Clean code. <input name="token" value="$_SESSION['newtoken']" is now
forbidden by CI. You must use newToken().
@@ -92,7 +92,7 @@ print '<span class="opacitymedium">'.$langs->trans("DefaultClosureDesc").'</span
|
||||
print '<br>';
|
||||
|
||||
print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print '<input type="hidden" name="action" value="update">';
|
||||
|
||||
// Define main accounts for closure
|
||||
|
||||
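Review bot: The form action on the third code line of this hunk, `print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';`, writes `$_SERVER["PHP_SELF"]` into an HTML attribute without escaping, and the same pattern is kept in the next eight hunks (the `?action=create`, `?l='.$l`, `?id='.$object->id`, `addtime` and ticket-message forms among them). PHP_SELF reflects the request path including any trailing path info, so the attribute should go through the escaper this tree already uses, e.g. `print '<form action="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'" method="post">';`. Several of those hunks also concatenate `$l`, `$type`, `$tabfamily`, `$mode` and `$day` into hidden-input values the same way; whether those are already sanitized upstream is not visible here. The token swap itself is only equivalent if newToken() returns the per-session value the removed line read, which none of these hunks show.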
@@ -185,7 +185,7 @@ if ($mesg) print $mesg;
|
||||
print '<div class="tabsAction">'."\n";
|
||||
|
||||
print '<form action="'.$_SERVER['PHP_SELF'].'?action=create" method="POST">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print '<input type="hidden" name="type" value="'.$type.'">';
|
||||
if ($nb) {
|
||||
if ($pricetowithdraw) {
|
||||
|
||||
@@ -318,7 +318,7 @@ $startyear = $endyear - 2;
|
||||
$param = '';
|
||||
|
||||
print '<form method="post" action="'.$_SERVER['PHP_SELF'].'">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print '<input type="hidden" name="action" value="viewgraph">';
|
||||
print '<input type="hidden" name="tabfamily" value="'.$tabfamily.'">';
|
||||
|
||||
|
||||
@@ -65,7 +65,7 @@ class mod_takepos_ref_universal extends ModeleNumRefTakepos
|
||||
|
||||
$texte = $langs->trans('GenericNumRefModelDesc')."<br>\n";
|
||||
$texte .= '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
|
||||
$texte .= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
$texte .= '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
$texte .= '<input type="hidden" name="action" value="updateMask">';
|
||||
$texte .= '<input type="hidden" name="maskconst" value="TAKEPOS_REF_UNIVERSAL_MASK">';
|
||||
$texte .= '<table class="nobordernopadding" width="100%">';
|
||||
|
||||
@@ -68,7 +68,7 @@ class mod_ticket_universal extends ModeleNumRefTicket
|
||||
|
||||
$texte = $langs->trans('GenericNumRefModelDesc')."<br>\n";
|
||||
$texte .= '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
|
||||
$texte .= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
$texte .= '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
$texte .= '<input type="hidden" name="action" value="updateMask">';
|
||||
$texte .= '<input type="hidden" name="maskconstticket" value="TICKET_UNIVERSAL_MASK">';
|
||||
$texte .= '<table class="nobordernopadding" width="100%">';
|
||||
|
||||
@@ -101,7 +101,7 @@ print "<script type='text/javascript'>
|
||||
</script>";
|
||||
|
||||
print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?l='.$l.'">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print '<input type="hidden" name="action" value="setvalue">';
|
||||
print '<table>';
|
||||
if ($conf->global->MAIN_MULTILANGS) {
|
||||
|
||||
@@ -115,7 +115,7 @@ if ($id > 0 || !empty($ref))
|
||||
// $morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'projectid', 0, 0, 1, 1);
|
||||
$morehtmlref .= '<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
|
||||
$morehtmlref .= '<input type="hidden" name="action" value="classin">';
|
||||
$morehtmlref .= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
$morehtmlref .= '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
$morehtmlref .= $formproject->select_projects($object->socid, $object->fk_project, 'projectid', $maxlength, 0, 1, 0, 1, 0, 0, '', 1);
|
||||
$morehtmlref .= '<input type="submit" class="button" value="'.$langs->trans("Modify").'">';
|
||||
$morehtmlref .= '</form>';
|
||||
|
||||
@@ -365,7 +365,7 @@ $nav .= ' <button type="submit" name="button_search_x" value="x" class="bordertr
|
||||
$picto = 'calendarweek';
|
||||
|
||||
print '<form name="addtime" method="POST" action="'.$_SERVER["PHP_SELF"].'">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print '<input type="hidden" name="action" value="addtime">';
|
||||
print '<input type="hidden" name="mode" value="'.$mode.'">';
|
||||
print '<input type="hidden" name="day" value="'.$day.'">';
|
||||
|
||||
@@ -184,7 +184,7 @@ class ActionsTicket
|
||||
// MESSAGE
|
||||
|
||||
print '<form action="'.$_SERVER['PHP_SELF'].'" method="post">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
print '<input type="hidden" name="track_id" value="'.$object->track_id.'">';
|
||||
print '<input type="hidden" name="action" value="set_message">';
|
||||
}
|
||||
|
||||
@@ -153,6 +153,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
|
||||
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
||||
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
||||
|
||||
foreach ($filesarray as $key => $file)
|
||||
{
|
||||
@@ -176,7 +177,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
break;
|
||||
}
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['fullname']);
|
||||
$this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['relativename']);
|
||||
//exit;
|
||||
|
||||
$ok=true;
|
||||
@@ -193,7 +194,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
//if ($reg[0] != 'db') $ok=false;
|
||||
}
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);
|
||||
$this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['relativename'].' :: '.$val[0]);
|
||||
//exit;
|
||||
|
||||
|
||||
@@ -211,7 +212,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
//if ($reg[0] != 'db') $ok=false;
|
||||
}
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].' ('.$val[0].'). Bad.');
|
||||
//exit;
|
||||
|
||||
|
||||
@@ -228,7 +229,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
break;
|
||||
}
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');
|
||||
$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');
|
||||
|
||||
|
||||
// Test that first param of print_liste_field_titre is a translation key and not the translated value
|
||||
@@ -241,7 +242,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
$ok=false;
|
||||
break;
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['fullname'].'. Bad.');
|
||||
$this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['relativename'].'. Bad.');
|
||||
|
||||
|
||||
// Test we don't have <br />
|
||||
@@ -257,7 +258,23 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
break;
|
||||
}
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a tag <br /> that is for xml in file '.$file['fullname'].'. You may use html syntax <br> instead.');
|
||||
$this->assertTrue($ok, 'Found a tag <br /> that is for xml in file '.$file['relativename'].'. You must use html syntax <br> instead.');
|
||||
|
||||
|
||||
// Test we don't have name="token" value="'.$_SESSION['newtoken'], we must use name="token" value="'.newToken() instead.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
// Check string name="token" value="'.$_SESSINON
|
||||
preg_match_all('/name="token" value="\'\.\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val)
|
||||
{
|
||||
if ($file['name'] != 'excludefile.php')
|
||||
{
|
||||
$ok=false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a forbidden string sequence into '.$file['relativename'].' : name="token" value="\'.$_SESSION[..., you must use a newToken() instead of $_SESSION[\'newtoken\'].');
|
||||
|
||||
|
||||
// Test we don't have @var array(
|
||||
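Review bot: The new CI check `preg_match_all('/name="token" value="\'\.\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER);` only recognises the exact single-quote concatenation form, so a variant with whitespace around the `.`, a `name=\"token\"` inside a double-quoted PHP string, or `$_SESSION` read into a local first would still pass; if those spellings are not meant to be tolerated, the pattern should at least allow `\s*` around the `.` and both quote styles. The loop that follows does more than needed: `$ok` is cleared on the first match and `$key`/`$val` are never used, so `$ok = empty($matches) || $file['name'] === 'excludefile.php';` says the same thing in one line — unless `excludefile.php` is a real exemption rather than a placeholder copied from a sibling check, which this hunk does not show. The comment `// Check string name="token" value="'.$_SESSINON` has a typo; `$_SESSION`. The enclosing test method starts before this hunk and ends after it.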
@@ -270,7 +287,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
$ok=false;
|
||||
break;
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['fullname'].'.');
|
||||
$this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['relativename'].'.');
|
||||
}
|
||||
|
||||
return;
|
||||
|
||||