From f871ade5452630ad12bab6608eb53e18fcdb870e Mon Sep 17 00:00:00 2001 From: Florian Mortgat Date: Mon, 7 Dec 2020 15:15:41 +0100 Subject: [PATCH 1/3] FIX 12.0 - the stringent XSS prodection provided by 'alphanohtml' causes problems with some clients who used basic tags (bold, italic, underline) in product labels. Using 'restricthtml' instead could be a good compromise. --- htdocs/product/card.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 8b4654ba921..8659e5bcc23 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -201,7 +201,7 @@ if (empty($reshook)) { $error = 0; - if (!GETPOST('label', 'alphanohtml')) + if (!GETPOST('label', 'restricthtml')) { setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentities('Label')), null, 'errors'); $action = "create"; @@ -225,7 +225,7 @@ if (empty($reshook)) $units = GETPOST('units', 'int'); $object->ref = $ref; - $object->label = GETPOST('label', 'alphanohtml'); + $object->label = GETPOST('label', 'restricthtml'); $object->price_base_type = GETPOST('price_base_type', 'aZ09'); if ($object->price_base_type == 'TTC') @@ -406,7 +406,7 @@ if (empty($reshook)) $object->oldcopy = clone $object; $object->ref = $ref; - $object->label = GETPOST('label', 'alphanohtml'); + $object->label = GETPOST('label', 'restricthtml'); $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none')); $object->url = GETPOST('url'); if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB)) @@ -1005,7 +1005,7 @@ else print ''; // Label - print ''.$langs->trans("Label").''; + print ''.$langs->trans("Label").''; // On sell print ''.$langs->trans("Status").' ('.$langs->trans("Sell").')'; From 617c9f7ea93a30714c70238958a63cb1933c6592 Mon Sep 17 00:00:00 2001 From: Florian Mortgat Date: Tue, 8 Dec 2020 09:30:31 +0100 Subject: [PATCH 2/3] FIX: enable HTML in product labels depending on conf MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML --- htdocs/product/card.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 8659e5bcc23..d6f62b34769 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -86,6 +86,9 @@ $accountancy_code_buy = GETPOST('accountancy_code_buy', 'alpha'); $accountancy_code_buy_intra = GETPOST('accountancy_code_buy_intra', 'alpha'); $accountancy_code_buy_export = GETPOST('accountancy_code_buy_export', 'alpha'); +// by default 'alphanohtml' (better security); hidden conf MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML allows basic html +$label_security_check = empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML) ? 'alphanohtml' : 'restricthtml'; + if (!empty($user->socid)) $socid = $user->socid; $object = new Product($db); @@ -201,7 +204,7 @@ if (empty($reshook)) { $error = 0; - if (!GETPOST('label', 'restricthtml')) + if (!GETPOST('label', $label_security_check)) { setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentities('Label')), null, 'errors'); $action = "create"; @@ -225,7 +228,7 @@ if (empty($reshook)) $units = GETPOST('units', 'int'); $object->ref = $ref; - $object->label = GETPOST('label', 'restricthtml'); + $object->label = GETPOST('label', $label_security_check); $object->price_base_type = GETPOST('price_base_type', 'aZ09'); if ($object->price_base_type == 'TTC') @@ -406,7 +409,7 @@ if (empty($reshook)) $object->oldcopy = clone $object; $object->ref = $ref; - $object->label = GETPOST('label', 'restricthtml'); + $object->label = GETPOST('label', $label_security_check); $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none')); $object->url = GETPOST('url'); if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB)) @@ -1005,7 +1008,7 @@ else print ''; // Label - print ''.$langs->trans("Label").''; + print ''.$langs->trans("Label").''; // On sell print ''.$langs->trans("Status").' ('.$langs->trans("Sell").')'; From 75b8794d72d529e219434a1554805c4715f89228 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 8 Dec 2020 22:23:24 +0100 Subject: [PATCH 3/3] Fix column must be NULL --- htdocs/install/mysql/migration/11.0.0-12.0.0.sql | 3 +++ 1 file changed, 3 insertions(+) diff --git a/htdocs/install/mysql/migration/11.0.0-12.0.0.sql b/htdocs/install/mysql/migration/11.0.0-12.0.0.sql index fddfb8c8097..425e47d3251 100644 --- a/htdocs/install/mysql/migration/11.0.0-12.0.0.sql +++ b/htdocs/install/mysql/migration/11.0.0-12.0.0.sql @@ -341,6 +341,9 @@ ALTER TABLE llx_expedition ADD COLUMN billed smallint DEFAULT 0; ALTER TABLE llx_commande_fournisseurdet ADD INDEX idx_commande_fournisseurdet_fk_commande (fk_commande); ALTER TABLE llx_commande_fournisseurdet ADD INDEX idx_commande_fournisseurdet_fk_product (fk_product); + +-- VMYSQL4.3 ALTER TABLE llx_c_shipment_mode MODIFY COLUMN tracking varchar(255) NULL; + INSERT INTO llx_c_shipment_mode (rowid,code,libelle,description,tracking,active) VALUES (9,'INPERSON', 'In person at your site', NULL, NULL, 0); INSERT INTO llx_c_shipment_mode (rowid,code,libelle,description,tracking,active) VALUES (10,'FEDEX', 'Fedex', NULL, 'https://www.fedex.com/apps/fedextrack/index.html?tracknumbers={TRACKID}', 0); INSERT INTO llx_c_shipment_mode (rowid,code,libelle,description,tracking,active) VALUES (11,'TNT', 'TNT', NULL, 'https://www.tnt.com/express/fr_fr/site/outils-expedition/suivi.html?searchType=con&cons=={TRACKID}', 0);