diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php
index ce75d83505a..df72e1bde04 100644
--- a/htdocs/admin/company.php
+++ b/htdocs/admin/company.php
@@ -95,15 +95,15 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha'))
 dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM", GETPOST("nom", 'nohtml'), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADDRESS", GETPOST("MAIN_INFO_SOCIETE_ADDRESS", 'nohtml'), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("MAIN_INFO_SOCIETE_TOWN", 'nohtml'), 'chaine', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("MAIN_INFO_SOCIETE_ZIP", 'alpha'), 'chaine', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code", 'alpha'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("MAIN_INFO_SOCIETE_ZIP", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency", 'aZ09'), 'chaine', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel", 'alpha'), 'chaine', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax", 'alpha'), 'chaine', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail", 'alpha'), 'chaine', 0, '', $conf->entity);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web", 'alpha'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, 
"MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'none'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode", 'alpha'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode", 'alphanohtml'), 'chaine', 0, '', $conf->entity); $dirforimage = $conf->mycompany->dir_output.'/logos/'; diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index eed7f40910c..baeac243ce0 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php @@ -40,7 +40,7 @@ $update=GETPOST('update', 'alpha'); $delete=GETPOST('delete', 'none'); // Do not use alpha here $debug=GETPOST('debug', 'int'); $consts=GETPOST('const', 'array'); -$constname=GETPOST('constname', 'alpha'); +$constname=GETPOST('constname', 'alphanohtml'); $constvalue=GETPOST('constvalue', 'none'); // We shoul dbe able to send everything here $constnote=GETPOST('constnote', 'alpha'); diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php index 29043720dee..d6981448ea6 100644 --- a/htdocs/admin/defaultvalues.php +++ b/htdocs/admin/defaultvalues.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2017-2020 Laurent Destailleur * Copyright (C) 2017-2018 Regis Houssin * * This program is free software; you can redistribute it and/or modify 
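Review bot: `MAIN_INFO_SOCIETE_NOTE` is still stored from `GETPOST("note", 'none')` on the context line directly after the rewritten block, so it is the one company field in this hunk that reaches `dolibarr_set_const` with no filtering at all while every sibling field was tightened to 'alphanohtml'. If the note is meant to carry HTML, Dolibarr's 'restricthtml' check (assuming this version already has it) keeps the markup while dropping active content, otherwise 'nohtml' as used for `MAIN_INFO_SOCIETE_NOM` is the consistent choice: `dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'restricthtml'), 'chaine', 0, '', $conf->entity);`. Whichever filter is chosen, the page that renders the note back to the admin has to escape or sanitize it on output, and that path is not visible in this hunk. The enclosing `if ($action == 'update' ...)` block starts and ends outside the hunk.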
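Review bot: `$constnote=GETPOST('constnote', 'alpha');` two lines below the change keeps the old 'alpha' filter even though it is the same kind of free-text admin field as `constname`, which this hunk moves to 'alphanohtml'; `$constnote=GETPOST('constnote', 'alphanohtml');` keeps the two consistent. `$constvalue` stays 'none' by design (the comment says everything must be accepted), which means the stored value is exactly what was posted and the list and edit views must escape it on output; that output code is outside this hunk. The comment on that line also carries a typo, `// We shoul dbe able to send everything here` should read `// We should be able to send everything here`.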
@@ -52,15 +52,15 @@ $pagenext = $page + 1; if (!$sortfield) $sortfield = 'page,param'; if (!$sortorder) $sortorder = 'ASC'; -$defaulturl = GETPOST('defaulturl'); -$defaultkey = GETPOST('defaultkey', 'alpha'); -$defaultvalue = GETPOST('defaultvalue'); +$defaulturl = GETPOST('defaulturl', 'alphanohtml'); +$defaultkey = GETPOST('defaultkey', 'alphanohtml'); +$defaultvalue = GETPOST('defaultvalue', 'none'); $defaulturl = preg_replace('/^\//', '', $defaulturl); -$urlpage = GETPOST('urlpage'); -$key = GETPOST('key'); -$value = GETPOST('value'); +$urlpage = GETPOST('urlpage', 'alphanohtml'); +$key = GETPOST('key', 'alphanohtml'); +$value = GETPOST('value', 'none'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('admindefaultvalues', 'globaladmin')); @@ -210,9 +210,9 @@ print load_fiche_titre($langs->trans("DefaultValues"), $enabledisablehtml, 'titl print ''.$langs->trans("DefaultValuesDesc")."
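Review bot: `$defaulturl` now goes through 'alphanohtml', but the normalization on the next line, `$defaulturl = preg_replace('/^\//', '', $defaulturl);`, strips only a single leading slash, so a posted value beginning with `//` (a constructed example) is stored with one slash left and may not match the relative page it was meant to describe; `$defaulturl = ltrim($defaulturl, '/');` removes every leading slash. `$defaultvalue` and `$value` are read with 'none', i.e. unfiltered, which is presumably intentional because a default value may be arbitrary text, but it makes escaping on the output side the only protection for these two. The list display in the @@ -378 hunk of this file does escape `$obj->value`; the edit-form branch printed on its `else` line is not visible in this view.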
\n"; print "
\n"; -if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage; -if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; -if ($optioncss != '') $param .= '&optioncss='.$optioncss; +if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage); +if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); +if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss); if ($defaulturl) $param .= '&defaulturl='.urlencode($defaulturl); if ($defaultkey) $param .= '&defaultkey='.urlencode($defaultkey); if ($defaultvalue) $param .= '&defaultvalue='.urlencode($defaultvalue); @@ -359,7 +359,7 @@ if ($result) // Page print ''; - if ($action != 'edit' || GETPOST('rowid') != $obj->rowid) print $obj->page; + if ($action != 'edit' || GETPOST('rowid', 'int') != $obj->rowid) print $obj->page; else print ''; print ''."\n"; @@ -378,7 +378,7 @@ if ($result) print ''; print ''; */ - if ($action != 'edit' || GETPOST('rowid') != $obj->rowid) print $obj->value; + if ($action != 'edit' || GETPOST('rowid') != $obj->rowid) print dol_escape_htmltag($obj->value); else print ''; print ''; } diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php index 5e98d7c5503..c641be11a59 100644 --- a/htdocs/admin/translation.php +++ b/htdocs/admin/translation.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2007-2020 Laurent Destailleur * Copyright (C) 2009-2017 Regis Houssin * Copyright (C) 2017 Frédéric France * 
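Review bot: The three rewritten lines now `urlencode` what is appended to `$param`, which is the right fix for the query string; the conditions around them still use loose comparison, `$optioncss != ''` and `$contextpage != $_SERVER["PHP_SELF"]`, where `$optioncss !== ''` is the strict form now that the values are known to be strings. The context lines below, `if ($defaultvalue) $param .= ...`, test truthiness, so a default value of `'0'` silently disappears from the pagination links; `if ($defaultvalue !== '')` keeps it, assuming GETPOST returns `''` for an absent parameter as it does by default. The same urlencode change with the same loose comparisons appears in htdocs/admin/translation.php (hunk @@ -231,9).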
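Review bot: `print $obj->page;` on the rewritten line still echoes the stored page path without escaping, while the parallel line for `$obj->value` in the @@ -378 hunk of this file now wraps it in `dol_escape_htmltag`; `page` is presumably populated from `$defaulturl`, which is filtered with 'alphanohtml' but not escaped for an HTML context, so the same treatment is warranted: `if ($action != 'edit' || GETPOST('rowid', 'int') != $obj->rowid) print dol_escape_htmltag($obj->page);`. The `!=` against a database-sourced `$obj->rowid` is what makes the int-versus-string comparison work here; `(int) $obj->rowid` with `!==` would make that explicit. The `if ($result)` loop enclosing this line starts and ends outside the hunk.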
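Review bot: `GETPOST('rowid')` on the rewritten line is still read without the 'int' check that the sibling test in the @@ -359 hunk of this file just gained, so the two edit-mode tests for the same row now differ; `if ($action != 'edit' || GETPOST('rowid', 'int') != $obj->rowid) print dol_escape_htmltag($obj->value);` aligns them. The `else print '';` branch on the following line had its markup stripped in this view, so whether the edit input escapes `$obj->value` for the attribute context cannot be verified from the hunk.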
@@ -35,9 +35,9 @@ if (!$user->admin) accessforbidden(); $id = GETPOST('rowid', 'int'); $action = GETPOST('action', 'alpha'); -$langcode = GETPOST('langcode', 'alpha'); -$transkey = GETPOST('transkey', 'alpha'); -$transvalue = GETPOST('transvalue', 'alpha'); +$langcode = GETPOST('langcode', 'alphanohtml'); +$transkey = GETPOST('transkey', 'alphanohtml'); +$transvalue = GETPOST('transvalue', 'none'); $mode = GETPOST('mode', 'aZ09') ?GETPOST('mode', 'aZ09') : 'overwrite'; @@ -190,7 +190,6 @@ if ($action == 'delete') - /* * View */ @@ -231,9 +230,9 @@ print ''.$form->textwithpicto($langs->trans("Current print '
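Review bot: `$langcode` holds a language code of the form `xx_XX`, so the 'aZ09' filter already applied to `$mode` on the line below would be a tighter fit than 'alphanohtml', provided that filter accepts the underscore in this version of GETPOST (worth confirming): `$langcode = GETPOST('langcode', 'aZ09');`. Loosening `$transvalue` from 'alpha' to 'none' is coherent with translations needing arbitrary text, but it moves all protection to the output side; the list display in the @@ -348 hunk of this file escapes `$obj->transvalue` with `dol_escape_htmltag`, while the edit input in that same hunk is not visible in this view and should be checked for attribute escaping as well.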
'; -if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage; -if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit; -if ($optioncss != '') $param.='&optioncss='.$optioncss; +if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage); +if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit); +if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss); if ($langcode) $param.='&langcode='.urlencode($langcode); if ($transkey) $param.='&transkey='.urlencode($transkey); if ($transvalue) $param.='&transvalue='.urlencode($transvalue); @@ -348,11 +347,11 @@ if ($mode == 'overwrite') */ if ($action == 'edit' && $obj->rowid == GETPOST('rowid', 'int')) { - print ''; + print ''; } else { - print $obj->transvalue; + print dol_escape_htmltag($obj->transvalue); } print '';