FIX Debug v17
@@ -399,7 +399,7 @@ if ($resql) {
|
|||||||
}
|
}
|
||||||
print "</select>";
|
print "</select>";
|
||||||
print ajax_combobox("chartofaccounts");
|
print ajax_combobox("chartofaccounts");
|
||||||
print '<input type="'.(empty($conf->use_javascript_ajax) ? 'submit' : 'button').'" class="button button-edit" name="change_chart" id="change_chart" value="'.dol_escape_htmltag($langs->trans("ChangeAndLoad")).'">';
|
print '<input type="'.(empty($conf->use_javascript_ajax) ? 'submit' : 'button').'" class="button button-edit small" name="change_chart" id="change_chart" value="'.dol_escape_htmltag($langs->trans("ChangeAndLoad")).'">';
|
||||||
|
|
||||||
print '<br>';
|
print '<br>';
|
||||||
|
|
||||||
@@ -436,7 +436,7 @@ if ($resql) {
|
|||||||
}
|
}
|
||||||
if (!empty($arrayfields['aa.account_parent']['checked'])) {
|
if (!empty($arrayfields['aa.account_parent']['checked'])) {
|
||||||
print '<td class="liste_titre">';
|
print '<td class="liste_titre">';
|
||||||
print $formaccounting->select_account($search_accountparent, 'search_accountparent', 2);
|
print $formaccounting->select_account($search_accountparent, 'search_accountparent', 2, array(), 0, 0, 'maxwidth150');
|
||||||
print '</td>';
|
print '</td>';
|
||||||
}
|
}
|
||||||
if (!empty($arrayfields['aa.pcg_type']['checked'])) {
|
if (!empty($arrayfields['aa.pcg_type']['checked'])) {
|
||||||
|
|||||||
@@ -110,18 +110,22 @@ print '<table class="border centpercent">';
|
|||||||
// Select the category
|
// Select the category
|
||||||
print '<tr><td class="titlefield">'.$langs->trans("AccountingCategory").'</td>';
|
print '<tr><td class="titlefield">'.$langs->trans("AccountingCategory").'</td>';
|
||||||
print '<td>';
|
print '<td>';
|
||||||
$formaccounting->select_accounting_category($cat_id, 'account_category', 1, 0, 0, 1);
|
$formaccounting->select_accounting_category($cat_id, 'account_category', 1, 0, 0, 0);
|
||||||
print '<input type="submit" class="button" value="'.$langs->trans("Select").'">';
|
print '<input type="submit" class="button small" value="'.$langs->trans("Select").'">';
|
||||||
print '</td></tr>';
|
print '</td></tr>';
|
||||||
|
|
||||||
|
print '</table>';
|
||||||
|
|
||||||
|
print dol_get_fiche_end();
|
||||||
|
|
||||||
|
|
||||||
// Select the accounts
|
// Select the accounts
|
||||||
if (!empty($cat_id)) {
|
if (!empty($cat_id)) {
|
||||||
$return = $accountingcategory->getAccountsWithNoCategory($cat_id);
|
$return = $accountingcategory->getAccountsWithNoCategory($cat_id);
|
||||||
if ($return < 0) {
|
if ($return < 0) {
|
||||||
setEventMessages(null, $accountingcategory->errors, 'errors');
|
setEventMessages(null, $accountingcategory->errors, 'errors');
|
||||||
}
|
}
|
||||||
print '<tr><td>'.$langs->trans("AddAccountFromBookKeepingWithNoCategories").'</td>';
|
print '<br>';
|
||||||
print '<td>';
|
|
||||||
|
|
||||||
$arraykeyvalue = array();
|
$arraykeyvalue = array();
|
||||||
foreach ($accountingcategory->lines_cptbk as $key => $val) {
|
foreach ($accountingcategory->lines_cptbk as $key => $val) {
|
||||||
@@ -130,8 +134,9 @@ if (!empty($cat_id)) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (is_array($accountingcategory->lines_cptbk) && count($accountingcategory->lines_cptbk) > 0) {
|
if (is_array($accountingcategory->lines_cptbk) && count($accountingcategory->lines_cptbk) > 0) {
|
||||||
print $form->multiselectarray('cpt_bk', $arraykeyvalue, GETPOST('cpt_bk', 'array'), null, null, null, null, "90%");
|
print img_picto($langs->trans("AccountingAccount"), 'accounting_account', 'class="pictofixedwith"');
|
||||||
print '<br>';
|
print $form->multiselectarray('cpt_bk', $arraykeyvalue, GETPOST('cpt_bk', 'array'), null, null, '', 0, "80%", '', '', $langs->transnoentitiesnoconv("AddAccountFromBookKeepingWithNoCategories"));
|
||||||
|
//print '<br>';
|
||||||
/*print '<select class="flat minwidth200" size="8" name="cpt_bk[]" multiple>';
|
/*print '<select class="flat minwidth200" size="8" name="cpt_bk[]" multiple>';
|
||||||
foreach ( $accountingcategory->lines_cptbk as $cpt ) {
|
foreach ( $accountingcategory->lines_cptbk as $cpt ) {
|
||||||
print '<option value="' . length_accountg($cpt->numero_compte) . '">' . length_accountg($cpt->numero_compte) . ' (' . $cpt->label_compte . ' ' . $cpt->doc_ref . ')</option>';
|
print '<option value="' . length_accountg($cpt->numero_compte) . '">' . length_accountg($cpt->numero_compte) . ' (' . $cpt->label_compte . ' ' . $cpt->doc_ref . ')</option>';
|
||||||
@@ -139,20 +144,16 @@ if (!empty($cat_id)) {
|
|||||||
print '</select><br>';
|
print '</select><br>';
|
||||||
print ajax_combobox('cpt_bk');
|
print ajax_combobox('cpt_bk');
|
||||||
*/
|
*/
|
||||||
print '<input type="submit" class="button button-add" id="" class="action-delete" value="'.$langs->trans("Add").'"> ';
|
print '<input type="submit" class="button button-add small" id="" class="action-delete" value="'.$langs->trans("Add").'"> ';
|
||||||
}
|
}
|
||||||
print '</td></tr>';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
print '</table>';
|
|
||||||
|
|
||||||
print dol_get_fiche_end();
|
|
||||||
|
|
||||||
print '</form>';
|
print '</form>';
|
||||||
|
|
||||||
|
|
||||||
if ($action == 'display' || $action == 'delete') {
|
if ($action == 'display' || $action == 'delete') {
|
||||||
print "<table class='noborder' width='100%'>\n";
|
print '<br>';
|
||||||
|
print '<table class="noborder centpercent">'."\n";
|
||||||
print '<tr class="liste_titre">';
|
print '<tr class="liste_titre">';
|
||||||
print '<td class="liste_titre">'.$langs->trans("AccountAccounting")."</td>";
|
print '<td class="liste_titre">'.$langs->trans("AccountAccounting")."</td>";
|
||||||
print '<td class="liste_titre" colspan="2">'.$langs->trans("Label")."</td>";
|
print '<td class="liste_titre" colspan="2">'.$langs->trans("Label")."</td>";
|
||||||
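Review bot: The submit button on the new side of the last changed line in this hunk (`print '<input type="submit" class="button button-add small" id="" class="action-delete" ...`) still carries two `class` attributes and an empty `id`; browsers keep only the first `class`, so `action-delete` is never applied. Since the commit already rewrites this line, merge the two (or drop the stray one): `print '<input type="submit" class="button button-add small action-delete" value="'.$langs->trans("Add").'"> ';`, and remove `id=""` unless some script selects on it. The enclosing `if (!empty($cat_id))` block and the form it sits in start outside the hunk.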
@@ -177,6 +178,8 @@ if ($action == 'display' || $action == 'delete') {
|
|||||||
print "</td>";
|
print "</td>";
|
||||||
print "</tr>\n";
|
print "</tr>\n";
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
print '<tr><td colspan="3"><span class="opacitymedium">'.$langs->trans("NoRecordFound").'</span></td></tr>';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -605,7 +605,7 @@ if ($resql) {
|
|||||||
if ($showfield) {
|
if ($showfield) {
|
||||||
if ($value == 'country') {
|
if ($value == 'country') {
|
||||||
print '<td class="liste_titre">';
|
print '<td class="liste_titre">';
|
||||||
print $form->select_country($search_country_id, 'search_country_id', '', 28, 'maxwidth200 maxwidthonsmartphone');
|
print $form->select_country($search_country_id, 'search_country_id', '', 28, 'maxwidth150 maxwidthonsmartphone');
|
||||||
print '</td>';
|
print '</td>';
|
||||||
$filterfound++;
|
$filterfound++;
|
||||||
} else {
|
} else {
|
||||||
@@ -725,11 +725,11 @@ if ($resql) {
|
|||||||
print '<td></td>';
|
print '<td></td>';
|
||||||
print '<td></td>';
|
print '<td></td>';
|
||||||
print '<td class="center">';
|
print '<td class="center">';
|
||||||
|
print '<div name="'.(!empty($obj->rowid) ? $obj->rowid : $obj->code).'"></div>';
|
||||||
print '<input type="hidden" name="page" value="'.$page.'">';
|
print '<input type="hidden" name="page" value="'.$page.'">';
|
||||||
print '<input type="hidden" name="rowid" value="'.$rowid.'">';
|
print '<input type="hidden" name="rowid" value="'.$rowid.'">';
|
||||||
print '<input type="submit" class="button button-edit" name="actionmodify" value="'.$langs->trans("Modify").'">';
|
print '<input type="submit" class="button button-edit smallpaddingimp" name="actionmodify" value="'.$langs->trans("Modify").'">';
|
||||||
print '<div name="'.(!empty($obj->rowid) ? $obj->rowid : $obj->code).'"></div>';
|
print '<input type="submit" class="button button-cancel smallpaddingimp" name="actioncancel" value="'.$langs->trans("Cancel").'">';
|
||||||
print '<input type="submit" class="button button-cancel" name="actioncancel" value="'.$langs->trans("Cancel").'">';
|
|
||||||
print '</td>';
|
print '</td>';
|
||||||
print '<td></td>';
|
print '<td></td>';
|
||||||
} else {
|
} else {
|
||||||
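Review bot: The `<div name="...">` anchor that this hunk moves to the top of the cell still interpolates `$obj->rowid`/`$obj->code` into an attribute without escaping, unlike the `value` attributes elsewhere in this commit that go through `dol_escape_htmltag()`. `rowid` is numeric, but `code` is a dictionary string, so wrapping it keeps the row consistent: `print '<div name="'.dol_escape_htmltag(!empty($obj->rowid) ? $obj->rowid : $obj->code).'"></div>';`. `name` is also not a standard attribute on `div`; if no script selects on it, `id` is the conventional anchor — worth confirming against the JS that uses it. The enclosing edit-row branch starts and ends outside the hunk.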
@@ -887,10 +887,10 @@ function fieldListAccountingCategories($fieldlist, $obj = '', $tabname = '', $co
|
|||||||
if ($context == 'add') {
|
if ($context == 'add') {
|
||||||
$fieldname = 'country_id';
|
$fieldname = 'country_id';
|
||||||
$preselectcountrycode = GETPOSTISSET('country_id') ? GETPOST('country_id', 'int') : $mysoc->country_code;
|
$preselectcountrycode = GETPOSTISSET('country_id') ? GETPOST('country_id', 'int') : $mysoc->country_code;
|
||||||
print $form->select_country($preselectcountrycode, $fieldname, '', 28, 'maxwidth200 maxwidthonsmartphone');
|
print $form->select_country($preselectcountrycode, $fieldname, '', 28, 'maxwidth150 maxwidthonsmartphone');
|
||||||
} else {
|
} else {
|
||||||
$preselectcountrycode = (empty($obj->country_code) ? (empty($obj->country) ? $mysoc->country_code : $obj->country) : $obj->country_code);
|
$preselectcountrycode = (empty($obj->country_code) ? (empty($obj->country) ? $mysoc->country_code : $obj->country) : $obj->country_code);
|
||||||
print $form->select_country($preselectcountrycode, $fieldname, '', 28, 'maxwidth200 maxwidthonsmartphone');
|
print $form->select_country($preselectcountrycode, $fieldname, '', 28, 'maxwidth150 maxwidthonsmartphone');
|
||||||
}
|
}
|
||||||
print '</td>';
|
print '</td>';
|
||||||
} elseif ($fieldlist[$field] == 'country_id') {
|
} elseif ($fieldlist[$field] == 'country_id') {
|
||||||
|
|||||||
@@ -270,12 +270,16 @@ class FormAccounting extends Form
|
|||||||
}
|
}
|
||||||
while ($i < $num) {
|
while ($i < $num) {
|
||||||
$obj = $this->db->fetch_object($resql);
|
$obj = $this->db->fetch_object($resql);
|
||||||
|
|
||||||
|
$titletoshowhtml = ($maxlen ? dol_trunc($obj->type, $maxlen) : $obj->type).($obj->range_account ? ' <span class="opacitymedium">('.$obj->range_account.')</span>' : '');
|
||||||
|
$titletoshow = ($maxlen ? dol_trunc($obj->type, $maxlen) : $obj->type).($obj->range_account ? ' ('.$obj->range_account.')' : '');
|
||||||
|
|
||||||
$out .= '<option value="'.$obj->rowid.'"';
|
$out .= '<option value="'.$obj->rowid.'"';
|
||||||
if ($obj->rowid == $selected) {
|
if ($obj->rowid == $selected) {
|
||||||
$out .= ' selected';
|
$out .= ' selected';
|
||||||
}
|
}
|
||||||
|
$out .= ' data-html="'.dol_escape_htmltag(dol_string_onlythesehtmltags($titletoshowhtml, 1, 1, 0, 0, array('span'))).'"';
|
||||||
$out .= '>';
|
$out .= '>';
|
||||||
$titletoshow = dol_string_nohtmltag(($maxlen ? dol_trunc($obj->type, $maxlen) : $obj->type).' ('.$obj->range_account.')');
|
|
||||||
$out .= dol_escape_htmltag($titletoshow);
|
$out .= dol_escape_htmltag($titletoshow);
|
||||||
$out .= '</option>';
|
$out .= '</option>';
|
||||||
$i++;
|
$i++;
|
||||||
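Review bot: The new `$titletoshowhtml` wraps `$obj->range_account` in `<span class="opacitymedium">` and then passes it through `dol_string_onlythesehtmltags(..., 1, 1, 0, 0, array('span'))`; per that function's docblock the third argument `1` removes the class attribute, so the styling this line adds is presumably stripped again before it reaches `data-html` — confirm which of the two is intended. The DB values `$obj->type` and `$obj->range_account` are also concatenated into the markup raw, so the sanitizer must tell the code's own span apart from whatever is stored in those columns; escaping the two values first (`dol_escape_htmltag()` around each before the concatenation) leaves only code-authored markup for the sanitizer, after which passing `0` for `removeclassattribute` is safe. Check that the outer `dol_escape_htmltag()` on the `data-html` attribute does not then double-encode the already-escaped text. The loop and the enclosing method start and end outside the hunk.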
|
|||||||
@@ -6914,24 +6914,27 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Clean a string to keep only desirable HTML tags.
|
* Clean a string to keep only desirable HTML tags.
|
||||||
* WARNING: This also clean HTML comments (used to obfuscate tag name).
|
* WARNING: This also clean HTML comments (because they can be used to obfuscate tag name).
|
||||||
*
|
*
|
||||||
* @param string $stringtoclean String to clean
|
* @param string $stringtoclean String to clean
|
||||||
* @param int $cleanalsosomestyles Remove absolute/fixed positioning from inline styles
|
* @param int $cleanalsosomestyles Remove absolute/fixed positioning from inline styles
|
||||||
* @param int $removeclassattribute 1=Remove the class attribute from tags
|
* @param int $removeclassattribute 1=Remove the class attribute from tags
|
||||||
* @param int $cleanalsojavascript Remove also occurence of 'javascript:'.
|
* @param int $cleanalsojavascript Remove also occurence of 'javascript:'.
|
||||||
* @param int $allowiframe Allow iframe tags.
|
* @param int $allowiframe Allow iframe tags.
|
||||||
|
* @param array $allowed_tags List of allowed tags to replace the default list
|
||||||
* @return string String cleaned
|
* @return string String cleaned
|
||||||
*
|
*
|
||||||
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
|
* @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
|
||||||
*/
|
*/
|
||||||
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0)
|
function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0, $allowed_tags = array())
|
||||||
{
|
{
|
||||||
|
if (empty($allowed_tags)) {
|
||||||
$allowed_tags = array(
|
$allowed_tags = array(
|
||||||
"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
|
"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
|
||||||
"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6",
|
"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6"
|
||||||
"comment" // this tags is added to manage comment <!--...--> that are replaced into <comment>...</comment>
|
|
||||||
);
|
);
|
||||||
|
}
|
||||||
|
$allowed_tags[] = "comment"; // this tags is added to manage comment <!--...--> that are replaced into <comment>...</comment>
|
||||||
if ($allowiframe) {
|
if ($allowiframe) {
|
||||||
$allowed_tags[] = "iframe";
|
$allowed_tags[] = "iframe";
|
||||||
}
|
}
|
||||||
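Review bot: The new `$allowed_tags` parameter replaces the curated allow-list as given: after the `if (empty($allowed_tags))` block only `comment` and optionally `iframe` are appended, and nothing checks the caller's entries against the tags this function exists to remove, so a list built from anything but a hard-coded constant would undo the sanitizer (the `strip_tags` call further down presumably consumes it via `$allowed_tags_string`, which is built outside the hunk). The docblock should state that, e.g. extend the `@param` line with `Must be a hard-coded list; entries are used as-is and are not filtered against dangerous tags.`, and a type guard before the append avoids a fatal error on a non-array argument: `if (!is_array($allowed_tags)) { $allowed_tags = array(); }`. The edited default-list line still lists `"blockquote"` twice; harmless, but worth dropping while the line is being touched. The function body continues past the hunk.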
@@ -6949,7 +6952,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1,
|
|||||||
$stringtoclean = preg_replace('/:/i', ':', $stringtoclean);
|
$stringtoclean = preg_replace('/:/i', ':', $stringtoclean);
|
||||||
$stringtoclean = preg_replace('/:|�+58|:/i', '', $stringtoclean); // refused string ':' encoded (no reason to have a : encoded like this) to disable 'javascript:...'
|
$stringtoclean = preg_replace('/:|�+58|:/i', '', $stringtoclean); // refused string ':' encoded (no reason to have a : encoded like this) to disable 'javascript:...'
|
||||||
|
|
||||||
$temp = strip_tags($stringtoclean, $allowed_tags_string); // Warning: This remove also undesired </> changing string obfuscated with </> that pass injection detection into harmfull string
|
$temp = strip_tags($stringtoclean, $allowed_tags_string); // Warning: This remove also undesired </>, so may changes string obfuscated with </> that pass the injection detection into a harmfull string
|
||||||
|
|
||||||
if ($cleanalsosomestyles) { // Clean for remaining html tags
|
if ($cleanalsosomestyles) { // Clean for remaining html tags
|
||||||
$temp = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $temp); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless
|
$temp = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $temp); // Note: If hacker try to introduce css comment into string to bypass this regex, the string must also be encoded by the dol_htmlentitiesbr during output so it become harmless
|
||||||
|
|||||||