diff --git a/htdocs/admin/system/database.php b/htdocs/admin/system/database.php index ed039b164b7..2d20ee0fff0 100644 --- a/htdocs/admin/system/database.php +++ b/htdocs/admin/system/database.php @@ -94,7 +94,7 @@ print ''.$langs->trans("Password").''.$langs->trans("DBStoringCharset").''.$db->getDefaultCharacterSetDatabase(); if ($db->type == 'mysqli') { $tooltipexample = "
SHOW VARIABLES LIKE 'character_set_database' (cached)
You can avoid cache effect with:
SELECT DEFAULT_CHARACTER_SET_NAME FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = '".$db->escape($conf->db->name)."'"; - print ' '.$form->textwithpicto('', $langs->transnoentitiesnoconv("HelpMariaDBToGetValue", $tooltipexample.'
'.$langs->transnoentitiesnoconv("HelpMariaDBToGetPossibleValues", "
SHOW CHARSET"))); + print ' '.$form->textwithpicto('', $langs->transnoentitiesnoconv("HelpMariaDBToGetValue", $tooltipexample.'
'.$langs->transnoentitiesnoconv("HelpMariaDBToGetPossibleValues", "
SHOW CHARSET")."

Example to change value: ALTER DATABASE ".$conf->db->name." CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;")); // We can use $db->getDefaultCharacterSetDatabase(), $db->getListOfCharacterSet(), } print ''."\n"; @@ -107,7 +107,7 @@ if ($db->type == 'mysqli') { print img_warning('The database default value of collation '.$defaultcollation.' differs from conf setup '.$conf->db->dolibarr_main_db_collation); } $tooltipexample = "
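Review bot: The new "Example to change value" text splices `$conf->db->name` into the ALTER DATABASE statement as a bare identifier, while the SELECT example on the same line passes the name through `$db->escape()`; a database name that is not a plain identifier (one containing a hyphen, for instance) produces an example statement that does not run, so wrap the name in backtick identifier quotes in the tooltip string. The same sentence is duplicated verbatim in the collation hunk at @@ -107, where it hard-codes `utf8mb4_general_ci` even though the warning just above it compares the database against `$conf->db->dolibarr_main_db_collation`; building the sentence once from the configured charset and collation would keep the two tooltips consistent and make the example match this installation. The print statement and the `if ($db->type == 'mysqli')` block it sits in start before the hunk.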
SHOW VARIABLES LIKE 'collation_database' (cached)
You can avoid cache effect with:
SELECT DEFAULT_COLLATION_NAME FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = '".$db->escape($conf->db->name)."'"; - print ' '.$form->textwithpicto('', $langs->transnoentitiesnoconv("HelpMariaDBToGetValue", $tooltipexample.'
'.$langs->transnoentitiesnoconv("HelpMariaDBToGetPossibleValues", "
SHOW COLLATION"))); + print ' '.$form->textwithpicto('', $langs->transnoentitiesnoconv("HelpMariaDBToGetValue", $tooltipexample.'
'.$langs->transnoentitiesnoconv("HelpMariaDBToGetPossibleValues", "
SHOW COLLATION")."

Example to change value: ALTER DATABASE ".$conf->db->name." CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;")); // We can use $db->getDefaultCollationDatabase(), $db->getListOfCollation(); print '       '.$langs->trans("ConvertInto"); diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index ffdfa80e1c4..10e327a0420 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -1504,7 +1504,7 @@ class Categorie extends CommonObject $forced_color = 'colortoreplace'; if ($i == count($way)) { // Last category in hierarchy // Check contrast with background and correct text color - $forced_color = 'categtextwhite'; + $forced_color = 'categtextwhite'; // We want color white because the getNomUrl of a tag is always called inside a dark background like '' to show it as a tag. TODO Add this in param to force when called outside of span. if ($cat->color) { if (colorIsLight($cat->color)) { $forced_color = 'categtextblack'; @@ -1514,7 +1514,7 @@ class Categorie extends CommonObject } if ($url == '') { - $link = ''; + $link = ''; $linkend = ''; $w[] = $link.(($addpicto && $i == 1) ? img_object('', 'category', 'class="paddingright"') : '').$cat->label.$linkend; } elseif ($url == 'none') { diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 081725e89e3..12cd7d8bbaf 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -5181,11 +5181,12 @@ class Facture extends CommonInvoice //Avoid php warning Warning: mt_rand(): max(0) is smaller than min(1) when no product exists if (empty($num_prods)) { $num_prods = 1; + $prodids[$num_prods] = 1; } // Initialize parameters $this->id = 0; - $this->entity = 1; + $this->entity = $conf->entity; $this->ref = 'SPECIMEN'; $this->specimen = 1; $this->socid = 1; 
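Review bot: The `empty($num_prods)` fallback in initAsSpecimen now registers a product id that need not exist in the database (`$prodids[1] = 1`), and nothing in the hunk says so; a comment would stop the next reader from treating it as a real lookup: `// No product in database: register a dummy id so the mt_rand() index below always resolves; a later fetch of it (presumably done after this block) may fail, which is acceptable for a specimen`. `$this->entity = $conf->entity` also depends on `$conf` having been imported with `global $conf` at the top of the method, which is outside the hunk and worth confirming. The method begins and ends outside the hunk.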
diff --git a/htdocs/contrat/services_list.php b/htdocs/contrat/services_list.php index 72fe0e4e0a7..1f2c59b5ee4 100644 --- a/htdocs/contrat/services_list.php +++ b/htdocs/contrat/services_list.php @@ -414,10 +414,6 @@ $parameters = array(); $reshook = $hookmanager->executeHooks('printFieldListWhere', $parameters, $object, $action); // Note that $action and $object may have been modified by hook $sql .= $hookmanager->resPrint; -$sql .= $db->order($sortfield, $sortorder); - -//print $sql; - // Count total nb of records $nbtotalofrecords = ''; if (!getDolGlobalInt('MAIN_DISABLE_FULL_SCANLIST')) { @@ -429,7 +425,7 @@ if (!getDolGlobalInt('MAIN_DISABLE_FULL_SCANLIST')) { } } -// Complete request and execute it with limit +// Complete request and execute it with order and limit $sql .= $db->order($sortfield, $sortorder); if ($limit) { $sql .= $db->plimit($limit + 1, $offset); diff --git a/htdocs/core/modules/modCommande.class.php b/htdocs/core/modules/modCommande.class.php index e3eb08b5131..99cc533d4ab 100644 --- a/htdocs/core/modules/modCommande.class.php +++ b/htdocs/core/modules/modCommande.class.php @@ -94,11 +94,12 @@ class modCommande extends DolibarrModules [ "COMMANDE_ADDON_PDF_ODT_PATH", "chaine", - "DOL_DATA_ROOT/doctemplates/orders", + "DOL_DATA_ROOT".($conf->entity > 1 ? '/'.$conf->entity : '')."/doctemplates/orders", "", 0, ], ]; + /*$r++; $this->const[$r][0] = "COMMANDE_DRAFT_WATERMARK"; $this->const[$r][1] = "chaine"; @@ -460,7 +461,7 @@ class modCommande extends DolibarrModules //ODT template $src = DOL_DOCUMENT_ROOT.'/install/doctemplates/orders/template_order.odt'; - $dirodt = DOL_DATA_ROOT.'/doctemplates/orders'; + $dirodt = DOL_DATA_ROOT.($conf->entity > 1 ? '/'.$conf->entity : '').'/doctemplates/orders'; $dest = $dirodt.'/template_order.odt'; if (file_exists($src) && !file_exists($dest)) { diff --git a/htdocs/core/modules/modFacture.class.php b/htdocs/core/modules/modFacture.class.php index c20bb42dc26..cd8e0b39566 100644 
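Review bot: The entity-suffix expression `($conf->entity > 1 ? '/'.$conf->entity : '')` is pasted six times across this commit (both modCommande hunks and the matching hunks of modFacture.class.php and modPropale.class.php), so the per-entity template-directory convention can drift the next time one copy is edited; computing it once per method, `$entitySuffix = ($conf->entity > 1 ? '/'.$conf->entity : '');`, and concatenating that keeps the stored constant value and the `$dirodt` path built in init() in step. The `+ /*$r++;` line comments the COMMANDE_DRAFT_WATERMARK declaration out instead of deleting it, and its closing `*/` is outside the hunk; dead code is better removed, since history keeps it. Both hunks read `$conf` inside a method, which only works if the method imports it with `global $conf` above the hunk — that line is not visible here.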
--- a/htdocs/core/modules/modFacture.class.php +++ b/htdocs/core/modules/modFacture.class.php @@ -95,7 +95,7 @@ class modFacture extends DolibarrModules $this->const[$r][0] = "FACTURE_ADDON_PDF_ODT_PATH"; $this->const[$r][1] = "chaine"; - $this->const[$r][2] = "DOL_DATA_ROOT/doctemplates/invoices"; + $this->const[$r][2] = "DOL_DATA_ROOT".($conf->entity > 1 ? '/'.$conf->entity : '')."/doctemplates/invoices"; $this->const[$r][3] = ""; $this->const[$r][4] = 0; $r++; @@ -780,7 +780,7 @@ class modFacture extends DolibarrModules //ODT template $src = DOL_DOCUMENT_ROOT.'/install/doctemplates/invoices/template_invoice.odt'; - $dirodt = DOL_DATA_ROOT.'/doctemplates/invoices'; + $dirodt = DOL_DATA_ROOT.($conf->entity > 1 ? '/'.$conf->entity : '').'/doctemplates/invoices'; $dest = $dirodt.'/template_invoice.odt'; if (file_exists($src) && !file_exists($dest)) { diff --git a/htdocs/core/modules/modPropale.class.php b/htdocs/core/modules/modPropale.class.php index 4ddce5b6872..2ec295da236 100644 --- a/htdocs/core/modules/modPropale.class.php +++ b/htdocs/core/modules/modPropale.class.php @@ -100,7 +100,7 @@ class modPropale extends DolibarrModules $this->const[$r][0] = "PROPALE_ADDON_PDF_ODT_PATH"; $this->const[$r][1] = "chaine"; - $this->const[$r][2] = "DOL_DATA_ROOT/doctemplates/proposals"; + $this->const[$r][2] = "DOL_DATA_ROOT".($conf->entity > 1 ? '/'.$conf->entity : '')."/doctemplates/proposals"; $this->const[$r][3] = ""; $this->const[$r][4] = 0; $r++; @@ -490,7 +490,7 @@ class modPropale extends DolibarrModules //ODT template $src = DOL_DOCUMENT_ROOT.'/install/doctemplates/proposals/template_proposal.odt'; - $dirodt = DOL_DATA_ROOT.'/doctemplates/proposals'; + $dirodt = DOL_DATA_ROOT.($conf->entity > 1 ? '/'.$conf->entity : '').'/doctemplates/proposals'; $dest = $dirodt.'/template_proposal.odt'; if (file_exists($src) && !file_exists($dest)) { diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index b08badda776..0f19a6534e7 100644 --- a/htdocs/main.inc.php 
+++ b/htdocs/main.inc.php @@ -214,13 +214,13 @@ function testSqlAndScriptInject($val, $type) // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/Events $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)[a-z]*\s*=/i', $val); // onmousexxx can be set on img or any html tag like - $inj += preg_match('/on(abort|after|animation|auxclick|before|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $val); + $inj += preg_match('/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $val); $inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)[a-z]*\s*=/i', $val); $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)[a-z]*\s*=/i', $val); $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)[a-z]*\s*=/i', $val); $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)[a-z]*\s*=/i', $val); // More not into the previous list - $inj += preg_match('/on(repeat|begin|finish|beforeinput)[a-z]*\s*=/i', $val); + $inj += preg_match('/on(repeat|begin|finish)[a-z]*\s*=/i', $val); // We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. // Example: error=alert(1) or =alert(1) to bypass test on onerror= 
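Review bot: The handler-attribute blocklist is kept as two verbatim copies, this hunk on `$val` and the one at @@ -228 on `$tmpval`, so an edit that lands in only one of them — exactly the kind of edit this commit makes — leaves the decoded-input pass weaker than the raw pass with no test to notice; hoisting the patterns into one array that both passes iterate removes that failure mode, and the `$tmpval` block then becomes the same loop with `$tmpval` in place of `$val`. Dropping `beforeinput` from the last pattern is correct only because `before` in the second pattern already matches any `onbefore…=` attribute, which deserves a comment on that line: `// onbefore* (beforeinput, beforeunload, ...) is already covered by 'before' in the list above`. testSqlAndScriptInject begins and ends outside the hunk.
```php
// One list of DOM event-handler prefixes; the decoded value ($tmpval) further down
// is checked with the same array so the two passes cannot drift apart.
static $domEventPatterns = [
    '/on(mouse|drag|key|load|touch|pointer|select|transition)[a-z]*\s*=/i',
    '/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i',
    // … the remaining patterns of the hunk, one element each, unchanged …
    // onbefore* (beforeinput, beforeunload, ...) is already covered by 'before' above
    '/on(repeat|begin|finish)[a-z]*\s*=/i',
];
foreach ($domEventPatterns as $pattern) {
    $inj += preg_match($pattern, $val);
}
// … unchanged: html-into-html check …
```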
@@ -228,13 +228,13 @@ function testSqlAndScriptInject($val, $type) // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/Events $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)[a-z]*\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like - $inj += preg_match('/on(abort|after|animation|auxclick|before|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $tmpval); + $inj += preg_match('/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $tmpval); $inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)[a-z]*\s*=/i', $tmpval); $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)[a-z]*\s*=/i', $tmpval); $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)[a-z]*\s*=/i', $tmpval); $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)[a-z]*\s*=/i', $tmpval); // More not into the previous list - $inj += preg_match('/on(repeat|begin|finish|beforeinput)[a-z]*\s*=/i', $tmpval); + $inj += preg_match('/on(repeat|begin|finish)[a-z]*\s*=/i', $tmpval); //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ... $inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...' diff --git a/htdocs/mrp/mo_card.php b/htdocs/mrp/mo_card.php index cd97ddf76be..f2043d05a52 100644 --- a/htdocs/mrp/mo_card.php +++ b/htdocs/mrp/mo_card.php 
@@ -455,6 +455,7 @@ if ($action == 'create') { $moLine->qty = $objectbom->lines[$key]->qty; $moLine->qty_frozen = $objectbom->lines[$key]->qty_frozen; $moLine->disable_stock_change = $objectbom->lines[$key]->disable_stock_change; + $moLine->fk_bom_child = $objectbom->lines[$key]->fk_bom_child; $arrayOfMoLines[] = $moLine; } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 7d786f98dba..6ef1bebe09a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -202,6 +202,13 @@ class SecurityTest extends CommonClassTest $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject bbb'); + $test=''; + $result=testSqlAndScriptInject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject onbeforeintput'); + $test=''; + $result=testSqlAndScriptInject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject onbounce'); + $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ccc'); @@ -702,6 +709,7 @@ class SecurityTest extends CommonClassTest // Must be allowed global $leftmenu; // Used into strings to eval + $conf->global->MAIN_FEATURES_LEVEL = 1; $leftmenu = 'AAA'; $result = dol_eval('$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)', 1, 1, '1'); 
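Review bot: The assertion message on the first added line misspells the handler under test, `'Error on testSqlAndScriptInject onbeforeintput'` should read `'Error on testSqlAndScriptInject onbeforeinput'`, otherwise a failure is hard to map back to the production regex it covers. The two new `$test=` / `$result=` lines also drop the spaces around `=` that every neighbouring line uses; PER-CS expects `$test = ...` and `$result = ...`. The payload strings are not visible in this rendering, so I cannot confirm that they exercise the `bounce` addition and the `beforeinput` removal made in main.inc.php. The test method begins before the hunk.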
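Review bot: `$conf->global->MAIN_FEATURES_LEVEL = 1;` writes into the shared global configuration and is never restored, so every test that runs later in the same process sees feature level 1 whether it expects it or not; save the previous value before the dol_eval() calls and put it back at the end of the test, and the same applies to the identical assignment kept as context in the hunk at @@ -726. The assignment also needs `$conf` in scope via `global $conf;`, which, if present, sits above the hunk next to the `global $leftmenu;` line visible here. The enclosing test method starts and ends outside the hunk.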
@@ -726,7 +734,7 @@ class SecurityTest extends CommonClassTest $leftmenu = 'XXX'; $conf->global->MAIN_FEATURES_LEVEL = 1; // Force for the case option is -1 - $string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)'; + $string = '(isModEnabled("user") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)'; $result = dol_eval($string, 1, 1, '1'); print "result17 = ".$result."\n"; $this->assertTrue($result);
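Review bot: The eval string swaps `isModEnabled("agenda")` for `isModEnabled("user")` without saying why, and the `result17` assertion depends on that left operand being true; presumably the agenda module is not guaranteed to be enabled in the test database while the user module always is, and a comment on the changed line should record that: `// 'user' is always enabled, so the module check is deterministic whatever modules the test database has`. The module state is not visible here, so that reading should be confirmed. The test method begins before the hunk.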