From de5a2d738bc8e5a68a5fcbc0e283842005d6647c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 17 Jun 2020 18:39:25 +0200 Subject: [PATCH 1/5] FIX #14001 --- htdocs/product/composition/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/composition/card.php b/htdocs/product/composition/card.php index f67910cbef4..1fbbe2ecefa 100644 --- a/htdocs/product/composition/card.php +++ b/htdocs/product/composition/card.php @@ -70,7 +70,7 @@ if ($cancel) $action =''; if ($action == 'add_prod' && ($user->rights->produit->creer || $user->rights->service->creer)) { $error=0; - var_dump(GETPOST("max_prod", 'int')); + for ($i=0; $i < GETPOST("max_prod", 'int'); $i++) { $qty = price2num(GETPOST("prod_qty_".$i, 'alpha'), 'MS'); From 4cfe1fcd6bb3fb840f3085bc9dfb8d45fc2c9b93 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 18 Jun 2020 15:57:50 +0200 Subject: [PATCH 2/5] Typo --- htdocs/langs/en_US/withdrawals.lang | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/langs/en_US/withdrawals.lang b/htdocs/langs/en_US/withdrawals.lang index 5217d54d39a..c80db907a84 100644 --- a/htdocs/langs/en_US/withdrawals.lang +++ b/htdocs/langs/en_US/withdrawals.lang @@ -34,7 +34,7 @@ NoInvoiceToWithdraw=No invoice open for '%s' is waiting. Go on tab '%s' on invoi NoSupplierInvoiceToWithdraw=No supplier invoice with open 'Direct credit requests' is waiting. Go on tab '%s' on invoice card to make a request. ResponsibleUser=User Responsible WithdrawalsSetup=Direct debit payment setup -CreditTransferSetup=Crebit transfer setup +CreditTransferSetup=Credit transfer setup WithdrawStatistics=Direct debit payment statistics CreditTransferStatistics=Credit transfer statistics Rejects=Rejects From b9218a1c4cf963df1be93ceb37d1272e300427ad Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Thu, 18 Jun 2020 19:21:21 +0200 Subject: [PATCH 3/5] Debug v12 --- htdocs/societe/price.php | 127 ++++++++++++++++++++++----------------- 1 file changed, 71 insertions(+), 56 deletions(-) diff --git a/htdocs/societe/price.php b/htdocs/societe/price.php index 6d69e692a96..df8e966d0ce 100644 --- a/htdocs/societe/price.php +++ b/htdocs/societe/price.php @@ -55,6 +55,7 @@ $object = new Societe($db); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('thirdpartycustomerprice', 'globalcard')); +$error = 0; /* 
@@ -73,62 +74,70 @@ if (empty($reshook)) } if ($action == 'add_customer_price_confirm' && !$cancel && ($user->rights->produit->creer || $user->rights->service->creer)) { - $update_child_soc = GETPOST('updatechildprice'); - - // add price by customer - $prodcustprice->fk_soc = $socid; - $prodcustprice->fk_product = GETPOST('prodid', 'int'); - $prodcustprice->price = price2num(GETPOST("price"), 'MU'); - $prodcustprice->price_min = price2num(GETPOST("price_min"), 'MU'); - $prodcustprice->price_base_type = GETPOST("price_base_type", 'alpha'); - - $tva_tx_txt = GETPOST('tva_tx', 'alpha'); // tva_tx can be '8.5' or '8.5*' or '8.5 (XXX)' or '8.5* (XXX)' - - // We must define tva_tx, npr and local taxes - $vatratecode = ''; - $tva_tx = preg_replace('/[^0-9\.].*$/', '', $tva_tx_txt); // keep remove all after the numbers and dot - $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0; - $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0'; - // If value contains the unique code of vat line (new recommended method), we use it to find npr and local taxes - if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg)) - { - // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price. - $vatratecode = $reg[1]; - // Get record from code - $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; - $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; - $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; - $resql = $db->query($sql); - if ($resql) - { - $obj = $db->fetch_object($resql); - $npr = $obj->recuperableonly; - $localtax1 = $obj->localtax1; - $localtax2 = $obj->localtax2; - $localtax1_type = $obj->localtax1_type; - $localtax2_type = $obj->localtax2_type; - } + if (! 
(GETPOST('prodid', 'int') > 0)) { + $error++; + setEventMessages($langs->trans("ErrorFieldRequired", $langs->trans("Product")), null, 'errors'); + $action = 'add_customer_price'; } - $prodcustprice->default_vat_code = $vatratecode; - $prodcustprice->tva_tx = $tva_tx; - $prodcustprice->recuperableonly = $npr; - $prodcustprice->localtax1_tx = $localtax1; - $prodcustprice->localtax2_tx = $localtax2; - $prodcustprice->localtax1_type = $localtax1_type; - $prodcustprice->localtax2_type = $localtax2_type; + if (! $error) { + $update_child_soc = GETPOST('updatechildprice'); - $result = $prodcustprice->create($user, 0, $update_child_soc); + // add price by customer + $prodcustprice->fk_soc = $socid; + $prodcustprice->fk_product = GETPOST('prodid', 'int'); + $prodcustprice->price = price2num(GETPOST("price"), 'MU'); + $prodcustprice->price_min = price2num(GETPOST("price_min"), 'MU'); + $prodcustprice->price_base_type = GETPOST("price_base_type", 'alpha'); - if ($result < 0) { - setEventMessages($prodcustprice->error, $prodcustprice->errors, 'errors'); - } else { - setEventMessages($langs->trans('Save'), null, 'mesgs'); + $tva_tx_txt = GETPOST('tva_tx', 'alpha'); // tva_tx can be '8.5' or '8.5*' or '8.5 (XXX)' or '8.5* (XXX)' + + // We must define tva_tx, npr and local taxes + $vatratecode = ''; + $tva_tx = preg_replace('/[^0-9\.].*$/', '', $tva_tx_txt); // keep remove all after the numbers and dot + $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0; + $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0'; + // If value contains the unique code of vat line (new recommended method), we use it to find npr and local taxes + if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg)) + { + // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price. 
+ $vatratecode = $reg[1]; + // Get record from code + $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; + $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; + $sql .= " AND t.code ='".$vatratecode."'"; + $resql = $db->query($sql); + if ($resql) + { + $obj = $db->fetch_object($resql); + $npr = $obj->recuperableonly; + $localtax1 = $obj->localtax1; + $localtax2 = $obj->localtax2; + $localtax1_type = $obj->localtax1_type; + $localtax2_type = $obj->localtax2_type; + } + } + + $prodcustprice->default_vat_code = $vatratecode; + $prodcustprice->tva_tx = $tva_tx; + $prodcustprice->recuperableonly = $npr; + $prodcustprice->localtax1_tx = $localtax1; + $prodcustprice->localtax2_tx = $localtax2; + $prodcustprice->localtax1_type = $localtax1_type; + $prodcustprice->localtax2_type = $localtax2_type; + + $result = $prodcustprice->create($user, 0, $update_child_soc); + + if ($result < 0) { + setEventMessages($prodcustprice->error, $prodcustprice->errors, 'errors'); + } else { + setEventMessages($langs->trans('Save'), null, 'mesgs'); + } + + $action = ''; } - - $action = ''; } if ($action == 'delete_customer_price' && ($user->rights->produit->creer || $user->rights->service->creer)) { @@ -253,6 +262,9 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { if ($action == 'add_customer_price') { // Create mode + print '
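Review bot: The VAT-code lookup in the block moved under `if (! $error)` still interpolates request input into SQL: `$vatratecode` is `$reg[1]`, captured from `GETPOST('tva_tx', 'alpha')`, and is concatenated into `$sql .= " AND t.code ='".$vatratecode."'";` without `$db->escape()`, and `$mysoc->country_code` on the preceding line is concatenated the same way. The commit only adds the `prodid > 0` guard and re-indents these lines, so the new side should read `$sql .= " AND t.code = '".$db->escape($vatratecode)."'";` (and `c.code = '".$db->escape($mysoc->country_code)."'"`). In the same block `$obj = $db->fetch_object($resql);` is never checked: when no `c_tva` row matches, `$obj` is false and the five property reads that follow replace the defaults set on the `$localtax1 = 0; ...` line with null, so wrap them in `if ($obj) { ... }`. The existing comment says the same lookup is duplicated in the update-price path, which is outside this hunk and presumably carries the same two issues.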
'; + print ''."\n"; + print load_fiche_titre($langs->trans('PriceByCustomer')); print '
'; @@ -402,7 +414,8 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { print '
'; } elseif ($action == 'showlog_customer_price') { - print ''."\n"; + print '
'; + print ''."\n"; $filter = array( 't.fk_product' => GETPOST('prodid', 'int'), 't.fk_soc' => $socid @@ -426,6 +439,7 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { if (count($prodcustprice->lines) > 0) { print '
'; + print ''; print ''; print ''; @@ -514,6 +528,7 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { print_barre_liste($langs->trans('PriceForEachProduct'), $page, $_SERVER['PHP_SELF'], $option, $sortfield, $sortorder, '', count($prodcustprice->lines), $nbtotalofrecords, ''); print ''; + print ''; print ''; print '
'; @@ -573,16 +588,16 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { // Action if ($user->rights->produit->creer || $user->rights->service->creer) { - print ''; From b8c0ed13f3bf560f0f7f5c1c2c018f86febcc2a0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 19 Jun 2020 00:25:59 +0200 Subject: [PATCH 4/5] Fix can't find link to generate barcode sheets --- htdocs/barcode/codeinit.php | 8 +++++++- htdocs/barcode/printsheet.php | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/htdocs/barcode/codeinit.php b/htdocs/barcode/codeinit.php index 1bfb1836a39..a75aaa5543d 100644 --- a/htdocs/barcode/codeinit.php +++ b/htdocs/barcode/codeinit.php @@ -193,7 +193,7 @@ llxHeader('', $langs->trans("MassBarcodeInit")); print load_fiche_titre($langs->trans("MassBarcodeInit"), '', 'title_setup.png'); print '
'; -print $langs->trans("MassBarcodeInitDesc").'
'; +print ''.$langs->trans("MassBarcodeInitDesc").'
'; print '
'; //print img_picto('','puce').' '.$langs->trans("PrintsheetForOneBarCode").'
'; @@ -317,6 +317,12 @@ if ($conf->product->enabled || $conf->product->service) } +print load_fiche_titre($langs->trans("BarCodePrintsheet"), '', 'generic'); +print '
'."\n"; +print $langs->trans("ClickHereToGoTo").' : '.$langs->trans("BarCodePrintsheet").''; + + + print ''; print '
'; diff --git a/htdocs/barcode/printsheet.php b/htdocs/barcode/printsheet.php index 5cd988a5bed..cf74a46bb2a 100644 --- a/htdocs/barcode/printsheet.php +++ b/htdocs/barcode/printsheet.php @@ -267,7 +267,7 @@ llxHeader('', $langs->trans("BarCodePrintsheet")); print load_fiche_titre($langs->trans("BarCodePrintsheet"), '', 'barcode'); print '
'; -print $langs->trans("PageToGenerateBarCodeSheets", $langs->transnoentitiesnoconv("BuildPageToPrint")).'
'; +print ''.$langs->trans("PageToGenerateBarCodeSheets", $langs->transnoentitiesnoconv("BuildPageToPrint")).'
'; print '
'; dol_htmloutput_errors($mesg); From 22ca5e067189bffe8066df26df923a386f044c08 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 19 Jun 2020 00:39:27 +0200 Subject: [PATCH 5/5] Fix XSS reported by C. Weiler in notice.php --- htdocs/public/notice.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/htdocs/public/notice.php b/htdocs/public/notice.php index 43344c376aa..9663bff3cf0 100644 --- a/htdocs/public/notice.php +++ b/htdocs/public/notice.php @@ -41,9 +41,8 @@ if (! GETPOST('transkey', 'alphanohtml') && ! GETPOST('transphrase', 'alphanohtm } else { - $langs->load("error"); - $langs->load("other"); + $langs->loadLangs(array("error", "other")); - if (GETPOST('transphrase', 'alphanohtml')) print GETPOST('transphrase', 'alphanohtml'); - if (GETPOST('transkey', 'alphanohtml')) print $langs->trans(GETPOST('transkey', 'alphanohtml')); + if (GETPOST('transphrase', 'alphanohtml')) print dol_escape_htmltag(GETPOST('transphrase', 'alphanohtml')); + elseif (GETPOST('transkey', 'alphanohtml')) print dol_escape_htmltag($langs->trans(GETPOST('transkey', 'alphanohtml'))); }
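Review bot: Turning the two independent `if` statements into `if … elseif …` changes behaviour beyond the escaping fix: a request carrying both `transphrase` and `transkey` used to print both values and now prints only the phrase, which is reasonable but is not mentioned in the commit message and deserves a line such as `// Only one value is rendered; transphrase takes precedence over transkey`. Escaping at output is the right fix, since the `alphanohtml` filter on input does not guarantee safety in the HTML context, and `dol_escape_htmltag()` on the printed value is what closes the injection. One thing to confirm before merging: `$langs->trans()` appears to entity-encode its result (the file elsewhere uses `transnoentitiesnoconv` for the unencoded form), so wrapping it in `dol_escape_htmltag()` may double-encode characters such as `&` in translated strings. The `if`/`else` that encloses this hunk starts before its first line.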
'; - print 'id.'&prodid='.$line->fk_product.'">'; + print ''; + print 'id.'&prodid='.$line->fk_product.'">'; print img_info(); print ''; print ' '; - print 'id.'&lineid='.$line->id.'">'; + print 'id.'&lineid='.$line->id.'">'; print img_edit('default', 0, 'style="vertical-align: middle;"'); print ''; print ' '; - print 'id.'&lineid='.$line->id.'">'; + print 'id.'&lineid='.$line->id.'">'; print img_delete('default', 'style="vertical-align: middle;"'); print ''; print '