($db->jdate($obj->datec), 'day').''.$propalstatic->LibStatut($obj->fk_statut, 3).'
"; - print "

"; -} else dol_print_error($db); + + finishSimpleTable(true); + $db->free($resql); +} else { + dol_print_error($db); +} /* - * Open proposals + * Open (validated) proposals */ -if (!empty($conf->propal->enabled) && $user->rights->propale->lire) -{ - $langs->load("propal"); - - $now = dol_now(); - +if (!empty($conf->propal->enabled) && $user->rights->propale->lire) { $sql = "SELECT s.nom as socname, s.rowid as socid, s.canvas, s.client"; $sql .= ", p.rowid as propalid, p.entity, p.total as total_ttc, p.total_ht, p.ref, p.fk_statut, p.datep as dp, p.fin_validite as dfv"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."propal as p"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql .= " WHERE p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('propal').")"; - $sql .= " AND p.fk_statut = 1"; + $sql .= " AND p.entity IN (".getEntity($propalstatic->element).")"; + $sql .= " AND p.fk_statut = ".Propal::STATUS_VALIDATED; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY p.rowid DESC"; - $result = $db->query($sql); - if ($result) - { + $resql = $db->query($sql); + if ($resql) { $total = 0; - $num = $db->num_rows($result); - $i = 0; - if ($num > 0) - { - print '
'; - print ''; - print ''; + $num = $db->num_rows($resql); + $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); + startSimpleTable("ProposalsOpened", "comm/propal/list.php", "search_status=".Propal::STATUS_VALIDATED, 4, $num); - $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - while ($i < $nbofloop) - { - $obj = $db->fetch_object($result); - - print ''; - - // Ref - print '"; - $companystatic->id = $obj->socid; $companystatic->name = $obj->socname; $companystatic->client = $obj->client; $companystatic->canvas = $obj->canvas; - print ''."\n"; - print ''."\n"; + $filename = dol_sanitizeFileName($obj->ref); + $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); + $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print ''; + $warning = ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) ? img_warning($langs->trans("Late")) : ''; + + print ''; + + // Ref + print ''; + + print ''; + print ''; + print ''; + print ''; + + print ''; - print ''."\n"; - print ''."\n"; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } - if ($num > $nbofloop) - { - print '"; - } elseif ($total > 0) - { - print '"; - } - print "
'.$langs->trans("ProposalsOpened").' '.$num.'
'; + if ($num > 0) { + $i = 0; + while ($i < $nbofloop) { + $obj = $db->fetch_object($resql); $propalstatic->id = $obj->propalid; $propalstatic->ref = $obj->ref; - print ''; - print ''; - print ''; - print '
'; - print $propalstatic->getNomUrl(1); - print ''; - if ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) print img_warning($langs->trans("Late")); - print ''; - $filename = dol_sanitizeFileName($obj->ref); - $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); - $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print $formfile->getDocumentsLink($propalstatic->element, $filename, $filedir); - print '
'; - - print "
'.$companystatic->getNomUrl(1, 'customer', 44).''.dol_print_date($db->jdate($obj->dp), 'day').''.price($obj->total_ttc).'
'; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$propalstatic->getNomUrl(1).''.$warning.''.$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir).'
'; + print '
'.$companystatic->getNomUrl(1, 'customer', 44).''.dol_print_date($db->jdate($obj->dp), 'day').''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).''.$propalstatic->LibStatut($obj->fk_statut, 3).'
'.$propalstatic->LibStatut($obj->fk_statut, 3).'
'.$langs->trans("XMoreLines", ($num - $nbofloop))."
'.$langs->trans("Total")."".price($total)." 
"; - print "

"; } + + addSummaryTableLine(5, $num, $nbofloop, $total, "None", true); + finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); } @@ -405,6 +409,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) /* * Proposals to process */ + /* if (! empty($conf->propal->enabled)) { @@ -479,7 +484,9 @@ if (! empty($conf->propal->enabled)) /* * Proposal that are in a shipping process */ -/*if (! empty($conf->propal->enabled)) + +/* +if (! empty($conf->propal->enabled)) { $sql = "SELECT c.rowid, c.ref, c.fk_statut, c.facture, s.nom as name, s.rowid as socid"; $sql.= " FROM ".MAIN_DB_PREFIX."commande as c"; @@ -548,8 +555,9 @@ if (! empty($conf->propal->enabled)) } */ -//print ''; -print '
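Review bot: `$urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->rowid;` in the last-modified loop and `$urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid;` in the open-proposals loop are assigned on the new side but never read: the `$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir)` call that follows takes only `$filename` and `$filedir`. Unless a hook or the commented-out sections further down consume it, drop both lines; keeping an unused string built from `$_SERVER['PHP_SELF']` only invites a later print of it without escaping.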
'; +print '
'; +print ''; +print ''; $parameters = array('user' => $user); $reshook = $hookmanager->executeHooks('dashboardPropals', $parameters, $object); // Note that $action and $object may have been modified by hook diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index f066edb8fb2..1391bc4e1fd 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -50,7 +50,7 @@ $langs->loadLangs(array('companies', 'propal', 'compta', 'bills', 'orders', 'pro $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/comm/propal/note.php b/htdocs/comm/propal/note.php index 06385bd40e9..ef35903fcd0 100644 --- a/htdocs/comm/propal/note.php +++ b/htdocs/comm/propal/note.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('propal', 'compta', 'bills', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php index ffd4c1738c0..16a7d362ba6 100644 --- a/htdocs/comm/remx.php +++ b/htdocs/comm/remx.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('orders', 'bills', 'companies')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); // Security check diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index c2536ee59d6..d48e990e7e8 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php 
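Review bot: In the propal/list.php hunk only `action` is tightened to `'aZ09'` while `$massaction = GETPOST('massaction', 'alpha');` and `$confirm = GETPOST('confirm', 'alpha');` on the adjacent context lines keep `'alpha'`; all three look like dispatch keywords compared against fixed strings, so if `'aZ09'` is the intended filter for such values the same change presumably applies, e.g. `$massaction = GETPOST('massaction', 'aZ09');`. The same pairing recurs in the commande/card.php (`cancel`, `confirm`), compta/bank/bankentries_list.php, compta/bank/list.php, compta/bank/document.php and compta/bank/various_payment/document.php hunks. If `massaction` or `confirm` can legitimately carry characters outside the `'aZ09'` set, a short comment on the line saying so would save the next reviewer the same question.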
@@ -67,7 +67,7 @@ if (!empty($conf->productbatch->enabled)) $langs->load("productbatch"); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('orderid', 'int')); $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); $lineid = GETPOST('lineid', 'int'); @@ -263,8 +263,8 @@ if (empty($reshook)) $db->begin(); $object->date_commande = $datecommande; - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->source = GETPOST('source_id'); $object->fk_project = GETPOST('projectid', 'int'); $object->ref_client = GETPOST('ref_client', 'alpha'); @@ -992,7 +992,7 @@ if (empty($reshook)) $date_end = ''; $date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear')); $date_end = dol_mktime(GETPOST('date_endhour'), GETPOST('date_endmin'), GETPOST('date_endsec'), GETPOST('date_endmonth'), GETPOST('date_endday'), GETPOST('date_endyear')); - $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none')); + $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml')); $pu_ht = GETPOST('price_ht'); $vat_rate = (GETPOST('tva_tx') ?GETPOST('tva_tx') : 0); $pu_ht_devise = GETPOST('multicurrency_subprice'); @@ -1256,7 +1256,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) 
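Review bot: In the commande/card.php `@@ -992` hunk the context line `$pu_ht = GETPOST('price_ht');` (and `$pu_ht_devise = GETPOST('multicurrency_subprice');`) still takes the raw value, whereas the parallel propal/card.php addline hunk in this same commit wraps the price as `price2num(GETPOST('price_ht'))`. If the propal change is meant as the model, apply it here too: `$pu_ht = price2num(GETPOST('price_ht'));`. The surrounding addline handler starts and ends outside the hunk.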
diff --git a/htdocs/commande/contact.php b/htdocs/commande/contact.php index 2d11feeeee2..f44813a4994 100644 --- a/htdocs/commande/contact.php +++ b/htdocs/commande/contact.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('orders', 'sendings', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/commande/note.php b/htdocs/commande/note.php index 9054252e6d9..9922d3b0e3e 100644 --- a/htdocs/commande/note.php +++ b/htdocs/commande/note.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('companies', 'bills', 'orders')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check $socid = 0; diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index 0c20e46e316..d73e7228b82 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php @@ -60,7 +60,7 @@ $date_stopMonth = GETPOST('date_stopmonth', 'int'); $date_stopYear = GETPOST('date_stopyear', 'int'); //FIXME doldate $date_stop = ($date_stopDay) ?dol_mktime(23, 59, 59, $date_stopMonth, $date_stopDay, $date_stopYear) : strtotime($date_stop); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('comptafileslist', 'globallist')); 
@@ -68,7 +68,7 @@ $hookmanager->initHooks(array('comptafileslist', 'globallist')); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php index 1e9c6e3b358..3b8423b68dc 100644 --- a/htdocs/compta/bank/account_statement_document.php +++ b/htdocs/compta/bank/account_statement_document.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('banks', 'companies', 'other')); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('account', 'int')); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $numref = (GETPOST('num', 'alpha') ? GETPOST('num', 'alpha') : GETPOST('sectionid', 'alpha')); diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php index 9e1d1dedfc7..1573a226521 100644 --- a/htdocs/compta/bank/bankentries_list.php +++ b/htdocs/compta/bank/bankentries_list.php @@ -56,7 +56,7 @@ $langs->loadLangs(array("banks", "bills", "categories", "companies", "margins", $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); $contextpage = 'banktransactionlist'.(empty($object->ref) ? '' : '-'.$object->id); diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php index c99f303210b..7d9e825ce08 100644 --- a/htdocs/compta/bank/card.php 
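Review bot: In the accounting-files.php `@@ -68` hunk `sortorder` is tightened to `'aZ09comma'` but the line above it, `$sortfield = GETPOST('sortfield', 'alpha');`, keeps `'alpha'`; in a pagination block both values normally end up in the same ORDER BY clause, and `sortfield` is the one that names columns, so it would benefit at least as much from the restricted character set. If nothing downstream needs characters outside that set in `sortfield`, change it to `$sortfield = GETPOST('sortfield', 'aZ09comma');`. The same pairing is left as-is in the compta/bank/various_payment/document.php, compta/cashcontrol/cashcontrol_list.php and compta/deplacement/document.php hunks.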
+++ b/htdocs/compta/bank/card.php @@ -115,7 +115,7 @@ if ($action == 'add') $object->min_allowed = GETPOST("account_min_allowed", 'int'); $object->min_desired = GETPOST("account_min_desired", 'int'); - $object->comment = trim(GETPOST("account_comment", 'none')); + $object->comment = trim(GETPOST("account_comment", 'restricthtml')); $object->fk_user_author = $user->id; @@ -213,7 +213,7 @@ if ($action == 'update') $object->min_allowed = GETPOST("account_min_allowed", 'int'); $object->min_desired = GETPOST("account_min_desired", 'int'); - $object->comment = trim(GETPOST("account_comment", 'none')); + $object->comment = trim(GETPOST("account_comment", 'restricthtml')); if ($conf->global->MAIN_BANK_ACCOUNTANCY_CODE_ALWAYS_REQUIRED && empty($object->account_number)) { diff --git a/htdocs/compta/bank/document.php b/htdocs/compta/bank/document.php index e3863cd2922..2bd95409827 100644 --- a/htdocs/compta/bank/document.php +++ b/htdocs/compta/bank/document.php @@ -36,7 +36,7 @@ $langs->loadLangs(array('banks', 'companies', 'other')); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('account', 'int')); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php index 976c6997bdd..0da5a557647 100644 --- a/htdocs/compta/bank/line.php +++ b/htdocs/compta/bank/line.php @@ -43,7 +43,7 @@ if (!empty($conf->salaries->enabled)) $langs->load("salaries"); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('account', 'int')); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $rowid = GETPOST("rowid", 'int'); $orig_account = GETPOST("orig_account"); diff --git a/htdocs/compta/bank/list.php b/htdocs/compta/bank/list.php index a97d4452e2d..5cdd4711871 100644 --- a/htdocs/compta/bank/list.php 
+++ b/htdocs/compta/bank/list.php @@ -39,7 +39,7 @@ if (!empty($conf->categorie->enabled)) require_once DOL_DOCUMENT_ROOT.'/categori // Load translation files required by the page $langs->loadLangs(array('banks', 'categories', 'accountancy', 'compta')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/compta/bank/releve.php b/htdocs/compta/bank/releve.php index aee53fe3f23..ba5e20c11c1 100644 --- a/htdocs/compta/bank/releve.php +++ b/htdocs/compta/bank/releve.php @@ -48,7 +48,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php'; // Load translation files required by the page $langs->loadLangs(array("banks", "categories", "companies", "bills", "trips", "donations", "loan")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('account', 'int') ? GETPOST('account', 'int') : GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $dvid = GETPOST('dvid', 'alpha'); diff --git a/htdocs/compta/bank/transfer.php b/htdocs/compta/bank/transfer.php index 7228c38fe50..70903f9120f 100644 --- a/htdocs/compta/bank/transfer.php +++ b/htdocs/compta/bank/transfer.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("banks", "categories", "multicurrency")); if (!$user->rights->banque->transfer) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $error = 0; diff --git a/htdocs/compta/bank/various_payment/card.php b/htdocs/compta/bank/various_payment/card.php index 071a5abf0a9..20eab8b349e 100644 --- a/htdocs/compta/bank/various_payment/card.php +++ b/htdocs/compta/bank/various_payment/card.php 
@@ -107,8 +107,8 @@ if (empty($reshook)) $object->datev = $datev; $object->datep = $datep; $object->amount = price2num(GETPOST("amount", 'alpha')); - $object->label = GETPOST("label", 'none'); - $object->note = GETPOST("note", 'none'); + $object->label = GETPOST("label", 'restricthtml'); + $object->note = GETPOST("note", 'restricthtml'); $object->type_payment = GETPOST("paymenttype", 'int') > 0 ? GETPOST("paymenttype", "int") : 0; $object->num_payment = GETPOST("num_payment", 'alpha'); $object->fk_user_author = $user->id; diff --git a/htdocs/compta/bank/various_payment/document.php b/htdocs/compta/bank/various_payment/document.php index 7a89fd77986..267908cde41 100644 --- a/htdocs/compta/bank/various_payment/document.php +++ b/htdocs/compta/bank/various_payment/document.php @@ -34,7 +34,7 @@ $langs->loadLangs(array("compta", "banks", "bills", "users", "accountancy")); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check @@ -45,7 +45,7 @@ $result = restrictedArea($user, 'banque', '', '', ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/cashcontrol/cashcontrol_list.php b/htdocs/compta/cashcontrol/cashcontrol_list.php index d24c4ac1059..ae2837a35cd 100644 --- a/htdocs/compta/cashcontrol/cashcontrol_list.php +++ b/htdocs/compta/cashcontrol/cashcontrol_list.php 
@@ -64,7 +64,7 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/compta/deplacement/card.php b/htdocs/compta/deplacement/card.php
index 4d3ec6b1ee6..682981852d8 100644
--- a/htdocs/compta/deplacement/card.php
+++ b/htdocs/compta/deplacement/card.php
@@ -43,7 +43,7 @@ $id = GETPOST('id', 'int');
 if ($user->socid) $socid = $user->socid;
 $result = restrictedArea($user, 'deplacement', $id, '');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $object = new Deplacement($db);
diff --git a/htdocs/compta/deplacement/document.php b/htdocs/compta/deplacement/document.php
index 889eb390ca2..98354e328f0 100644
--- a/htdocs/compta/deplacement/document.php
+++ b/htdocs/compta/deplacement/document.php
@@ -39,7 +39,7 @@ $langs->loadLangs(array('other', 'trips', 'companies', 'interventions'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
@@ -50,7 +50,7 @@ $result = restrictedArea($user, 'deplacement', $id, '');
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/compta/facture/admin/facture_cust_extrafields.php b/htdocs/compta/facture/admin/facture_cust_extrafields.php
index 55d4141fc07..df5cb39f9e4 100644
--- a/htdocs/compta/facture/admin/facture_cust_extrafields.php
+++ b/htdocs/compta/facture/admin/facture_cust_extrafields.php
@@ -40,7 +40,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'facture'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php b/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php
index feeca2046d6..a8d073958ad 100644
--- a/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php
+++ b/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php
@@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'facture_rec'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/compta/facture/admin/facturedet_cust_extrafields.php b/htdocs/compta/facture/admin/facturedet_cust_extrafields.php
index 87467f0dba6..ebe2a437a92 100644
--- a/htdocs/compta/facture/admin/facturedet_cust_extrafields.php
+++ b/htdocs/compta/facture/admin/facturedet_cust_extrafields.php
@@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'facturedet'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php b/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php
index 32a7a8cb75a..a09b0380f59 100644
--- a/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php
+++ b/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php
@@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'facturedet_rec'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/compta/facture/card-rec.php b/htdocs/compta/facture/card-rec.php
index 0074fcc8ba9..284ec8111d5 100644
--- a/htdocs/compta/facture/card-rec.php
+++ b/htdocs/compta/facture/card-rec.php
@@ -190,8 +190,8 @@ if (empty($reshook))
 {
 $object->titre = GETPOST('titre', 'nohtml'); // deprecated
 $object->title = GETPOST('titre', 'nohtml');
- $object->note_private = GETPOST('note_private', 'none');
- $object->note_public = GETPOST('note_public', 'none');
+ $object->note_private = GETPOST('note_private', 'restricthtml');
+ $object->note_public = GETPOST('note_public', 'restricthtml');
 $object->model_pdf = GETPOST('modelpdf', 'alpha');
 $object->usenewprice = GETPOST('usenewprice', 'alpha');
@@ -405,7 +405,7 @@ if (empty($reshook))
 $object->oldcopy = dol_clone($object);
 // Fill array 'array_options' with data from update form
- $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none'));
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
 if ($ret < 0) $error++;
 if (!$error)
@@ -713,7 +713,7 @@ if (empty($reshook))
 $date_end = '';
 //$date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear'));
 //$date_end = dol_mktime(GETPOST('date_endhour'), GETPOST('date_endmin'), GETPOST('date_endsec'), GETPOST('date_endmonth'), GETPOST('date_endday'), GETPOST('date_endyear'));
- $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none') ? GETPOST('product_desc', 'none') : GETPOST('desc', 'none'));
+ $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml') ? GETPOST('product_desc', 'restricthtml') : GETPOST('desc', 'restricthtml'));
 $pu_ht = GETPOST('price_ht');
 $vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0);
 $qty = GETPOST('qty');
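Review bot: The description line now goes through `restricthtml`, but the three context lines right after it, `$pu_ht = GETPOST('price_ht');`, `$vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0);` and `$qty = GETPOST('qty');`, still take the value with GETPOST's default check, while the matching add-line hunk in facture/card.php in this same diff wraps `price_ht` in `price2num()`. Normalising them here keeps the two line-entry paths consistent: `$pu_ht = price2num(GETPOST('price_ht'));` and `$qty = price2num(GETPOST('qty'));`. The `GETPOST('attribute', 'restricthtml')` in the `-405` hunk reads what looks like a form-field prefix rather than user text, so `'aZ09'` is presumably the intended filter there; verify against `setOptionalsFromPost`. The enclosing action block starts before the hunk.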
@@ -964,8 +964,8 @@ if ($action == 'create')
 print ''.$langs->trans("Customer").''.$object->thirdparty->getNomUrl(1, 'customer').'';
 print '';
- $note_public = GETPOST('note_public', 'none') ?GETPOST('note_public', 'none') : $object->note_public;
- $note_private = GETPOST('note_private', 'none') ?GETPOST('note_private', 'none') : $object->note_private;
+ $note_public = GETPOSTISSET('note_public') ? GETPOST('note_public', 'restricthtml') : $object->note_public;
+ $note_private = GETPOSTISSET('note_private') ? GETPOST('note_private', 'restricthtml') : $object->note_private;
 // Help of substitution key
 $substitutionarray = getCommonSubstitutionArray($langs, 2, null, $object);
diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php
index 3600e9a8322..b19ee852db6 100644
--- a/htdocs/compta/facture/card.php
+++ b/htdocs/compta/facture/card.php
@@ -75,7 +75,7 @@ $projectid = (GETPOST('projectid', 'int') ? GETPOST('projectid', 'int') : 0);
 $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
 $lineid = GETPOST('lineid', 'int');
@@ -746,8 +746,8 @@ if (empty($reshook))
 elseif ($action == 'confirm_paid_partially' && $confirm == 'yes' && $usercanissuepayment) {
 $object->fetch($id);
- $close_code = GETPOST("close_code", 'none');
- $close_note = GETPOST("close_note", 'none');
+ $close_code = GETPOST("close_code", 'restricthtml');
+ $close_note = GETPOST("close_note", 'restricthtml');
 if ($close_code) {
 $result = $object->set_paid($user, $close_code, $close_note);
 if ($result < 0) setEventMessages($object->error, $object->errors, 'errors');
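Review bot: `$close_code` is read with `restricthtml` although it is used as a code (it is tested for truthiness and passed straight into `set_paid()`), for which an HTML-tolerant filter is broader than needed; `$close_code = GETPOST("close_code", 'alpha');` (or `'aZ09'` if the codes are plain identifiers) matches how the other code-like parameters in this hunk such as `$confirm` are read, with `restricthtml` kept for `$close_note` only. What `set_paid()` does with the code is outside the hunk, so confirm the accepted values before narrowing. The `elseif` branch continues past the hunk.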
@@ -757,8 +757,8 @@ if (empty($reshook))
 } // Classify "abandoned"
 elseif ($action == 'confirm_canceled' && $confirm == 'yes') {
 $object->fetch($id);
- $close_code = GETPOST("close_code", 'none');
- $close_note = GETPOST("close_note", 'none');
+ $close_code = GETPOST("close_code", 'restricthtml');
+ $close_note = GETPOST("close_note", 'restricthtml');
 if ($close_code) {
 $result = $object->set_canceled($user, $close_code, $close_note);
 if ($result < 0) setEventMessages($object->error, $object->errors, 'errors');
@@ -987,7 +987,7 @@ if (empty($reshook))
 $object->date = $dateinvoice;
 $object->date_pointoftax = $date_pointoftax;
- $object->note_public = trim(GETPOST('note_public', 'none'));
+ $object->note_public = trim(GETPOST('note_public', 'restricthtml'));
 // We do not copy the private note
 $object->ref_client = $_POST['ref_client'];
 $object->ref_int = $_POST['ref_int'];
@@ -1015,7 +1015,7 @@ if (empty($reshook))
 }
 // Credit note invoice
- if ($_POST['type'] == Facture::TYPE_CREDIT_NOTE)
+ if (GETPOST('type') == Facture::TYPE_CREDIT_NOTE)
 {
 $sourceinvoice = GETPOST('fac_avoir');
 if (!($sourceinvoice > 0) && empty($conf->global->INVOICE_CREDIT_NOTE_STANDALONE))
@@ -1033,7 +1033,7 @@ if (empty($reshook))
 $action = 'create';
 }
- $date_pointoftax = dol_mktime(12, 0, 0, $_POST['date_pointoftaxmonth'], $_POST['date_pointoftaxday'], $_POST['date_pointoftaxyear']);
+ $date_pointoftax = dol_mktime(12, 0, 0, GETPOST('date_pointoftaxmonth', 'int'), GETPOST('date_pointoftaxday', 'int'), GETPOST('date_pointoftaxyear', 'int'));
 if (!$error) {
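Review bot: `GETPOST('type')` in the new credit-note test relies on GETPOST's default check for a value that is only compared with the integer constant `Facture::TYPE_CREDIT_NOTE`; `if (GETPOST('type', 'int') == Facture::TYPE_CREDIT_NOTE)` states the intent and matches how the `date_pointoftax*` fields are read in the `-1033` hunk below. `$sourceinvoice = GETPOST('fac_avoir');` on the next context line is an invoice id and could take `'int'` for the same reason. The `-987` hunk also leaves `$object->ref_client = $_POST['ref_client'];` and `$object->ref_int = $_POST['ref_int'];` as raw `$_POST` reads, although the same fields are converted to `GETPOST()` in the later hunks of this file. The `if (empty($reshook))` block containing these hunks starts before the visible lines.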
@@ -1041,20 +1041,19 @@ if (empty($reshook))
 $object->entity = $originentity;
 }
 $object->socid = GETPOST('socid', 'int');
- $object->ref = $_POST['ref'];
+ $object->ref = GETPOST('ref');
 $object->date = $dateinvoice;
 $object->date_pointoftax = $date_pointoftax;
- $object->note_public = trim(GETPOST('note_public', 'none'));
+ $object->note_public = trim(GETPOST('note_public', 'restricthtml'));
 // We do not copy the private note
- $object->ref_client = $_POST['ref_client'];
- $object->ref_int = $_POST['ref_int'];
- $object->model_pdf = $_POST['model'];
- $object->fk_project = $_POST['projectid'];
+ $object->ref_client = GETPOST('ref_client');
+ $object->model_pdf = GETPOST('model');
+ $object->fk_project = GETPOST('projectid', 'int');
 $object->cond_reglement_id = 0;
- $object->mode_reglement_id = $_POST['mode_reglement_id'];
+ $object->mode_reglement_id = GETPOST('mode_reglement_id');
 $object->fk_account = GETPOST('fk_account', 'int');
- $object->remise_absolue = $_POST['remise_absolue'];
- $object->remise_percent = $_POST['remise_percent'];
+ $object->remise_absolue = GETPOST('remise_absolue');
+ $object->remise_percent = GETPOST('remise_percent');
 $object->fk_incoterms = GETPOST('incoterm_id', 'int');
 $object->location_incoterms = GETPOST('location_incoterms', 'alpha');
 $object->multicurrency_code = GETPOST('multicurrency_code', 'alpha');
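Review bot: The `$_POST` reads become `GETPOST()` calls, but `ref`, `ref_client`, `model` and `mode_reglement_id` are left without an explicit check, whereas the `-1801` hunk further down this diff reads the same fields with `'alpha'` and `'int'` and the `-1256` hunk reads `mode_reglement_id` with `'int'`, leaving three sanitisation levels for the same properties. Aligning this hunk on the strictest of them: `$object->ref = GETPOST('ref', 'alpha');`, `$object->model_pdf = GETPOST('model', 'alpha');`, `$object->mode_reglement_id = GETPOST('mode_reglement_id', 'int');` (and `'alpha'` for `ref_client`). `remise_absolue` and `remise_percent` are numeric but are not passed through `price2num()` as `amount` is in the next hunk. The block these lines belong to starts before line 1041.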
@@ -1256,22 +1255,21 @@ if (empty($reshook))
 if (!$error)
 {
 $object->socid = GETPOST('socid', 'int');
- $object->type = $_POST['type'];
- $object->ref = $_POST['ref'];
+ $object->type = GETPOST('type');
+ $object->ref = GETPOST('ref');
 $object->date = $dateinvoice;
 $object->date_pointoftax = $date_pointoftax;
- $object->note_public = trim(GETPOST('note_public', 'none'));
- $object->note_private = trim(GETPOST('note_private', 'none'));
- $object->ref_client = $_POST['ref_client'];
- $object->ref_int = $_POST['ref_int'];
- $object->model_pdf = $_POST['model'];
- $object->fk_project = $_POST['projectid'];
- $object->cond_reglement_id = ($_POST['type'] == 3 ? 1 : $_POST['cond_reglement_id']);
- $object->mode_reglement_id = $_POST['mode_reglement_id'];
+ $object->note_public = trim(GETPOST('note_public', 'restricthtml'));
+ $object->note_private = trim(GETPOST('note_private', 'restricthtml'));
+ $object->ref_client = GETPOST('ref_client');
+ $object->model_pdf = GETPOST('model');
+ $object->fk_project = GETPOST('projectid', 'int');
+ $object->cond_reglement_id = (GETPOST('type') == 3 ? 1 : GETPOST('cond_reglement_id'));
+ $object->mode_reglement_id = GETPOST('mode_reglement_id', 'int');
 $object->fk_account = GETPOST('fk_account', 'int');
- $object->amount = $_POST['amount'];
- $object->remise_absolue = $_POST['remise_absolue'];
- $object->remise_percent = $_POST['remise_percent'];
+ $object->amount = price2num(GETPOST('amount'));
+ $object->remise_absolue = GETPOST('remise_absolue');
+ $object->remise_percent = GETPOST('remise_percent');
 $object->fk_incoterms = GETPOST('incoterm_id', 'int');
 $object->location_incoterms = GETPOST('location_incoterms', 'alpha');
 $object->multicurrency_code = GETPOST('multicurrency_code', 'alpha');
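Review bot: `$object->type = GETPOST('type');` and `$object->cond_reglement_id = (GETPOST('type') == 3 ? 1 : GETPOST('cond_reglement_id'));` read two integer ids without the `'int'` check that the same hunk applies to `projectid` and `mode_reglement_id`, so the type and payment-term ids are stored with whatever the default filter leaves. `GETPOST('type', 'int')` and `GETPOST('cond_reglement_id', 'int')` are the matching reads. The `amount` line gains `price2num()` but `remise_absolue`/`remise_percent` do not, which looks like an oversight rather than a choice. The `if (!$error)` block continues past the hunk.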
@@ -1309,21 +1307,20 @@ if (empty($reshook))
 // Si facture standard
 $object->socid = GETPOST('socid', 'int');
 $object->type = GETPOST('type');
- $object->ref = $_POST['ref'];
+ $object->ref = GETPOST('ref');
 $object->date = $dateinvoice;
 $object->date_pointoftax = $date_pointoftax;
- $object->note_public = trim(GETPOST('note_public', 'none'));
- $object->note_private = trim(GETPOST('note_private', 'none'));
- $object->ref_client = $_POST['ref_client'];
- $object->ref_int = $_POST['ref_int'];
- $object->model_pdf = $_POST['model'];
- $object->fk_project = $_POST['projectid'];
- $object->cond_reglement_id = ($_POST['type'] == 3 ? 1 : $_POST['cond_reglement_id']);
- $object->mode_reglement_id = $_POST['mode_reglement_id'];
+ $object->note_public = trim(GETPOST('note_public', 'restricthtml'));
+ $object->note_private = trim(GETPOST('note_private', 'restricthtml'));
+ $object->ref_client = GETPOST('ref_client');
+ $object->model_pdf = GETPOST('model');
+ $object->fk_project = GETPOST('projectid');
+ $object->cond_reglement_id = (GETPOST('type') == 3 ? 1 : GETPOST('cond_reglement_id'));
+ $object->mode_reglement_id = GETPOST('mode_reglement_id');
 $object->fk_account = GETPOST('fk_account', 'int');
- $object->amount = $_POST['amount'];
- $object->remise_absolue = $_POST['remise_absolue'];
- $object->remise_percent = $_POST['remise_percent'];
+ $object->amount = price2num(GETPOST('amount'));
+ $object->remise_absolue = GETPOST('remise_absolue');
+ $object->remise_percent = GETPOST('remise_percent');
 $object->fk_incoterms = GETPOST('incoterm_id', 'int');
 $object->location_incoterms = GETPOST('location_incoterms', 'alpha');
 $object->multicurrency_code = GETPOST('multicurrency_code', 'alpha');
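Review bot: `$object->fk_project = GETPOST('projectid');` and `$object->mode_reglement_id = GETPOST('mode_reglement_id');` in this hunk omit the `'int'` check that the otherwise identical block in the `-1256` hunk directly above applies to the same two foreign keys. `GETPOST('projectid', 'int')` and `GETPOST('mode_reglement_id', 'int')` are the matching lines; keeping the two sibling blocks identical also makes the later refactor into a shared helper, which these duplicated twenty lines are asking for, a mechanical change. The block starts before the hunk.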
@@ -1801,11 +1798,10 @@ if (empty($reshook))
 $object->fetch_thirdparty();
 $object->date = $datefacture;
 $object->date_pointoftax = $date_pointoftax;
- $object->note_public = trim(GETPOST('note_public', 'none'));
- $object->note = trim(GETPOST('note', 'none'));
- $object->note_private = trim(GETPOST('note', 'none'));
+ $object->note_public = trim(GETPOST('note_public', 'restricthtml'));
+ $object->note = trim(GETPOST('note', 'restricthtml'));
+ $object->note_private = trim(GETPOST('note', 'restricthtml'));
 $object->ref_client = GETPOST('ref_client', 'alpha');
- $object->ref_int = GETPOST('ref_int', 'alpha');
 $object->model_pdf = GETPOST('model', 'alpha');
 $object->fk_project = GETPOST('projectid', 'int');
 $object->cond_reglement_id = GETPOST('cond_reglement_id', 'int');
@@ -1883,9 +1879,9 @@ if (empty($reshook))
 // Set if we used free entry or predefined product
 $predef = '';
- $product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'none') : '');
- $price_ht = GETPOST('price_ht');
- $price_ht_devise = GETPOST('multicurrency_price_ht');
+ $product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'restricthtml') : '');
+ $price_ht = price2num(GETPOST('price_ht'));
+ $price_ht_devise = price2num(GETPOST('multicurrency_price_ht'));
 $prod_entry_mode = GETPOST('prod_entry_mode', 'alpha');
 if ($prod_entry_mode == 'free') {
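Review bot: `$product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'restricthtml') : '');` tests the unfiltered value and stores the filtered one, so the two reads can disagree once `restricthtml` strips content, and the raw `'none'` read stays in the code after a commit whose purpose is to remove it. The `card-rec.php` hunk in this diff already uses the cleaner form, which applies here as `$product_desc = GETPOSTISSET('dp_desc') ? GETPOST('dp_desc', 'restricthtml') : '';`. The `-1801` hunk also drops `$object->ref_int` silently; that is fine if the property was removed upstream, but it deserves a line in the commit message. The surrounding block starts before the visible lines.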
@@ -2204,7 +2200,7 @@ if (empty($reshook))
 $date_end = '';
 $date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear'));
 $date_end = dol_mktime(GETPOST('date_endhour'), GETPOST('date_endmin'), GETPOST('date_endsec'), GETPOST('date_endmonth'), GETPOST('date_endday'), GETPOST('date_endyear'));
- $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none') ? GETPOST('product_desc', 'none') : GETPOST('desc', 'none'));
+ $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml') ? GETPOST('product_desc', 'restricthtml') : GETPOST('desc', 'restricthtml'));
 $pu_ht = GETPOST('price_ht');
 $vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0);
 $qty = GETPOST('qty');
@@ -2629,7 +2625,7 @@ if (empty($reshook))
 $object->oldcopy = dol_clone($object);
 // Fill array 'array_options' with data from add form
- $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none'));
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
 if ($ret < 0) $error++;
 if (!$error)
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 268aaf2ad87..be0888e4c79 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
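Review bot: The `-2204` hunk filters the description but leaves `$pu_ht = GETPOST('price_ht');` and `$qty = GETPOST('qty');` on the context lines with the default check, while the `-1883` hunk of this same file now wraps `price_ht` in `price2num()`; the update-line path should be treated like the add-line path, `$pu_ht = price2num(GETPOST('price_ht'));`. The two `dol_mktime(...)` context lines pass six date components without `'int'` as well, unlike the `date_pointoftax*` conversion earlier in this diff. The enclosing action block starts before the hunk.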
@@ -481,8 +481,8 @@ class Facture extends CommonInvoice
 // Fields coming from GUI (priority on template). TODO Value of template should be used as default value on GUI so we can use here always value from GUI
 $this->fk_project = GETPOST('projectid', 'int') > 0 ? ((int) GETPOST('projectid', 'int')) : $_facrec->fk_project;
- $this->note_public = GETPOST('note_public', 'none') ? GETPOST('note_public', 'none') : $_facrec->note_public;
- $this->note_private = GETPOST('note_private', 'none') ? GETPOST('note_private', 'none') : $_facrec->note_private;
+ $this->note_public = GETPOST('note_public', 'none') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public;
+ $this->note_private = GETPOST('note_private', 'none') ? GETPOST('note_private', 'restricthtml') : $_facrec->note_private;
 $this->modelpdf = GETPOST('model', 'alpha') ? GETPOST('model', 'alpha') : $_facrec->modelpdf;
 $this->cond_reglement_id = GETPOST('cond_reglement_id', 'int') > 0 ? ((int) GETPOST('cond_reglement_id', 'int')) : $_facrec->cond_reglement_id;
 $this->mode_reglement_id = GETPOST('mode_reglement_id', 'int') > 0 ? ((int) GETPOST('mode_reglement_id', 'int')) : $_facrec->mode_reglement_id;
diff --git a/htdocs/compta/facture/contact.php b/htdocs/compta/facture/contact.php
index c88fef5015c..459543dfc74 100644
--- a/htdocs/compta/facture/contact.php
+++ b/htdocs/compta/facture/contact.php
@@ -42,7 +42,7 @@ $id = (GETPOST('id') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // Fo
 $ref = GETPOST('ref', 'alpha');
 $lineid = GETPOST('lineid', 'int');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 if ($user->socid) $socid = $user->socid;
diff --git a/htdocs/compta/facture/document.php b/htdocs/compta/facture/document.php
index ed9b032ae90..722286044cc 100644
--- a/htdocs/compta/facture/document.php
+++ b/htdocs/compta/facture/document.php
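Review bot: The two rewritten ternaries still decide on the `'none'` read and only filter the value they store, so a note whose content survives the raw check but is presumably reduced by `restricthtml` (tag-only input, for instance) ends up as an empty note instead of falling back to the template's, and the raw read this commit set out to remove is still executed. Reading once and testing the filtered value keeps the template fallback intact: `$notepublic = GETPOST('note_public', 'restricthtml'); $this->note_public = $notepublic ? $notepublic : $_facrec->note_public;` and the same two lines for `note_private`. The neighbouring `fk_project`/`cond_reglement_id` lines show the pattern of reading the same filter on both sides of the ternary. The method containing this hunk starts before the visible lines.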
@@ -45,7 +45,7 @@ $langs->loadLangs(array('propal', 'compta', 'other', 'bills', 'companies'));
 $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index f7cb7dc8cca..e25836c1efb 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@@ -61,7 +61,7 @@ $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); //
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $massaction = GETPOST('massaction', 'alpha');
 $show_files = GETPOST('show_files', 'int');
 $confirm = GETPOST('confirm', 'alpha');
diff --git a/htdocs/compta/facture/note.php b/htdocs/compta/facture/note.php
index 954c48ec0c9..249d2dd9b8c 100644
--- a/htdocs/compta/facture/note.php
+++ b/htdocs/compta/facture/note.php
@@ -39,7 +39,7 @@ $langs->loadLangs(array('companies', 'bills'));
 $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 $socid = 0;
diff --git a/htdocs/compta/facture/prelevement.php b/htdocs/compta/facture/prelevement.php
index 88a0b922e55..721c0b857ab 100644
--- a/htdocs/compta/facture/prelevement.php
+++ b/htdocs/compta/facture/prelevement.php
@@ -44,7 +44,7 @@ $langs->loadLangs(array('bills', 'banks', 'withdrawals', 'companies'));
 $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $type = GETPOST('type', 'aZ09');
 $fieldid = (!empty($ref) ? 'ref' : 'rowid');
diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php
index eb11950304f..6adff20725c 100644
--- a/htdocs/compta/index.php
+++ b/htdocs/compta/index.php
@@ -49,7 +49,7 @@ $langs->loadLangs(array('compta', 'bills'));
 if (!empty($conf->commande->enabled)) $langs->load("orders");
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $bid = GETPOST('bid', 'int');
 // Security check
diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php
index 865ef40a258..2dea1b245f4 100644
--- a/htdocs/compta/paiement.php
+++ b/htdocs/compta/paiement.php
@@ -524,7 +524,7 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie
 // Comments
 print ''.$langs->trans('Comments').'';
 print '';
- print '';
+ print '';
 print '';
diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php
index 4acfd34a53a..85f56d298df 100644
--- a/htdocs/compta/paiement/card.php
+++ b/htdocs/compta/paiement/card.php
@@ -39,7 +39,7 @@ $langs->loadLangs(array('bills', 'banks', 'companies'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
@@ -60,7 +60,7 @@ if ($action == 'setnote' && $user->rights->facture->paiement)
 $db->begin();
 $object->fetch($id);
- $result = $object->update_note(GETPOST('note', 'none'));
+ $result = $object->update_note(GETPOST('note', 'restricthtml'));
 if ($result > 0) {
 $db->commit();
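Review bot: The `-524` hunk of paiement.php is unreviewable here: the `print '';` lines have had their HTML content stripped in this rendering, so the actual change to the comment textarea cannot be seen; if it echoes a previously posted `note` back into the form, the value should pass through `dol_escape_htmltag()` (or the same `restricthtml` read used in paiement/card.php), and the commit message should say what was changed. The `$backtopage = GETPOST('backtopage', 'alpha');` context line in paiement/card.php is a redirect target; `'alpha'` does not prevent an absolute URL, so if it is used in a `header('Location: ...')` outside this hunk, an origin check is still needed. The `setnote` branch in the `-60` hunk starts before the visible lines.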
diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php
index aaf216a7558..1691fe3ecfc 100644
--- a/htdocs/compta/paiement/cheque/card.php
+++ b/htdocs/compta/paiement/cheque/card.php
@@ -38,7 +38,7 @@ $langs->loadLangs(array('banks', 'categories', 'bills', 'companies', 'compta'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
@@ -47,7 +47,7 @@ if ($user->socid) $socid = $user->socid;
 $result = restrictedArea($user, 'cheque', $id, 'bordereau_cheque', '', 'fk_user_author', $fieldname);
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (!$sortorder) $sortorder = "ASC";
 if (!$sortfield) $sortfield = "b.dateo,b.rowid";
diff --git a/htdocs/compta/paiement/info.php b/htdocs/compta/paiement/info.php
index 00c3440b868..68d987b06ff 100644
--- a/htdocs/compta/paiement/info.php
+++ b/htdocs/compta/paiement/info.php
@@ -33,7 +33,7 @@ $langs->loadLangs(array('bills', 'companies'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 /*
diff --git a/htdocs/compta/paiement/tovalidate.php b/htdocs/compta/paiement/tovalidate.php
index 349c483a5db..df0b92b5f44 100644
--- a/htdocs/compta/paiement/tovalidate.php
+++ b/htdocs/compta/paiement/tovalidate.php
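Review bot: `$sortfield` stays on `'alpha'` one line above the `$sortorder` change, although its default two lines below, `"b.dateo,b.rowid"`, shows exactly the character set a sort field needs and `aZ09comma` was chosen for `$sortorder` in the same hunk. `$sortfield = GETPOST('sortfield', 'aZ09comma');` keeps a user-supplied ORDER BY fragment to that set, which matters more for `sortfield` than for `sortorder` since the field name is the part that is interpolated verbatim. How `$sortfield` reaches the query is outside the hunk, so confirm nothing expects a space or other character in it.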
@@ -41,7 +41,7 @@ if ($user->socid > 0)
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/compta/paiement_charge.php b/htdocs/compta/paiement_charge.php
index 298866a2020..5f442ab0b18 100644
--- a/htdocs/compta/paiement_charge.php
+++ b/htdocs/compta/paiement_charge.php
@@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 $langs->load("bills");
 $chid = GETPOST("id", 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $amounts = array();
 // Security check
@@ -112,8 +112,8 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
 $paiement->amounts = $amounts; // Tableau de montant
 $paiement->paiementtype = GETPOST("paiementtype", 'alphanohtml');
 $paiement->num_payment = GETPOST("num_payment", 'alphanohtml');
- $paiement->note = GETPOST("note", 'none');
- $paiement->note_private = GETPOST("note", 'none');
+ $paiement->note = GETPOST("note", 'restricthtml');
+ $paiement->note_private = GETPOST("note", 'restricthtml');
 if (!$error) {
diff --git a/htdocs/compta/prelevement/bons.php b/htdocs/compta/prelevement/bons.php
index 608c9fe594d..cb702174434 100644
--- a/htdocs/compta/prelevement/bons.php
+++ b/htdocs/compta/prelevement/bons.php
@@ -42,7 +42,7 @@ $type = GETPOST('type', 'aZ09');
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php
index 6349660c59c..a70a464b428 100644
--- a/htdocs/compta/prelevement/card.php
+++ b/htdocs/compta/prelevement/card.php
@@ -37,7 +37,7 @@ $langs->loadLangs(array('banks', 'categories', 'bills', 'companies', 'withdrawal
 if ($user->socid > 0) accessforbidden();
 // Get supervariables
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
@@ -46,7 +46,7 @@ $type = GETPOST('type', 'aZ09');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index 8642e9ad7ab..8c8dc01a22c 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
@@ -46,7 +46,7 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons');
 $type = GETPOST('type', 'aZ09');
 // Get supervariables
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $mode = GETPOST('mode', 'alpha') ?GETPOST('mode', 'alpha') : 'real';
 $format = GETPOST('format', 'aZ09');
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php
index c4cb6f0c7c4..4104633e111 100644
--- a/htdocs/compta/prelevement/factures.php
+++ b/htdocs/compta/prelevement/factures.php
@@ -46,7 +46,7 @@ $type = GETPOST('type', 'aZ09');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php
index 2cfc40bb30c..29d799a8554 100644
--- a/htdocs/compta/prelevement/fiche-rejet.php
+++ b/htdocs/compta/prelevement/fiche-rejet.php
@@ -46,7 +46,7 @@ $type = GETPOST('type', 'aZ09');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
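Review bot: `$mode = GETPOST('mode', 'alpha') ?GETPOST('mode', 'alpha') : 'real';` on the context line right after the narrowed `$action` is a keyword-valued switch like `$action` and `$format` (the latter already reads `'aZ09'`), so the same tightening applies: `$mode = GETPOST('mode', 'aZ09') ? GETPOST('mode', 'aZ09') : 'real';`. Where `$mode` is consumed is outside the hunk; confirm its accepted values are plain tokens before changing it.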
diff --git a/htdocs/compta/prelevement/fiche-stat.php b/htdocs/compta/prelevement/fiche-stat.php
index c59ed2d4232..3bb71f8c441 100644
--- a/htdocs/compta/prelevement/fiche-stat.php
+++ b/htdocs/compta/prelevement/fiche-stat.php
@@ -44,7 +44,7 @@ $type = GETPOST('type', 'aZ09');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php
index ae146522f39..4120672b44e 100644
--- a/htdocs/compta/prelevement/line.php
+++ b/htdocs/compta/prelevement/line.php
@@ -39,14 +39,14 @@ $langs->loadlangs(array('banks', 'categories', 'bills', 'withdrawals'));
 if ($user->socid > 0) accessforbidden();
 // Get supervariables
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
 $socid = GETPOST('socid', 'int');
 $type = GETPOST('type', 'aZ09');
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $sortfield = GETPOST('sortfield', 'alpha');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if ($page == -1 || $page == null) { $page = 0; }
diff --git a/htdocs/compta/prelevement/list.php b/htdocs/compta/prelevement/list.php
index 2666e8587e6..1255a2b861e 100644
--- a/htdocs/compta/prelevement/list.php
+++ b/htdocs/compta/prelevement/list.php
@@ -51,7 +51,7 @@ $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int')?GETPOST('limit', 'int'):$conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/rejets.php b/htdocs/compta/prelevement/rejets.php index a8481d25f7a..6c38e65981b 100644 --- a/htdocs/compta/prelevement/rejets.php +++ b/htdocs/compta/prelevement/rejets.php @@ -42,7 +42,7 @@ $type = GETPOST('type', 'aZ09'); // Get supervariables $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $sortfield = GETPOST('sortfield', 'alpha'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/recap-compta.php b/htdocs/compta/recap-compta.php index 8b75ec38fce..3106235430e 100644 --- a/htdocs/compta/recap-compta.php +++ b/htdocs/compta/recap-compta.php @@ -47,7 +47,7 @@ $hookmanager->initHooks(array('recapcomptacard', 'globalcard')); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; 
diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index 40ebcd1cb7c..341799a686a 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php @@ -35,7 +35,7 @@ if (!empty($conf->projet->enabled)) require_once DOL_DOCUMENT_ROOT.'/projet/clas // Load translation files required by the page $langs->loadLangs(array('compta', 'banks', 'bills')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/compta/tva/card.php b/htdocs/compta/tva/card.php index 78105cf9585..717b584fe44 100644 --- a/htdocs/compta/tva/card.php +++ b/htdocs/compta/tva/card.php @@ -98,7 +98,7 @@ if ($action == 'add' && $_POST["cancel"] <> $langs->trans("Cancel")) } $object->amount = $amount; $object->label = GETPOST("label", 'alpha'); - $object->note = GETPOST("note", 'none'); + $object->note = GETPOST("note", 'restricthtml'); if (empty($object->datep)) { diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example index 32c37301a0e..6b1b5e0ea0a 100644 --- a/htdocs/conf/conf.php.example +++ b/htdocs/conf/conf.php.example 
@@ -219,10 +219,10 @@ $dolibarr_main_authentication='dolibarr'; // 1 = Force redirect to https, until SCRIPT_URI start with https into response // 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response // 'https://my.domain.com' = Force redirect to https using this domain name. -// Warning: If you enable this parameter, your web server must be configured to -// respond URL with https protocol. -// According to your web server setup, some values may works and other not. Try -// different values (1,2 or 'https://my.domain.com') if you experience problems. +// Warning: If you enable this parameter, your web server must be configured to respond URL with https protocol. +// According to your web server setup, some values may works and other not. Try different values (1,2 or 'https://my.domain.com') if you experience problems. +// Even if a redirect to HTTPS is forced by the webserver, it is recommanded to set this value to another value than 0, so your session cookies will be +// flagged as secured. // Default value: 0 // Possible values: 0, 1, 2 or 'https://my.domain.com' // Examples: @@ -233,12 +233,12 @@ $dolibarr_main_force_https='0'; // dolibarr_main_prod // When this parameter is defined, all errors messages are not reported. // This feature exists for production usage to avoid to give any information to hackers. -// Default value: 0 +// Default value: 1 // Possible values: 0 or 1 // Examples: -// $dolibarr_main_prod='0'; +// $dolibarr_main_prod='1'; // -$dolibarr_main_prod='0'; +$dolibarr_main_prod='1'; // $dolibarr_main_restrict_os_commands // To restrict commands you can execute by the backup feature, enter allowed command here. 
@@ -260,8 +260,8 @@ $dolibarr_main_restrict_ip=''; // dolibarr_nocsrfcheck // This parameter can be used to disable CSRF protection. -// This might be required if you access Dolibarr behind a proxy that make -// URL rewriting, to avoid false alarms. +// This might be required if you access Dolibarr behind a proxy that make bad URL rewriting, to avoid false alarms. +// In most cases, you should always keep this to 0. // Default value: 0 // Possible values: 0 or 1 // Examples: @@ -269,6 +269,12 @@ $dolibarr_main_restrict_ip=''; // $dolibarr_nocsrfcheck='0'; +// dolibarr_cron_allow_cli +// If set to 1, you will be able to define some command line in the internale Job scheduler module. +// Default value: '0' +// Examples: '1' +$dolibarr_cron_allow_cli='0'; + // dolibarr_mailing_limit_sendbyweb // Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level. // Default value: '25' diff --git a/htdocs/contact/agenda.php b/htdocs/contact/agenda.php index 0ea0018632b..7ac512bd32f 100644 --- a/htdocs/contact/agenda.php +++ b/htdocs/contact/agenda.php @@ -83,7 +83,7 @@ $search_agenda_label = GETPOST('search_agenda_label'); // Security check if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index 6afef016d47..dab7242b598 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php 
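Review bot: The new `$dolibarr_cron_allow_cli` comment says what the switch enables but not what it costs: with `'1'` the job scheduler accepts arbitrary command lines, which presumably run under the web server's OS account, so it hands shell access to anyone holding scheduler admin rights in the back office. Since conf.php is the only place that trust decision can be made, the comment should say so, e.g. `// WARNING: with '1', any user allowed to manage scheduled jobs can run arbitrary OS commands as the web server user. Keep '0' unless you really need it.` The `$dolibarr_main_restrict_os_commands` setting mentioned earlier in this file may be the natural companion to reference here, if it applies to scheduler commands as well as backups.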
@@ -78,7 +78,7 @@ if (!empty($canvas)) // Security check if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('contactcard', 'globalcard')); @@ -207,8 +207,8 @@ if (empty($reshook)) $object->phone_mobile = GETPOST("phone_mobile", 'alpha'); $object->fax = GETPOST("fax", 'alpha'); $object->priv = GETPOST("priv", 'int'); - $object->note_public = GETPOST("note_public", 'none'); - $object->note_private = GETPOST("note_private", 'none'); + $object->note_public = GETPOST("note_public", 'restricthtml'); + $object->note_private = GETPOST("note_private", 'restricthtml'); $object->roles = GETPOST("roles", 'array'); $object->statut = 1; //Defult status to Actif @@ -395,8 +395,8 @@ if (empty($reshook)) $object->phone_mobile = GETPOST("phone_mobile", 'alpha'); $object->fax = GETPOST("fax", 'alpha'); $object->priv = GETPOST("priv", 'int'); - $object->note_public = GETPOST("note_public", 'none'); - $object->note_private = GETPOST("note_private", 'none'); + $object->note_public = GETPOST("note_public", 'restricthtml'); + $object->note_private = GETPOST("note_private", 'restricthtml'); $object->roles = GETPOST("roles", 'array'); // Fill array 'array_options' with data from add form diff --git a/htdocs/contact/document.php b/htdocs/contact/document.php index e21ee3e492b..f8498ddae9a 100644 --- a/htdocs/contact/document.php +++ b/htdocs/contact/document.php 
@@ -52,7 +52,7 @@ if (!empty($canvas)) // Security check if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 03324ed26c4..7bf82aa9379 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -44,7 +44,7 @@ $langs->loadLangs(array("companies", "suppliers", "categories")); $socialnetworks = getArrayOfSocialNetworks(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -105,7 +105,7 @@ $view = GETPOST("view", 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $userid = GETPOST('userid', 'int'); $begin = GETPOST('begin'); diff --git a/htdocs/contact/perso.php b/htdocs/contact/perso.php index 724d9077ff1..1710b4dda6a 100644 --- a/htdocs/contact/perso.php +++ b/htdocs/contact/perso.php @@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/contact.lib.php'; $langs->loadLangs(array('companies', 'other')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; 
diff --git a/htdocs/contrat/admin/contract_extrafields.php b/htdocs/contrat/admin/contract_extrafields.php index 031a1b7498d..5343ab8f349 100644 --- a/htdocs/contrat/admin/contract_extrafields.php +++ b/htdocs/contrat/admin/contract_extrafields.php @@ -42,7 +42,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'contrat'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/contrat/admin/contractdet_extrafields.php b/htdocs/contrat/admin/contractdet_extrafields.php index 3e068f5650b..bd0c7b132d0 100644 --- a/htdocs/contrat/admin/contractdet_extrafields.php +++ b/htdocs/contrat/admin/contractdet_extrafields.php @@ -42,7 +42,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'contratdet'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php index cd622b38c28..fadf0831ada 100644 --- a/htdocs/contrat/card.php +++ b/htdocs/contrat/card.php @@ -50,7 +50,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php'; // Load translation files required by the page $langs->loadLangs(array("contracts", "orders", "companies", "bills", "products", 'compta')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $socid = GETPOST('socid', 'int'); $id = GETPOST('id', 'int'); 
@@ -665,7 +665,7 @@ if (empty($reshook)) $fk_unit = GETPOST('unit', 'alpha'); - $objectline->description = GETPOST('product_desc', 'none'); + $objectline->description = GETPOST('product_desc', 'restricthtml'); $objectline->price_ht = GETPOST('elprice'); $objectline->subprice = GETPOST('elprice'); $objectline->qty = GETPOST('elqty'); @@ -811,7 +811,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { diff --git a/htdocs/contrat/contact.php b/htdocs/contrat/contact.php index 02d9c71776d..38a97d0aaa8 100644 --- a/htdocs/contrat/contact.php +++ b/htdocs/contrat/contact.php @@ -36,7 +36,7 @@ if (!empty($conf->projet->enabled)) { // Load translation files required by the page $langs->loadLangs(array('contracts', 'companies')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $socid = GETPOST('socid', 'int'); $id = GETPOST('id', 'int'); diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php index 40a9a4100da..1293da8cf26 100644 --- a/htdocs/contrat/index.php +++ b/htdocs/contrat/index.php @@ -38,7 +38,7 @@ $hookmanager->initHooks(array('contractindex')); $langs->loadLangs(array('products', 'companies', 'contracts')); $sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $statut = GETPOST('statut') ?GETPOST('statut') : 1; diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index 945e6a7d936..608fc6c0d81 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php 
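Review bot: In the -811 hunk, `GETPOST('attribute', 'restricthtml')` feeds the third parameter of `setOptionalsFromPost()`, which I understand to be the key of the single extrafield to update; a key name never legitimately contains markup, and `'restricthtml'` still lets some tags through, so the tighter check is `$ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'alphanohtml'));` (or `'aZ09'` if keys are always plain identifiers). The value selects which attribute is written, so the concern is less XSS than making sure it matches exactly one declared key; how `setOptionalsFromPost` compares it is outside this hunk and worth confirming. The enclosing action block starts before the hunk.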
@@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; // Load translation files required by the page $langs->loadLangs(array('contracts', 'products', 'companies', 'compta')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/contrat/note.php b/htdocs/contrat/note.php index d782ad5b3f5..d9eb8e3ccdc 100644 --- a/htdocs/contrat/note.php +++ b/htdocs/contrat/note.php @@ -34,7 +34,7 @@ if (!empty($conf->projet->enabled)) { // Load translation files required by the page $langs->loadLangs(array('companies', 'contracts')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $socid = GETPOST('socid', 'int'); $id = GETPOST('id', 'int'); diff --git a/htdocs/core/actions_addupdatedelete.inc.php b/htdocs/core/actions_addupdatedelete.inc.php index 09f1c7cf314..4d4c12ce473 100644 --- a/htdocs/core/actions_addupdatedelete.inc.php +++ b/htdocs/core/actions_addupdatedelete.inc.php @@ -64,7 +64,7 @@ if ($action == 'add' && !empty($permissiontoadd)) // Set value to insert if (in_array($object->fields[$key]['type'], array('text', 'html'))) { - $value = GETPOST($key, 'none'); + $value = GETPOST($key, 'restricthtml'); } elseif ($object->fields[$key]['type'] == 'date') { $value = dol_mktime(12, 0, 0, GETPOST($key.'month', 'int'), GETPOST($key.'day', 'int'), GETPOST($key.'year', 'int')); } elseif ($object->fields[$key]['type'] == 'datetime') { 
@@ -72,7 +72,7 @@ if ($action == 'add' && !empty($permissiontoadd)) } elseif ($object->fields[$key]['type'] == 'duration') { $value = 60 * 60 * GETPOST($key.'hour', 'int') + 60 * GETPOST($key.'min', 'int'); } elseif (preg_match('/^(integer|price|real|double)/', $object->fields[$key]['type'])) { - $value = price2num(GETPOST($key, 'none')); // To fix decimal separator according to lang setup + $value = price2num(GETPOST($key, 'alphanohtml')); // To fix decimal separator according to lang setup } elseif ($object->fields[$key]['type'] == 'boolean') { $value = (GETPOST($key) == 'on' ? 1 : 0); } else { @@ -142,7 +142,7 @@ if ($action == 'update' && !empty($permissiontoadd)) // Set value to update if (in_array($object->fields[$key]['type'], array('text', 'html'))) { - $value = GETPOST($key, 'none'); + $value = GETPOST($key, 'restricthtml'); } elseif ($object->fields[$key]['type'] == 'date') { $value = dol_mktime(12, 0, 0, GETPOST($key.'month'), GETPOST($key.'day'), GETPOST($key.'year')); } elseif ($object->fields[$key]['type'] == 'datetime') { @@ -154,7 +154,7 @@ if ($action == 'update' && !empty($permissiontoadd)) $value = ''; } } elseif (preg_match('/^(integer|price|real|double)/', $object->fields[$key]['type'])) { - $value = price2num(GETPOST($key, 'none')); // To fix decimal separator according to lang setup + $value = price2num(GETPOST($key, 'alphanohtml')); // To fix decimal separator according to lang setup } elseif ($object->fields[$key]['type'] == 'boolean') { $value = ((GETPOST($key, 'aZ09') == 'on' || GETPOST($key, 'aZ09') == '1') ? 1 : 0); } else { diff --git a/htdocs/core/actions_changeselectedfields.inc.php b/htdocs/core/actions_changeselectedfields.inc.php index 9a03ba0d29e..f4e7f01d234 100644 --- a/htdocs/core/actions_changeselectedfields.inc.php +++ b/htdocs/core/actions_changeselectedfields.inc.php 
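Review bot: The boolean branch right after the changed line, `$value = (GETPOST($key) == 'on' ? 1 : 0);`, is the one read in this hunk still made without a check argument, and it disagrees with the update path in the -154 hunk below, which uses `'aZ09'` and also accepts `'1'`. Align the create path with it: `$value = ((GETPOST($key, 'aZ09') == 'on' || GETPOST($key, 'aZ09') == '1') ? 1 : 0);`. As written, a checkbox posted as `1` by a custom form is stored as 0 on create but as 1 on update, which is a confusing inconsistency even if not a security issue.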
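Review bot: In the date branch of the -142 hunk, `dol_mktime(12, 0, 0, GETPOST($key.'month'), GETPOST($key.'day'), GETPOST($key.'year'))` reads the three components with no check, whereas the create-side equivalent in the -64 hunk passes `'int'` for each; the update path should do the same, `$value = dol_mktime(12, 0, 0, GETPOST($key.'month', 'int'), GETPOST($key.'day', 'int'), GETPOST($key.'year', 'int'));`. The `text`/`html` change itself looks right; whether plain `text` fields really need `'restricthtml'` rather than `'alphanohtml'` depends on how they are rendered, which is outside this hunk.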
@@ -28,7 +28,7 @@ // $object must be defined (object is loaded in this file with fetch) // Save selection -if (GETPOST('formfilteraction', 'none') == 'listafterchangingselectedfields') +if (GETPOST('formfilteraction', 'alphanohtml') == 'listafterchangingselectedfields') { $tabparam = array(); diff --git a/htdocs/core/actions_comments.inc.php b/htdocs/core/actions_comments.inc.php index c352f07f9f7..079f207b4a4 100644 --- a/htdocs/core/actions_comments.inc.php +++ b/htdocs/core/actions_comments.inc.php @@ -35,7 +35,7 @@ $comment = new Comment($db); if ($action == 'addcomment') { - $description = GETPOST('comment_description', 'none'); + $description = GETPOST('comment_description', 'restricthtml'); if (!empty($description)) { $comment->description = $description; @@ -59,7 +59,7 @@ if ($action === 'updatecomment') { if ($comment->fetch($idcomment) >= 0) { - $comment->description = GETPOST('comment_description', 'none'); + $comment->description = GETPOST('comment_description', 'restricthtml'); if ($comment->update($user) > 0) { setEventMessages($langs->trans("CommentAdded"), null, 'mesgs'); diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 7884fc09e67..3caeeed6678 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -63,7 +63,7 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC)) } } } -} elseif (GETPOST('linkit', 'none') && !empty($conf->global->MAIN_UPLOAD_DOC)) +} elseif (GETPOST('linkit', 'restricthtml') && !empty($conf->global->MAIN_UPLOAD_DOC)) { $link = GETPOST('link', 'alpha'); if ($link) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 612f988305f..4db4c94f007 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php 
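Review bot: In the actions_linkedfiles hunk `GETPOST('linkit', 'restricthtml')` is only tested for truthiness to pick the branch, so an HTML-sanitizing check is the wrong tool and it is inconsistent with `GETPOST('sendit', 'alpha')` on the sibling branch a few lines up; use the same simple check, `} elseif (GETPOST('linkit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC))`. The value that actually carries user content is `$link = GETPOST('link', 'alpha');` on the next line, and `'alpha'` does not establish that it is an http(s) URL, so a scheme check before the link is stored would be worthwhile; the store itself is outside this hunk.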
@@ -141,7 +141,7 @@ if (!$error && $massaction == 'confirm_presend') $massaction = 'presend'; } - if (!GETPOST('subject', 'none')) + if (!GETPOST('subject', 'restricthtml')) { $error++; setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("MailTopic")), null, 'warnings'); @@ -376,8 +376,8 @@ if (!$error && $massaction == 'confirm_presend') } $replyto = $from; - $subject = GETPOST('subject', 'none'); - $message = GETPOST('message', 'none'); + $subject = GETPOST('subject', 'restricthtml'); + $message = GETPOST('message', 'restricthtml'); $sendtobcc = GETPOST('sendtoccc'); if ($objectclass == 'Propal') $sendtobcc .= (empty($conf->global->MAIN_MAIL_AUTOCOPY_PROPOSAL_TO) ? '' : (($sendtobcc ? ", " : "").$conf->global->MAIN_MAIL_AUTOCOPY_PROPOSAL_TO)); diff --git a/htdocs/core/actions_sendmails.inc.php b/htdocs/core/actions_sendmails.inc.php index da010380276..5be25002079 100644 --- a/htdocs/core/actions_sendmails.inc.php +++ b/htdocs/core/actions_sendmails.inc.php @@ -300,8 +300,8 @@ if (($action == 'send' || $action == 'relance') && !$_POST['addfile'] && !$_POST } $replyto = dol_string_nospecial($_POST['replytoname'], ' ', array(",")).' <'.$_POST['replytomail'].'>'; - $message = GETPOST('message', 'none'); - $subject = GETPOST('subject', 'none'); + $message = GETPOST('message', 'restricthtml'); + $subject = GETPOST('subject', 'restricthtml'); // Make a change into HTML code to allow to include images from medias directory with an external reabable URL. // diff --git a/htdocs/core/actions_setnotes.inc.php b/htdocs/core/actions_setnotes.inc.php index 7ea3dd5016f..61db9b9fc55 100644 --- a/htdocs/core/actions_setnotes.inc.php +++ b/htdocs/core/actions_setnotes.inc.php 
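Review bot: In the -376 hunk `$subject = GETPOST('subject', 'restricthtml');` sanitizes a value that becomes a mail header, not HTML: a subject has no legitimate markup, and the property that matters for a header is the absence of CR/LF, which an HTML filter does not guarantee. `'alphanohtml'` is the better fit, `$subject = GETPOST('subject', 'alphanohtml');`, with the mail class relied on to fold or reject line breaks; I cannot see CMailFile here, so confirm it does. `$message` is genuinely HTML-capable and `'restricthtml'` is right for it.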
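Review bot: Same point for the actions_sendmails hunk: `$subject = GETPOST('subject', 'restricthtml');` is a header value and should be read with `'alphanohtml'`. The more visible gap is the unchanged context line just above it, where `$_POST['replytoname']` and `$_POST['replytomail']` are concatenated raw into the Reply-To header with `dol_string_nospecial` applied only to the name; reading the address through `GETPOST('replytomail', 'alphanohtml')` and rejecting anything that is not a single address would close that, even though the commit did not touch the line. The enclosing `if ($action == 'send' || ...)` block starts before this hunk.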
@@ -33,7 +33,7 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel', if (empty($action) || !is_object($object) || empty($id)) dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before'); if (empty($object->id)) $object->fetch($id); // Fetch may not be already done - $result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'none'), ENT_QUOTES, 'UTF-8', 1), '_public'); + $result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'restricthtml'), ENT_QUOTES, 'UTF-8', 1), '_public'); if ($result_update < 0) setEventMessages($object->error, $object->errors, 'errors'); elseif (in_array($object->table_element, array('supplier_proposal', 'propal', 'commande_fournisseur', 'commande', 'facture_fourn', 'facture'))) @@ -63,6 +63,6 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel', // Set public note if (empty($action) || !is_object($object) || empty($id)) dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before'); if (empty($object->id)) $object->fetch($id); // Fetch may not be already done - $result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'none'), ENT_QUOTES), '_private'); + $result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES), '_private'); if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); } diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 1ed8ca34076..456542e331e 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php 
@@ -30,7 +30,7 @@ if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $name = GETPOST('name', 'alpha'); /* diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php index 67e769ab17f..6b476a8f59a 100644 --- a/htdocs/core/ajax/contacts.php +++ b/htdocs/core/ajax/contacts.php @@ -1,6 +1,6 @@ - * Copyright (C) 2016 Laurent Destailleur + * Copyright (C) 2020 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,11 +27,15 @@ if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); require '../../main.inc.php'; -$id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$id = GETPOST('id', 'int'); // id of thirdparty +$action = GETPOST('action', 'aZ09'); $htmlname = GETPOST('htmlname', 'alpha'); $showempty = GETPOST('showempty', 'int'); +// Security check +$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0); + + /* * View */ diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php index 6c9f97bfbb0..ceb221b4870 100644 --- a/htdocs/core/ajax/objectonoff.php +++ b/htdocs/core/ajax/objectonoff.php @@ -30,7 +30,7 @@ if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); $value = GETPOST('value', 'int'); $field = GETPOST('field', 'alpha'); diff --git a/htdocs/core/ajax/pingresult.php b/htdocs/core/ajax/pingresult.php index e08b2c5efcf..e58895a967f 100644 --- a/htdocs/core/ajax/pingresult.php +++ b/htdocs/core/ajax/pingresult.php 
@@ -30,7 +30,7 @@ if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $hash_unique_id = GETPOST('hash_unique_id', 'alpha'); $hash_algo = GETPOST('hash_algo', 'alpha'); diff --git a/htdocs/core/ajax/selectobject.php b/htdocs/core/ajax/selectobject.php index eed6c21c126..a672510555b 100644 --- a/htdocs/core/ajax/selectobject.php +++ b/htdocs/core/ajax/selectobject.php @@ -33,7 +33,7 @@ $objectdesc = GETPOST('objectdesc', 'alpha'); $htmlname = GETPOST('htmlname', 'aZ09'); $sqlfilter = GETPOST('sqlfilter', 'alpha'); $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); diff --git a/htdocs/core/ajax/selectsearchbox.php b/htdocs/core/ajax/selectsearchbox.php index 00b66ced374..29aeb9cc7eb 100644 --- a/htdocs/core/ajax/selectsearchbox.php +++ b/htdocs/core/ajax/selectsearchbox.php @@ -48,7 +48,7 @@ include_once DOL_DOCUMENT_ROOT.'/core/lib/json.lib.php'; //global $hookmanager; $hookmanager->initHooks(array('searchform')); -$search_boxvalue = GETPOST('q', 'none'); +$search_boxvalue = GETPOST('q', 'restricthtml'); $arrayresult = array(); diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php index b0ab6ed2a7e..0bd16eb6449 100644 --- a/htdocs/core/ajax/vatrates.php +++ b/htdocs/core/ajax/vatrates.php @@ -27,7 +27,7 @@ if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); require '../../main.inc.php'; $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $htmlname = GETPOST('htmlname', 'alpha'); $selected = (GETPOST('selected') ?GETPOST('selected') : '-1'); $productid = (GETPOST('productid', 'int') ?GETPOST('productid', 'int') : 0); 
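Review bot: In the selectsearchbox hunk `$search_boxvalue = GETPOST('q', 'restricthtml');` reads the free-text term typed into the global search box; there is no use case for markup in it, so `'alphanohtml'` is the tighter and more honest check: `$search_boxvalue = GETPOST('q', 'alphanohtml');`. With `'restricthtml'` the term can still carry whatever tags that filter allows, and whether that matters depends on how each registered search form echoes the value into the suggestion list and the URLs it builds, which is outside this hunk.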
diff --git a/htdocs/core/boxes/modules_boxes.php b/htdocs/core/boxes/modules_boxes.php index e5fa9d8fb0d..51719ec6c15 100644 --- a/htdocs/core/boxes/modules_boxes.php +++ b/htdocs/core/boxes/modules_boxes.php @@ -422,6 +422,7 @@ class ModeleBoxes // Can't be abtract as it is instantiated to build "empty" box { while (($file = readdir($handle)) !== false) { + $reg = array(); if (is_readable($newdir.'/'.$file) && preg_match('/^(.+)\.php/', $file, $reg)) { if (preg_match('/\.back$/', $file)) continue; diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index a381014983b..ef519f388a7 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -6690,7 +6690,9 @@ abstract class CommonObject break; case "create": case "edit": - $getposttemp = GETPOST($keyprefix.'options_'.$key.$keysuffix, 'none'); // GETPOST can get value from GET, POST or setup of default values. + $check = 'restricthtml'; + // TODO Use check = 'alphahtml' or 'int' for some types + $getposttemp = GETPOST($keyprefix.'options_'.$key.$keysuffix, $check); // GETPOST can get value from GET, POST or setup of default values. // GETPOST("options_" . $key) can be 'abc' or array(0=>'abc') if (is_array($getposttemp) || $getposttemp != '' || GETPOSTISSET($keyprefix.'options_'.$key.$keysuffix)) { 
@@ -6765,7 +6767,7 @@ abstract class CommonObject // HTML, select, integer and text add default value if (in_array($extrafields->attributes[$this->table_element]['type'][$key], array('html', 'text', 'select', 'int'))) { - if ($action == 'create') $value = GETPOSTISSET($keyprefix.'options_'.$key.$keysuffix) ? GETPOST($keyprefix.'options_'.$key.$keysuffix, 'none', 3) : $extrafields->attributes[$this->table_element]['default'][$key]; + if ($action == 'create') $value = GETPOSTISSET($keyprefix.'options_'.$key.$keysuffix) ? GETPOST($keyprefix.'options_'.$key.$keysuffix, 'restricthtml', 3) : $extrafields->attributes[$this->table_element]['default'][$key]; else $value = $this->array_options['options_'.$key]; } @@ -6775,7 +6777,7 @@ abstract class CommonObject $out .= ''; $out .= 'browser->layout == 'phone') $ret.='
'; - $ret .= '
'; + $ret .= '
'; // For thirdparty, contact, user, member, the ref is the id, so we show something else if ($object->element == 'societe') diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 70f68a31894..360248a741e 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -1207,7 +1207,7 @@ class FormFile $editline = 1; } else { $filenametoshow = preg_replace('/\.noexe$/', '', $file['name']); - print dol_trunc($filenametoshow, 200); + print dol_escape_htmltag(dol_trunc($filenametoshow, 200)); print ''; } // Preview link diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index 3c006d8810f..f7acd09dbd1 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -675,7 +675,7 @@ class FormMail extends Form { $tmparray[$key] = dol_htmlentities($tmparray[$key], null, 'UTF-8', true); } - $withtoselected = GETPOST("receiver", 'none'); // Array of selected value + $withtoselected = GETPOST("receiver", 'restricthtml'); // Array of selected value if (empty($withtoselected) && count($tmparray) == 1 && GETPOST('action', 'aZ09') == 'presend') { $withtoselected = array_keys($tmparray); @@ -699,7 +699,7 @@ class FormMail extends Form { $tmparray[$key] = dol_htmlentities($tmparray[$key], null, 'UTF-8', true); } - $withtoselected = GETPOST("receiveruser", 'none'); // Array of selected value + $withtoselected = GETPOST("receiveruser", 'restricthtml'); // Array of selected value if (empty($withtoselected) && count($tmparray) == 1 && GETPOST('action', 'aZ09') == 'presend') { $withtoselected = array_keys($tmparray); 
@@ -763,7 +763,7 @@ class FormMail extends Form { $tmparray[$key] = dol_htmlentities($tmparray[$key], null, 'UTF-8', true); } - $withtoselected = GETPOST("receiverccuser", 'none'); // Array of selected value + $withtoselected = GETPOST("receiverccuser", 'restricthtml'); // Array of selected value if (empty($withtoselected) && count($tmparray) == 1 && GETPOST('action', 'aZ09') == 'presend') { $withtoselected = array_keys($tmparray); @@ -886,7 +886,7 @@ class FormMail extends Form // Message if (!empty($this->withbody)) { - $defaultmessage = GETPOST('message', 'none'); + $defaultmessage = GETPOST('message', 'restricthtml'); if (!GETPOST('modelselected', 'alpha') || GETPOST('modelmailselected') != '-1') { if ($arraydefaultmessage && $arraydefaultmessage->content) { @@ -1144,7 +1144,7 @@ class FormMail extends Form { global $conf, $langs, $form; - $defaulttopic = GETPOST('subject', 'none'); + $defaulttopic = GETPOST('subject', 'restricthtml'); if (!GETPOST('modelselected', 'alpha') || GETPOST('modelmailselected') != '-1') { if ($arraydefaultmessage && $arraydefaultmessage->topic) { $defaulttopic = $arraydefaultmessage->topic; diff --git a/htdocs/core/class/html.formticket.class.php b/htdocs/core/class/html.formticket.class.php index f6973314101..35ad4b83a7f 100644 --- a/htdocs/core/class/html.formticket.class.php +++ b/htdocs/core/class/html.formticket.class.php @@ -231,7 +231,7 @@ class FormTicket } // MESSAGE - $msg = GETPOSTISSET('message') ? GETPOST('message', 'none') : ''; + $msg = GETPOSTISSET('message') ? GETPOST('message', 'restricthtml') : ''; print ''; // If public form, display more information diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php index a8bd9e93c3c..fa30da5b10a 100644 --- a/htdocs/core/customreports.php +++ b/htdocs/core/customreports.php 
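Review bot: `$withtoselected = GETPOST("receiverccuser", 'restricthtml');` is, per its own trailing comment, an array of selected ids, and this diff already uses a purpose-built check for that shape (`GETPOST("roles", 'array')` in contact/card.php); reading it as `$withtoselected = GETPOST("receiverccuser", 'array'); // Array of selected value` states what the code expects instead of running an HTML filter over id values. The same applies to the `receiver` and `receiveruser` hunks above. If the values are only ever used as array keys the filter is harmless, but the check should still document the expected type.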
@@ -55,7 +55,7 @@ if (!defined('USE_CUSTOME_REPORT_AS_INCLUDE')) // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST('sortfield', 'alpha'); - $sortorder = GETPOST('sortorder', 'alpha'); + $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/core/data/cloud_metadata_for_ssrf_test.txt b/htdocs/core/data/cloud_metadata_for_ssrf_test.txt new file mode 100644 index 00000000000..4d98b656b3c --- /dev/null +++ b/htdocs/core/data/cloud_metadata_for_ssrf_test.txt @@ -0,0 +1,23 @@ +## This file is a list of predefined URLs to block when trying to access them from the application, +## for example when using the grab website feature of module website +## Allowing grabbing local url allow to get metadata. + +10.0.0.0/8 +0.0.0.0/8 +100.64.0.0/10 +127.0.0.0/8 +169.254.0.0/16 +172.16.0.0/12 +192.0.0.0/29 +192.0.2.0/24 +192.88.99.0/24 +192.168.0.0/16 +198.18.0.0/15 +198.51.100.0/24 +203.0.113.0/24 +224.0.0.0/4 +240.0.0.0/4 +metadata.google.internal +100.100.100.200 (Alibaba Metadata) +[::] +[::1] diff --git a/htdocs/core/filemanagerdol/browser/default/browser.php b/htdocs/core/filemanagerdol/browser/default/browser.php index d1d5d434b5b..8f7ff82ecff 100644 --- a/htdocs/core/filemanagerdol/browser/default/browser.php +++ b/htdocs/core/filemanagerdol/browser/default/browser.php 
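Review bot: The entry `100.100.100.200 (Alibaba Metadata)` carries its annotation on the same line as the address while the file otherwise only uses `##` for comments, so a line-based reader would have to strip the trailing text or that address will never match; moving the note to a `## Alibaba metadata endpoint` line above it keeps the format uniform. The list mixes CIDR ranges, a bare hostname and bracketed IPv6 literals without saying how entries are compared, so the header should state the contract, for example `## One entry per line: an IPv4 CIDR range, a bare IPv4/IPv6 address, or a hostname. Lines starting with ## are ignored.`. The code that consumes this list is not in this diff; presumably it has to resolve the requested host and compare the resulting address against these ranges before connecting, since a URL can reach any of these addresses indirectly, and that is worth confirming in the consumer. IPv6 coverage stops at `[::]` and `[::1]`; the link-local (`fe80::/10`) and unique-local (`fc00::/7`) ranges have no counterpart to the IPv4 entries above them.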
@@ -95,6 +95,10 @@ var sServerPath = GetUrlParam( 'ServerPath' ); if ( sServerPath.length > 0 ) oConnector.ConnectorUrl += 'ServerPath=' + encodeURIComponent( sServerPath ) + '&' ; +/* @CHANGE LDR Overwrite value coming from parameters for security purpose */ +oConnector.ConnectorUrl = ''; +console.log('ConnectorUrl='+oConnector.ConnectorUrl); + oConnector.ResourceType = GetUrlParam( 'Type' ); oConnector.ShowAllTypes = ( oConnector.ResourceType.length == 0 ); diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index ba96efbfd62..d8bf9ca5a1e 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -2013,8 +2013,10 @@ function dol_uncompress($inputfile, $outputdir) dol_syslog("Constant ODTPHP_PATHTOPCLZIP for pclzip library is set to ".ODTPHP_PATHTOPCLZIP.", so we use Pclzip to unzip into ".$outputdir); include_once ODTPHP_PATHTOPCLZIP.'/pclzip.lib.php'; $archive = new PclZip($inputfile); - $result = $archive->extract(PCLZIP_OPT_PATH, $outputdir); - //var_dump($result); + + // Extract into outputdir, but only files that match the regex '/^((?!\.\.).)*$/' that means "does not include .." + $result = $archive->extract(PCLZIP_OPT_PATH, $outputdir, PCLZIP_OPT_BY_PREG, '/^((?!\.\.).)*$/'); + if (!is_array($result) && $result <= 0) return array('error'=>$archive->errorInfo(true)); else { $ok = 1; $errmsg = ''; 
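Review bot: `console.log('ConnectorUrl='+oConnector.ConnectorUrl);` looks like leftover debugging in the new block; it prints an empty value on every load of the file browser and should be dropped. Because the assignment now discards whatever was built from the `ServerPath` parameter, the `GetUrlParam( 'ServerPath' )` read and the `+=` just above it no longer have any effect on `ConnectorUrl` and could be removed in the same change; otherwise the comment `Overwrite value coming from parameters for security purpose` reads as if the parameter still mattered. A comment on the kept line such as `// ConnectorUrl is fixed server-side; the URL parameters must not be able to point the browser at another connector` would state the reason rather than just the fact. The enclosing script continues outside the hunk.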
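Review bot: The filter `'/^((?!\.\.).)*$/'` passed with `PCLZIP_OPT_BY_PREG` quietly drops every entry whose name contains `..`, so the caller still sees a successful extraction with files missing, and the ZipArchive loop in the next hunk has the same silent skip. Rejecting the archive (returning an error entry as the `$result <= 0` path already does) or at least reporting the skipped names would make a suspicious archive visible to the caller instead of partially extracted. The pattern uses `.` and `$` without `/s`, so an entry name containing a newline is rejected by accident rather than by design; `\z` together with an explicit `/s` or `[^\n]` would state the intent. Both branches match `..` anywhere in the name, so a legitimate file such as `report..v2.pdf` is discarded too; a per-segment test (`'/(^|\/)\.\.(\/|$)/'`) would be narrower. dol_uncompress starts before this hunk.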
@@ -2035,14 +2037,26 @@ function dol_uncompress($inputfile, $outputdir) } } - if (class_exists('ZipArchive')) + if (class_exists('ZipArchive')) // Must install php-zip to have it { dol_syslog("Class ZipArchive is set so we unzip using ZipArchive to unzip into ".$outputdir); $zip = new ZipArchive; $res = $zip->open($inputfile); if ($res === true) { - $zip->extractTo($outputdir.'/'); + //$zip->extractTo($outputdir.'/'); + // We must extract one file at time so we can check that file name does not contains '..' to avoid transversal path of zip built for example using + // python3 path_traversal_archiver.py test.zip -l 10 -p tmp/ + // with -l is the range of dot to go back in path. + // and path_traversal_archiver.py found at https://github.com/Alamot/code-snippets/blob/master/path_traversal/path_traversal_archiver.py + for ($i = 0; $i < $zip->numFiles; $i++) { + if (preg_match('/\.\./', $zip->getNameIndex($i))) { + dol_syslog("Warning: Try to unzip a file with a transversal path ".$zip->getNameIndex($i), LOG_WARNING); + continue; // Discard the file + } + $zip->extractTo($outputdir.'/', array($zip->getNameIndex($i))); + } + $zip->close(); return array(); } else { diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 7abe2e50236..051f8a031ca 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -82,6 +82,12 @@ function getEntity($element, $shared = 1, $currentobject = null) { global $conf, $mc; + // fix different element names (France to English) + switch ($element) { + case 'contrat': $element = 'contract'; break; // "/contrat/class/contrat.class.php" + case 'order_supplier': $element = 'supplier_order'; break; // "/fourn/class/fournisseur.commande.class.php" + } + if (is_object($mc)) { return $mc->getEntity($element, $shared, $currentobject); 
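Review bot: The new comment block spends four lines describing an external tool and its command-line flags, which a maintainer does not need to understand the check; `// Extract entry by entry so names containing '..' can be rejected (zip path traversal)` says the same thing. Whether `ZipArchive::extractTo()` itself neutralises an absolute entry name (leading `/`) is not visible here; if it does not, a guard such as `if (preg_match('/\.\./', $name) || substr($name, 0, 1) === '/')` is cheap insurance, with `$name = $zip->getNameIndex($i);` fetched once per iteration instead of three times. The per-entry `extractTo()` and the final `$zip->close()` return values are not checked, so a partially written extraction still returns `array()`, which is the success value; the `$res === true` test around this is the only error path. dol_uncompress starts before this hunk and continues after it.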
@@ -271,12 +277,13 @@ function GETPOSTISSET($paramname) * 'none'=no check (only for param that should have very rich content) * 'int'=check it's numeric (integer or float) * 'intcomma'=check it's integer+comma ('1,2,3,4...') - * 'alpha'=check it's text and sign + * 'alpha'=Same than alphanohtml since v13 + * 'alphanohtml'=check there is no html content and no " and no ../ * 'aZ'=check it's a-z only * 'aZ09'=check it's simple alpha string (recommended for keys) * 'array'=check it's array * 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string) - * 'nohtml', 'alphanohtml'=check there is no html content + * 'nohtml'=check there is no html content and no " and no ../ * 'restricthtml'=check html content is restricted to some tags only * 'custom'= custom filter specify $filter and $options) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get) @@ -549,13 +556,6 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null case 'intcomma': if (preg_match('/[^0-9,-]+/i', $out)) $out = ''; break; - case 'alpha': - if (!is_array($out)) { - // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '../'), '', trim($out)); - } - break; case 'san_alpha': $out = filter_var($out, FILTER_SANITIZE_STRING); break; 
@@ -586,12 +586,13 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null case 'nohtml': $out = dol_string_nohtmltag($out, 0); break; + case 'alpha': // No html and no " and no ../ case 'alphanohtml': // Recommended for most scalar parameters and search parameters if (!is_array($out)) { // '"' is dangerous because param in url can close the href= or src= and add javascript functions. // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '../'), '', trim($out)); + $out = str_replace(array('"', '"', '../'), '', trim($out)); $out = dol_string_nohtmltag($out, 0); } break; @@ -1197,11 +1198,11 @@ function dol_get_fiche_head($links = array(), $active = '', $title = '', $notab if ($morehtmlright) $out .= '
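Review bot: The replacement list `array('"', '"', '../')` contains the double quote twice as rendered here; if the second element was meant to be the HTML-encoded form of the quote it has to stay distinct from the first, and as shown it is a no-op duplicate. `str_replace` is also single-pass, so removing one `../` can leave a new `../` assembled from the characters around it; the sanitizer should either repeat until the value is stable, `while (strpos($out, '../') !== false) { $out = str_replace('../', '', $out); }`, or blank the value outright as the `'intcomma'` case does. The same applies to the `'alpha'` case now merged into this branch, since the removed `'alpha'` code in the previous hunk had the identical single-pass `str_replace`. GETPOST's switch continues outside the hunk.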
'.$morehtmlright.'
'; // Output right area first so when space is missing, text is in front of tabs and not under. // Show title - if (!empty($title) && $showtitle) + if (!empty($title) && $showtitle && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { $limittitle = 30; $out .= ''; - if ($picto && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) $out .= img_picto($title, ($pictoisfullpath ? '' : 'object_').$picto, '', $pictoisfullpath, 0, 0, '', 'imgTabTitle').' '; + if ($picto) $out .= img_picto($title, ($pictoisfullpath ? '' : 'object_').$picto, '', $pictoisfullpath, 0, 0, '', 'imgTabTitle').' '; $out .= ''.dol_trunc($title, $limittitle).''; $out .= ''; } @@ -1626,7 +1627,8 @@ function dol_banner_tab($object, $paramid, $morehtml = '', $shownav = 1, $fieldi } if (!empty($conf->global->MAIN_SHOW_TECHNICAL_ID) && ($conf->global->MAIN_SHOW_TECHNICAL_ID == '1' || preg_match('/'.preg_quote($object->element, '/').'/i', $conf->global->MAIN_SHOW_TECHNICAL_ID)) && !empty($object->id)) { - $morehtmlref .= '
'; + $morehtmlref .= '
'; + $morehtmlref .= '
'; $morehtmlref .= $langs->trans("TechnicalID").': '.$object->id; $morehtmlref .= '
'; } @@ -2692,7 +2694,15 @@ function dol_print_ip($ip, $mode = 0) */ function getUserRemoteIP() { - $ip = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? (empty($_SERVER['HTTP_CLIENT_IP']) ? (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']) : $_SERVER['HTTP_CLIENT_IP']) : $_SERVER['HTTP_X_FORWARDED_FOR']; + if (empty($_SERVER['HTTP_X_FORWARDED_FOR']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_X_FORWARDED_FOR'])) { + if (empty($_SERVER['HTTP_CLIENT_IP']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_CLIENT_IP'])) { + $ip = (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']); + } else { + $ip = $_SERVER['HTTP_CLIENT_IP']; // value is clean here + } + } else { + $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; // value is clean here + } return $ip; } @@ -3150,8 +3160,8 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ // Define $color $arrayconvpictotocolor = array( - 'address'=>'#aaa', 'building'=>'#aaa', 'bom'=>'#a69944', - 'companies'=>'#aaa', 'company'=>'#aaa', 'contact'=>'#37a', 'dynamicprice'=>'#a69944', + 'address'=>'#6c6aa8', 'building'=>'#6c6aa8', 'bom'=>'#a69944', + 'companies'=>'#6c6aa8', 'company'=>'#6c6aa8', 'contact'=>'#37a', 'dynamicprice'=>'#a69944', 'edit'=>'#444', 'note'=>'#999', 'error'=>'', 'help'=>'#bbb', 'listlight'=>'#999', 'dolly'=>'#a69944', 'dollyrevert'=>'#a69944', 'lot'=>'#a69944', 'map-marker-alt'=>'#aaa', 'mrp'=>'#a69944', 'product'=>'#a69944', 'service'=>'#a69944', 'stock'=>'#a69944', @@ -5484,23 +5494,24 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto = if ($removelinefeed == 2) $stringtoclean = preg_replace('/]*>(\n|\r)+/ims', '
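Review bot: The new getUserRemoteIP() still takes `HTTP_X_FORWARDED_FOR` (then `HTTP_CLIENT_IP`) at face value whenever it passes the character-class check; that regex constrains the alphabet only, it does not establish that the request came through a proxy the deployment trusts, so any client can choose the value this function reports. Unless every caller sits behind a known reverse proxy, the header should be honoured only when `REMOTE_ADDR` is in a configured list of trusted proxies, and the comment `// value is clean here` should say "well-formed" rather than imply it is trustworthy. The forwarded header is a comma-separated chain and the function returns the whole chain, not one address; callers that log it or compare it as an IP need to know that. The class `[^0-9\.\:,\[\]]` rejects the common `a, b` form with a space after the comma, so such requests silently fall back to `REMOTE_ADDR` while `a,b` does not; trimming around the commas before the check would make the two cases behave alike.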
', $stringtoclean); $temp = preg_replace('/]*>/i', "\n", $stringtoclean); + // We remove entities BEFORE stripping (in case of a separator char is encoded and not the other, the strip will fails) + $temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto); + if ($strip_tags) { $temp = strip_tags($temp); } else { $pattern = "/<[^<>]+>/"; - // Exemple of $temp: 0000-021 + // Example of $temp: 0000-021 $temp = preg_replace($pattern, "", $temp); // pass 1 // $temp after pass 1: 0000-021 $temp = preg_replace($pattern, "", $temp); // pass 2 // $temp after pass 2: 0000-021 } - $temp = dol_html_entity_decode($temp, ENT_COMPAT, $pagecodeto); - - // Supprime aussi les retours + // Remove also CR LF if ($removelinefeed == 1) $temp = str_replace(array("\r\n", "\r", "\n"), " ", $temp); - // et les espaces doubles + // and double spaces while (strpos($temp, " ")) { $temp = str_replace(" ", " ", $temp); @@ -5714,7 +5725,7 @@ function dol_htmlcleanlastbr($stringtodecode) * @param string $a Operand a * @param string $b Operand b (ENT_QUOTES=convert simple and double quotes) * @param string $c Operand c - * @param string $keepsomeentities Entities but &, <, >, " are not converted. + * @param string $keepsomeentities Entities but &, <, >, " are not converted. * @return string String decoded */ function dol_html_entity_decode($a, $b, $c = 'UTF-8', $keepsomeentities = 0) 
@@ -7880,19 +7891,16 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param if (empty($conf->use_javascript_ajax)) return ''; - $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml', 'webp'); - //$mime_preview[]='vnd.oasis.opendocument.presentation'; - //$mime_preview[]='archive'; - $num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview); + $isAllowedForPreview = dolIsAllowedForPreview($relativepath); if ($alldata == 1) { - if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath),); + if ($isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : ''), 'mime'=>dol_mimetype($relativepath),); else return array(); } - // old behavior - if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')'; + // old behavior, return a string + if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')'; else return ''; } 
@@ -7917,6 +7925,33 @@ function ajax_autoselect($htmlname, $addlink = '') } +/** + * Return if a file is qualified for preview + * + * @param string $file Filename we looking for information + * @return int 1 If allowed, 0 otherwise + * @see dol_mimetype(), image_format_supported() from images.lib.php + */ +function dolIsAllowedForPreview($file) +{ + global $conf; + + // Check .noexe extension in filename + if (preg_match('/\.noexe$/i', $file)) return 0; + + // Check mime types + $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp'); + if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml'; + //$mime_preview[]='vnd.oasis.opendocument.presentation'; + //$mime_preview[]='archive'; + $num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview); + if ($num_mime !== false) return 1; + + // By default, not allowed for preview + return 0; +} + + /** * Return mime type of a file * @@ -7924,7 +7959,7 @@ function ajax_autoselect($htmlname, $addlink = '') * @param string $default Default mime type if extension not found in known list * @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa * @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive) - * @see image_format_supported() from images.lib.php + * @see dolIsAllowedForPreview(), image_format_supported() from images.lib.php */ function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0) { 
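Review bot: The `.noexe` test in the new dolIsAllowedForPreview() uses `$`, which also matches before a trailing newline, so `\z` is the stricter anchor: `if (preg_match('/\.noexe\z/i', $file)) return 0;`. Since `dol_mimetype()` decides from the file extension (see its `preg_match` lines in the @@ -7944 hunk), the docblock should say the answer is extension-based and not derived from content, e.g. `@param string $file File name (decision is based on its extension only; the file is not read)`. The docblock could also mention `MAIN_ALLOW_SVG_FILES_AS_IMAGES`, since that setting is the only thing that changes the result for a given name.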
@@ -7944,6 +7979,7 @@ function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0) if (preg_match('/\.ini$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'ini'; $famime = 'file-text-o'; } if (preg_match('/\.md$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'md'; $famime = 'file-text-o'; } if (preg_match('/\.css$/i', $tmpfile)) { $mime = 'text/css'; $imgmime = 'css.png'; $srclang = 'css'; $famime = 'file-text-o'; } + if (preg_match('/\.lang$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $srclang = 'lang'; $famime = 'file-text-o'; } // Certificate files if (preg_match('/\.(crt|cer|key|pub)$/i', $tmpfile)) { $mime = 'text/plain'; $imgmime = 'text.png'; $famime = 'file-text-o'; } // XML based (HTML/XML/XAML) @@ -8675,10 +8711,7 @@ function currentToken() } /** - * Start a table with headers and a optinal clickable number - * (don't forget to use "finishSimpleTable()" after the last table row) - * - * @see finishSimpleTable + * Start a table with headers and a optinal clickable number (don't forget to use "finishSimpleTable()" after the last table row) * * @param string $header The first left header of the table (automatic translated) * @param string $link (optional) The link to a internal dolibarr page, when click on the number (without the first "/") @@ -8686,6 +8719,8 @@ function currentToken() * @param integer $emptyRows (optional) The count of empty rows after the first header * @param integer $number (optional) The number that is shown right after the first header, when not set the link is shown on the right side of the header as "FullList" * @return void + * + * @see finishSimpleTable() */ function startSimpleTable($header, $link = "", $arguments = "", $emptyRows = 0, $number = -1) { 
@@ -8740,14 +8775,12 @@ function startSimpleTable($header, $link = "", $arguments = "", $emptyRows = 0, } /** - * Add the correct HTML close tags for "startSimpleTable(...)" - * (use after the last table line) + * Add the correct HTML close tags for "startSimpleTable(...)" (use after the last table line) * - * @see startSimpleTable + * @param bool $addLineBreak (optional) Add a extra line break after the complete table (\) + * @return void * - * @param bool $addLineBreak (optional) Add a extra line break after the complete table (\) - * - * @return void + * @see startSimpleTable() */ function finishSimpleTable($addLineBreak = false) { diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index ba9a477ebd7..4e7234d5c73 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -130,8 +130,8 @@ if (!function_exists('dol_loginfunction')) */ function dol_loginfunction($langs, $conf, $mysoc) { - global $dolibarr_main_demo, $db; - global $hookmanager; + global $dolibarr_main_demo, $dolibarr_main_force_https; + global $db, $hookmanager; $langs->loadLangs(array("main", "other", "help", "admin")); @@ -184,7 +184,7 @@ if (!function_exists('dol_loginfunction')) // Set cookie for timeout management $prefix = dol_getprefix(''); $sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix; - if (!empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", null, false, true); + if (!empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", null, (empty($dolibarr_main_force_https) ? false : true), true); if (GETPOST('urlfrom', 'alpha')) $_SESSION["urlfrom"] = GETPOST('urlfrom', 'alpha'); else unset($_SESSION["urlfrom"]); diff --git a/htdocs/core/menus/init_menu_auguria.sql b/htdocs/core/menus/init_menu_auguria.sql index 8d4a033efb3..b5f96655ed7 100644 --- a/htdocs/core/menus/init_menu_auguria.sql 
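Review bot: The `secure` argument of `setcookie()` is now tied to `$dolibarr_main_force_https`, which is the right signal, but `(empty($dolibarr_main_force_https) ? false : true)` is just `!empty($dolibarr_main_force_https)`, and as a global read inside the function it deserves a one-line comment, `// presumably set in conf.php; when forced HTTPS is on, the cookie must not travel over plain HTTP`. Only the `DOLSESSTIMEOUT_*` cookie is covered by this hunk; whether the session cookie itself gets the same flag is not visible here and is worth confirming so the two are not set inconsistently. dol_loginfunction continues outside the hunk.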
+++ b/htdocs/core/menus/init_menu_auguria.sql 
@@ -405,7 +405,7 @@ insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, left insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->hrm->enabled', __HANDLER__, 'left', 4602__+MAX_llx_menu__, 'hrm', '', 4600__+MAX_llx_menu__, '/user/list.php?mainmenu=hrm&leftmenu=hrm&mode=employee&contextpage=employeelist', 'List', 1, 'hrm', '$user->rights->hrm->employee->read', '', 0, 2, __ENTITY__); -- HRM - Holiday insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->holiday->enabled', __HANDLER__, 'left', 5000__+MAX_llx_menu__, 'hrm', 'hrm', 15__+MAX_llx_menu__, '/holiday/list.php?mainmenu=hrm&leftmenu=hrm', 'CPTitreMenu', 0, 'holiday', '$user->rights->holiday->read', '', 0, 1, __ENTITY__); -insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->holiday->enabled', __HANDLER__, 'left', 5001__+MAX_llx_menu__, 'hrm', '', 5000__+MAX_llx_menu__, '/holiday/card.php?mainmenu=hrm&action=request', 'MenuAddCP', 1, 'holiday', '$user->rights->holiday->write', '', 0, 1, __ENTITY__); +insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->holiday->enabled', __HANDLER__, 'left', 5001__+MAX_llx_menu__, 'hrm', '', 5000__+MAX_llx_menu__, '/holiday/card.php?mainmenu=hrm&action=create', 'MenuAddCP', 1, 'holiday', '$user->rights->holiday->write', '', 0, 1, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->holiday->enabled', 
__HANDLER__, 'left', 5002__+MAX_llx_menu__, 'hrm', '', 5000__+MAX_llx_menu__, '/holiday/list.php?mainmenu=hrm&leftmenu=hrm', 'List', 1, 'holiday', '$user->rights->holiday->read', '', 0, 1, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->holiday->enabled', __HANDLER__, 'left', 5003__+MAX_llx_menu__, 'hrm', '', 5002__+MAX_llx_menu__, '/holiday/list.php?mainmenu=hrm&search_statut=2&leftmenu=hrm', 'ListToApprove', 2, 'trips', '$user->rights->holiday->read', '', 0, 1, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->holiday->enabled', __HANDLER__, 'left', 5004__+MAX_llx_menu__, 'hrm', '', 5000__+MAX_llx_menu__, '/holiday/define_holiday.php?mainmenu=hrm&action=request', 'MenuConfCP', 1, 'holiday', '$user->rights->holiday->define_holiday', '', 0, 2, __ENTITY__); diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index a76a4839242..f721d7d4c5c 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php 
@@ -1773,7 +1773,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $langs->loadLangs(array("holiday", "trips")); $newmenu->add("/holiday/list.php?mainmenu=hrm&leftmenu=hrm", $langs->trans("CPTitreMenu"), 0, $user->rights->holiday->read, '', $mainmenu, 'hrm'); - $newmenu->add("/holiday/card.php?mainmenu=hrm&leftmenu=holiday&action=request", $langs->trans("New"), 1, $user->rights->holiday->write); + $newmenu->add("/holiday/card.php?mainmenu=hrm&leftmenu=holiday&action=create", $langs->trans("New"), 1, $user->rights->holiday->write); $newmenu->add("/holiday/list.php?mainmenu=hrm&leftmenu=hrm", $langs->trans("List"), 1, $user->rights->holiday->read); if ($usemenuhider || empty($leftmenu) || $leftmenu == "hrm") { $newmenu->add("/holiday/list.php?search_statut=1&mainmenu=hrm&leftmenu=hrm", $langs->trans("DraftCP"), 2, $user->rights->holiday->read); diff --git a/htdocs/core/modules/modOpenSurvey.class.php b/htdocs/core/modules/modOpenSurvey.class.php index 165cb9d5858..1c1774c83fd 100644 --- a/htdocs/core/modules/modOpenSurvey.class.php +++ b/htdocs/core/modules/modOpenSurvey.class.php @@ -64,7 +64,7 @@ class modOpenSurvey extends DolibarrModules // Name of image file used for this module. // If file is in theme/yourtheme/img directory under name object_pictovalue.png, use this->picto='pictovalue' // If file is in module/img directory under name object_pictovalue.png, use this->picto='pictovalue@module' - $this->picto = '^date@opensurvey'; + $this->picto = 'poll'; // Data directories to create when module is enabled $this->dirs = array(); diff --git a/htdocs/core/modules/modProduct.class.php b/htdocs/core/modules/modProduct.class.php index 015f4050983..5237f5f9b4b 100644 --- a/htdocs/core/modules/modProduct.class.php +++ b/htdocs/core/modules/modProduct.class.php @@ -167,6 +167,9 @@ class modProduct extends DolibarrModules $r++; */ + $usenpr = 0; + if (is_object($mysoc)) $usenpr = $mysoc->useNPR(); + // Exports //-------- $r = 0; 
@@ -192,7 +195,7 @@ class modProduct extends DolibarrModules 'p.tva_tx'=>'VATRate', 'p.datec'=>'DateCreation', 'p.tms'=>'DateModification' ); - if (is_object($mysoc) && $mysoc->useNPR()) $this->export_fields_array[$r]['p.recuperableonly'] = 'NPR'; + if (is_object($mysoc) && $usenpr) $this->export_fields_array[$r]['p.recuperableonly'] = 'NPR'; if (!empty($conf->fournisseur->enabled) || !empty($conf->margin->enabled)) $this->export_fields_array[$r] = array_merge($this->export_fields_array[$r], array('p.cost_price'=>'CostPrice')); if (!empty($conf->stock->enabled)) $this->export_fields_array[$r] = array_merge($this->export_fields_array[$r], array('e.ref'=>'DefaultWarehouse', 'p.tobatch'=>'ManageLotSerial', 'p.stock'=>'Stock', 'p.seuil_stock_alerte'=>'StockLimit', 'p.desiredstock'=>'DesiredStock', 'p.pmp'=>'PMPValue')); if (!empty($conf->barcode->enabled)) $this->export_fields_array[$r] = array_merge($this->export_fields_array[$r], array('p.barcode'=>'BarCode')); @@ -256,7 +259,7 @@ class modProduct extends DolibarrModules 'pr.price_min'=>"MinPriceLevelUnitPriceHT", 'pr.price_min_ttc'=>"MinPriceLevelUnitPriceTTC", 'pr.tva_tx'=>'PriceLevelVATRate', 'pr.date_price'=>'DateCreation'); - if (is_object($mysoc) && $mysoc->useNPR()) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; + if (is_object($mysoc) && $usenpr) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; //$this->export_TypeFields_array[$r]=array( // 'p.ref'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.url'=>"Text",'p.accountancy_code_sell'=>"Text",'p.accountancy_code_buy'=>"Text", // 'p.note'=>"Text",'p.length'=>"Numeric",'p.surface'=>"Numeric",'p.volume'=>"Numeric",'p.weight'=>"Numeric",'p.customcode'=>'Text', 
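Review bot: After hoisting `$usenpr` in the @@ -167 hunk (0 unless `$mysoc` is an object), the repeated `is_object($mysoc) && $usenpr` in this hunk and in the later ones (@@ -256, @@ -291, @@ -513, @@ -585, @@ -631, @@ -669, @@ -709, and the same pattern throughout modService.class.php) keeps a condition that is already folded into `$usenpr`; `if ($usenpr)` reads the same and is what the refactor was for. The hoisted assignment would be clearer as one line with a why-comment, `$usenpr = is_object($mysoc) ? $mysoc->useNPR() : 0; // NPR fields are exported/imported only when the company uses them`. The enclosing constructor starts before these hunks.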
@@ -291,7 +294,7 @@ class modProduct extends DolibarrModules 'pr.tva_tx'=>'PriceVATRate', 'pr.default_vat_code'=>'PriceVATCode', 'pr.datec'=>'DateCreation'); - if (is_object($mysoc) && $mysoc->useNPR()) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; + if (is_object($mysoc) && $usenpr) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; $this->export_entities_array[$r] = array('p.rowid'=>"product", 'p.ref'=>"product", 's.nom'=>'company', 'pr.price_base_type'=>"product", 'pr.price'=>"product", @@ -513,7 +516,7 @@ class modProduct extends DolibarrModules } if (!empty($conf->fournisseur->enabled) || !empty($conf->margin->enabled)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.cost_price'=>'CostPrice')); - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.recuperableonly'=>'NPR')); + if (is_object($mysoc) && $usenpr) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.recuperableonly'=>'NPR')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.localtax1_tx'=>'LT1', 'p.localtax1_type'=>'LT1Type')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.localtax2_tx'=>'LT2', 'p.localtax2_type'=>'LT2Type')); if (!empty($conf->barcode->enabled)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.barcode'=>'BarCode')); 
@@ -585,7 +588,7 @@ class modProduct extends DolibarrModules 'p.desiredstock' => '' )); if (!empty($conf->fournisseur->enabled) || !empty($conf->margin->enabled)) $import_sample = array_merge($import_sample, array('p.cost_price'=>'90')); - if (is_object($mysoc) && $mysoc->useNPR()) $import_sample = array_merge($import_sample, array('p.recuperableonly'=>'0')); + if (is_object($mysoc) && $usenpr) $import_sample = array_merge($import_sample, array('p.recuperableonly'=>'0')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $import_sample = array_merge($import_sample, array('p.localtax1_tx'=>'', 'p.localtax1_type'=>'')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $import_sample = array_merge($import_sample, array('p.localtax2_tx'=>'', 'p.localtax2_type'=>'')); if (!empty($conf->barcode->enabled)) $import_sample = array_merge($import_sample, array('p.barcode'=>'')); @@ -631,7 +634,7 @@ class modProduct extends DolibarrModules 'sp.delivery_time_days' => 'DeliveryDelay', 'sp.supplier_reputation' => 'SupplierReputation' ); - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.recuperableonly'=>'VATNPR')); + if (is_object($mysoc) && $usenpr) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.recuperableonly'=>'VATNPR')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.localtax1_tx'=>'LT1', 'sp.localtax1_type'=>'LT1Type')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.localtax2_tx'=>'LT2', 'sp.localtax2_type'=>'LT2Type')); $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array( 
@@ -669,7 +672,7 @@ class modProduct extends DolibarrModules 'sp.delivery_time_days' => '5', 'sp.supplier_reputation' => 'FAVORITE / NOTTHGOOD / DONOTORDER' ); - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.recuperableonly'=>'')); + if (is_object($mysoc) && $usenpr) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.recuperableonly'=>'')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.localtax1_tx'=>'LT1', 'sp.localtax1_type'=>'LT1Type')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.localtax2_tx'=>'LT2', 'sp.localtax2_type'=>'LT2Type')); $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array( @@ -709,7 +712,7 @@ class modProduct extends DolibarrModules 'pr.price_min'=>"MinPriceLevelUnitPriceHT", 'pr.price_min_ttc'=>"MinPriceLevelUnitPriceTTC", 'pr.date_price'=>'DateCreation*'); if (!empty($conf->global->PRODUIT_MULTIPRICES_USE_VAT_PER_LEVEL)) $this->import_fields_array[$r]['pr.tva_tx'] = 'VATRate'; - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('pr.recuperableonly'=>'NPR')); + if (is_object($mysoc) && $usenpr) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('pr.recuperableonly'=>'NPR')); $this->import_regex_array[$r] = array('pr.datec'=>'^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$', 'pr.recuperableonly'=>'^[0|1]$'); $this->import_convertvalue_array[$r] = array( 'pr.fk_product'=>array('rule'=>'fetchidfromref', 'classfile'=>'/product/class/product.class.php', 'class'=>'Product', 'method'=>'fetch', 'element'=>'Product') 
diff --git a/htdocs/core/modules/modService.class.php b/htdocs/core/modules/modService.class.php index b7933bcf3f4..258af06389a 100644 --- a/htdocs/core/modules/modService.class.php +++ b/htdocs/core/modules/modService.class.php @@ -134,6 +134,9 @@ class modService extends DolibarrModules $r++; */ + $usenpr = 0; + if (is_object($mysoc)) $usenpr = $mysoc->useNPR(); + // Exports //-------- $r = 0; @@ -158,7 +161,7 @@ class modService extends DolibarrModules 'p.tva_tx'=>'VATRate', 'p.datec'=>'DateCreation', 'p.tms'=>'DateModification' ); - if (is_object($mysoc) && $mysoc->useNPR()) $this->export_fields_array[$r]['p.recuperableonly'] = 'NPR'; + if (is_object($mysoc) && $usenpr) $this->export_fields_array[$r]['p.recuperableonly'] = 'NPR'; if (!empty($conf->fournisseur->enabled) || !empty($conf->margin->enabled)) $this->export_fields_array[$r] = array_merge($this->export_fields_array[$r], array('p.cost_price'=>'CostPrice')); if (!empty($conf->stock->enabled)) $this->export_fields_array[$r] = array_merge($this->export_fields_array[$r], array('p.stock'=>'Stock', 'p.seuil_stock_alerte'=>'StockLimit', 'p.desiredstock'=>'DesiredStock', 'p.pmp'=>'PMPValue')); if (!empty($conf->barcode->enabled)) $this->export_fields_array[$r] = array_merge($this->export_fields_array[$r], array('p.barcode'=>'BarCode')); 
@@ -223,7 +226,7 @@ class modService extends DolibarrModules 'pr.price_min'=>"MinPriceLevelUnitPriceHT", 'pr.price_min_ttc'=>"MinPriceLevelUnitPriceTTC", 'pr.tva_tx'=>'PriceLevelVATRate', 'pr.date_price'=>'DateCreation'); - if (is_object($mysoc) && $mysoc->useNPR()) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; + if (is_object($mysoc) && $usenpr) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; //$this->export_TypeFields_array[$r]=array( // 'p.ref'=>"Text",'p.label'=>"Text",'p.description'=>"Text",'p.url'=>"Text",'p.accountancy_code_sell'=>"Text",'p.accountancy_code_buy'=>"Text", // 'p.note'=>"Text",'p.length'=>"Numeric",'p.surface'=>"Numeric",'p.volume'=>"Numeric",'p.weight'=>"Numeric",'p.customcode'=>'Text', @@ -258,7 +261,7 @@ class modService extends DolibarrModules 'pr.tva_tx'=>'PriceVATRate', 'pr.default_vat_code'=>'PriceVATCode', 'pr.datec'=>'DateCreation'); - if (is_object($mysoc) && $mysoc->useNPR()) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; + if (is_object($mysoc) && $usenpr) $this->export_fields_array[$r]['pr.recuperableonly'] = 'NPR'; $this->export_entities_array[$r] = array('p.rowid'=>"product", 'p.ref'=>"product", 's.nom'=>'company', 'pr.price_base_type'=>"product", 'pr.price'=>"product", 
@@ -452,7 +455,7 @@ class modService extends DolibarrModules ) ); if (!empty($conf->fournisseur->enabled) || !empty($conf->margin->enabled)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.cost_price'=>'CostPrice')); - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.recuperableonly'=>'NPR')); + if (is_object($mysoc) && $usenpr) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.recuperableonly'=>'NPR')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.localtax1_tx'=>'LT1', 'p.localtax1_type'=>'LT1Type')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.localtax2_tx'=>'LT2', 'p.localtax2_type'=>'LT2Type')); if (!empty($conf->barcode->enabled)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('p.barcode'=>'BarCode')); @@ -531,7 +534,7 @@ class modService extends DolibarrModules 'p.desiredstock' => '' )); if (!empty($conf->fournisseur->enabled) || !empty($conf->margin->enabled)) $import_sample = array_merge($import_sample, array('p.cost_price'=>'90')); - if (is_object($mysoc) && $mysoc->useNPR()) $import_sample = array_merge($import_sample, array('p.recuperableonly'=>'0')); + if (is_object($mysoc) && $usenpr) $import_sample = array_merge($import_sample, array('p.recuperableonly'=>'0')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $import_sample = array_merge($import_sample, array('p.localtax1_tx'=>'', 'p.localtax1_type'=>'')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $import_sample = array_merge($import_sample, array('p.localtax2_tx'=>'', 'p.localtax2_type'=>'')); if (!empty($conf->barcode->enabled)) $import_sample = array_merge($import_sample, array('p.barcode'=>'')); 
@@ -580,7 +583,7 @@ class modService extends DolibarrModules 'sp.delivery_time_days' => 'DeliveryDelay', 'sp.supplier_reputation' => 'SupplierReputation' ); - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.recuperableonly'=>'VATNPR')); + if (is_object($mysoc) && $usenpr) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.recuperableonly'=>'VATNPR')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.localtax1_tx'=>'LT1', 'sp.localtax1_type'=>'LT1Type')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('sp.localtax2_tx'=>'LT2', 'sp.localtax2_type'=>'LT2Type')); $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array( @@ -617,7 +620,7 @@ class modService extends DolibarrModules 'sp.delivery_time_days' => '5', 'sp.supplier_reputation' => 'FAVORITE / NOTTHGOOD / DONOTORDER' ); - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.recuperableonly'=>'')); + if (is_object($mysoc) && $usenpr) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.recuperableonly'=>'')); if (is_object($mysoc) && $mysoc->useLocalTax(1)) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.localtax1_tx'=>'LT1', 'sp.localtax1_type'=>'LT1Type')); if (is_object($mysoc) && $mysoc->useLocalTax(2)) $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array('sp.localtax2_tx'=>'LT2', 'sp.localtax2_type'=>'LT2Type')); $this->import_examplevalues_array[$r] = array_merge($this->import_examplevalues_array[$r], array( 
@@ -657,7 +660,7 @@ class modService extends DolibarrModules 'pr.price_min'=>"MinPriceLevelUnitPriceHT", 'pr.price_min_ttc'=>"MinPriceLevelUnitPriceTTC", 'pr.date_price'=>'DateCreation*'); if (!empty($conf->global->PRODUIT_MULTIPRICES_USE_VAT_PER_LEVEL)) $this->import_fields_array[$r]['pr.tva_tx'] = 'VATRate'; - if (is_object($mysoc) && $mysoc->useNPR()) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('pr.recuperableonly'=>'NPR')); + if (is_object($mysoc) && $usenpr) $this->import_fields_array[$r] = array_merge($this->import_fields_array[$r], array('pr.recuperableonly'=>'NPR')); $this->import_regex_array[$r] = array('pr.datec'=>'^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$', 'pr.recuperableonly'=>'^[0|1]$'); $this->import_convertvalue_array[$r] = array( 'pr.fk_product'=>array('rule'=>'fetchidfromref', 'classfile'=>'/product/class/product.class.php', 'class'=>'Product', 'method'=>'fetch', 'element'=>'Product') diff --git a/htdocs/core/modules/modSociete.class.php b/htdocs/core/modules/modSociete.class.php index a752b3a4c1a..60e0fb3b198 100644 --- a/htdocs/core/modules/modSociete.class.php +++ b/htdocs/core/modules/modSociete.class.php 
@@ -265,7 +265,7 @@ class modSociete extends DolibarrModules 's.status'=>"Status", 's.client'=>"Customer", 's.fournisseur'=>"Supplier", 's.datec'=>"DateCreation", 's.tms'=>"DateLastModification", 's.code_client'=>"CustomerCode", 's.code_fournisseur'=>"SupplierCode", 's.code_compta'=>"AccountancyCode", 's.code_compta_fournisseur'=>"SupplierAccountancyCode", 's.address'=>"Address", 's.zip'=>"Zip", 's.town'=>"Town", 'd.nom'=>'State', 'r.nom'=>'Region', 'c.label'=>"Country", 'c.code'=>"CountryCode", 's.phone'=>"Phone", 's.fax'=>"Fax", - 's.url'=>"Url", 's.email'=>"Email", 's.default_lang'=>"DefaultLang", 's.siren'=>"ProfId1", 's.siret'=>"ProfId2", 's.ape'=>"ProfId3", 's.idprof4'=>"ProfId4", + 's.url'=>"Url", 's.email'=>"Email", 's.default_lang'=>"DefaultLang", 's.canvas' => "Canvas", 's.siren'=>"ProfId1", 's.siret'=>"ProfId2", 's.ape'=>"ProfId3", 's.idprof4'=>"ProfId4", 's.idprof5'=>"ProfId5", 's.idprof6'=>"ProfId6", 's.tva_intra'=>"VATIntraShort", 's.capital'=>"Capital", 's.note_private'=>"NotePrivate", 's.note_public'=>"NotePublic", 't.libelle'=>"ThirdPartyType", 'ce.code'=>"Staff", "cfj.libelle"=>"JuridicalStatus", 's.fk_prospectlevel'=>'ProspectLevel', 'st.code'=>'ProspectStatus', 'payterm.libelle'=>'PaymentConditions', 'paymode.libelle'=>'PaymentMode', 
@@ -286,7 +286,7 @@ class modSociete extends DolibarrModules //$this->export_TypeFields_array[$r]=array( // 's.rowid'=>"List:societe:nom",'s.nom'=>"Text",'s.status'=>"Text",'s.client'=>"Boolean",'s.fournisseur'=>"Boolean",'s.datec'=>"Date",'s.tms'=>"Date", // 's.code_client'=>"Text",'s.code_fournisseur'=>"Text",'s.address'=>"Text",'s.zip'=>"Text",'s.town'=>"Text",'c.label'=>"List:c_country:label:label", - // 'c.code'=>"Text",'s.phone'=>"Text",'s.fax'=>"Text",'s.url'=>"Text",'s.email'=>"Text",'s.default_lang'=>"Text",'s.siret'=>"Text",'s.siren'=>"Text", + // 'c.code'=>"Text",'s.phone'=>"Text",'s.fax'=>"Text",'s.url'=>"Text",'s.email'=>"Text",'s.default_lang'=>"Text",'s.canvas' => "Canvas",'s.siret'=>"Text",'s.siren'=>"Text", // 's.ape'=>"Text",'s.idprof4'=>"Text",'s.idprof5'=>"Text",'s.idprof6'=>"Text",'s.tva_intra'=>"Text",'s.capital'=>"Numeric",'s.note'=>"Text", // 't.libelle'=>"Text",'ce.code'=>"List:c_effectif:libelle:code","cfj.libelle"=>"Text",'s.fk_prospectlevel'=>'List:c_prospectlevel:label:code', // 's.fk_stcomm'=>'List:c_stcomm:libelle:code','d.nom'=>'List:c_departements:nom:rowid' 
@@ -295,11 +295,15 @@ class modSociete extends DolibarrModules 's.rowid'=>"Numeric", 's.nom'=>"Text", 's.name_alias'=>"Text", 'ps.nom'=>"Text", 's.status'=>"Numeric", 's.client'=>"Numeric", 's.fournisseur'=>"Boolean", 's.datec'=>"Date", 's.tms'=>"Date", 's.code_client'=>"Text", 's.code_fournisseur'=>"Text", 's.code_compta'=>"Text", 's.code_compta_fournisseur'=>"Text", - 's.address'=>"Text", 's.zip'=>"Text",'s.town'=>"Text", 'd.nom'=>'Text', 'r.nom'=>'Text', 'c.label'=>"List:c_country:label:label", 'c.code'=>"Text", 's.phone'=>"Text", 's.fax'=>"Text", - 's.url'=>"Text", 's.email'=>"Text", 's.default_lang'=>"Text", 's.siret'=>"Text", 's.siren'=>"Text", 's.ape'=>"Text", 's.idprof4'=>"Text", - 's.idprof5'=>"Text", 's.idprof6'=>"Text", 's.tva_intra'=>"Text", 's.capital'=>"Numeric", 's.note_private'=>"Text", 's.note_public'=>"Text", + 's.address'=>"Text", 's.zip'=>"Text",'s.town'=>"Text", + 'd.nom'=>'Text', 'r.nom'=>'Text', 'c.label'=>"List:c_country:label:label", 'c.code'=>"Text", + 's.phone'=>"Text", 's.fax'=>"Text", + 's.url'=>"Text", 's.email'=>"Text", 's.default_lang'=>"Text", 's.canvas' => "Canvas", + 's.siret'=>"Text", 's.siren'=>"Text", 's.ape'=>"Text", 's.idprof4'=>"Text", 's.idprof5'=>"Text", 's.idprof6'=>"Text", + 's.tva_intra'=>"Text", 's.capital'=>"Numeric", 's.note_private'=>"Text", 's.note_public'=>"Text", 't.libelle'=>"Text", 'ce.code'=>"List:c_effectif:libelle:code", "cfj.libelle"=>"Text", 's.fk_prospectlevel'=>'List:c_prospectlevel:label:code', - 'st.code'=>'List:c_stcomm:libelle:code', 'payterm.libelle'=>'Text', 'paymode.libelle'=>'Text', + 'st.code'=>'List:c_stcomm:libelle:code', + 'payterm.libelle'=>'Text', 'paymode.libelle'=>'Text', 's.outstanding_limit'=>'Numeric', 'pbacc.ref'=>'Text', 'incoterm.code'=>'Text', 'u.login'=>'Text', 'u.firstname'=>'Text', 'u.lastname'=>'Text', 's.entity'=>'Numeric', 's.price_level'=>'Numeric' 
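Review bot: `'s.canvas' => "Canvas"` is inserted into `export_TypeFields_array`, but every other value in that array is a field type (`"Text"`, `"Numeric"`, `"Date"`, `"Boolean"`, `"List:..."`), not a label; `"Canvas"` is not a type and the same mistake is repeated in the commented-out block above. The entry should read `'s.canvas' => "Text"`, matching the neighbouring `'s.default_lang'=>"Text"`. The label `"Canvas"` belongs only in `export_fields_array`, where the earlier hunk already puts it.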
diff --git a/htdocs/core/modules/oauth/github_oauthcallback.php b/htdocs/core/modules/oauth/github_oauthcallback.php
index 7df6b007f26..778baad8cc8 100644
--- a/htdocs/core/modules/oauth/github_oauthcallback.php
+++ b/htdocs/core/modules/oauth/github_oauthcallback.php
@@ -35,7 +35,7 @@ $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domai
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $backtourl = GETPOST('backtourl', 'alpha');
diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index c15d1da5751..7c00fdac323 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -35,7 +35,7 @@ $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domai
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $backtourl = GETPOST('backtourl', 'alpha');
diff --git a/htdocs/core/modules/oauth/stripelive_oauthcallback.php b/htdocs/core/modules/oauth/stripelive_oauthcallback.php
index c1d38080657..f5b52459b30 100644
--- a/htdocs/core/modules/oauth/stripelive_oauthcallback.php
+++ b/htdocs/core/modules/oauth/stripelive_oauthcallback.php
@@ -35,7 +35,7 @@ $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domai
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $backtourl = GETPOST('backtourl', 'alpha');
diff --git a/htdocs/core/modules/oauth/stripetest_oauthcallback.php b/htdocs/core/modules/oauth/stripetest_oauthcallback.php
index df468492921..efe522d9049 100644
--- a/htdocs/core/modules/oauth/stripetest_oauthcallback.php
+++ b/htdocs/core/modules/oauth/stripetest_oauthcallback.php
@@ -35,7 +35,7 @@ $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domai
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $backtourl = GETPOST('backtourl', 'alpha');
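Review bot: `$action` is tightened to `aZ09` in all four OAuth callbacks, but the line right after it still reads `$backtourl` with `alpha`, which per the ChangeLog now only strips HTML and therefore still accepts an absolute `https://attacker/...` value. OAuth callback pages are exactly where a redirect-after-login parameter is consumed, so if `$backtourl` later feeds a `header('Location: ...')` (its use is outside these one-line hunks, so this is inferred), it should be constrained to a same-origin path before use, e.g. `if ($backtourl && !preg_match('#^/#', $backtourl) && strpos($backtourl, DOL_URL_ROOT) !== 0) $backtourl = '';`. At minimum a comment such as `// backtourl is a redirect target: must be validated as a local path before use` would flag the hazard to the next reader.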
diff --git a/htdocs/core/modules/security/generate/modGeneratePassPerso.class.php b/htdocs/core/modules/security/generate/modGeneratePassPerso.class.php index 6251f02a0de..79d6865037a 100644 --- a/htdocs/core/modules/security/generate/modGeneratePassPerso.class.php +++ b/htdocs/core/modules/security/generate/modGeneratePassPerso.class.php @@ -81,8 +81,8 @@ class modGeneratePassPerso extends ModeleGenPassword $this->user = $user; if (empty($conf->global->USER_PASSWORD_PATTERN)) { - // default value (8carac, 1maj, 1digit, 1spe, 3 repeat, no ambi at auto generation. - dolibarr_set_const($db, "USER_PASSWORD_PATTERN", '8;1;1;1;3;1', 'chaine', 0, '', $conf->entity); + // default value (10carac, 1maj, 1digit, 1spe, 3 repeat, no ambi at auto generation. + dolibarr_set_const($db, "USER_PASSWORD_PATTERN", '10;1;1;1;3;1', 'chaine', 0, '', $conf->entity); } $this->Maj = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; diff --git a/htdocs/core/modules/security/generate/modGeneratePassStandard.class.php b/htdocs/core/modules/security/generate/modGeneratePassStandard.class.php index 23b71244cbd..0c5f2c1807c 100644 --- a/htdocs/core/modules/security/generate/modGeneratePassStandard.class.php +++ b/htdocs/core/modules/security/generate/modGeneratePassStandard.class.php @@ -75,7 +75,7 @@ class modGeneratePassStandard extends ModeleGenPassword public function getDescription() { global $langs; - return $langs->trans("PasswordGenerationStandard"); + return $langs->trans("PasswordGenerationStandard", $this->length); } /** diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php index 37aa758db37..c7a52865dc7 100644 --- a/htdocs/core/photos_resize.php +++ b/htdocs/core/photos_resize.php 
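Review bot: The rewritten comment still has an unclosed parenthesis and does not explain the semicolon-separated pattern, while the surrounding `if (empty($conf->global->USER_PASSWORD_PATTERN))` means the new 10-character default only applies to installs that have never stored the constant, so existing sites silently keep 8. Replace the comment with `// Default pattern: length;min_upper;min_digit;min_special;max_repeat;no_ambiguous. Only applied when no pattern is stored yet, so existing installs keep their previous (8-char) value.` Whether the six positions really carry those meanings must be confirmed against the parser further down in this class, which is outside the hunk.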
@@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; $langs->loadLangs(array("products", "other")); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $modulepart = GETPOST('modulepart', 'alpha') ?GETPOST('modulepart', 'alpha') : 'produit|service'; $original_file = GETPOST("file"); $backtourl = GETPOST('backtourl'); diff --git a/htdocs/core/tpl/admin_extrafields_add.tpl.php b/htdocs/core/tpl/admin_extrafields_add.tpl.php index 616ecb74f40..b8a37ee5969 100644 --- a/htdocs/core/tpl/admin_extrafields_add.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_add.tpl.php @@ -181,7 +181,7 @@ $langs->load("modulebuilder"); trans("LanguageFile"); ?> global->MAIN_STORE_COMPUTED_EXTRAFIELDS)) { ?> - textwithpicto($langs->trans("ComputedFormula"), $langs->trans("ComputedFormulaDesc"), 1, 'help', '', 0, 2, 'tooltipcompute'); ?> + textwithpicto($langs->trans("ComputedFormula"), $langs->trans("ComputedFormulaDesc"), 1, 'help', '', 0, 2, 'tooltipcompute'); ?> textwithpicto($langs->trans("ComputedFormula"), $langs->trans("ComputedFormulaDesc")).$form->textwithpicto($langs->trans("Computedpersistent"), $langs->trans("ComputedpersistentDesc"), 1, 'warning'); ?> diff --git a/htdocs/core/tpl/commonfields_add.tpl.php b/htdocs/core/tpl/commonfields_add.tpl.php index 0bf2a60d0fe..d36f0c2a87a 100644 --- a/htdocs/core/tpl/commonfields_add.tpl.php +++ b/htdocs/core/tpl/commonfields_add.tpl.php 
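Review bot: `$action` is narrowed to `aZ09`, but two lines below in the same hunk `$original_file = GETPOST("file");` and `$backtourl = GETPOST('backtourl');` are read with no filter at all even though `file` is a path that reaches the filesystem and `backtourl` is a navigation target. document.php in this same commit reads the equivalent parameter as `GETPOST('file', 'alphanohtml')` with a comment that PHP already URL-decodes `$_GET`; for consistency this page should do the same, `$original_file = GETPOST('file', 'alphanohtml');`, and `$backtourl` should be filtered at least as `alpha`. The later path-traversal checks on `$original_file`, if any, are outside the hunk.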
@@ -54,7 +54,7 @@ foreach ($object->fields as $key => $val) print ''; print ''; if (in_array($val['type'], array('int', 'integer'))) $value = GETPOST($key, 'int'); - elseif ($val['type'] == 'text' || $val['type'] == 'html') $value = GETPOST($key, 'none'); + elseif ($val['type'] == 'text' || $val['type'] == 'html') $value = GETPOST($key, 'restricthtml'); else $value = GETPOST($key, 'alpha'); if ($val['noteditable']) print $object->showOutputField($val, $key, $value, '', '', '', 0); else print $object->showInputField($val, $key, $value, '', '', '', 0); diff --git a/htdocs/core/tpl/commonfields_edit.tpl.php b/htdocs/core/tpl/commonfields_edit.tpl.php index 8484d06ddb6..ace640d9b79 100644 --- a/htdocs/core/tpl/commonfields_edit.tpl.php +++ b/htdocs/core/tpl/commonfields_edit.tpl.php @@ -52,7 +52,7 @@ foreach ($object->fields as $key => $val) print ''; print ''; if (in_array($val['type'], array('int', 'integer'))) $value = GETPOSTISSET($key) ?GETPOST($key, 'int') : $object->$key; - elseif ($val['type'] == 'text' || $val['type'] == 'html') $value = GETPOSTISSET($key) ?GETPOST($key, 'none') : $object->$key; + elseif ($val['type'] == 'text' || $val['type'] == 'html') $value = GETPOSTISSET($key) ?GETPOST($key, 'restricthtml') : $object->$key; else $value = GETPOSTISSET($key) ?GETPOST($key, 'alpha') : $object->$key; //var_dump($val.' '.$key.' '.$value); if ($val['noteditable']) print $object->showOutputField($val, $key, $value, '', '', '', 0); diff --git a/htdocs/core/tpl/extrafields_view.tpl.php b/htdocs/core/tpl/extrafields_view.tpl.php index 4e9ce5d6997..8f02f40fe3c 100644 --- a/htdocs/core/tpl/extrafields_view.tpl.php +++ b/htdocs/core/tpl/extrafields_view.tpl.php 
@@ -176,7 +176,7 @@ if (empty($reshook) && is_array($extrafields->attributes[$object->table_element] } //TODO Improve element and rights detection - if ($action == 'edit_extras' && $permok && GETPOST('attribute', 'none') == $tmpkeyextra) + if ($action == 'edit_extras' && $permok && GETPOST('attribute', 'restricthtml') == $tmpkeyextra) { $fieldid = 'id'; if ($object->table_element == 'societe') $fieldid = 'socid'; diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php index ed38c5ea783..eed6c9d201e 100644 --- a/htdocs/core/tpl/objectline_create.tpl.php +++ b/htdocs/core/tpl/objectline_create.tpl.php @@ -306,7 +306,7 @@ if ($nolinesbefore) { if (!empty($conf->global->MAIN_INPUT_DESC_HEIGHT)) $nbrows = $conf->global->MAIN_INPUT_DESC_HEIGHT; $toolbarname = 'dolibarr_details'; if (!empty($conf->global->FCKEDITOR_ENABLE_DETAILS_FULL)) $toolbarname = 'dolibarr_notes'; - $doleditor = new DolEditor('dp_desc', GETPOST('dp_desc', 'none'), '', (empty($conf->global->MAIN_DOLEDITOR_HEIGHT) ? 100 : $conf->global->MAIN_DOLEDITOR_HEIGHT), $toolbarname, '', false, true, $enabled, $nbrows, '98%'); + $doleditor = new DolEditor('dp_desc', GETPOST('dp_desc', 'restricthtml'), '', (empty($conf->global->MAIN_DOLEDITOR_HEIGHT) ? 100 : $conf->global->MAIN_DOLEDITOR_HEIGHT), $toolbarname, '', false, true, $enabled, $nbrows, '98%'); $doleditor->Create(); // Show autofill date for recurring invoices if (!empty($conf->service->enabled) && $object->element == 'facturerec') diff --git a/htdocs/cron/card.php b/htdocs/cron/card.php index 461c78efbdb..de4b8a03daa 100644 --- a/htdocs/cron/card.php +++ b/htdocs/cron/card.php 
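Review bot: `GETPOST('attribute', 'restricthtml') == $tmpkeyextra` applies an HTML-sanitising filter to a value that is only ever compared against an extrafield key name, so `restricthtml` is the wrong tool here: it still lets through quotes, slashes and tag-free markup and merely costs a sanitiser pass. Since `$tmpkeyextra` is an identifier, the comparison should use the identifier filter the commit applies to `action` elsewhere, `GETPOST('attribute', 'aZ09') == $tmpkeyextra` (or `alphanohtml` if extrafield keys may contain characters outside `[A-Za-z0-9]`). The enclosing loop begins outside the hunk.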
@@ -39,7 +39,7 @@ $langs->loadLangs(array('admin', 'cron', 'members')); if (!$user->rights->cron->create) accessforbidden(); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $backtourl = GETPOST('backtourl', 'alpha'); @@ -136,7 +136,7 @@ if ($action == 'add') $object->params = GETPOST('params'); $object->md5params = GETPOST('md5params'); $object->module_name = GETPOST('module_name', 'alpha'); - $object->note = GETPOST('note', 'none'); + $object->note_private = GETPOST('note', 'restricthtml'); $object->datestart = dol_mktime(GETPOST('datestarthour', 'int'), GETPOST('datestartmin', 'int'), 0, GETPOST('datestartmonth', 'int'), GETPOST('datestartday', 'int'), GETPOST('datestartyear', 'int')); $object->dateend = dol_mktime(GETPOST('dateendhour', 'int'), GETPOST('dateendmin', 'int'), 0, GETPOST('dateendmonth', 'int'), GETPOST('dateendday', 'int'), GETPOST('dateendyear', 'int')); $object->datenextrun = dol_mktime(GETPOST('datenextrunhour', 'int'), GETPOST('datenextrunmin', 'int'), 0, GETPOST('datenextrunmonth', 'int'), GETPOST('datenextrunday', 'int'), GETPOST('datenextrunyear', 'int')); 
@@ -171,7 +171,7 @@ if ($action == 'update') $object->params = GETPOST('params'); $object->md5params = GETPOST('md5params'); $object->module_name = GETPOST('module_name', 'alpha'); - $object->note = GETPOST('note', 'none'); + $object->note_private = GETPOST('note', 'restricthtml'); $object->datestart = dol_mktime(GETPOST('datestarthour', 'int'), GETPOST('datestartmin', 'int'), 0, GETPOST('datestartmonth', 'int'), GETPOST('datestartday', 'int'), GETPOST('datestartyear', 'int')); $object->dateend = dol_mktime(GETPOST('dateendhour', 'int'), GETPOST('dateendmin', 'int'), 0, GETPOST('dateendmonth', 'int'), GETPOST('dateendday', 'int'), GETPOST('dateendyear', 'int')); $object->datenextrun = dol_mktime(GETPOST('datenextrunhour', 'int'), GETPOST('datenextrunmin', 'int'), 0, GETPOST('datenextrunmonth', 'int'), GETPOST('datenextrunday', 'int'), GETPOST('datenextrunyear', 'int')); @@ -382,7 +382,7 @@ if (($action == "create") || ($action == "edit")) print ''; print $langs->trans('CronNote').""; - $doleditor = new DolEditor('note', $object->note, '', 160, 'dolibarr_notes', 'In', true, false, 0, ROWS_4, '90%'); + $doleditor = new DolEditor('note', $object->note_private, '', 160, 'dolibarr_notes', 'In', true, false, 0, ROWS_4, '90%'); $doleditor->Create(); print ""; print ""; @@ -581,7 +581,9 @@ if (($action == "create") || ($action == "edit")) print ''; print $langs->trans('CronNote').""; - print $langs->trans($object->note); + if (!is_null($object->note_private) && $object->note_private != '') { + print $langs->trans($object->note_private); + } print ""; if (!empty($conf->multicompany->enabled)) diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index d66c441c79c..e1c9861cc9e 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php 
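Review bot: In the last hunk of this file the note is now collected with `restricthtml`, i.e. it may legitimately contain HTML, yet it is displayed via `print $langs->trans($object->note_private);`. `trans()` is a translation-key lookup, not an HTML sanitiser, so the free-text note is looked up as if it were a language key and echoed; whether `trans()` escapes its argument is not visible here, but if it does not, whatever `restricthtml` let through is rendered raw. Print the note the way other note fields are shown instead, for example `print dol_htmlentitiesbr($object->note_private);`, and keep the new null/empty guard. Passing user text through `trans()` also risks it colliding with a real translation key.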
@@ -151,7 +151,7 @@ class Cronjob extends CommonObject if (isset($this->unitfrequency)) $this->unitfrequency = trim($this->unitfrequency); if (isset($this->frequency)) $this->frequency = trim($this->frequency); if (isset($this->status)) $this->status = trim($this->status); - if (isset($this->note)) $this->note = trim($this->note); + if (isset($this->note_private)) $this->note_private = trim($this->note_private); if (isset($this->nbrun)) $this->nbrun = trim($this->nbrun); if (isset($this->libname)) $this->libname = trim($this->libname); if (isset($this->test)) $this->test = trim($this->test); @@ -251,7 +251,7 @@ class Cronjob extends CommonObject $sql .= " ".(!isset($this->status) ? '0' : $this->status).","; $sql .= " ".$user->id.","; $sql .= " ".$user->id.","; - $sql .= " ".(!isset($this->note) ? 'NULL' : "'".$this->db->escape($this->note)."'").","; + $sql .= " ".(!isset($this->note_private) ? 'NULL' : "'".$this->db->escape($this->note_private)."'").","; $sql .= " ".(!isset($this->nbrun) ? '0' : $this->db->escape($this->nbrun)).","; $sql .= " ".(empty($this->maxrun) ? '0' : $this->db->escape($this->maxrun)).","; $sql .= " ".(!isset($this->libname) ? 'NULL' : "'".$this->db->escape($this->libname)."'").","; @@ -322,7 +322,7 @@ class Cronjob extends CommonObject $sql .= " t.processing,"; $sql .= " t.fk_user_author,"; $sql .= " t.fk_user_mod,"; - $sql .= " t.note,"; + $sql .= " t.note as note_private,"; $sql .= " t.nbrun,"; $sql .= " t.maxrun,"; $sql .= " t.libname,"; @@ -366,7 +366,7 @@ class Cronjob extends CommonObject $this->processing = $obj->processing; $this->fk_user_author = $obj->fk_user_author; $this->fk_user_mod = $obj->fk_user_mod; - $this->note = $obj->note; + $this->note_private = $obj->note_private; $this->nbrun = $obj->nbrun; $this->maxrun = $obj->maxrun; $this->libname = $obj->libname; 
@@ -429,7 +429,7 @@ class Cronjob extends CommonObject $sql .= " t.processing,"; $sql .= " t.fk_user_author,"; $sql .= " t.fk_user_mod,"; - $sql .= " t.note,"; + $sql .= " t.note as note_private,"; $sql .= " t.nbrun,"; $sql .= " t.libname,"; $sql .= " t.test"; @@ -501,7 +501,7 @@ class Cronjob extends CommonObject $line->processing = $obj->processing; $line->fk_user_author = $obj->fk_user_author; $line->fk_user_mod = $obj->fk_user_mod; - $line->note = $obj->note; + $line->note_private = $obj->note_private; $line->nbrun = $obj->nbrun; $line->libname = $obj->libname; $line->test = $obj->test; @@ -551,7 +551,7 @@ class Cronjob extends CommonObject if (isset($this->unitfrequency)) $this->unitfrequency = trim($this->unitfrequency); if (isset($this->frequency)) $this->frequency = trim($this->frequency); if (isset($this->status)) $this->status = trim($this->status); - if (isset($this->note)) $this->note = trim($this->note); + if (isset($this->note_private)) $this->note_private = trim($this->note_private); if (isset($this->nbrun)) $this->nbrun = trim($this->nbrun); if (isset($this->libname)) $this->libname = trim($this->libname); if (isset($this->test)) $this->test = trim($this->test); @@ -625,7 +625,7 @@ class Cronjob extends CommonObject $sql .= " status=".(isset($this->status) ? $this->status : "null").","; $sql .= " processing=".((isset($this->processing) && $this->processing > 0) ? $this->processing : "0").","; $sql .= " fk_user_mod=".$user->id.","; - $sql .= " note=".(isset($this->note) ? "'".$this->db->escape($this->note)."'" : "null").","; + $sql .= " note=".(isset($this->note_private) ? "'".$this->db->escape($this->note_private)."'" : "null").","; $sql .= " nbrun=".((isset($this->nbrun) && $this->nbrun > 0) ? $this->nbrun : "null").","; $sql .= " maxrun=".((isset($this->maxrun) && $this->maxrun > 0) ? $this->maxrun : "0").","; $sql .= " libname=".(isset($this->libname) ? "'".$this->db->escape($this->libname)."'" : "null").","; 
@@ -785,7 +785,7 @@ class Cronjob extends CommonObject $this->processing = 0; $this->fk_user_author = 0; $this->fk_user_mod = 0; - $this->note = ''; + $this->note_private = ''; $this->nbrun = ''; $this->maxrun = 100; $this->libname = ''; @@ -1119,23 +1119,32 @@ class Cronjob extends CommonObject // Run a command line if ($this->jobtype == 'command') { - $outputdir = $conf->cron->dir_temp; - if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp; + global $dolibarr_cron_allow_cli; - if (!empty($outputdir)) - { - dol_mkdir($outputdir); - $outputfile = $outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method + if (empty($dolibarr_cron_allow_cli)) { + $langs->load("errors"); + $this->error = $langs->trans("FailedToExecutCommandJob"); + $this->lastoutput = ''; + $this->lastresult = $langs->trans("ErrorParameterMustBeEnabledToAllwoThisFeature", 'dolibarr_cron_allow_cli'); + } else { + $outputdir = $conf->cron->dir_temp; + if (empty($outputdir)) $outputdir = $conf->cronjob->dir_temp; - // Execute a CLI - include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; - $utils = new Utils($this->db); - $arrayresult = $utils->executeCLI($this->command, $outputfile); + if (!empty($outputdir)) + { + dol_mkdir($outputdir); + $outputfile = $outputdir.'/cronjob.'.$userlogin.'.out'; // File used with popen method - $retval = $arrayresult['result']; - $this->error = $arrayresult['error']; - $this->lastoutput = $arrayresult['output']; - $this->lastresult = $arrayresult['result']; + // Execute a CLI + include_once DOL_DOCUMENT_ROOT.'/core/class/utils.class.php'; + $utils = new Utils($this->db); + $arrayresult = $utils->executeCLI($this->command, $outputfile); + + $retval = $arrayresult['result']; + $this->error = $arrayresult['error']; + $this->lastoutput = $arrayresult['output']; + $this->lastresult = $arrayresult['result']; + } } } diff --git a/htdocs/cron/list.php b/htdocs/cron/list.php index 7f048ac17f1..a41608e7e25 100644 --- a/htdocs/cron/list.php 
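Review bot: In the new `empty($dolibarr_cron_allow_cli)` branch `$retval` is never assigned, whereas the enabled branch sets `$retval = $arrayresult['result']`; if the code after this hunk (the method continues past it) tests `$retval`, a refused command job will look like an unset value rather than a failure, so add `$retval = -1;` alongside `$this->error` in that branch. The two translation keys `FailedToExecutCommandJob` and `ErrorParameterMustBeEnabledToAllwoThisFeature` look misspelled ("Execut", "Allwo"); they must match the language files exactly or the raw key is shown, so please verify them. A short comment above the check would also help the next reader, e.g. `// Command-line jobs run arbitrary shell commands: refuse unless the host explicitly opted in via $dolibarr_cron_allow_cli in conf.php`.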
+++ b/htdocs/cron/list.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "cron", "bills", "members")); if (!$user->rights->cron->read) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); // The bulk action (combo box choice into lists) $confirm = GETPOST('confirm', 'alpha'); $toselect = GETPOST('toselect', 'array'); // Array of ids of elements selected into a list diff --git a/htdocs/datapolicy/admin/setup.php b/htdocs/datapolicy/admin/setup.php index fe9e5bbc5c3..8cbec549941 100644 --- a/htdocs/datapolicy/admin/setup.php +++ b/htdocs/datapolicy/admin/setup.php @@ -36,7 +36,7 @@ $langs->load('datapolicy@datapolicy'); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $arrayofparameters = array(); diff --git a/htdocs/datapolicy/admin/setupmail.php b/htdocs/datapolicy/admin/setupmail.php index 03674f7eed7..b2b739a8f12 100644 --- a/htdocs/datapolicy/admin/setupmail.php +++ b/htdocs/datapolicy/admin/setupmail.php @@ -29,7 +29,7 @@ $langs->loadLangs(array('admin', 'companies', 'members', 'datapolicy')); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $formadmin = new FormAdmin($db); diff --git a/htdocs/datapolicy/public/index.php b/htdocs/datapolicy/public/index.php index c6e23db9083..079bcd340da 100644 --- a/htdocs/datapolicy/public/index.php +++ b/htdocs/datapolicy/public/index.php @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/datapolicy/class/datapolicy.class.php'; $idc = GETPOST('c', 'int'); $ids = GETPOST('s', 'int'); $ida = GETPOST('a', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $lang = GETPOST('l', 'alpha'); $code = GETPOST('key', 'alpha'); 
diff --git a/htdocs/document.php b/htdocs/document.php index 99d9e1a29e2..ab3ad20a8f8 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -76,7 +76,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; $encoding = ''; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $original_file = GETPOST('file', 'alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $hashp = GETPOST('hashp', 'aZ09'); $modulepart = GETPOST('modulepart', 'alpha'); @@ -153,11 +153,15 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha') ?tr if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment = false; // Define mime type -$type = 'application/octet-stream'; +$type = 'application/octet-stream'; // By default if (GETPOST('type', 'alpha')) $type = GETPOST('type', 'alpha'); else $type = dol_mimetype($original_file); -// Security: Force to octet-stream if file is a dangerous file -if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream'; +// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file +// We do not force if file is a javascript to be able to get js from website module with