From ed2ca6af79d7ac92e59dc6d8c17e6e963e8f192b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 14:32:15 +0100
Subject: [PATCH 01/18] CSS

---
 htdocs/theme/eldy/global.inc.php           | 23 +++++++++++---
 htdocs/theme/md/btn.inc.php                |  1 +
 htdocs/theme/md/main_menu_fa_icons.inc.php |  2 +-
 htdocs/theme/md/style.css.php              | 18 ++++++++---
 htdocs/website/index.php                   | 36 +++++++++++++---------
 5 files changed, 55 insertions(+), 25 deletions(-)

diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index 164fc74bc35..0ffc4e84786 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -1888,7 +1888,7 @@ div.blockvmenulogo
 	margin-left: 11px;
 	margin-right: 9px;
 	padding: 0;
-	height: <?php echo $disableimages ? '20' : '35'; ?>px;
+	height: <?php echo $disableimages ? '18' : '35'; ?>px;
 	/* width: 100px; */
 	max-width: 100px;
 	vertical-align: middle;
@@ -4936,6 +4936,11 @@ tr.visible {
 /*  Module website                                                                */
 /* ============================================================================== */
 
+.websiteformtoolbar {
+	position: sticky;
+	top: <?php echo $disableimages ? '32px' : '52px'; ?>;
+}
+
 .exampleapachesetup {
 	overflow-y: auto;
 	height: 100px;
@@ -4988,7 +4993,13 @@ span[phptag] {
 	/* display: inline-block; */
 	padding-<?php echo $right; ?>: 10px;
 	vertical-align: middle;
-	/* line-height: 28px; */
+	line-height: 28px;
+}
+.websiteselectionsection {
+	font-size: 0.85em;
+}
+.websiteselection span {
+	vertical-align: middle;
 }
 .websitetools {
 	float: right;
@@ -5000,7 +5011,7 @@ span[phptag] {
 }
 .websiteinputurl {
 	display: inline-block;
-	vertical-align: top;
+	vertical-align: middle;
 	line-height: 28px;
 }
 .websiteiframenoborder {
@@ -5035,6 +5046,10 @@ span.websitebuttonsitepreviewdisabled img, a.websitebuttonsitepreviewdisabled im
 	line-height: 1em;
 }
 
+.websitebar input.bordertransp {
+	line-height: normal !important;
+}
+
 #divbodywebsite section p {
 	margin: unset;
 }
@@ -7340,7 +7355,7 @@ div.clipboardCPValue.hidewithsize {
 
 	.websiteselectionsection {
 		border-left: unset;
-		boerder-right: unset;
+		border-right: unset;
 		padding-left: 5px;
 	}
 
diff --git a/htdocs/theme/md/btn.inc.php b/htdocs/theme/md/btn.inc.php
index 17ab4d83f28..a593f6ecdbf 100644
--- a/htdocs/theme/md/btn.inc.php
+++ b/htdocs/theme/md/btn.inc.php
@@ -234,6 +234,7 @@ span.butActionNewRefused>span.fa, span.butActionNewRefused>span.fa:hover
 	background: var(--butactiondeletebg);
 	/* border: 1px solid #633; */
 	color: #633;
+	vertical-align: middle;
 }
 
 .butActionDelete:hover {
diff --git a/htdocs/theme/md/main_menu_fa_icons.inc.php b/htdocs/theme/md/main_menu_fa_icons.inc.php
index d234ff15d4a..b8f45808293 100644
--- a/htdocs/theme/md/main_menu_fa_icons.inc.php
+++ b/htdocs/theme/md/main_menu_fa_icons.inc.php
@@ -11,7 +11,7 @@
 	font-variant: normal;
 	text-rendering: auto;
 	line-height: 26px;
-	font-size: 1.5em;
+	font-size: 1.3em;
 	-webkit-font-smoothing: antialiased;
 	text-align:center;
 	text-decoration:none;
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index 0257ca2465c..1d794d60de1 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -3041,11 +3041,11 @@ div.blockvmenulogo
 	border-bottom: 0 !important;
 }
 .menulogocontainer {
-	margin: <?php echo $disableimages ? '0' : '6'; ?>px;
+	margin: <?php echo $disableimages ? '-1' : '6'; ?>px;
 	margin-left: 12px;
 	margin-right: 6px;
 	padding: 0;
-	height: <?php echo $disableimages ? '20' : '32'; ?>px;
+	height: <?php echo $disableimages ? '18' : '32'; ?>px;
 	/* width: 100px; */
 	max-width: 100px;
 	vertical-align: middle;
@@ -4862,6 +4862,11 @@ tr.visible {
 /*  Module website                                                                */
 /* ============================================================================== */
 
+.websiteformtoolbar {
+	position: sticky;
+	top: <?php echo $disableimages ? '36px' : '50px'; ?>;
+}
+
 .exampleapachesetup {
 	overflow-y: auto;
 	max-height: 100px;
@@ -4891,7 +4896,10 @@ span[phptag] {
 	border-bottom: 1px solid #ccc;
 	background: #eee;
 	display: inline-block;
-	padding: 4px 0 4px 0;
+	padding: 5px 5px 5px 5px;
+}
+.centpercent.websitebar {
+	width: calc(100% - 10px);
 }
 .websitebar .buttonDelete, .websitebar .button {
 	text-shadow: none;
@@ -4908,7 +4916,7 @@ span[phptag] {
 }
 .websiteselection {
 	/* display: inline-block; */
-	padding-left: 10px;
+	padding-<?php echo $right; ?>: 10px;
 	vertical-align: middle;
 }
 .websitetools {
@@ -7126,7 +7134,7 @@ div.clipboardCPValue.hidewithsize {
 
 	.websiteselectionsection {
 		border-left: unset;
-		boerder-right: unset;
+		border-right: unset;
 		padding-left: 5px;
 	}
 
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index cdadc2c3eba..af2f3a96ae1 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -2508,7 +2508,7 @@ llxHeader($moreheadcss.$moreheadjs, $langs->trans("WebsiteSetup"), $helpurl, '',
 
 print "\n";
 print '<!-- Open form for all page -->'."\n";
-print '<form action="'.$_SERVER["PHP_SELF"].($action == 'file_manager' ? '?uploadform=1': '').'" method="POST" enctype="multipart/form-data">';
+print '<form action="'.$_SERVER["PHP_SELF"].($action == 'file_manager' ? '?uploadform=1': '').'" method="POST" enctype="multipart/form-data" class="websiteformtoolbar">';
 print '<input type="hidden" name="token" value="'.newToken().'">';
 print '<input type="hidden" name="backtopage" value="'.$backtopage.'">';
 
@@ -2669,7 +2669,7 @@ if (!GETPOST('hide_websitemenu')) {
 			print ' &nbsp; ';
 
 			//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditCss")).'" name="editcss">';
-			print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editcss&token='.newToken().'" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans($conf->dol_optimize_smallscreen ? "Properties" : "EditCss")).'</a>';
+			print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editcss&token='.newToken().'" class="button bordertransp" title="'.dol_escape_htmltag($langs->trans("EditCss")).'"'.$disabled.'><span class="fa fa-cog paddingrightonly"></span><span class="hideonsmartphone">'.dol_escape_htmltag($langs->trans("EditCss")).'</span></a>';
 
 			$importlabel = $langs->trans("ImportSite");
 			$exportlabel = $langs->trans("ExportSite");
@@ -2692,24 +2692,24 @@ if (!GETPOST('hide_websitemenu')) {
 			print '<input type="submit" class="buttonDelete bordertransp" name="deletesite" value="'.$langs->trans("Delete").'"'.($atleastonepage ? ' disabled="disabled"' : '').'>';
 
 			// Regenerate all pages
-			print '<a href="'.$_SERVER["PHP_SELF"].'?action=regeneratesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("RegenerateWebsiteContent")).'"><span class="fa fa-cogs"><span></a>';
+			print '<a href="'.$_SERVER["PHP_SELF"].'?action=regeneratesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("RegenerateWebsiteContent")).'"><span class="far fa-hdd"></span></a>';
 
 			// Generate site map
-			print '<a href="'.$_SERVER["PHP_SELF"].'?action=confirmgeneratesitemaps&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("GenerateSitemaps")).'"><span class="fa fa-sitemap"><span></a>';
+			print '<a href="'.$_SERVER["PHP_SELF"].'?action=confirmgeneratesitemaps&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("GenerateSitemaps")).'"><span class="fa fa-sitemap"></span></a>';
 
-			print '<a href="'.$_SERVER["PHP_SELF"].'?action=replacesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("ReplaceWebsiteContent")).'"><span class="fa fa-search"><span></a>';
+			print '<a href="'.$_SERVER["PHP_SELF"].'?action=replacesite&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("ReplaceWebsiteContent")).'"><span class="fa fa-search"></span></a>';
 		}
 
 		print '</span>';
 
 		if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) {
 			print '<span class="websiteselection">';
-			//print '<a href="'.$_SERVER["PHP_SELF"].'?action=file_manager&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("MediaFiles")).'"><span class="fa fa-image"><span></a>';
-			print dolButtonToOpenUrlInDialogPopup('file_manager', $langs->transnoentitiesnoconv("MediaFiles"), '<span class="fa fa-image"><span>', '/website/index.php?action=file_manager&website='.$website->ref, $disabled);
+			//print '<a href="'.$_SERVER["PHP_SELF"].'?action=file_manager&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("MediaFiles")).'"><span class="fa fa-image"></span></a>';
+			print dolButtonToOpenUrlInDialogPopup('file_manager', $langs->transnoentitiesnoconv("MediaFiles"), '<span class="fa fa-image"></span>', '/website/index.php?action=file_manager&website='.$website->ref, $disabled);
 
 			if (!empty($conf->categorie->enabled)) {
-				//print '<a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=website&dol_hide_leftmenu=1&nosearch=1&type=website_page&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("Categories")).'"><span class="fa fa-tags"><span></a>';
-				print dolButtonToOpenUrlInDialogPopup('categories', $langs->transnoentitiesnoconv("Categories"), '<span class="fa fa-tags"><span>', '/categories/index.php?leftmenu=website&nosearch=1&type=website_page&website='.$website->ref, $disabled);
+				//print '<a href="'.DOL_URL_ROOT.'/categories/index.php?leftmenu=website&dol_hide_leftmenu=1&nosearch=1&type=website_page&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("Categories")).'"><span class="fa fa-tags"></span></a>';
+				print dolButtonToOpenUrlInDialogPopup('categories', $langs->transnoentitiesnoconv("Categories"), '<span class="fa fa-tags"></span>', '/categories/index.php?leftmenu=website&nosearch=1&type=website_page&website='.$website->ref, $disabled);
 			}
 
 			print '</span>';
@@ -2808,7 +2808,7 @@ if (!GETPOST('hide_websitemenu')) {
 		print '</span>';
 
 		print '<span class="websiteselection hideonsmartphoneimp">';
-		print '<a href="'.$_SERVER["PHP_SELF"].'?action=createcontainer&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("AddPage")).'"><span class="fa fa-plus-circle valignmiddle btnTitle-icon"><span></a>';
+		print '<a href="'.$_SERVER["PHP_SELF"].'?action=createcontainer&website='.$website->ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("AddPage")).'"><span class="fa fa-plus-circle valignmiddle btnTitle-icon"></span></a>';
 		print '</span>';
 
 		//print '<span class="websiteselection">';
@@ -2846,9 +2846,10 @@ if (!GETPOST('hide_websitemenu')) {
 			print $langs->trans("New");
 		}
 
-		//print '<input type="submit" class="button" name="refreshpage" value="'.$langs->trans("Load").'"'.($atleastonepage?'':' disabled="disabled"').'>';
-		print '<input type="image" class="valignmiddle" src="'.img_picto('', 'refresh', '', 0, 1).'" name="refreshpage" value="'.$langs->trans("Load").'"'.(($atleastonepage && $action != 'editsource') ? '' : ' disabled="disabled"').'>';
 
+		print '<span class="websiteselection">';
+
+		print '<input type="image" class="valignmiddle" src="'.img_picto('', 'refresh', '', 0, 1).'" name="refreshpage" value="'.$langs->trans("Load").'"'.(($atleastonepage && $action != 'editsource') ? '' : ' disabled="disabled"').'>';
 
 		// Print nav arrows
 		$pagepreviousid = 0;
@@ -2887,6 +2888,8 @@ if (!GETPOST('hide_websitemenu')) {
 			print '<span class="valignmiddle opacitymedium">'.img_next($langs->trans("Next")).'</span>';
 		}
 
+		print '</span>';
+
 		$websitepage = new WebSitePage($db);
 		if ($pageid > 0 && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone')) {
 			$websitepage->fetch($pageid);
@@ -2962,13 +2965,16 @@ if (!GETPOST('hide_websitemenu')) {
 					print $formconfirm;
 				}
 
+				print '<span class="websiteselection">';
+
 				print ' &nbsp; ';
 
 				//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditPageMeta")).'" name="editmeta">';
-				print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editmeta&token='.newToken().'" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans($conf->dol_optimize_smallscreen ? "Properties" : "EditPageMeta")).'</a>';
+				print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editmeta&token='.newToken().'" class="button bordertransp" title="'.dol_escape_htmltag($langs->trans("EditPageMeta")).'"'.$disabled.'><span class="fa fa-cog paddingrightonly"></span><span class="hideonsmartphone">'.dol_escape_htmltag($langs->trans("EditPageMeta")).'</span></a>';
 
 				//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditHTMLSource")).'" name="editsource">';
 				print '<a href="'.$_SERVER["PHP_SELF"].'?website='.$object->ref.'&pageid='.$pageid.'&action=editsource&token='.newToken().'" class="button bordertransp"'.$disabled.'>'.dol_escape_htmltag($langs->trans($conf->dol_optimize_smallscreen ? "HTML" : "EditHTMLSource")).'</a>';
+				print '</span>';
 
 				print '<!-- button EditInLine and ShowSubcontainers -->'."\n";
 				print '<div class="websiteselectionsection inline-block">';
@@ -3055,11 +3061,11 @@ if (!GETPOST('hide_websitemenu')) {
 					//$disabled=' disabled="disabled"';
 					//print '<span class="button bordertransp disabled"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home"></span></span>';
 					//print '<input type="submit" class="button bordertransp" disabled="disabled" value="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'" name="setashome">';
-					print '<a href="#" class="button bordertransp disabled" disabled="disabled" title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"><span></a>';
+					print '<a href="#" class="button bordertransp disabled" disabled="disabled" title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"></span></a>';
 				} else {
 					//$disabled='';
 					//print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'" name="setashome">';
-					print '<a href="'.$_SERVER["PHP_SELF"].'?action=setashome&token='.newToken().'&website='.$website->ref.'&pageid='.$pageid.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"><span></a>';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?action=setashome&token='.newToken().'&website='.$website->ref.'&pageid='.$pageid.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("SetAsHomePage")).'"><span class="fa fa-home valignmiddle btnTitle-icon"></span></a>';
 				}
 				print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("ClonePage")).'" name="createpagefromclone">';
 				print '<input type="submit" class="buttonDelete bordertransp" name="delete" value="'.$langs->trans("Delete").'"'.($atleastonepage ? '' : ' disabled="disabled"').'>';

From 60b90056c4a5ea0a2b15931325b76aa6afe96f61 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 15:20:10 +0100
Subject: [PATCH 02/18] Fix #yogosha8450

---
 htdocs/adherents/partnership.php              | 21 -------------------
 htdocs/admin/const.php                        |  2 --
 htdocs/admin/defaultvalues.php                |  2 +-
 htdocs/comm/mailing/card.php                  | 12 +++++------
 htdocs/compta/facture/class/facture.class.php |  6 +++---
 htdocs/compta/tva/card.php                    |  5 +++--
 htdocs/core/customreports.php                 |  2 +-
 htdocs/core/lib/functions.lib.php             |  2 +-
 htdocs/core/tpl/admin_extrafields_add.tpl.php |  2 +-
 .../conferenceorboothattendee_note.php        |  1 -
 htdocs/externalsite/admin/index.php           |  4 ++--
 htdocs/hrm/position.php                       |  1 -
 htdocs/main.inc.php                           |  2 +-
 htdocs/modulebuilder/index.php                |  2 +-
 .../template/scripts/mymodule.php             |  1 -
 htdocs/public/onlinesign/newonlinesign.php    |  2 --
 htdocs/public/ticket/create_ticket.php        |  2 +-
 htdocs/salaries/card.php                      |  2 +-
 htdocs/salaries/paiement_salary.php           |  4 ++--
 htdocs/user/card.php                          |  2 +-
 htdocs/viewimage.php                          |  2 +-
 test/phpunit/CodingPhpTest.php                | 19 +++++++++++++++++
 22 files changed, 45 insertions(+), 53 deletions(-)

diff --git a/htdocs/adherents/partnership.php b/htdocs/adherents/partnership.php
index cf0e11d70e0..160a037c187 100644
--- a/htdocs/adherents/partnership.php
+++ b/htdocs/adherents/partnership.php
@@ -22,27 +22,6 @@
  *		\brief      Page to create/edit/view partnership
  */
 
-//if (! defined('NOREQUIREDB'))              define('NOREQUIREDB', '1');				// Do not create database handler $db
-//if (! defined('NOREQUIREUSER'))            define('NOREQUIREUSER', '1');				// Do not load object $user
-//if (! defined('NOREQUIRESOC'))             define('NOREQUIRESOC', '1');				// Do not load object $mysoc
-//if (! defined('NOREQUIRETRAN'))            define('NOREQUIRETRAN', '1');				// Do not load object $langs
-//if (! defined('NOSCANGETFORINJECTION'))    define('NOSCANGETFORINJECTION', '1');		// Do not check injection attack on GET parameters
-//if (! defined('NOSCANPOSTFORINJECTION'))   define('NOSCANPOSTFORINJECTION', '1');		// Do not check injection attack on POST parameters
-//if (! defined('NOCSRFCHECK'))              define('NOCSRFCHECK', '1');				// Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on).
-//if (! defined('NOTOKENRENEWAL'))           define('NOTOKENRENEWAL', '1');				// Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on)
-//if (! defined('NOSTYLECHECK'))             define('NOSTYLECHECK', '1');				// Do not check style html tag into posted data
-//if (! defined('NOREQUIREMENU'))            define('NOREQUIREMENU', '1');				// If there is no need to load and show top and left menu
-//if (! defined('NOREQUIREHTML'))            define('NOREQUIREHTML', '1');				// If we don't need to load the html.form.class.php
-//if (! defined('NOREQUIREAJAX'))            define('NOREQUIREAJAX', '1');       	  	// Do not load ajax.lib.php library
-//if (! defined("NOLOGIN"))                  define("NOLOGIN", '1');					// If this page is public (can be called outside logged session). This include the NOIPCHECK too.
-//if (! defined('NOIPCHECK'))                define('NOIPCHECK', '1');					// Do not check IP defined into conf $dolibarr_main_restrict_ip
-//if (! defined("MAIN_LANG_DEFAULT"))        define('MAIN_LANG_DEFAULT', 'auto');					// Force lang to a particular value
-//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule');	// Force authentication handler
-//if (! defined("NOREDIRECTBYMAINTOLOGIN"))  define('NOREDIRECTBYMAINTOLOGIN', 1);		// The main.inc.php does not make a redirect if not logged, instead show simple error message
-//if (! defined("FORCECSP"))                 define('FORCECSP', 'none');				// Disable all Content Security Policies
-//if (! defined('CSRFCHECK_WITH_TOKEN'))     define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
-//if (! defined('NOBROWSERNOTIF'))     		 define('NOBROWSERNOTIF', '1');				// Disable browser notification
-
 // Load Dolibarr environment
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index a632d5f1a41..1426c323c01 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -37,8 +37,6 @@ if (!$user->admin) {
 $rowid = GETPOST('rowid', 'int');
 $entity = GETPOST('entity', 'int');
 $action = GETPOST('action', 'aZ09');
-$update = GETPOST('update', 'alpha');
-$delete = GETPOST('delete', 'none'); // Do not use alpha here
 $debug = GETPOST('debug', 'int');
 $consts = GETPOST('const', 'array');
 $constname = GETPOST('constname', 'alphanohtml');
diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php
index 4d88675ffd4..58a72250d64 100644
--- a/htdocs/admin/defaultvalues.php
+++ b/htdocs/admin/defaultvalues.php
@@ -64,7 +64,7 @@ if (!$sortorder) {
 
 $defaulturl = GETPOST('defaulturl', 'alphanohtml');
 $defaultkey = GETPOST('defaultkey', 'alphanohtml');
-$defaultvalue = GETPOST('defaultvalue', 'none');
+$defaultvalue = GETPOST('defaultvalue', 'restricthtml');
 
 $defaulturl = preg_replace('/^\//', '', $defaulturl);
 
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 7f2410da136..79faf4b2cd2 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -493,9 +493,9 @@ if (empty($reshook)) {
 	if ($action == 'add') {
 		$mesgs = array();
 
-		$object->email_from     = (string) GETPOST("from", "none"); // Must allow 'name <email>'
-		$object->email_replyto  = (string) GETPOST("replyto", "none"); // Must allow 'name <email>'
-		$object->email_errorsto = (string) GETPOST("errorsto", "none"); // Must allow 'name <email>'
+		$object->email_from     = (string) GETPOST("from", 'alphawithlgt'); // Must allow 'name <email>'
+		$object->email_replyto  = (string) GETPOST("replyto", 'alphawithlgt'); // Must allow 'name <email>'
+		$object->email_errorsto = (string) GETPOST("errorsto", 'alphawithlgt'); // Must allow 'name <email>'
 		$object->title          = (string) GETPOST("title");
 		$object->sujet          = (string) GETPOST("sujet");
 		$object->body           = (string) GETPOST("bodyemail", 'restricthtml');
@@ -531,11 +531,11 @@ if (empty($reshook)) {
 		if ($action == 'settitle') {
 			$object->title = trim(GETPOST('title', 'alpha'));
 		} elseif ($action == 'setemail_from') {
-			$object->email_from = trim(GETPOST('email_from', 'none')); // Must allow 'name <email>'
+			$object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name <email>'
 		} elseif ($action == 'setemail_replyto') {
-			$object->email_replyto = trim(GETPOST('email_replyto', 'none')); // Must allow 'name <email>'
+			$object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name <email>'
 		} elseif ($action == 'setemail_errorsto') {
-			$object->email_errorsto = trim(GETPOST('email_errorsto', 'none')); // Must allow 'name <email>'
+			$object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name <email>'
 		} elseif ($action == 'settitle' && empty($object->title)) {
 			$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
 		} elseif ($action == 'setfrom' && empty($object->email_from)) {
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 74d08ddef2a..63fee0085bb 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -527,9 +527,9 @@ class Facture extends CommonInvoice
 
 			// Fields coming from GUI (priority on template). TODO Value of template should be used as default value on GUI so we can use here always value from GUI
 			$this->fk_project        = GETPOST('projectid', 'int') > 0 ? ((int) GETPOST('projectid', 'int')) : $_facrec->fk_project;
-			$this->note_public       = GETPOST('note_public', 'none') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public;
-			$this->note_private      = GETPOST('note_private', 'none') ? GETPOST('note_private', 'restricthtml') : $_facrec->note_private;
-			$this->model_pdf = GETPOST('model', 'alpha') ? GETPOST('model', 'alpha') : $_facrec->model_pdf;
+			$this->note_public       = GETPOSTISSET('note_public') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public;
+			$this->note_private      = GETPOSTISSET('note_private') ? GETPOST('note_private', 'restricthtml') : $_facrec->note_private;
+			$this->model_pdf = GETPOSTISSET('model') ? GETPOST('model', 'alpha') : $_facrec->model_pdf;
 			$this->cond_reglement_id = GETPOST('cond_reglement_id', 'int') > 0 ? ((int) GETPOST('cond_reglement_id', 'int')) : $_facrec->cond_reglement_id;
 			$this->mode_reglement_id = GETPOST('mode_reglement_id', 'int') > 0 ? ((int) GETPOST('mode_reglement_id', 'int')) : $_facrec->mode_reglement_id;
 			$this->fk_account        = GETPOST('fk_account') > 0 ? ((int) GETPOST('fk_account')) : $_facrec->fk_account;
diff --git a/htdocs/compta/tva/card.php b/htdocs/compta/tva/card.php
index 530d18d17f9..317838009c7 100644
--- a/htdocs/compta/tva/card.php
+++ b/htdocs/compta/tva/card.php
@@ -196,7 +196,8 @@ if ($action == 'add' && !$cancel) {
 	}
 	$object->amount = $amount;
 	$object->label = GETPOST("label", 'alpha');
-	$object->note = GETPOST("note", 'none');
+	$object->note = GETPOST("note", 'restricthtml');
+	$object->note_private = GETPOST("note", 'restricthtml');
 
 	if (empty($object->datep)) {
 		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("DatePayment")), null, 'errors');
@@ -236,7 +237,7 @@ if ($action == 'add' && !$cancel) {
 			$paiement->amounts      = array($object->id=>$amount); // Tableau de montant
 			$paiement->paiementtype = GETPOST("type_payment", 'alphanohtml');
 			$paiement->num_payment  = GETPOST("num_payment", 'alphanohtml');
-			$paiement->note = GETPOST("note", 'none');
+			$paiement->note = GETPOST("note", 'restricthtml');
 
 			if (!$error) {
 				$paymentid = $paiement->create($user, (int) GETPOST('closepaidtva'));
diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php
index e380dea8403..fafd1c015e8 100644
--- a/htdocs/core/customreports.php
+++ b/htdocs/core/customreports.php
@@ -56,7 +56,7 @@ if (!defined('USE_CUSTOM_REPORT_AS_INCLUDE')) {
 	}
 
 	$search_yaxis = GETPOST('search_yaxis', 'array');
-	$search_graph = GETPOST('search_graph', 'none');
+	$search_graph = GETPOST('search_graph', 'restricthtml');
 
 	// Load variable for pagination
 	$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 28a20ad6b09..535eb7f226e 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -641,7 +641,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
 	}
 
 	// Check rule
-	if (preg_match('/^array/', $check)) {	// If 'array' or 'array:restricthtml' or 'array:aZ09'
+	if (preg_match('/^array/', $check)) {	// If 'array' or 'array:restricthtml' or 'array:aZ09' or 'array:intcomma'
 		if (!is_array($out) || empty($out)) {
 			$out = array();
 		} else {
diff --git a/htdocs/core/tpl/admin_extrafields_add.tpl.php b/htdocs/core/tpl/admin_extrafields_add.tpl.php
index d9c0f650395..9b46fba6c67 100644
--- a/htdocs/core/tpl/admin_extrafields_add.tpl.php
+++ b/htdocs/core/tpl/admin_extrafields_add.tpl.php
@@ -185,7 +185,7 @@ $listofexamplesforlink = 'Societe:societe/class/societe.class.php<br>Contact:con
 <?php } else { ?>
 	<td><?php echo $form->textwithpicto($langs->trans("ComputedFormula"), $langs->trans("ComputedFormulaDesc")).$form->textwithpicto($langs->trans("Computedpersistent"), $langs->trans("ComputedpersistentDesc"), 1, 'warning'); ?></td>
 <?php } ?>
-<td class="valeur"><textarea name="computed_value" id="computed_value" class="quatrevingtpercent" rows="<?php echo ROWS_4 ?>"><?php echo (GETPOST('computed_value', 'none') ?GETPOST('computed_value', 'none') : ''); ?></textarea></td>
+<td class="valeur"><textarea name="computed_value" id="computed_value" class="quatrevingtpercent" rows="<?php echo ROWS_4 ?>"><?php echo (GETPOSTISSET('computed_value') ? GETPOST('computed_value', 'restricthtml') : ''); ?></textarea></td>
 </tr>
 <!-- Default Value (at sql setup level) -->
 <tr class="extra_default_value"><td><?php echo $langs->trans("DefaultValue").' ('.$langs->trans("Database").')'; ?></td><td class="valeur"><input id="default_value" type="text" name="default_value" size="5" value="<?php echo (GETPOST('default_value', 'alpha') ?GETPOST('default_value', 'alpha') : ''); ?>"></td></tr>
diff --git a/htdocs/eventorganization/conferenceorboothattendee_note.php b/htdocs/eventorganization/conferenceorboothattendee_note.php
index 19d413daaa0..b8fb87d39fa 100644
--- a/htdocs/eventorganization/conferenceorboothattendee_note.php
+++ b/htdocs/eventorganization/conferenceorboothattendee_note.php
@@ -39,7 +39,6 @@
 //if (! defined("MAIN_LANG_DEFAULT"))        define('MAIN_LANG_DEFAULT', 'auto');					// Force lang to a particular value
 //if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule');	// Force authentication handler
 //if (! defined("NOREDIRECTBYMAINTOLOGIN"))  define('NOREDIRECTBYMAINTOLOGIN', 1);		// The main.inc.php does not make a redirect if not logged, instead show simple error message
-//if (! defined("FORCECSP"))                 define('FORCECSP', 'none');				// Disable all Content Security Policies
 //if (! defined('CSRFCHECK_WITH_TOKEN'))     define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
 //if (! defined('NOBROWSERNOTIF'))     		 define('NOBROWSERNOTIF', '1');				// Disable browser notification
 
diff --git a/htdocs/externalsite/admin/index.php b/htdocs/externalsite/admin/index.php
index ba23b88e68e..0b55a297be9 100644
--- a/htdocs/externalsite/admin/index.php
+++ b/htdocs/externalsite/admin/index.php
@@ -57,7 +57,7 @@ if ($action == 'update') {
 	$label  = GETPOST('EXTERNALSITE_LABEL', 'alphanohtml');
 
 	// exturl can be an url or a HTML string
-	$exturl = GETPOST('EXTERNALSITE_URL', 'none');
+	$exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
 	$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
 	$exturl = dol_string_onlythesehtmlattributes($exturl);
 
@@ -110,7 +110,7 @@ print '<tr class="oddeven">';
 print '<td class="fieldrequired">'.$langs->trans("ExternalSiteURL")."</td>";
 print '<td><textarea class="flat minwidth500" name="EXTERNALSITE_URL">';
 
-$exturl = GETPOST('EXTERNALSITE_URL', 'none');
+$exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
 $exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
 $exturl = dol_string_onlythesehtmlattributes($exturl);
 
diff --git a/htdocs/hrm/position.php b/htdocs/hrm/position.php
index 208a397f135..d36d352e895 100644
--- a/htdocs/hrm/position.php
+++ b/htdocs/hrm/position.php
@@ -42,7 +42,6 @@
 //if (! defined("MAIN_LANG_DEFAULT"))        define('MAIN_LANG_DEFAULT', 'auto');					// Force lang to a particular value
 //if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule');	// Force authentication handler
 //if (! defined("NOREDIRECTBYMAINTOLOGIN"))  define('NOREDIRECTBYMAINTOLOGIN', 1);		// The main.inc.php does not make a redirect if not logged, instead show simple error message
-//if (! defined("FORCECSP"))                 define('FORCECSP', 'none');				// Disable all Content Security Policies
 //if (! defined('CSRFCHECK_WITH_TOKEN'))     define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
 //if (! defined('NOBROWSERNOTIF'))     		 define('NOBROWSERNOTIF', '1');				// Disable browser notification
 
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index b2247294d40..4ec8767a801 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -661,7 +661,7 @@ if (!defined('NOLOGIN')) {
 		// Verification security graphic code
 		if ($test && GETPOST("username", "alpha", 2) && !empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA) && !isset($_SESSION['dol_bypass_antispam'])) {
 			$sessionkey = 'dol_antispam_value';
-			$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'none'))));
+			$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'restricthtml'))));
 
 			// Check code
 			if (!$ok) {
diff --git a/htdocs/modulebuilder/index.php b/htdocs/modulebuilder/index.php
index ac7522fed2e..4e66e655f5e 100644
--- a/htdocs/modulebuilder/index.php
+++ b/htdocs/modulebuilder/index.php
@@ -767,7 +767,7 @@ if ($dirins && $action == 'addlanguage' && !empty($module)) {
 
 // remove/delete File
 if ($dirins && $action == 'confirm_removefile' && !empty($module)) {
-	$relativefilename = dol_sanitizePathName(GETPOST('file', 'none'));
+	$relativefilename = dol_sanitizePathName(GETPOST('file', 'restricthtml'));
 	if ($relativefilename) {
 		$dirnametodelete = dirname($relativefilename);
 		$filetodelete = $dirins.'/'.$relativefilename;
diff --git a/htdocs/modulebuilder/template/scripts/mymodule.php b/htdocs/modulebuilder/template/scripts/mymodule.php
index f0a7ca715a4..3f117a51094 100644
--- a/htdocs/modulebuilder/template/scripts/mymodule.php
+++ b/htdocs/modulebuilder/template/scripts/mymodule.php
@@ -40,7 +40,6 @@
 //if (! defined("MAIN_LANG_DEFAULT"))        define('MAIN_LANG_DEFAULT', 'auto');					// Force lang to a particular value
 //if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule');	// Force authentication handler
 //if (! defined("NOREDIRECTBYMAINTOLOGIN"))  define('NOREDIRECTBYMAINTOLOGIN', 1);		// The main.inc.php does not make a redirect if not logged, instead show simple error message
-//if (! defined("FORCECSP"))                 define('FORCECSP', 'none');				// Disable all Content Security Policies
 //if (! defined('CSRFCHECK_WITH_TOKEN'))     define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
 //if (! defined('NOBROWSERNOTIF'))     		 define('NOBROWSERNOTIF', '1');				// Disable browser notification
 if (!defined('NOSESSION')) define('NOSESSION', '1');	// On CLI mode, no need to use web sessions
diff --git a/htdocs/public/onlinesign/newonlinesign.php b/htdocs/public/onlinesign/newonlinesign.php
index 3aaa3676663..8bd95d23c8d 100644
--- a/htdocs/public/onlinesign/newonlinesign.php
+++ b/htdocs/public/onlinesign/newonlinesign.php
@@ -448,10 +448,8 @@ if ($action == "dosign" && empty($cancel)) {
 	  $("#clearsignature").on("click",function(){
 		$("#signature").jSignature("clear");
 		$("#signbutton").attr("disabled",true);
-		/* $("#clearsignature").css("display","none"); */
 	  });
 
-	  /* $("#clearsignature").css("display","none"); */
 	  $("#signbutton").attr("disabled",true);
 	});
 	</script>';
diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php
index 9efa561341e..6a3fd1aa688 100644
--- a/htdocs/public/ticket/create_ticket.php
+++ b/htdocs/public/ticket/create_ticket.php
@@ -173,7 +173,7 @@ if (empty($reshook) && $action == 'create_ticket' && GETPOST('save', 'alpha')) {
 	// Check Captcha code if is enabled
 	if (!empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA)) {
 		$sessionkey = 'dol_antispam_value';
-		$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'none'))));
+		$ok = (array_key_exists($sessionkey, $_SESSION) === true && (strtolower($_SESSION[$sessionkey]) === strtolower(GETPOST('code', 'restricthtml'))));
 		if (!$ok) {
 			$error++;
 			array_push($object->errors, $langs->trans("ErrorBadValueForCode"));
diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php
index 89676e50140..689a2664c0a 100644
--- a/htdocs/salaries/card.php
+++ b/htdocs/salaries/card.php
@@ -277,7 +277,7 @@ if ($action == 'add' && empty($cancel)) {
 			$paiement->amounts      = array($object->id=>$amount); // Tableau de montant
 			$paiement->paiementtype = $type_payment;
 			$paiement->num_payment  = GETPOST("num_payment", 'alphanohtml');
-			$paiement->note = GETPOST("note", 'none');
+			$paiement->note = GETPOST("note", 'restricthtml');
 
 			if (!$error) {
 				$paymentid = $paiement->create($user, (int) GETPOST('closepaidsalary'));
diff --git a/htdocs/salaries/paiement_salary.php b/htdocs/salaries/paiement_salary.php
index d4465103308..221e5cf2c0e 100644
--- a/htdocs/salaries/paiement_salary.php
+++ b/htdocs/salaries/paiement_salary.php
@@ -110,8 +110,8 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
 			$paiement->amounts      = $amounts; // Tableau de montant
 			$paiement->paiementtype = GETPOST("paiementtype", 'alphanohtml');
 			$paiement->num_payment  = GETPOST("num_payment", 'alphanohtml');
-			$paiement->note         = GETPOST("note", 'none');
-			$paiement->note_private = GETPOST("note", 'none');
+			$paiement->note         = GETPOST("note", 'restricthtml');
+			$paiement->note_private = GETPOST("note", 'restricthtml');
 
 			if (!$error) {
 				$paymentid = $paiement->create($user, (GETPOST('closepaidsalary') == 'on' ? 1 : 0));
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index ac7fad391ef..4d748cd6946 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -404,7 +404,7 @@ if (empty($reshook)) {
 				$object->firstname = GETPOST("firstname", 'alphanohtml');
 				$object->login = GETPOST("login", 'alphanohtml');
 				$object->gender = GETPOST("gender", 'aZ09');
-				$object->pass = GETPOST("password", 'none');
+				$object->pass = GETPOST("password", 'none');	// We can keep 'none' for password fields
 				$object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key;
 				if (!empty($user->admin)) {
 					$object->admin = GETPOST("admin", "int"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 0e91bd5bc9f..24c41e5e927 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -290,7 +290,7 @@ if ($modulepart == 'barcode') {
 	if (in_array($encoding, array('EAN8', 'EAN13'))) {
 		$code = GETPOST("code", 'alphanohtml');
 	} else {
-		$code = GETPOST("code", 'none'); // This can be rich content (qrcode, datamatrix, ...)
+		$code = GETPOST("code", 'restricthtml'); // This can be rich content (qrcode, datamatrix, ...)
 	}
 
 	if (empty($generator) || empty($encoding)) {
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index 597aad1024c..ae69c3f0eed 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -437,6 +437,25 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 			$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].'. Bad.');
 
 
+			// Check GETPOST(... 'none');
+			$ok=true;
+			$matches=array();
+			preg_match_all('/GETPOST\s*\(([^\)]+),\s*["\']none["\']/i', $filecontent, $matches, PREG_SET_ORDER);
+			foreach ($matches as $key => $val) {
+				var_dump($val);
+				if (!in_array($val[1], array(
+						"'replacestring'", "'htmlheader'", "'WEBSITE_HTML_HEADER'", "'WEBSITE_CSS_INLINE'", "'WEBSITE_JS_INLINE'", "'WEBSITE_MANIFEST_JSON'", "'PAGE_CONTENT'", "'WEBSITE_README'",
+						"'search_status'", '"mysqldump"', '"postgresqldump"', "'db_pass_root'", "'db_pass'", '"pass"', '"pass1"', '"pass2"', '"password"', "'password'", '"MAIN_MAIL_SMTPS_PW"'))) {
+					$ok=false;
+					break;
+				}
+				//if ($reg[0] != 'db') $ok=false;
+			}
+			//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+			$this->assertTrue($ok, 'Found a GETPOST that use \'none\' as a parameter in file '.$file['relativename'].' and param is not an allowed parameter for using none - Bad.');
+			//exit;
+
+
 			// Test that first param of print_liste_field_titre is a translation key and not the translated value
 			$ok=true;
 			$matches=array();

From db903ad64d5a50fd2c43f4efcad5d2415052e052 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 16:40:48 +0100
Subject: [PATCH 03/18] Fix #yogosha8457

---
 htdocs/core/lib/geturl.lib.php | 13 ++++++++-----
 test/phpunit/SecurityTest.php  |  5 +++++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/htdocs/core/lib/geturl.lib.php b/htdocs/core/lib/geturl.lib.php
index be7e1ffa80b..79ed4821ac8 100644
--- a/htdocs/core/lib/geturl.lib.php
+++ b/htdocs/core/lib/geturl.lib.php
@@ -214,11 +214,14 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
 				}
 			}
 
-			// Common check (local and external)
-			if (in_array($iptocheck, array('100.100.100.200'))) {
-				$info['http_code'] = 400;
-				$info['content'] = 'Error bad hostname IP (Used by Alibaba metadata). Must be an external URL.';
-				break;
+			// Common check on ip (local and external)
+			$arrayofmetadataserver = array('100.100.100.200' => 'Alibaba', '192.0.0.192'=> 'Oracle');
+			foreach ($arrayofmetadataserver as $ipofmetadataserver => $nameofmetadataserver) {
+				if ($iptocheck == $ipofmetadataserver) {
+					$info['http_code'] = 400;
+					$info['content'] = 'Error bad hostname IP (Used by '.$nameofmetadataserver.' metadata server). This IP is forbidden.';
+					break 2;	// exit the foreach and the do...
+				}
 			}
 
 			// Set CURLOPT_CONNECT_TO so curl will not try another resolution that may give a different result. Possible only on PHP v7+
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 6ca58e0d450..95aeb948c1d 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -791,6 +791,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		 $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that resolves to a local URL');	// Test we receive an error because localtest.me is not an external URL
 		 */
 
+		$url = 'http://192.0.0.192';
+		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0);		// Only external URL but on an IP in blacklist
+		print __METHOD__." url=".$url." tmp['http_code'] = ".$tmp['http_code']."\n";
+		$this->assertEquals(400, $tmp['http_code'], 'Access should be refused and was not');	// Test we receive an error because ip is in blacklist
+
 		return 0;
 	}
 

From ff1037634b202ba99a3f160ef1fe35b9a5a9ba01 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 18:23:31 +0100
Subject: [PATCH 04/18] Clean OAuth feature

---
 htdocs/admin/oauth.php            | 22 ++++++++++------
 htdocs/admin/oauthlogintokens.php | 44 +++++++++++++++++--------------
 htdocs/core/lib/functions.lib.php |  4 +--
 htdocs/core/lib/oauth.lib.php     | 10 +++----
 4 files changed, 45 insertions(+), 35 deletions(-)

diff --git a/htdocs/admin/oauth.php b/htdocs/admin/oauth.php
index 9bf5be2c294..a0d82d1d6bd 100644
--- a/htdocs/admin/oauth.php
+++ b/htdocs/admin/oauth.php
@@ -27,6 +27,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/oauth.lib.php';
 
+// $supportedoauth2array is defined into oauth.lib.php
 
 // Define $urlwithroot
 $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
@@ -96,10 +97,12 @@ print '<table class="noborder centpercent">';
 
 $i = 0;
 
-// $list is defined into oauth.lib.php
+// $list is defined into oauth.lib.php to the list of supporter OAuth providers.
 foreach ($list as $key) {
 	$supported = 0;
-	if (in_array($key[0], array_keys($supportedoauth2array))) {
+	$keyforsupportedoauth2array = $key[0];
+
+	if (in_array($keyforsupportedoauth2array, array_keys($supportedoauth2array))) {
 		$supported = 1;
 	}
 	if (!$supported) {
@@ -110,20 +113,23 @@ foreach ($list as $key) {
 
 	print '<tr class="liste_titre'.($i > 1 ? ' liste_titre_add' : '').'">';
 	// Api Name
-	$label = $langs->trans($key[0]);
-	print '<td>'.$label.'</td>';
+	$label = $langs->trans($keyforsupportedoauth2array);
 	print '<td>';
-	if (!empty($key[3])) {
-		print $langs->trans($key[3]);
+	print img_picto('', $supportedoauth2array[$keyforsupportedoauth2array]['picto'], 'class="pictofixedwidth"');
+	print $label;
+	print '</td>';
+	print '<td>';
+	if (!empty($supportedoauth2array[$keyforsupportedoauth2array]['urlforapp'])) {
+		print $langs->trans($supportedoauth2array[$keyforsupportedoauth2array]['urlforapp']);
 	}
 	print '</td>';
 	print '</tr>';
 
 	if ($supported) {
-		$redirect_uri = $urlwithroot.'/core/modules/oauth/'.$supportedoauth2array[$key[0]].'_oauthcallback.php';
+		$redirect_uri = $urlwithroot.'/core/modules/oauth/'.$supportedoauth2array[$keyforsupportedoauth2array]['callbackfile'].'_oauthcallback.php';
 		print '<tr class="oddeven value">';
 		print '<td>'.$langs->trans("UseTheFollowingUrlAsRedirectURI").'</td>';
-		print '<td><input style="width: 80%" type"text" name="uri'.$key[0].'" value="'.$redirect_uri.'">';
+		print '<td><input style="width: 80%" type"text" name="uri'.$keyforsupportedoauth2array.'" value="'.$redirect_uri.'">';
 		print '</td></tr>';
 	} else {
 		print '<tr class="oddeven value">';
diff --git a/htdocs/admin/oauthlogintokens.php b/htdocs/admin/oauthlogintokens.php
index 8697b400a2b..680a5f1f02f 100644
--- a/htdocs/admin/oauthlogintokens.php
+++ b/htdocs/admin/oauthlogintokens.php
@@ -25,17 +25,13 @@
 
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
-require_once DOL_DOCUMENT_ROOT.'/core/lib/oauth.lib.php'; // This define $list
+require_once DOL_DOCUMENT_ROOT.'/core/lib/oauth.lib.php'; // This define $list and $supportedoauth2array
 require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
 use OAuth\Common\Storage\DoliStorage;
 
 // Load translation files required by the page
 $langs->loadLangs(array('admin', 'printing', 'oauth'));
 
-if (!$user->admin) {
-	accessforbidden();
-}
-
 $action = GETPOST('action', 'aZ09');
 $mode = GETPOST('mode', 'alpha');
 $value = GETPOST('value', 'alpha');
@@ -50,6 +46,10 @@ if (!$mode) {
 	$mode = 'setup';
 }
 
+if (!$user->admin) {
+	accessforbidden();
+}
+
 
 /*
  * Action
@@ -140,7 +140,9 @@ if ($mode == 'setup' && $user->admin) {
 
 	foreach ($list as $key) {
 		$supported = 0;
-		if (in_array($key[0], array_keys($supportedoauth2array))) {
+		$keyforsupportedoauth2array = $key[0];
+
+		if (in_array($keyforsupportedoauth2array, array_keys($supportedoauth2array))) {
 			$supported = 1;
 		}
 		if (!$supported) {
@@ -148,17 +150,18 @@ if ($mode == 'setup' && $user->admin) {
 		}
 
 
-		$OAUTH_SERVICENAME = 'Unknown';
-		if ($key[0] == 'OAUTH_GITHUB_NAME') {
-			$OAUTH_SERVICENAME = 'GitHub';
+		$OAUTH_SERVICENAME = empty($supportedoauth2array[$keyforsupportedoauth2array]['name']) ? 'Unknown' : $supportedoauth2array[$keyforsupportedoauth2array]['name'];
+
+		// Define $shortscope, $urltorenew, $urltodelete, $urltocheckperms
+		// TODO Use array $supportedoauth2array
+		if ($keyforsupportedoauth2array == 'OAUTH_GITHUB_NAME') {
 			// List of keys that will be converted into scopes (from constants 'SCOPE_state_in_uppercase' in file of service).
 			// We pass this param list in to 'state' because we need it before and after the redirect.
 			$shortscope = 'user,public_repo';
 			$urltorenew = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltodelete = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltocheckperms = 'https://github.com/settings/applications/';
-		} elseif ($key[0] == 'OAUTH_GOOGLE_NAME') {
-			$OAUTH_SERVICENAME = 'Google';
+		} elseif ($keyforsupportedoauth2array == 'OAUTH_GOOGLE_NAME') {
 			// List of keys that will be converted into scopes (from constants 'SCOPE_state_in_uppercase' in file of service).
 			// We pass this param list in to 'state' because we need it before and after the redirect.
 			$shortscope = 'userinfo_email,userinfo_profile,cloud_print';
@@ -169,13 +172,11 @@ if ($mode == 'setup' && $user->admin) {
 			$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltocheckperms = 'https://security.google.com/settings/security/permissions';
-		} elseif ($key[0] == 'OAUTH_STRIPE_TEST_NAME') {
-			$OAUTH_SERVICENAME = 'StripeTest';
+		} elseif ($keyforsupportedoauth2array == 'OAUTH_STRIPE_TEST_NAME') {
 			$urltorenew = $urlwithroot.'/core/modules/oauth/stripetest_oauthcallback.php?backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltodelete = '';
 			$urltocheckperms = '';
-		} elseif ($key[0] == 'OAUTH_STRIPE_LIVE_NAME') {
-			$OAUTH_SERVICENAME = 'StripeLive';
+		} elseif ($keyforsupportedoauth2array == 'OAUTH_STRIPE_LIVE_NAME') {
 			$urltorenew = $urlwithroot.'/core/modules/oauth/stripelive_oauthcallback.php?backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltodelete = '';
 			$urltocheckperms = '';
@@ -230,11 +231,14 @@ if ($mode == 'setup' && $user->admin) {
 		print '<input type="hidden" name="token" value="'.newToken().'">';
 		print '<input type="hidden" name="action" value="setconst">';
 
-		print '<div class="div-table-responsive">';
+		print '<div class="div-table-responsive-no-min">';
 		print '<table class="noborder centpercent">'."\n";
 
 		print '<tr class="liste_titre">';
-		print '<th class="titlefieldcreate">'.$langs->trans($key[0]).'</th>';
+		print '<th class="titlefieldcreate">';
+		print img_picto('', $supportedoauth2array[$keyforsupportedoauth2array]['picto'], 'class="pictofixedwidth"');
+		print $langs->trans($keyforsupportedoauth2array);
+		print '</th>';
 		print '<th></th>';
 		print '<th></th>';
 		print "</tr>\n";
@@ -244,7 +248,7 @@ if ($mode == 'setup' && $user->admin) {
 		//var_dump($key);
 		print $langs->trans("OAuthIDSecret").'</td>';
 		print '<td>';
-		print $langs->trans("SeePreviousTab");
+		print '<span class="opacitymedium">'.$langs->trans("SeePreviousTab").'</span>';
 		print '</td>';
 		print '<td>';
 		print '</td>';
@@ -259,7 +263,7 @@ if ($mode == 'setup' && $user->admin) {
 		if (is_object($tokenobj)) {
 			print $langs->trans("HasAccessToken");
 		} else {
-			print $langs->trans("NoAccessToken");
+			print '<span class="opacitymedium">'.$langs->trans("NoAccessToken").'</span>';
 		}
 		print '</td>';
 		print '<td width="50%">';
@@ -346,7 +350,7 @@ if ($mode == 'setup' && $user->admin) {
 if ($mode == 'test' && $user->admin) {
 	print $langs->trans('PrintTestDesc'.$driver)."<br><br>\n";
 
-	print '<div class="div-table-responsive">';
+	print '<div class="div-table-responsive-no-min">';
 	print '<table class="noborder centpercent">';
 	if (!empty($driver)) {
 		require_once DOL_DOCUMENT_ROOT.'/core/modules/printing/'.$driver.'.modules.php';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 535eb7f226e..975e1f20a88 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -3658,7 +3658,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $
 				'paiment', 'paragraph', 'play', 'pdf', 'phone', 'phoning', 'phoning_mobile', 'phoning_fax', 'playdisabled', 'previous', 'poll', 'pos', 'printer', 'product', 'propal', 'puce',
 				'stock', 'resize', 'service', 'stats', 'trip',
 				'security', 'setup', 'share-alt', 'sign-out', 'split', 'stripe', 'stripe-s', 'switch_off', 'switch_on', 'switch_on_red', 'tools', 'unlink', 'uparrow', 'user', 'vcard', 'wrench',
-				'github', 'jabber', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'youtube', 'google-plus-g', 'whatsapp',
+				'github', 'google', 'jabber', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'youtube', 'google-plus-g', 'whatsapp',
 				'chevron-left', 'chevron-right', 'chevron-down', 'chevron-top', 'commercial', 'companies',
 				'generic', 'home', 'hrm', 'members', 'products', 'invoicing',
 				'partnership', 'payment', 'payment_vat', 'pencil-ruler', 'preview', 'project', 'projectpub', 'projecttask', 'question', 'refresh', 'region',
@@ -3678,7 +3678,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $
 			if (in_array($pictowithouttext, array('card', 'bell', 'clock', 'establishment', 'generic', 'minus-square', 'object_generic', 'pdf', 'plus-square', 'timespent', 'note', 'off', 'on', 'object_bookmark', 'bookmark', 'vcard'))) {
 				$fa = 'far';
 			}
-			if (in_array($pictowithouttext, array('black-tie', 'github', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'stripe', 'stripe-s', 'youtube', 'google-plus-g', 'whatsapp'))) {
+			if (in_array($pictowithouttext, array('black-tie', 'github', 'google', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'stripe', 'stripe-s', 'youtube', 'google-plus-g', 'whatsapp'))) {
 				$fa = 'fab';
 			}
 
diff --git a/htdocs/core/lib/oauth.lib.php b/htdocs/core/lib/oauth.lib.php
index 48356868143..ab1b5a217b8 100644
--- a/htdocs/core/lib/oauth.lib.php
+++ b/htdocs/core/lib/oauth.lib.php
@@ -25,13 +25,13 @@
 
 // Supported OAUTH (a provider is supported when a file xxx_oauthcallback.php is available into htdocs/core/modules/oauth)
 $supportedoauth2array = array(
-	'OAUTH_GOOGLE_NAME'=>'google',
+	'OAUTH_GOOGLE_NAME'=>array('callbackfile' => 'google', 'picto' => 'google', 'urlforapp' => 'OAUTH_GOOGLE_DESC', 'name'=>'Google'),
 );
-if ($conf->global->MAIN_FEATURES_LEVEL >= 2) {
-	$supportedoauth2array['OAUTH_STRIPE_TEST_NAME'] = 'stripetest';
-	$supportedoauth2array['OAUTH_STRIPE_LIVE_NAME'] = 'stripelive';
+if (!empty($conf->stripe->enabled)) {
+	$supportedoauth2array['OAUTH_STRIPE_TEST_NAME'] = array('callbackfile' => 'stripetest', 'picto' => 'stripe', 'urlforapp' => '', 'name'=>'StripeTest');
+	$supportedoauth2array['OAUTH_STRIPE_LIVE_NAME'] = array('callbackfile' => 'stripelive', 'picto' => 'stripe', 'urlforapp' => '', 'name'=>'StripeLive');
 }
-$supportedoauth2array['OAUTH_GITHUB_NAME'] = 'github';
+$supportedoauth2array['OAUTH_GITHUB_NAME'] = array('callbackfile' => 'github', 'picto' => 'github', 'urlforapp' => 'OAUTH_GITHUB_DESC', 'name'=>'GitHub');
 
 
 

From d38784f45a0f996a023e4e28ac057b641076017a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 20:33:20 +0100
Subject: [PATCH 05/18] WIP Login with Google

---
 htdocs/admin/oauthlogintokens.php             | 23 ++++++++---
 htdocs/core/modules/modPrinting.class.php     |  1 -
 .../modules/oauth/google_oauthcallback.php    | 41 ++++++++++++-------
 htdocs/core/tpl/login.tpl.php                 | 33 +++++++++++++++
 htdocs/langs/en_US/other.lang                 |  3 +-
 5 files changed, 78 insertions(+), 23 deletions(-)

diff --git a/htdocs/admin/oauthlogintokens.php b/htdocs/admin/oauthlogintokens.php
index 680a5f1f02f..820ce847030 100644
--- a/htdocs/admin/oauthlogintokens.php
+++ b/htdocs/admin/oauthlogintokens.php
@@ -122,7 +122,7 @@ $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domai
 
 $form = new Form($db);
 
-llxHeader('', $langs->trans("PrintingSetup"));
+llxHeader('', $langs->trans("TokenManager"));
 
 $linkback = '<a href="'.DOL_URL_ROOT.'/admin/modules.php?restore_lastsearch_values=1">'.$langs->trans("BackToModuleList").'</a>';
 print load_fiche_titre($langs->trans('ConfigOAuth'), $linkback, 'title_setup');
@@ -163,13 +163,24 @@ if ($mode == 'setup' && $user->admin) {
 			$urltocheckperms = 'https://github.com/settings/applications/';
 		} elseif ($keyforsupportedoauth2array == 'OAUTH_GOOGLE_NAME') {
 			// List of keys that will be converted into scopes (from constants 'SCOPE_state_in_uppercase' in file of service).
-			// We pass this param list in to 'state' because we need it before and after the redirect.
-			$shortscope = 'userinfo_email,userinfo_profile,cloud_print';
-			if (!empty($conf->global->OAUTH_GSUITE)) {
+			// List of scopes for Google are here: https://developers.google.com/identity/protocols/oauth2/scopes
+			// We pass this key list into the param 'state' because we need it before and after the redirect.
+			$shortscope = 'userinfo_email,userinfo_profile';
+			$shortscope .= ',openid,email,profile';	// For openid connect
+			if (!empty($conf->printing->enabled)) {
+				$shortscope .= ',cloud_print';
+			}
+			if (!empty($conf->global->OAUTH_GOOGLE_GSUITE)) {
 				$shortscope .= ',admin_directory_user';
 			}
-			//$scope.=',gmail_full';
-			$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+			if (!empty($conf->global->OAUTH_GOOGLE_GMAIL)) {
+				$shortscope.=',gmail_full';
+			}
+
+			$oauthstateanticsrf = bin2hex(random_bytes(128/8));
+			$_SESSION['oauthstateanticsrf'] = $shortscope.'-'.$oauthstateanticsrf;
+
+			$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltocheckperms = 'https://security.google.com/settings/security/permissions';
 		} elseif ($keyforsupportedoauth2array == 'OAUTH_STRIPE_TEST_NAME') {
diff --git a/htdocs/core/modules/modPrinting.class.php b/htdocs/core/modules/modPrinting.class.php
index 4c104b30ecf..c9e99b3d933 100644
--- a/htdocs/core/modules/modPrinting.class.php
+++ b/htdocs/core/modules/modPrinting.class.php
@@ -34,7 +34,6 @@ include_once DOL_DOCUMENT_ROOT.'/core/modules/DolibarrModules.class.php';
  */
 class modPrinting extends DolibarrModules
 {
-
 	/**
 	 *  Constructor
 	 *
diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 4f9fded878f..520da0881e9 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -16,6 +16,9 @@
  * along with this program. If not, see <https://www.gnu.org/licenses/>.
  */
 
+// This page should make the process to login and get token as described here:
+// https://developers.google.com/identity/protocols/oauth2/openid-connect#server-flow
+
 /**
  *      \file       htdocs/core/modules/oauth/google_oauthcallback.php
  *      \ingroup    oauth
@@ -70,9 +73,13 @@ $credentials = new Credentials(
 	$currentUri->getAbsoluteUri()
 );
 
+$state = GETPOST('state');
+
 $requestedpermissionsarray = array();
-if (GETPOST('state')) {
-	$requestedpermissionsarray = explode(',', GETPOST('state')); // Example: 'userinfo_email,userinfo_profile,cloud_print'. 'state' parameter is standard to store a hash value and can be used to retrieve some parameters back
+if ($state) {
+	// 'state' parameter is standard to store a hash value and can be used to retrieve some parameters back
+	$statewithscopeonly = preg_replace('/\-.*$/', '', $state);
+	$requestedpermissionsarray = explode(',', $statewithscopeonly); // Example: 'userinfo_email,userinfo_profile,openid,email,profile,cloud_print'.
 }
 if ($action != 'delete' && empty($requestedpermissionsarray)) {
 	print 'Error, parameter state is not defined';
@@ -80,6 +87,8 @@ if ($action != 'delete' && empty($requestedpermissionsarray)) {
 }
 //var_dump($requestedpermissionsarray);exit;
 
+
+
 // Instantiate the Api service using the credentials, http client and storage mechanism for the token
 // $requestedpermissionsarray contains list of scopes.
 // Conversion into URL is done by Reflection on constant with name SCOPE_scope_in_uppercase
@@ -91,6 +100,8 @@ $apiService->setAccessType('offline');
 
 $apiService->setApprouvalPrompt('force');
 
+//$apiService->setLoginHint(email); // If we know the email of Google account, we can set it to have it correctly selected on login prompt on multiaccount
+
 $langs->load("oauth");
 
 
@@ -108,17 +119,12 @@ if ($action == 'delete') {
 	exit();
 }
 
-if (!empty($_GET['code'])) {     // We are coming from oauth provider page
+if (GETPOST('code')) {     // We are coming from oauth provider page.
 	dol_syslog("We are coming from the oauth provider page");
-	//llxHeader('',$langs->trans("OAuthSetup"));
 
-	//$linkback='<a href="'.DOL_URL_ROOT.'/admin/modules.php?restore_lastsearch_values=1">'.$langs->trans("BackToModuleList").'</a>';
-	//print load_fiche_titre($langs->trans("OAuthSetup"),$linkback,'title_setup');
+	// TODO
+	// We should validate that the $sate is same than the one into $_SESSION['oauthstateanticsrf'], return error if not.
 
-	//print dol_get_fiche_head();
-	// retrieve the CSRF state parameter
-	$state = isset($_GET['state']) ? $_GET['state'] : null;
-	//print '<table>';
 
 	// This was a callback request from service, get the token
 	try {
@@ -126,9 +132,13 @@ if (!empty($_GET['code'])) {     // We are coming from oauth provider page
 		//var_dump($state);
 		//var_dump($apiService);      // OAuth\OAuth2\Service\Google
 
-		$token = $apiService->requestAccessToken($_GET['code'], $state);
+		// This request the token
+		// Result is stored into object managed by class DoliStorage into includes/OAuth/Common/Storage/DoliStorage.php, so into table llx_oauth_token
+		$token = $apiService->requestAccessToken(GETPOST('code'), $state);
 
-		setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs'); // Stored into object managed by class DoliStorage so into table oauth_token
+		// Note: The token contains a lot of information about the user.
+
+		setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs');
 
 		$backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
 		unset($_SESSION["backtourlsavedbeforeoauthjump"]);
@@ -138,8 +148,9 @@ if (!empty($_GET['code'])) {     // We are coming from oauth provider page
 	} catch (Exception $e) {
 		print $e->getMessage();
 	}
-} else // If entry on page with no parameter, we arrive here
-{
+} else {
+	// If we enter this page without 'code' parameter, we arrive here. this is the case when we want to get the redirect
+	// to the OAuth provider login page
 	$_SESSION["backtourlsavedbeforeoauthjump"] = $backtourl;
 
 	// This may create record into oauth_state before the header redirect.
@@ -160,6 +171,6 @@ if (!empty($_GET['code'])) {     // We are coming from oauth provider page
  * View
  */
 
-// No view at all, just actions
+// No view at all, just actions, so we never reach this line, except on error.
 
 $db->close();
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index 338d2bd1a19..2645a76a8ab 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -33,6 +33,8 @@ if (empty($conf) || !is_object($conf)) {
 
 require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 
+
+
 header('Cache-Control: Public, must-revalidate');
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
 
@@ -316,6 +318,37 @@ if (isset($conf->file->main_authentication) && preg_match('/openid/', $conf->fil
 	echo '</div>';
 }
 
+if (isset($conf->file->main_authentication) && preg_match('/google/', $conf->file->main_authentication)) {
+	$langs->load("users");
+
+	global $dolibarr_main_url_root;
+
+	// Define $urlwithroot
+	$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
+	$urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
+	//$urlwithroot=DOL_MAIN_URL_ROOT;					// This is to use same domain name than current
+
+	echo '<br>';
+	echo '<div class="center" style="margin-top: 4px;">';
+
+	$shortscope = 'userinfo_email,userinfo_profile';
+	$shortscope .= ',openid,email,profile';	// For openid connect
+
+	$oauthstateanticsrf = bin2hex(random_bytes(128/8));
+	$_SESSION['oauthstateanticsrf'] = $shortscope.'-'.$oauthstateanticsrf;
+	$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+
+	$url = $urltorenew;
+
+	//if (!empty($url)) {
+		print img_picto('', 'google', 'class="pictofixedwidth"').'<a class="alogin" href="'.$url.'">'.$langs->trans("LoginWith", "Google").'</a>';
+	/*} else {
+		$langs->load("errors");
+		print '<span class="warning">'.$langs->trans("ErrorOpenIDSetupNotComplete", 'MAIN_AUTHENTICATION_OPENID_URL').'</span>';
+	}*/
+
+	echo '</div>';
+}
 
 ?>
 
diff --git a/htdocs/langs/en_US/other.lang b/htdocs/langs/en_US/other.lang
index 91dd5ba4509..a43e97c1a02 100644
--- a/htdocs/langs/en_US/other.lang
+++ b/htdocs/langs/en_US/other.lang
@@ -272,7 +272,8 @@ ProjectCreatedByEmailCollector=Project created by email collector from email MSG
 TicketCreatedByEmailCollector=Ticket created by email collector from email MSGID %s
 OpeningHoursFormatDesc=Use a - to separate opening and closing hours.<br>Use a space to enter different ranges.<br>Example: 8-12 14-18
 SuffixSessionName=Suffix for session name
-
+LoginWith=Login with %s
+ 
 ##### Export #####
 ExportsArea=Exports area
 AvailableFormats=Available formats

From ee836305bae36eb21f379d1b2867a5adea06935c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 20:51:53 +0100
Subject: [PATCH 06/18] Fix state field

---
 htdocs/admin/oauthlogintokens.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/admin/oauthlogintokens.php b/htdocs/admin/oauthlogintokens.php
index 820ce847030..73a9139f856 100644
--- a/htdocs/admin/oauthlogintokens.php
+++ b/htdocs/admin/oauthlogintokens.php
@@ -180,7 +180,7 @@ if ($mode == 'setup' && $user->admin) {
 			$oauthstateanticsrf = bin2hex(random_bytes(128/8));
 			$_SESSION['oauthstateanticsrf'] = $shortscope.'-'.$oauthstateanticsrf;
 
-			$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+			$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'-'.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
 			$urltocheckperms = 'https://security.google.com/settings/security/permissions';
 		} elseif ($keyforsupportedoauth2array == 'OAUTH_STRIPE_TEST_NAME') {

From b09cb42e25e60fc432a1b6bc01ded082a2d2f458 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 22:26:31 +0100
Subject: [PATCH 07/18] Decode extra params of id_token

---
 .../modules/oauth/google_oauthcallback.php    |  27 +-
 .../includes/OAuth/OAuth2/Service/Google.php  | 318 +++++++++---------
 2 files changed, 186 insertions(+), 159 deletions(-)

diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 520da0881e9..55a4394aa37 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -136,7 +136,32 @@ if (GETPOST('code')) {     // We are coming from oauth provider page.
 		// Result is stored into object managed by class DoliStorage into includes/OAuth/Common/Storage/DoliStorage.php, so into table llx_oauth_token
 		$token = $apiService->requestAccessToken(GETPOST('code'), $state);
 
-		// Note: The token contains a lot of information about the user.
+		// Note: The extraparams has the 'id_token' than contains a lot of information about the user.
+		$extraparams = $token->getExtraParams();
+		$jwt = explode('.', $extraparams['id_token']);
+
+		// Extract the middle part, base64 decode, then json_decode it
+		if (!empty($jwt[1])) {
+			$userinfo = json_decode(base64_decode($jwt[1]), true);
+
+			// TODO
+			// We should make the 5 steps of validation of id_token
+			// Verify that the ID token is properly signed by the issuer. Google-issued tokens are signed using one of the certificates found at the URI specified in the jwks_uri metadata value of the Discovery document.
+			// Verify that the value of the iss claim in the ID token is equal to https://accounts.google.com or accounts.google.com.
+			// Verify that the value of the aud claim in the ID token is equal to your app's client ID.
+			// Verify that the expiry time (exp claim) of the ID token has not passed.
+			// If you specified a hd parameter value in the request, verify that the ID token has a hd claim that matches an accepted G Suite hosted domain.
+
+			/*
+			$useremailuniq = $userinfo['sub'];
+			$useremail = $userinfo['email'];
+			$useremailverified = $userinfo['email_verified'];
+			$username = $userinfo['name'];
+			$userfamilyname = $userinfo['family_name'];
+			$usergivenname = $userinfo['given_name'];
+			$hd = $userinfo['hd'];
+			*/
+		}
 
 		setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs');
 
diff --git a/htdocs/includes/OAuth/OAuth2/Service/Google.php b/htdocs/includes/OAuth/OAuth2/Service/Google.php
index 5ab0f8a474b..8cf6daf9a7e 100644
--- a/htdocs/includes/OAuth/OAuth2/Service/Google.php
+++ b/htdocs/includes/OAuth/OAuth2/Service/Google.php
@@ -13,194 +13,196 @@ use OAuth\Common\Http\Uri\Uri;
 
 class Google extends AbstractService
 {
-    /**
-     * Defined scopes - More scopes are listed here:
-     * https://developers.google.com/oauthplayground/
-     *
-     * Make a pull request if you need more scopes.
-     */
+	/**
+	 * Defined scopes - More scopes are listed here:
+	 * https://developers.google.com/oauthplayground/
+	 *
+	 * Make a pull request if you need more scopes.
+	 */
 
-    // Basic
-    const SCOPE_EMAIL                       = 'email';
-    const SCOPE_PROFILE                     = 'profile';
+	// Basic
+	const SCOPE_EMAIL                       = 'email';
+	const SCOPE_PROFILE                     = 'profile';
 
-    const SCOPE_USERINFO_EMAIL              = 'https://www.googleapis.com/auth/userinfo.email';
-    const SCOPE_USERINFO_PROFILE            = 'https://www.googleapis.com/auth/userinfo.profile';
+	const SCOPE_USERINFO_EMAIL              = 'https://www.googleapis.com/auth/userinfo.email';
+	const SCOPE_USERINFO_PROFILE            = 'https://www.googleapis.com/auth/userinfo.profile';
 
-    // Google+
-    const SCOPE_GPLUS_ME                    = 'https://www.googleapis.com/auth/plus.me';
-    const SCOPE_GPLUS_LOGIN                 = 'https://www.googleapis.com/auth/plus.login';
-    const SCOPE_GPLUS_CIRCLES_READ          = 'https://www.googleapis.com/auth/plus.circles.read';
-    const SCOPE_GPLUS_CIRCLES_WRITE         = 'https://www.googleapis.com/auth/plus.circles.write';
-    const SCOPE_GPLUS_STREAM_READ           = 'https://www.googleapis.com/auth/plus.stream.read';
-    const SCOPE_GPLUS_STREAM_WRITE          = 'https://www.googleapis.com/auth/plus.stream.write';
-    const SCOPE_GPLUS_MEDIA                 = 'https://www.googleapis.com/auth/plus.media.upload';
+	// Google+
+	const SCOPE_GPLUS_ME                    = 'https://www.googleapis.com/auth/plus.me';
+	const SCOPE_GPLUS_LOGIN                 = 'https://www.googleapis.com/auth/plus.login';
+	const SCOPE_GPLUS_CIRCLES_READ          = 'https://www.googleapis.com/auth/plus.circles.read';
+	const SCOPE_GPLUS_CIRCLES_WRITE         = 'https://www.googleapis.com/auth/plus.circles.write';
+	const SCOPE_GPLUS_STREAM_READ           = 'https://www.googleapis.com/auth/plus.stream.read';
+	const SCOPE_GPLUS_STREAM_WRITE          = 'https://www.googleapis.com/auth/plus.stream.write';
+	const SCOPE_GPLUS_MEDIA                 = 'https://www.googleapis.com/auth/plus.media.upload';
 
-    // Google Drive
-    const SCOPE_DOCUMENTSLIST               = 'https://docs.google.com/feeds/';
-    const SCOPE_SPREADSHEETS                = 'https://spreadsheets.google.com/feeds/';
-    const SCOPE_GOOGLEDRIVE                 = 'https://www.googleapis.com/auth/drive';
-    const SCOPE_DRIVE_APPS                  = 'https://www.googleapis.com/auth/drive.appdata';
-    const SCOPE_DRIVE_APPS_READ_ONLY        = 'https://www.googleapis.com/auth/drive.apps.readonly';
-    const SCOPE_GOOGLEDRIVE_FILES           = 'https://www.googleapis.com/auth/drive.file';
-    const SCOPE_DRIVE_METADATA_READ_ONLY    = 'https://www.googleapis.com/auth/drive.metadata.readonly';
-    const SCOPE_DRIVE_READ_ONLY             = 'https://www.googleapis.com/auth/drive.readonly';
-    const SCOPE_DRIVE_SCRIPTS               = 'https://www.googleapis.com/auth/drive.scripts';
+	// Google Drive
+	const SCOPE_DOCUMENTSLIST               = 'https://docs.google.com/feeds/';
+	const SCOPE_SPREADSHEETS                = 'https://spreadsheets.google.com/feeds/';
+	const SCOPE_GOOGLEDRIVE                 = 'https://www.googleapis.com/auth/drive';
+	const SCOPE_DRIVE_APPS                  = 'https://www.googleapis.com/auth/drive.appdata';
+	const SCOPE_DRIVE_APPS_READ_ONLY        = 'https://www.googleapis.com/auth/drive.apps.readonly';
+	const SCOPE_GOOGLEDRIVE_FILES           = 'https://www.googleapis.com/auth/drive.file';
+	const SCOPE_DRIVE_METADATA_READ_ONLY    = 'https://www.googleapis.com/auth/drive.metadata.readonly';
+	const SCOPE_DRIVE_READ_ONLY             = 'https://www.googleapis.com/auth/drive.readonly';
+	const SCOPE_DRIVE_SCRIPTS               = 'https://www.googleapis.com/auth/drive.scripts';
 
-    // Cloud Print
-    const SCOPE_CLOUD_PRINT                 = 'https://www.googleapis.com/auth/cloudprint';
+	// Cloud Print
+	const SCOPE_CLOUD_PRINT                 = 'https://www.googleapis.com/auth/cloudprint';
 
-    // Adwords
-    const SCOPE_ADSENSE                     = 'https://www.googleapis.com/auth/adsense';
-    const SCOPE_ADWORDS                     = 'https://www.googleapis.com/auth/adwords/';
-    const SCOPE_GAN                         = 'https://www.googleapis.com/auth/gan'; // google affiliate network...?
+	// Adwords
+	const SCOPE_ADSENSE                     = 'https://www.googleapis.com/auth/adsense';
+	const SCOPE_ADWORDS                     = 'https://www.googleapis.com/auth/adwords/';
+	const SCOPE_GAN                         = 'https://www.googleapis.com/auth/gan'; // google affiliate network...?
 
-    // Google Analytics
-    const SCOPE_ANALYTICS                   = 'https://www.googleapis.com/auth/analytics';
-    const SCOPE_ANALYTICS_EDIT              = 'https://www.googleapis.com/auth/analytics.edit';
-    const SCOPE_ANALYTICS_MANAGE_USERS      = 'https://www.googleapis.com/auth/analytics.manage.users';
-    const SCOPE_ANALYTICS_READ_ONLY         = 'https://www.googleapis.com/auth/analytics.readonly';
+	// Google Analytics
+	const SCOPE_ANALYTICS                   = 'https://www.googleapis.com/auth/analytics';
+	const SCOPE_ANALYTICS_EDIT              = 'https://www.googleapis.com/auth/analytics.edit';
+	const SCOPE_ANALYTICS_MANAGE_USERS      = 'https://www.googleapis.com/auth/analytics.manage.users';
+	const SCOPE_ANALYTICS_READ_ONLY         = 'https://www.googleapis.com/auth/analytics.readonly';
 
-    //Gmail
-    const SCOPE_GMAIL_MODIFY                = 'https://www.googleapis.com/auth/gmail.modify';
-    const SCOPE_GMAIL_READONLY              = 'https://www.googleapis.com/auth/gmail.readonly';
-    const SCOPE_GMAIL_COMPOSE               = 'https://www.googleapis.com/auth/gmail.compose';
-    const SCOPE_GMAIL_SEND                  = 'https://www.googleapis.com/auth/gmail.send';
-    const SCOPE_GMAIL_INSERT                = 'https://www.googleapis.com/auth/gmail.insert';
-    const SCOPE_GMAIL_LABELS                = 'https://www.googleapis.com/auth/gmail.labels';
-    const SCOPE_GMAIL_FULL                  = 'https://mail.google.com/';
+	//Gmail
+	const SCOPE_GMAIL_MODIFY                = 'https://www.googleapis.com/auth/gmail.modify';
+	const SCOPE_GMAIL_READONLY              = 'https://www.googleapis.com/auth/gmail.readonly';
+	const SCOPE_GMAIL_COMPOSE               = 'https://www.googleapis.com/auth/gmail.compose';
+	const SCOPE_GMAIL_SEND                  = 'https://www.googleapis.com/auth/gmail.send';
+	const SCOPE_GMAIL_INSERT                = 'https://www.googleapis.com/auth/gmail.insert';
+	const SCOPE_GMAIL_LABELS                = 'https://www.googleapis.com/auth/gmail.labels';
+	const SCOPE_GMAIL_FULL                  = 'https://mail.google.com/';
 
-    // Other services
-    const SCOPE_BOOKS                       = 'https://www.googleapis.com/auth/books';
-    const SCOPE_BLOGGER                     = 'https://www.googleapis.com/auth/blogger';
-    const SCOPE_CALENDAR                    = 'https://www.googleapis.com/auth/calendar';
-    const SCOPE_CALENDAR_READ_ONLY          = 'https://www.googleapis.com/auth/calendar.readonly';
-    const SCOPE_CONTACT                     = 'https://www.google.com/m8/feeds/';
-    const SCOPE_CONTACTS_RO                 = 'https://www.googleapis.com/auth/contacts.readonly';
-    const SCOPE_CHROMEWEBSTORE              = 'https://www.googleapis.com/auth/chromewebstore.readonly';
-    const SCOPE_GMAIL                       = 'https://mail.google.com/mail/feed/atom';
-    const SCOPE_GMAIL_IMAP_SMTP             = 'https://mail.google.com';
-    const SCOPE_PICASAWEB                   = 'https://picasaweb.google.com/data/';
-    const SCOPE_SITES                       = 'https://sites.google.com/feeds/';
-    const SCOPE_URLSHORTENER                = 'https://www.googleapis.com/auth/urlshortener';
-    const SCOPE_WEBMASTERTOOLS              = 'https://www.google.com/webmasters/tools/feeds/';
-    const SCOPE_TASKS                       = 'https://www.googleapis.com/auth/tasks';
+	// Other services
+	const SCOPE_BOOKS                       = 'https://www.googleapis.com/auth/books';
+	const SCOPE_BLOGGER                     = 'https://www.googleapis.com/auth/blogger';
+	const SCOPE_CALENDAR                    = 'https://www.googleapis.com/auth/calendar';
+	const SCOPE_CALENDAR_READ_ONLY          = 'https://www.googleapis.com/auth/calendar.readonly';
+	const SCOPE_CONTACT                     = 'https://www.google.com/m8/feeds/';
+	const SCOPE_CONTACTS_RO                 = 'https://www.googleapis.com/auth/contacts.readonly';
+	const SCOPE_CHROMEWEBSTORE              = 'https://www.googleapis.com/auth/chromewebstore.readonly';
+	const SCOPE_GMAIL                       = 'https://mail.google.com/mail/feed/atom';
+	const SCOPE_GMAIL_IMAP_SMTP             = 'https://mail.google.com';
+	const SCOPE_PICASAWEB                   = 'https://picasaweb.google.com/data/';
+	const SCOPE_SITES                       = 'https://sites.google.com/feeds/';
+	const SCOPE_URLSHORTENER                = 'https://www.googleapis.com/auth/urlshortener';
+	const SCOPE_WEBMASTERTOOLS              = 'https://www.google.com/webmasters/tools/feeds/';
+	const SCOPE_TASKS                       = 'https://www.googleapis.com/auth/tasks';
 
-    // Cloud services
-    const SCOPE_CLOUDSTORAGE                = 'https://www.googleapis.com/auth/devstorage.read_write';
-    const SCOPE_CONTENTFORSHOPPING          = 'https://www.googleapis.com/auth/structuredcontent'; // what even is this
-    const SCOPE_USER_PROVISIONING           = 'https://apps-apis.google.com/a/feeds/user/';
-    const SCOPE_GROUPS_PROVISIONING         = 'https://apps-apis.google.com/a/feeds/groups/';
-    const SCOPE_NICKNAME_PROVISIONING       = 'https://apps-apis.google.com/a/feeds/alias/';
+	// Cloud services
+	const SCOPE_CLOUDSTORAGE                = 'https://www.googleapis.com/auth/devstorage.read_write';
+	const SCOPE_CONTENTFORSHOPPING          = 'https://www.googleapis.com/auth/structuredcontent'; // what even is this
+	const SCOPE_USER_PROVISIONING           = 'https://apps-apis.google.com/a/feeds/user/';
+	const SCOPE_GROUPS_PROVISIONING         = 'https://apps-apis.google.com/a/feeds/groups/';
+	const SCOPE_NICKNAME_PROVISIONING       = 'https://apps-apis.google.com/a/feeds/alias/';
 
-    // Old
-    const SCOPE_ORKUT                       = 'https://www.googleapis.com/auth/orkut';
-    const SCOPE_GOOGLELATITUDE =
-        'https://www.googleapis.com/auth/latitude.all.best https://www.googleapis.com/auth/latitude.all.city';
-    const SCOPE_OPENID                      = 'openid';
+	// Old
+	const SCOPE_ORKUT                       = 'https://www.googleapis.com/auth/orkut';
+	const SCOPE_GOOGLELATITUDE =
+		'https://www.googleapis.com/auth/latitude.all.best https://www.googleapis.com/auth/latitude.all.city';
+	const SCOPE_OPENID                      = 'openid';
 
-    // YouTube
-    const SCOPE_YOUTUBE_GDATA               = 'https://gdata.youtube.com';
-    const SCOPE_YOUTUBE_ANALYTICS_MONETARY  = 'https://www.googleapis.com/auth/yt-analytics-monetary.readonly';
-    const SCOPE_YOUTUBE_ANALYTICS           = 'https://www.googleapis.com/auth/yt-analytics.readonly';
-    const SCOPE_YOUTUBE                     = 'https://www.googleapis.com/auth/youtube';
-    const SCOPE_YOUTUBE_READ_ONLY           = 'https://www.googleapis.com/auth/youtube.readonly';
-    const SCOPE_YOUTUBE_UPLOAD              = 'https://www.googleapis.com/auth/youtube.upload';
-    const SCOPE_YOUTUBE_PARTNER             = 'https://www.googleapis.com/auth/youtubepartner';
-    const SCOPE_YOUTUBE_PARTNER_AUDIT       = 'https://www.googleapis.com/auth/youtubepartner-channel-audit';
+	// YouTube
+	const SCOPE_YOUTUBE_GDATA               = 'https://gdata.youtube.com';
+	const SCOPE_YOUTUBE_ANALYTICS_MONETARY  = 'https://www.googleapis.com/auth/yt-analytics-monetary.readonly';
+	const SCOPE_YOUTUBE_ANALYTICS           = 'https://www.googleapis.com/auth/yt-analytics.readonly';
+	const SCOPE_YOUTUBE                     = 'https://www.googleapis.com/auth/youtube';
+	const SCOPE_YOUTUBE_READ_ONLY           = 'https://www.googleapis.com/auth/youtube.readonly';
+	const SCOPE_YOUTUBE_UPLOAD              = 'https://www.googleapis.com/auth/youtube.upload';
+	const SCOPE_YOUTUBE_PARTNER             = 'https://www.googleapis.com/auth/youtubepartner';
+	const SCOPE_YOUTUBE_PARTNER_AUDIT       = 'https://www.googleapis.com/auth/youtubepartner-channel-audit';
 
-    // Google Glass
-    const SCOPE_GLASS_TIMELINE              = 'https://www.googleapis.com/auth/glass.timeline';
-    const SCOPE_GLASS_LOCATION              = 'https://www.googleapis.com/auth/glass.location';
+	// Google Glass
+	const SCOPE_GLASS_TIMELINE              = 'https://www.googleapis.com/auth/glass.timeline';
+	const SCOPE_GLASS_LOCATION              = 'https://www.googleapis.com/auth/glass.location';
 
-    // Android Publisher
-    const SCOPE_ANDROID_PUBLISHER           = 'https://www.googleapis.com/auth/androidpublisher';
+	// Android Publisher
+	const SCOPE_ANDROID_PUBLISHER           = 'https://www.googleapis.com/auth/androidpublisher';
 
 
-    // Google Gsuite
+	// Google Gsuite
 	const SCOPE_ADMIN_DIRECTORY_USER =        "https://www.googleapis.com/auth/admin.directory.user";
 	const SCOPE_ADMIN_DIRECTORY_CUSTOMER =        "https://www.googleapis.com/auth/admin.directory.customer";
 
-    protected $accessType = 'online';
+	protected $accessType = 'online';
 
-    public function __construct(
-        CredentialsInterface $credentials,
-        ClientInterface $httpClient,
-        TokenStorageInterface $storage,
-        $scopes = array(),
-        UriInterface $baseApiUri = null
-    ) {
-        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri, true);
+	public function __construct(
+		CredentialsInterface $credentials,
+		ClientInterface $httpClient,
+		TokenStorageInterface $storage,
+		$scopes = array(),
+		UriInterface $baseApiUri = null
+	) {
+		parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri, true);
 
-        if (null === $baseApiUri) {
-            $this->baseApiUri = new Uri('https://www.googleapis.com/oauth2/v1/');
-        }
-    }
+		if (null === $baseApiUri) {
+			$this->baseApiUri = new Uri('https://www.googleapis.com/oauth2/v1/');
+		}
+	}
 
-    public function setAccessType($accessType)
-    {
-        if (!in_array($accessType, array('online', 'offline'), true)) {
-            throw new InvalidAccessTypeException('Invalid accessType, expected either online or offline');
-        }
-        $this->accessType = $accessType;
-    }
+	public function setAccessType($accessType)
+	{
+		if (!in_array($accessType, array('online', 'offline'), true)) {
+			throw new InvalidAccessTypeException('Invalid accessType, expected either online or offline');
+		}
+		$this->accessType = $accessType;
+	}
 
-    // LDR CHANGE Add approval_prompt to force the prompt if value is set to 'force' so it force return of a "refresh token" in addition to "standard token"
-    public $approvalPrompt='auto';
-    public function setApprouvalPrompt($prompt)
-    {
-        if (!in_array($prompt, array('auto', 'force'), true)) {
-            // @todo Maybe could we rename this exception
-            throw new InvalidAccessTypeException('Invalid approuvalPrompt, expected either auto or force.');
-        }
-        $this->approvalPrompt = $prompt;
-    }
+	// LDR CHANGE Add approval_prompt to force the prompt if value is set to 'force' so it force return of a "refresh token" in addition to "standard token"
+	public $approvalPrompt='auto';
+	public function setApprouvalPrompt($prompt)
+	{
+		if (!in_array($prompt, array('auto', 'force'), true)) {
+			// @todo Maybe could we rename this exception
+			throw new InvalidAccessTypeException('Invalid approuvalPrompt, expected either auto or force.');
+		}
+		$this->approvalPrompt = $prompt;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getAuthorizationEndpoint()
-    {
-        // LDR CHANGE Add approval_prompt to force the prompt if value is set to 'force' so it force return of a "refresh token" in addition to "standard token"
-        //return new Uri('https://accounts.google.com/o/oauth2/auth?access_type='.$this->accessType);
-        return new Uri('https://accounts.google.com/o/oauth2/auth?'.($this->approvalPrompt?'approval_prompt='.$this->approvalPrompt.'&':'').'access_type='.$this->accessType);
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	public function getAuthorizationEndpoint()
+	{
+		// LDR CHANGE Add approval_prompt to force the prompt if value is set to 'force' so it force return of a "refresh token" in addition to "standard token"
+		//return new Uri('https://accounts.google.com/o/oauth2/auth?access_type='.$this->accessType);
+		$url = 'https://accounts.google.com/o/oauth2/auth?nonce='.bin2hex(random_bytes(64/8)).'&'.($this->approvalPrompt?'approval_prompt='.$this->approvalPrompt.'&':'').'access_type='.$this->accessType;
+		// TODO Add param hd and/or login_hint
+		return new Uri($url);
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getAccessTokenEndpoint()
-    {
-        return new Uri('https://accounts.google.com/o/oauth2/token');
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	public function getAccessTokenEndpoint()
+	{
+		return new Uri('https://accounts.google.com/o/oauth2/token');
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function parseAccessTokenResponse($responseBody)
-    {
-        $data = json_decode($responseBody, true);
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function parseAccessTokenResponse($responseBody)
+	{
+		$data = json_decode($responseBody, true);
 
-        if (null === $data || !is_array($data)) {
-            throw new TokenResponseException('Unable to parse response.');
-        } elseif (isset($data['error'])) {
-            throw new TokenResponseException('Error in retrieving token: "' . $data['error'] . '"');
-        }
+		if (null === $data || !is_array($data)) {
+			throw new TokenResponseException('Unable to parse response.');
+		} elseif (isset($data['error'])) {
+			throw new TokenResponseException('Error in retrieving token: "' . $data['error'] . '"');
+		}
 
-        $token = new StdOAuth2Token();
-        $token->setAccessToken($data['access_token']);
-        $token->setLifetime($data['expires_in']);
+		$token = new StdOAuth2Token();
+		$token->setAccessToken($data['access_token']);
+		$token->setLifetime($data['expires_in']);
 
-        if (isset($data['refresh_token'])) {
-            $token->setRefreshToken($data['refresh_token']);
-            unset($data['refresh_token']);
-        }
+		if (isset($data['refresh_token'])) {
+			$token->setRefreshToken($data['refresh_token']);
+			unset($data['refresh_token']);
+		}
 
-        unset($data['access_token']);
-        unset($data['expires_in']);
+		unset($data['access_token']);
+		unset($data['expires_in']);
 
-        $token->setExtraParams($data);
+		$token->setExtraParams($data);
 
-        return $token;
-    }
+		return $token;
+	}
 }

From 3ae63cb111cb9de578fdc0501e5df7a72b2c2319 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 22:49:53 +0100
Subject: [PATCH 08/18] Clean code

---
 .../core/modules/oauth/google_oauthcallback.php   | 15 ++++++++++-----
 htdocs/core/tpl/login.tpl.php                     | 13 ++++---------
 htdocs/includes/OAuth/OAuth2/Service/Google.php   |  4 ++--
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 55a4394aa37..2b2b253c40d 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -98,9 +98,6 @@ $apiService = $serviceFactory->createService('Google', $credentials, $storage, $
 // also note that a refresh token is sent only after a prompt
 $apiService->setAccessType('offline');
 
-$apiService->setApprouvalPrompt('force');
-
-//$apiService->setLoginHint(email); // If we know the email of Google account, we can set it to have it correctly selected on login prompt on multiaccount
 
 $langs->load("oauth");
 
@@ -178,14 +175,22 @@ if (GETPOST('code')) {     // We are coming from oauth provider page.
 	// to the OAuth provider login page
 	$_SESSION["backtourlsavedbeforeoauthjump"] = $backtourl;
 
+	if (!preg_match('/^forlogin/', $state)) {
+		$apiService->setApprouvalPrompt('force');
+	}
+
 	// This may create record into oauth_state before the header redirect.
 	// Creation of record with state in this tables depend on the Provider used (see its constructor).
-	if (GETPOST('state')) {
-		$url = $apiService->getAuthorizationUri(array('state'=>GETPOST('state')));
+	if ($state) {
+		$url = $apiService->getAuthorizationUri(array('state' => $state));
 	} else {
 		$url = $apiService->getAuthorizationUri(); // Parameter state will be randomly generated
 	}
 
+	// Add more param
+	$url .= '&nonce='.bin2hex(random_bytes(64/8));
+	// TODO Add param hd and/or login_hint
+
 	// we go on oauth provider authorization page
 	header('Location: '.$url);
 	exit();
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index 2645a76a8ab..d7e9bda13dd 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -331,21 +331,16 @@ if (isset($conf->file->main_authentication) && preg_match('/google/', $conf->fil
 	echo '<br>';
 	echo '<div class="center" style="margin-top: 4px;">';
 
-	$shortscope = 'userinfo_email,userinfo_profile';
-	$shortscope .= ',openid,email,profile';	// For openid connect
+	//$shortscope = 'userinfo_email,userinfo_profile';
+	$shortscope = 'openid,email,profile';	// For openid connect
 
 	$oauthstateanticsrf = bin2hex(random_bytes(128/8));
 	$_SESSION['oauthstateanticsrf'] = $shortscope.'-'.$oauthstateanticsrf;
-	$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+	$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state=forlogin-'.$shortscope.'-'.$oauthstateanticsrf;
 
 	$url = $urltorenew;
 
-	//if (!empty($url)) {
-		print img_picto('', 'google', 'class="pictofixedwidth"').'<a class="alogin" href="'.$url.'">'.$langs->trans("LoginWith", "Google").'</a>';
-	/*} else {
-		$langs->load("errors");
-		print '<span class="warning">'.$langs->trans("ErrorOpenIDSetupNotComplete", 'MAIN_AUTHENTICATION_OPENID_URL').'</span>';
-	}*/
+	print img_picto('', 'google', 'class="pictofixedwidth"').'<a class="alogin" href="'.$url.'">'.$langs->trans("LoginWith", "Google").'</a>';
 
 	echo '</div>';
 }
diff --git a/htdocs/includes/OAuth/OAuth2/Service/Google.php b/htdocs/includes/OAuth/OAuth2/Service/Google.php
index 8cf6daf9a7e..d2041979faa 100644
--- a/htdocs/includes/OAuth/OAuth2/Service/Google.php
+++ b/htdocs/includes/OAuth/OAuth2/Service/Google.php
@@ -163,8 +163,8 @@ class Google extends AbstractService
 	{
 		// LDR CHANGE Add approval_prompt to force the prompt if value is set to 'force' so it force return of a "refresh token" in addition to "standard token"
 		//return new Uri('https://accounts.google.com/o/oauth2/auth?access_type='.$this->accessType);
-		$url = 'https://accounts.google.com/o/oauth2/auth?nonce='.bin2hex(random_bytes(64/8)).'&'.($this->approvalPrompt?'approval_prompt='.$this->approvalPrompt.'&':'').'access_type='.$this->accessType;
-		// TODO Add param hd and/or login_hint
+		$url = 'https://accounts.google.com/o/oauth2/auth?'.($this->approvalPrompt?'approval_prompt='.$this->approvalPrompt.'&':'').'access_type='.$this->accessType;
+
 		return new Uri($url);
 	}
 

From 4be8cb5ded6c3a81b3aa095ad7e04d1c4de996d8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 23:01:50 +0100
Subject: [PATCH 09/18] Validate the oauthstateanticsrf value.

---
 .../modules/oauth/google_oauthcallback.php    | 90 ++++++++++---------
 1 file changed, 47 insertions(+), 43 deletions(-)

diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 2b2b253c40d..efafbde6aa0 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -119,56 +119,57 @@ if ($action == 'delete') {
 if (GETPOST('code')) {     // We are coming from oauth provider page.
 	dol_syslog("We are coming from the oauth provider page");
 
-	// TODO
-	// We should validate that the $sate is same than the one into $_SESSION['oauthstateanticsrf'], return error if not.
+	// We must validate that the $state is the same than the one into $_SESSION['oauthstateanticsrf'], return error if not.
+	if (isset($_SESSION['oauthstateanticsrf']) && $state == $_SESSION['oauthstateanticsrf']) {
+		print 'Value for state = '.dol_escape_htmltag($state).' differs from value in $_SESSION["oauthstateanticsrf"]. Code is refused.';
+	} else {
+		// This was a callback request from service, get the token
+		try {
+			//var_dump($_GET['code']);
+			//var_dump($state);
+			//var_dump($apiService);      // OAuth\OAuth2\Service\Google
 
+			// This request the token
+			// Result is stored into object managed by class DoliStorage into includes/OAuth/Common/Storage/DoliStorage.php, so into table llx_oauth_token
+			$token = $apiService->requestAccessToken(GETPOST('code'), $state);
 
-	// This was a callback request from service, get the token
-	try {
-		//var_dump($_GET['code']);
-		//var_dump($state);
-		//var_dump($apiService);      // OAuth\OAuth2\Service\Google
+			// Note: The extraparams has the 'id_token' than contains a lot of information about the user.
+			$extraparams = $token->getExtraParams();
+			$jwt = explode('.', $extraparams['id_token']);
 
-		// This request the token
-		// Result is stored into object managed by class DoliStorage into includes/OAuth/Common/Storage/DoliStorage.php, so into table llx_oauth_token
-		$token = $apiService->requestAccessToken(GETPOST('code'), $state);
+			// Extract the middle part, base64 decode, then json_decode it
+			if (!empty($jwt[1])) {
+				$userinfo = json_decode(base64_decode($jwt[1]), true);
 
-		// Note: The extraparams has the 'id_token' than contains a lot of information about the user.
-		$extraparams = $token->getExtraParams();
-		$jwt = explode('.', $extraparams['id_token']);
+				// TODO
+				// We should make the 5 steps of validation of id_token
+				// Verify that the ID token is properly signed by the issuer. Google-issued tokens are signed using one of the certificates found at the URI specified in the jwks_uri metadata value of the Discovery document.
+				// Verify that the value of the iss claim in the ID token is equal to https://accounts.google.com or accounts.google.com.
+				// Verify that the value of the aud claim in the ID token is equal to your app's client ID.
+				// Verify that the expiry time (exp claim) of the ID token has not passed.
+				// If you specified a hd parameter value in the request, verify that the ID token has a hd claim that matches an accepted G Suite hosted domain.
 
-		// Extract the middle part, base64 decode, then json_decode it
-		if (!empty($jwt[1])) {
-			$userinfo = json_decode(base64_decode($jwt[1]), true);
+				/*
+				$useremailuniq = $userinfo['sub'];
+				$useremail = $userinfo['email'];
+				$useremailverified = $userinfo['email_verified'];
+				$username = $userinfo['name'];
+				$userfamilyname = $userinfo['family_name'];
+				$usergivenname = $userinfo['given_name'];
+				$hd = $userinfo['hd'];
+				*/
+			}
 
-			// TODO
-			// We should make the 5 steps of validation of id_token
-			// Verify that the ID token is properly signed by the issuer. Google-issued tokens are signed using one of the certificates found at the URI specified in the jwks_uri metadata value of the Discovery document.
-			// Verify that the value of the iss claim in the ID token is equal to https://accounts.google.com or accounts.google.com.
-			// Verify that the value of the aud claim in the ID token is equal to your app's client ID.
-			// Verify that the expiry time (exp claim) of the ID token has not passed.
-			// If you specified a hd parameter value in the request, verify that the ID token has a hd claim that matches an accepted G Suite hosted domain.
+			setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs');
 
-			/*
-			$useremailuniq = $userinfo['sub'];
-			$useremail = $userinfo['email'];
-			$useremailverified = $userinfo['email_verified'];
-			$username = $userinfo['name'];
-			$userfamilyname = $userinfo['family_name'];
-			$usergivenname = $userinfo['given_name'];
-			$hd = $userinfo['hd'];
-			*/
+			$backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
+			unset($_SESSION["backtourlsavedbeforeoauthjump"]);
+
+			header('Location: '.$backtourl);
+			exit();
+		} catch (Exception $e) {
+			print $e->getMessage();
 		}
-
-		setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs');
-
-		$backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
-		unset($_SESSION["backtourlsavedbeforeoauthjump"]);
-
-		header('Location: '.$backtourl);
-		exit();
-	} catch (Exception $e) {
-		print $e->getMessage();
 	}
 } else {
 	// If we enter this page without 'code' parameter, we arrive here. this is the case when we want to get the redirect
@@ -190,6 +191,9 @@ if (GETPOST('code')) {     // We are coming from oauth provider page.
 	// Add more param
 	$url .= '&nonce='.bin2hex(random_bytes(64/8));
 	// TODO Add param hd and/or login_hint
+	if (!preg_match('/^forlogin/', $state)) {
+		//$url .= 'hd=xxx';
+	}
 
 	// we go on oauth provider authorization page
 	header('Location: '.$url);
@@ -201,6 +205,6 @@ if (GETPOST('code')) {     // We are coming from oauth provider page.
  * View
  */
 
-// No view at all, just actions, so we never reach this line, except on error.
+// No view at all, just actions, so we never reach this line.
 
 $db->close();

From a5de93cf44b9b29ba4b7cdce2a2267b5c81bec9f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 19 Jan 2022 23:01:50 +0100
Subject: [PATCH 10/18] Validate the oauthstateanticsrf value.

---
 .../modules/oauth/google_oauthcallback.php    | 91 ++++++++++---------
 1 file changed, 48 insertions(+), 43 deletions(-)

diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 2b2b253c40d..9fbc38ef156 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -119,56 +119,58 @@ if ($action == 'delete') {
 if (GETPOST('code')) {     // We are coming from oauth provider page.
 	dol_syslog("We are coming from the oauth provider page");
 
-	// TODO
-	// We should validate that the $sate is same than the one into $_SESSION['oauthstateanticsrf'], return error if not.
+	// We must validate that the $state is the same than the one into $_SESSION['oauthstateanticsrf'], return error if not.
+	if (isset($_SESSION['oauthstateanticsrf']) && $state != $_SESSION['oauthstateanticsrf']) {
+		print 'Value for state = '.dol_escape_htmltag($state).' differs from value in $_SESSION["oauthstateanticsrf"]. Code is refused.';
+		unset($_SESSION['oauthstateanticsrf']);
+	} else {
+		// This was a callback request from service, get the token
+		try {
+			//var_dump($_GET['code']);
+			//var_dump($state);
+			//var_dump($apiService);      // OAuth\OAuth2\Service\Google
 
+			// This request the token
+			// Result is stored into object managed by class DoliStorage into includes/OAuth/Common/Storage/DoliStorage.php, so into table llx_oauth_token
+			$token = $apiService->requestAccessToken(GETPOST('code'), $state);
 
-	// This was a callback request from service, get the token
-	try {
-		//var_dump($_GET['code']);
-		//var_dump($state);
-		//var_dump($apiService);      // OAuth\OAuth2\Service\Google
+			// Note: The extraparams has the 'id_token' than contains a lot of information about the user.
+			$extraparams = $token->getExtraParams();
+			$jwt = explode('.', $extraparams['id_token']);
 
-		// This request the token
-		// Result is stored into object managed by class DoliStorage into includes/OAuth/Common/Storage/DoliStorage.php, so into table llx_oauth_token
-		$token = $apiService->requestAccessToken(GETPOST('code'), $state);
+			// Extract the middle part, base64 decode, then json_decode it
+			if (!empty($jwt[1])) {
+				$userinfo = json_decode(base64_decode($jwt[1]), true);
 
-		// Note: The extraparams has the 'id_token' than contains a lot of information about the user.
-		$extraparams = $token->getExtraParams();
-		$jwt = explode('.', $extraparams['id_token']);
+				// TODO
+				// We should make the 5 steps of validation of id_token
+				// Verify that the ID token is properly signed by the issuer. Google-issued tokens are signed using one of the certificates found at the URI specified in the jwks_uri metadata value of the Discovery document.
+				// Verify that the value of the iss claim in the ID token is equal to https://accounts.google.com or accounts.google.com.
+				// Verify that the value of the aud claim in the ID token is equal to your app's client ID.
+				// Verify that the expiry time (exp claim) of the ID token has not passed.
+				// If you specified a hd parameter value in the request, verify that the ID token has a hd claim that matches an accepted G Suite hosted domain.
 
-		// Extract the middle part, base64 decode, then json_decode it
-		if (!empty($jwt[1])) {
-			$userinfo = json_decode(base64_decode($jwt[1]), true);
+				/*
+				$useremailuniq = $userinfo['sub'];
+				$useremail = $userinfo['email'];
+				$useremailverified = $userinfo['email_verified'];
+				$username = $userinfo['name'];
+				$userfamilyname = $userinfo['family_name'];
+				$usergivenname = $userinfo['given_name'];
+				$hd = $userinfo['hd'];
+				*/
+			}
 
-			// TODO
-			// We should make the 5 steps of validation of id_token
-			// Verify that the ID token is properly signed by the issuer. Google-issued tokens are signed using one of the certificates found at the URI specified in the jwks_uri metadata value of the Discovery document.
-			// Verify that the value of the iss claim in the ID token is equal to https://accounts.google.com or accounts.google.com.
-			// Verify that the value of the aud claim in the ID token is equal to your app's client ID.
-			// Verify that the expiry time (exp claim) of the ID token has not passed.
-			// If you specified a hd parameter value in the request, verify that the ID token has a hd claim that matches an accepted G Suite hosted domain.
+			setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs');
 
-			/*
-			$useremailuniq = $userinfo['sub'];
-			$useremail = $userinfo['email'];
-			$useremailverified = $userinfo['email_verified'];
-			$username = $userinfo['name'];
-			$userfamilyname = $userinfo['family_name'];
-			$usergivenname = $userinfo['given_name'];
-			$hd = $userinfo['hd'];
-			*/
+			$backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
+			unset($_SESSION["backtourlsavedbeforeoauthjump"]);
+
+			header('Location: '.$backtourl);
+			exit();
+		} catch (Exception $e) {
+			print $e->getMessage();
 		}
-
-		setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs');
-
-		$backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
-		unset($_SESSION["backtourlsavedbeforeoauthjump"]);
-
-		header('Location: '.$backtourl);
-		exit();
-	} catch (Exception $e) {
-		print $e->getMessage();
 	}
 } else {
 	// If we enter this page without 'code' parameter, we arrive here. this is the case when we want to get the redirect
@@ -190,6 +192,9 @@ if (GETPOST('code')) {     // We are coming from oauth provider page.
 	// Add more param
 	$url .= '&nonce='.bin2hex(random_bytes(64/8));
 	// TODO Add param hd and/or login_hint
+	if (!preg_match('/^forlogin/', $state)) {
+		//$url .= 'hd=xxx';
+	}
 
 	// we go on oauth provider authorization page
 	header('Location: '.$url);
@@ -201,6 +206,6 @@ if (GETPOST('code')) {     // We are coming from oauth provider page.
  * View
  */
 
-// No view at all, just actions, so we never reach this line, except on error.
+// No view at all, just actions, so we never reach this line.
 
 $db->close();

From de30b68f9e7241a8b0c1c5d7f5519d98de84baa1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 16:32:30 +0100
Subject: [PATCH 11/18] Code comment

---
 htdocs/admin/agenda.php                                |  1 +
 htdocs/core/class/CSMSFile.class.php                   | 10 +++++++---
 .../interface_50_modAgenda_ActionsAuto.class.php       |  6 ++++--
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php
index 730983ad090..a730f199213 100644
--- a/htdocs/admin/agenda.php
+++ b/htdocs/admin/agenda.php
@@ -192,6 +192,7 @@ if (!empty($triggers)) {
 			}
 
 			if ($search_event === '' || preg_match('/'.preg_quote($search_event, '/').'/i', $trigger['code'])) {
+				print '<!-- '.$trigger['position'].' -->';
 				print '<tr class="oddeven">';
 				print '<td>'.$trigger['code'].'</td>';
 				print '<td>'.$trigger['label'].'</td>';
diff --git a/htdocs/core/class/CSMSFile.class.php b/htdocs/core/class/CSMSFile.class.php
index 8d5bcf7dc50..3f082ba6d53 100644
--- a/htdocs/core/class/CSMSFile.class.php
+++ b/htdocs/core/class/CSMSFile.class.php
@@ -29,8 +29,9 @@
 
 /**
  *		Class to send SMS
- *      Usage: $smsfile = new CSMSFile($subject,$sendto,$replyto,$message,$filepath,$mimetype,$filename,$cc,$ccc,$deliveryreceipt,$msgishtml,$errors_to);
- *             $smsfile->sendfile();
+ *      Usage:	$smsfile = new CSMSFile($subject,$sendto,$replyto,$message,$filepath,$mimetype,$filename,$cc,$ccc,$deliveryreceipt,$msgishtml,$errors_to);
+ *      		$smsfile->socid=...; $smsfile->contact_id=...; $smsfile->member_id=...; $smsfile->fk_project=...;
+ *             	$smsfile->sendfile();
  */
 class CSMSFile
 {
@@ -48,7 +49,8 @@ class CSMSFile
 	public $nostop;
 
 	public $socid;
-	public $contactid;
+	public $contact_id;
+	public $member_id;
 
 	public $fk_project;
 
@@ -135,6 +137,7 @@ class CSMSFile
 
 				$sms->socid = $this->socid;
 				$sms->contact_id = $this->contact_id;
+				$sms->member_id = $this->member_id;
 				$sms->project = $this->fk_project;
 
 				$res = $sms->SmsSend();
@@ -167,6 +170,7 @@ class CSMSFile
 
 					$sms->socid = $this->socid;
 					$sms->contact_id = $this->contact_id;
+					$sms->member_id = $this->member_id;
 					$sms->fk_project = $this->fk_project;
 
 					$res = $sms->SmsSend();
diff --git a/htdocs/core/triggers/interface_50_modAgenda_ActionsAuto.class.php b/htdocs/core/triggers/interface_50_modAgenda_ActionsAuto.class.php
index d441d364f4b..2ff5d3f9c43 100644
--- a/htdocs/core/triggers/interface_50_modAgenda_ActionsAuto.class.php
+++ b/htdocs/core/triggers/interface_50_modAgenda_ActionsAuto.class.php
@@ -66,7 +66,7 @@ class InterfaceActionsAuto extends DolibarrTriggers
 	 *      $object->elementtype (->element of object to link action to)
 	 *      $object->module (if defined, elementtype in llx_actioncomm will be elementtype@module)
 	 *
-	 * @param string		$action		Event action code ('CONTRACT_MODIFY', 'RECRUITMENTCANDIDATURE_MODIFIY', ...)
+	 * @param string		$action		Event action code ('CONTRACT_MODIFY', 'RECRUITMENTCANDIDATURE_MODIFIY', or example by external module: 'SENTBYSMS'...)
 	 * @param Object		$object     Object
 	 * @param User		    $user       Object user
 	 * @param Translate 	$langs      Object langs
@@ -88,6 +88,7 @@ class InterfaceActionsAuto extends DolibarrTriggers
 		//var_dump($action.' - '.$conf->global->$key);exit;
 
 		// Do not log events not enabled for this action
+		// GUI allow to set this option only if entry exists into table llx_c_action_trigger
 		if (empty($conf->global->$key)) {
 			return 0;
 		}
@@ -887,8 +888,9 @@ class InterfaceActionsAuto extends DolibarrTriggers
 		} else {
 			// TODO Merge all previous cases into this generic one
 			// $action = BILL_DELETE, TICKET_CREATE, TICKET_MODIFY, TICKET_DELETE, CONTACT_SENTBYMAIL, RECRUITMENTCANDIDATURE_MODIFY, ...
+			// Can also be a value defined by an external module like SENTBYSMS, COMPANY_SENTBYSMS, MEMBER_SENTBYSMS, ...
 			// Note: We are here only if $conf->global->MAIN_AGENDA_ACTIONAUTO_action is on (tested at begining of this function).
-			// Note that these key can be set in agenda setup, only if defined into c_action_trigger
+			// Note that these key can be set in agenda setup, only if defined into llx_c_action_trigger
 			// Load translation files required by the page
 			if (empty($object->actionmsg2)) {
 				$langs->loadLangs(array("agenda", "other"));

From b2f6de06d5227d4023a883c8084c6cc2236b25e7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 18:09:30 +0100
Subject: [PATCH 12/18] Fix the localtax were not saved on price when no code
 was set

---
 htdocs/core/lib/functions.lib.php |   2 +-
 htdocs/product/price.php          | 182 +++++++++++++++++++++++++-----
 htdocs/theme/eldy/global.inc.php  |   2 +-
 htdocs/theme/md/style.css.php     |   2 +-
 4 files changed, 154 insertions(+), 34 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 975e1f20a88..ce8e02e9cee 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1897,7 +1897,7 @@ function dol_banner_tab($object, $paramid, $morehtml = '', $shownav = 1, $fieldi
 
 	if ($object->element == 'product') {
 		$width = 80;
-		$cssclass = 'photoref';
+		$cssclass = 'photowithmargin photoref';
 		$showimage = $object->is_photo_available($conf->product->multidir_output[$entity]);
 		$maxvisiblephotos = (isset($conf->global->PRODUCT_MAX_VISIBLE_PHOTO) ? $conf->global->PRODUCT_MAX_VISIBLE_PHOTO : 5);
 		if ($conf->browser->layout == 'phone') {
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index 4c14add3660..d21574e696e 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -143,15 +143,35 @@ if (empty($reshook)) {
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
-			$sql .= " AND t.code ='".$db->escape($vatratecode)."'";
+			$sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 			$resql = $db->query($sql);
 			if ($resql) {
 				$obj = $db->fetch_object($resql);
-				$npr = $obj->recuperableonly;
-				$localtax1 = $obj->localtax1;
-				$localtax2 = $obj->localtax2;
-				$localtax1_type = $obj->localtax1_type;
-				$localtax2_type = $obj->localtax2_type;
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
+			}
+		} else {
+			// Get record with empty code
+			$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+			$sql .= " AND t.code = ''";
+			$resql = $db->query($sql);
+			if ($resql) {
+				$obj = $db->fetch_object($resql);
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
 			}
 		}
 
@@ -258,11 +278,37 @@ if (empty($reshook)) {
 					$resql = $db->query($sql);
 					if ($resql) {
 						$obj = $db->fetch_object($resql);
-						$npr = $obj->recuperableonly;
-						$localtax1 = $obj->localtax1;
-						$localtax2 = $obj->localtax2;
-						$localtax1_type = $obj->localtax1_type;
-						$localtax2_type = $obj->localtax2_type;
+						if ($obj) {
+							$npr = $obj->recuperableonly;
+							$localtax1 = $obj->localtax1;
+							$localtax2 = $obj->localtax2;
+							$localtax1_type = $obj->localtax1_type;
+							$localtax2_type = $obj->localtax2_type;
+						}
+
+						// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
+						if (in_array($mysoc->country_code, array('ES'))) {
+							$localtax1 = get_localtax($tva_tx, 1);
+							$localtax2 = get_localtax($tva_tx, 2);
+						}
+					}
+				} else {
+					// Get record with empty code
+					$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+					$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+					$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+					$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+					$sql .= " AND t.code = ''";
+					$resql = $db->query($sql);
+					if ($resql) {
+						$obj = $db->fetch_object($resql);
+						if ($obj) {
+							$npr = $obj->recuperableonly;
+							$localtax1 = $obj->localtax1;
+							$localtax2 = $obj->localtax2;
+							$localtax1_type = $obj->localtax1_type;
+							$localtax2_type = $obj->localtax2_type;
+						}
 					}
 				}
 
@@ -311,19 +357,40 @@ if (empty($reshook)) {
 				$resql = $db->query($sql);
 				if ($resql) {
 					$obj = $db->fetch_object($resql);
-					$npr = $obj->recuperableonly;
-					$localtax1 = $obj->localtax1;
-					$localtax2 = $obj->localtax2;
-					$localtax1_type = $obj->localtax1_type;
-					$localtax2_type = $obj->localtax2_type;
+					if ($obj) {
+						$npr = $obj->recuperableonly;
+						$localtax1 = $obj->localtax1;
+						$localtax2 = $obj->localtax2;
+						$localtax1_type = $obj->localtax1_type;
+						$localtax2_type = $obj->localtax2_type;
+					}
 
-					// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule
+					// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
 					if (in_array($mysoc->country_code, array('ES'))) {
 						$localtax1 = get_localtax($tva_tx, 1);
 						$localtax2 = get_localtax($tva_tx, 2);
 					}
 				}
+			} else {
+				// Get record with empty code
+				$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+				$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+				$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+				$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+				$sql .= " AND t.code = ''";
+				$resql = $db->query($sql);
+				if ($resql) {
+					$obj = $db->fetch_object($resql);
+					if ($obj) {
+						$npr = $obj->recuperableonly;
+						$localtax1 = $obj->localtax1;
+						$localtax2 = $obj->localtax2;
+						$localtax1_type = $obj->localtax1_type;
+						$localtax2_type = $obj->localtax2_type;
+					}
+				}
 			}
+
 			$pricestoupdate[0] = array(
 				'price' => $newprice,
 				'price_min' => $newprice_min,
@@ -534,11 +601,37 @@ if (empty($reshook)) {
 			$resql = $db->query($sql);
 			if ($resql) {
 				$obj = $db->fetch_object($resql);
-				$npr = $obj->recuperableonly;
-				$localtax1 = $obj->localtax1;
-				$localtax2 = $obj->localtax2;
-				$localtax1_type = $obj->localtax1_type;
-				$localtax2_type = $obj->localtax2_type;
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
+
+				// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
+				if (in_array($mysoc->country_code, array('ES'))) {
+					$localtax1 = get_localtax($tva_tx, 1);
+					$localtax2 = get_localtax($tva_tx, 2);
+				}
+			}
+		} else {
+			// Get record with empty code
+			$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+			$sql .= " AND t.code = ''";
+			$resql = $db->query($sql);
+			if ($resql) {
+				$obj = $db->fetch_object($resql);
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
 			}
 		}
 
@@ -627,11 +720,37 @@ if (empty($reshook)) {
 			$resql = $db->query($sql);
 			if ($resql) {
 				$obj = $db->fetch_object($resql);
-				$npr = $obj->recuperableonly;
-				$localtax1 = $obj->localtax1;
-				$localtax2 = $obj->localtax2;
-				$localtax1_type = $obj->localtax1_type;
-				$localtax2_type = $obj->localtax2_type;
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
+
+				// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
+				if (in_array($mysoc->country_code, array('ES'))) {
+					$localtax1 = get_localtax($tva_tx, 1);
+					$localtax2 = get_localtax($tva_tx, 2);
+				}
+			}
+		} else {
+			// Get record with empty code
+			$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+			$sql .= " AND t.code = ''";
+			$resql = $db->query($sql);
+			if ($resql) {
+				$obj = $db->fetch_object($resql);
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
 			}
 		}
 
@@ -829,22 +948,23 @@ if (!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT_
 			}
 
 			// TVA
+			print '<!-- Default VAT Rate -->';
 			print '<tr><td class="titlefieldcreate">'.$langs->trans("DefaultTaxRate").'</td><td>';
 
 			$positiverates = '';
 			if (price2num($object->tva_tx)) {
-				$positiverates .= ($positiverates ? '/' : '').price2num($object->tva_tx);
+				$positiverates .= ($positiverates ? '<span class="opacitymedium">/</span>' : '').price2num($object->tva_tx);
 			}
 			if (price2num($object->localtax1_type)) {
-				$positiverates .= ($positiverates ? '/' : '').price2num($object->localtax1_tx);
+				$positiverates .= ($positiverates ? '<span class="opacitymedium">/</span>' : '').price2num($object->localtax1_tx);
 			}
 			if (price2num($object->localtax2_type)) {
-				$positiverates .= ($positiverates ? '/' : '').price2num($object->localtax2_tx);
+				$positiverates .= ($positiverates ? '<span class="opacitymedium">/</span>' : '').price2num($object->localtax2_tx);
 			}
 			if (empty($positiverates)) {
 				$positiverates = '0';
 			}
-			echo vatrate($positiverates.($object->default_vat_code ? ' ('.$object->default_vat_code.')' : ''), '%', $object->tva_npr);
+			print vatrate($positiverates.($object->default_vat_code ? ' ('.$object->default_vat_code.')' : ''), true, $object->tva_npr, 1);
 			/*
 			if ($object->default_vat_code)
 			{
diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index 0ffc4e84786..a830002d197 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -4558,7 +4558,7 @@ label.radioprivate {
 /*	margin-bottom: 2px;
 	margin-top: 2px; */
 }
-div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
+div.divphotoref > img.photowithmargin, div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
 	margin-right: 15px;
 }
 .photowithborder {
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index 1d794d60de1..6d052a2dc03 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -4492,7 +4492,7 @@ label.radioprivate {
 /*	margin-bottom: 2px;
 	margin-top: 2px; */
 }
-div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
+div.divphotoref > img.photowithmargin, div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
 	margin-right: 15px;
 }
 .photowithborder {

From 8c3b28b0d0e7f721bc215a4d018dbc957a28914a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 18:50:18 +0100
Subject: [PATCH 13/18] Introduce method for future

---
 htdocs/core/db/DoliDB.class.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/htdocs/core/db/DoliDB.class.php b/htdocs/core/db/DoliDB.class.php
index fdbb755637a..4476228d509 100644
--- a/htdocs/core/db/DoliDB.class.php
+++ b/htdocs/core/db/DoliDB.class.php
@@ -70,6 +70,18 @@ abstract class DoliDB implements Database
 	/** @var string */
 	public $error;
 
+
+
+	/**
+	 *	Return the DB prefix
+	 *
+	 *	@return string		The DB prefix
+	 */
+	public function prefix()
+	{
+		return (empty($this->prefix_db) ? MAIN_DB_PREFIX : $this->prefix_db);
+	}
+
 	/**
 	 *	Format a SQL IF
 	 *

From d9b0af616e4ad5b56adf9a0a3edbf676a8236628 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 18:09:30 +0100
Subject: [PATCH 14/18] Fix the localtax were not saved on price when no code
 was set

---
 htdocs/core/lib/functions.lib.php |   2 +-
 htdocs/product/price.php          | 182 +++++++++++++++++++++++++-----
 htdocs/theme/eldy/global.inc.php  |   2 +-
 htdocs/theme/md/style.css.php     |   2 +-
 4 files changed, 154 insertions(+), 34 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 535eb7f226e..76ac0df05b1 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1897,7 +1897,7 @@ function dol_banner_tab($object, $paramid, $morehtml = '', $shownav = 1, $fieldi
 
 	if ($object->element == 'product') {
 		$width = 80;
-		$cssclass = 'photoref';
+		$cssclass = 'photowithmargin photoref';
 		$showimage = $object->is_photo_available($conf->product->multidir_output[$entity]);
 		$maxvisiblephotos = (isset($conf->global->PRODUCT_MAX_VISIBLE_PHOTO) ? $conf->global->PRODUCT_MAX_VISIBLE_PHOTO : 5);
 		if ($conf->browser->layout == 'phone') {
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index 4c14add3660..d21574e696e 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -143,15 +143,35 @@ if (empty($reshook)) {
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
-			$sql .= " AND t.code ='".$db->escape($vatratecode)."'";
+			$sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 			$resql = $db->query($sql);
 			if ($resql) {
 				$obj = $db->fetch_object($resql);
-				$npr = $obj->recuperableonly;
-				$localtax1 = $obj->localtax1;
-				$localtax2 = $obj->localtax2;
-				$localtax1_type = $obj->localtax1_type;
-				$localtax2_type = $obj->localtax2_type;
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
+			}
+		} else {
+			// Get record with empty code
+			$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+			$sql .= " AND t.code = ''";
+			$resql = $db->query($sql);
+			if ($resql) {
+				$obj = $db->fetch_object($resql);
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
 			}
 		}
 
@@ -258,11 +278,37 @@ if (empty($reshook)) {
 					$resql = $db->query($sql);
 					if ($resql) {
 						$obj = $db->fetch_object($resql);
-						$npr = $obj->recuperableonly;
-						$localtax1 = $obj->localtax1;
-						$localtax2 = $obj->localtax2;
-						$localtax1_type = $obj->localtax1_type;
-						$localtax2_type = $obj->localtax2_type;
+						if ($obj) {
+							$npr = $obj->recuperableonly;
+							$localtax1 = $obj->localtax1;
+							$localtax2 = $obj->localtax2;
+							$localtax1_type = $obj->localtax1_type;
+							$localtax2_type = $obj->localtax2_type;
+						}
+
+						// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
+						if (in_array($mysoc->country_code, array('ES'))) {
+							$localtax1 = get_localtax($tva_tx, 1);
+							$localtax2 = get_localtax($tva_tx, 2);
+						}
+					}
+				} else {
+					// Get record with empty code
+					$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+					$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+					$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+					$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+					$sql .= " AND t.code = ''";
+					$resql = $db->query($sql);
+					if ($resql) {
+						$obj = $db->fetch_object($resql);
+						if ($obj) {
+							$npr = $obj->recuperableonly;
+							$localtax1 = $obj->localtax1;
+							$localtax2 = $obj->localtax2;
+							$localtax1_type = $obj->localtax1_type;
+							$localtax2_type = $obj->localtax2_type;
+						}
 					}
 				}
 
@@ -311,19 +357,40 @@ if (empty($reshook)) {
 				$resql = $db->query($sql);
 				if ($resql) {
 					$obj = $db->fetch_object($resql);
-					$npr = $obj->recuperableonly;
-					$localtax1 = $obj->localtax1;
-					$localtax2 = $obj->localtax2;
-					$localtax1_type = $obj->localtax1_type;
-					$localtax2_type = $obj->localtax2_type;
+					if ($obj) {
+						$npr = $obj->recuperableonly;
+						$localtax1 = $obj->localtax1;
+						$localtax2 = $obj->localtax2;
+						$localtax1_type = $obj->localtax1_type;
+						$localtax2_type = $obj->localtax2_type;
+					}
 
-					// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule
+					// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
 					if (in_array($mysoc->country_code, array('ES'))) {
 						$localtax1 = get_localtax($tva_tx, 1);
 						$localtax2 = get_localtax($tva_tx, 2);
 					}
 				}
+			} else {
+				// Get record with empty code
+				$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+				$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+				$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+				$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+				$sql .= " AND t.code = ''";
+				$resql = $db->query($sql);
+				if ($resql) {
+					$obj = $db->fetch_object($resql);
+					if ($obj) {
+						$npr = $obj->recuperableonly;
+						$localtax1 = $obj->localtax1;
+						$localtax2 = $obj->localtax2;
+						$localtax1_type = $obj->localtax1_type;
+						$localtax2_type = $obj->localtax2_type;
+					}
+				}
 			}
+
 			$pricestoupdate[0] = array(
 				'price' => $newprice,
 				'price_min' => $newprice_min,
@@ -534,11 +601,37 @@ if (empty($reshook)) {
 			$resql = $db->query($sql);
 			if ($resql) {
 				$obj = $db->fetch_object($resql);
-				$npr = $obj->recuperableonly;
-				$localtax1 = $obj->localtax1;
-				$localtax2 = $obj->localtax2;
-				$localtax1_type = $obj->localtax1_type;
-				$localtax2_type = $obj->localtax2_type;
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
+
+				// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
+				if (in_array($mysoc->country_code, array('ES'))) {
+					$localtax1 = get_localtax($tva_tx, 1);
+					$localtax2 = get_localtax($tva_tx, 2);
+				}
+			}
+		} else {
+			// Get record with empty code
+			$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+			$sql .= " AND t.code = ''";
+			$resql = $db->query($sql);
+			if ($resql) {
+				$obj = $db->fetch_object($resql);
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
 			}
 		}
 
@@ -627,11 +720,37 @@ if (empty($reshook)) {
 			$resql = $db->query($sql);
 			if ($resql) {
 				$obj = $db->fetch_object($resql);
-				$npr = $obj->recuperableonly;
-				$localtax1 = $obj->localtax1;
-				$localtax2 = $obj->localtax2;
-				$localtax1_type = $obj->localtax1_type;
-				$localtax2_type = $obj->localtax2_type;
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
+
+				// If spain, we don't use the localtax found into tax record in database with same code, but using the get_localtax rule.
+				if (in_array($mysoc->country_code, array('ES'))) {
+					$localtax1 = get_localtax($tva_tx, 1);
+					$localtax2 = get_localtax($tva_tx, 2);
+				}
+			}
+		} else {
+			// Get record with empty code
+			$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
+			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
+			$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
+			$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
+			$sql .= " AND t.code = ''";
+			$resql = $db->query($sql);
+			if ($resql) {
+				$obj = $db->fetch_object($resql);
+				if ($obj) {
+					$npr = $obj->recuperableonly;
+					$localtax1 = $obj->localtax1;
+					$localtax2 = $obj->localtax2;
+					$localtax1_type = $obj->localtax1_type;
+					$localtax2_type = $obj->localtax2_type;
+				}
 			}
 		}
 
@@ -829,22 +948,23 @@ if (!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT_
 			}
 
 			// TVA
+			print '<!-- Default VAT Rate -->';
 			print '<tr><td class="titlefieldcreate">'.$langs->trans("DefaultTaxRate").'</td><td>';
 
 			$positiverates = '';
 			if (price2num($object->tva_tx)) {
-				$positiverates .= ($positiverates ? '/' : '').price2num($object->tva_tx);
+				$positiverates .= ($positiverates ? '<span class="opacitymedium">/</span>' : '').price2num($object->tva_tx);
 			}
 			if (price2num($object->localtax1_type)) {
-				$positiverates .= ($positiverates ? '/' : '').price2num($object->localtax1_tx);
+				$positiverates .= ($positiverates ? '<span class="opacitymedium">/</span>' : '').price2num($object->localtax1_tx);
 			}
 			if (price2num($object->localtax2_type)) {
-				$positiverates .= ($positiverates ? '/' : '').price2num($object->localtax2_tx);
+				$positiverates .= ($positiverates ? '<span class="opacitymedium">/</span>' : '').price2num($object->localtax2_tx);
 			}
 			if (empty($positiverates)) {
 				$positiverates = '0';
 			}
-			echo vatrate($positiverates.($object->default_vat_code ? ' ('.$object->default_vat_code.')' : ''), '%', $object->tva_npr);
+			print vatrate($positiverates.($object->default_vat_code ? ' ('.$object->default_vat_code.')' : ''), true, $object->tva_npr, 1);
 			/*
 			if ($object->default_vat_code)
 			{
diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index 0ffc4e84786..a830002d197 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -4558,7 +4558,7 @@ label.radioprivate {
 /*	margin-bottom: 2px;
 	margin-top: 2px; */
 }
-div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
+div.divphotoref > img.photowithmargin, div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
 	margin-right: 15px;
 }
 .photowithborder {
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index 1d794d60de1..6d052a2dc03 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -4492,7 +4492,7 @@ label.radioprivate {
 /*	margin-bottom: 2px;
 	margin-top: 2px; */
 }
-div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
+div.divphotoref > img.photowithmargin, div.divphotoref > a > .photowithmargin {		/* Margin right for photo not inside a div.photoref frame only */
 	margin-right: 15px;
 }
 .photowithborder {

From 050b5314035f86b1ae5183e456a40f5fc0c1fbc0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 19:01:04 +0100
Subject: [PATCH 15/18] Fix troubles in select_language when selected is array

---
 htdocs/core/class/html.formadmin.class.php | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/htdocs/core/class/html.formadmin.class.php b/htdocs/core/class/html.formadmin.class.php
index 3240d64c893..99ce3bb0201 100644
--- a/htdocs/core/class/html.formadmin.class.php
+++ b/htdocs/core/class/html.formadmin.class.php
@@ -73,15 +73,19 @@ class FormAdmin
 
 		$langs_available = $langs->get_available_languages(DOL_DOCUMENT_ROOT, 12, 0, $mainlangonly);
 
-		// If the language to select is not inside the list of available language and empty value is not available, we must find
-		// an alternative as the language code to pre-select (to avoid to have first element in list pre-selected).
-		if ($selected && !array_key_exists($selected, $langs_available) && empty($showempty)) {
-			$tmparray = explode('_', $selected);
-			if (!empty($tmparray[1])) {
-				$selected = getLanguageCodeFromCountryCode($tmparray[1]);
-			}
-			if (empty($selected)) {
-				$selected = $langs->defaultlang;
+		// If empty value is not allowed and the language to select is not inside the list of available language and we must find
+		// an alternative of the language code to pre-select (to avoid to have first element in list pre-selected).
+		if ($selected && empty($showempty)) {
+			if (!is_array($selected) && !array_key_exists($selected, $langs_available)) {
+				$tmparray = explode('_', $selected);
+				if (!empty($tmparray[1])) {
+					$selected = getLanguageCodeFromCountryCode($tmparray[1]);
+				}
+				if (empty($selected)) {
+					$selected = $langs->defaultlang;
+				}
+			} else {
+				// If the preselected value is an array, we do not try to find alternative to preselect
 			}
 		}
 

From 0a8eb3ee00b4e2aa607660b661160705ffcf60e0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 20:03:24 +0100
Subject: [PATCH 16/18] Doc

---
 SECURITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index 4e7e5fa933a..cadd4a23791 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -67,7 +67,7 @@ Scope is the web application (back office) and the APIs.
 * Remote code execution (RCE)
 * Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
 * Code injections (HTML, JS, SQL, PHP, ...)
-* Cross-Site Scripting (XSS), except from setup page of module "External web site" (allowing any content here, editable by admin user only, is accepted on purpose or into module "Web site" when permission to edit website content is allowed).
+* Cross-Site Scripting (XSS), except from setup page of module "External web site" (allowing any content here, editable by admin user only, is accepted on purpose) and except into module "Web site" when permission to edit website content is allowed (injecting any data in this case is allowed too).
 * Cross-Site Requests Forgery (CSRF) with real security impact (when using GET URLs, CSRF are qualified only for creating, updating or deleting data from pages restricted to admin users)
 * Open redirect
 * Broken authentication & session management

From beee7fc5d3f2a88ae12520eeb91aff3bac5151ae Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 20 Jan 2022 20:03:58 +0100
Subject: [PATCH 17/18] Fix #yogosha8484

---
 htdocs/core/lib/geturl.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/lib/geturl.lib.php b/htdocs/core/lib/geturl.lib.php
index 79ed4821ac8..50ae7c33561 100644
--- a/htdocs/core/lib/geturl.lib.php
+++ b/htdocs/core/lib/geturl.lib.php
@@ -215,7 +215,7 @@ function getURLContent($url, $postorget = 'GET', $param = '', $followlocation =
 			}
 
 			// Common check on ip (local and external)
-			$arrayofmetadataserver = array('100.100.100.200' => 'Alibaba', '192.0.0.192'=> 'Oracle');
+			$arrayofmetadataserver = array('100.100.100.200' => 'Alibaba', '192.0.0.192'=> 'Oracle', '192.80.8.124'=>'Packet');
 			foreach ($arrayofmetadataserver as $ipofmetadataserver => $nameofmetadataserver) {
 				if ($iptocheck == $ipofmetadataserver) {
 					$info['http_code'] = 400;

From 8c22de698265889efbe06d9f443b174c8cd548aa Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 21 Jan 2022 16:15:38 +0100
Subject: [PATCH 18/18] Comment

---
 htdocs/projet/tasks/note.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/projet/tasks/note.php b/htdocs/projet/tasks/note.php
index 3d1ec610b48..5f3d74a3c68 100644
--- a/htdocs/projet/tasks/note.php
+++ b/htdocs/projet/tasks/note.php
@@ -47,7 +47,6 @@ if (!$user->rights->projet->lire) {
 
 $hookmanager->initHooks(array('projettasknote'));
 
-//$result = restrictedArea($user, 'projet', $id, '', 'task'); // TODO ameliorer la verification
 
 $object = new Task($db);
 $projectstatic = new Project($db);
@@ -89,6 +88,7 @@ if ($id > 0 || $ref) {
 	$object->fetch($id, $ref);
 }
 
+//$result = restrictedArea($user, 'projet', $id, '', 'task'); // TODO ameliorer la verification
 restrictedArea($user, 'projet', $object->fk_project, 'projet&project');
 
 $permissionnote = ($user->rights->projet->creer || $user->rights->projet->all->creer);