From 0f3a063c91f21aeb104c71a142b6a54e4416b283 Mon Sep 17 00:00:00 2001
From: Norbert Penel
Date: Wed, 5 Dec 2018 15:18:45 +0100
Subject: [PATCH 1/3] Events are not linked to products when created from a product card, the events are not linked to the product
---
 htdocs/product/agenda.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/product/agenda.php b/htdocs/product/agenda.php
index 9eee66664d9..5ef9defc1d4 100644
--- a/htdocs/product/agenda.php
+++ b/htdocs/product/agenda.php
@@ -159,7 +159,7 @@ if ($id > 0 || $ref) if ((! empty($objproduct->id) || ! empty($objcon->id)) && $permok) { //$out.='trans("AddAnAction"),'filenew');
From 699766223f66781c23e9c5c52488be4723ccacc6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 16 Dec 2018 12:59:59 +0100
Subject: [PATCH 2/3] Fix phpcs
---
 htdocs/compta/cashcontrol/class/cashcontrol.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/compta/cashcontrol/class/cashcontrol.class.php b/htdocs/compta/cashcontrol/class/cashcontrol.class.php
index 3d3e97bab6f..d05a99ac709 100644
--- a/htdocs/compta/cashcontrol/class/cashcontrol.class.php
+++ b/htdocs/compta/cashcontrol/class/cashcontrol.class.php
@@ -125,8 +125,8 @@ class CashControl extends CommonObject
 $sql .= ", ".$this->opening;
 $sql .= ", 0"; // Draft by default
 $sql .= ", '".$this->db->idate(dol_now())."'";
- $sql .= ", '".$this->posmodule."'";
- $sql .= ", '".$this->posnumber."'";
+ $sql .= ", '".$this->db->escape($this->posmodule)."'";
+ $sql .= ", '".$this->db->escape($this->posnumber)."'";
 $sql .= ")";
 $this->db->begin();
From cca3b4870a06237a3210c9a6bc90ed58d59e9bd0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 16 Dec 2018 13:36:51 +0100
Subject: [PATCH 3/3] FIX CVE-2018-19799
---
 htdocs/exports/export.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php
index 6d65418be3c..13d28189e95 100644
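Review bot: In the cashcontrol.class.php hunk (patch 2/3), `$this->opening` is still concatenated into the INSERT statement as-is on the context line `$sql .= ", ".$this->opening;`, while the commit escapes only `posmodule` and `posnumber`. Because that value is emitted unquoted, `escape()` alone would not protect it; it needs numeric normalisation, for example `$sql .= ", ".price2num($this->opening);` with Dolibarr's `price2num()`, or an explicit numeric check before the query is built. Whether `opening` is validated earlier cannot be seen here, since the method starts and ends outside the hunk. The subject "Fix phpcs" also understates that this hunk changes SQL escaping, which is worth stating in the commit message.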
--- a/htdocs/exports/export.php
+++ b/htdocs/exports/export.php
@@ -1,5 +1,5 @@
+/* Copyright (C) 2005-2018 Laurent Destailleur
 * Copyright (C) 2005-2012 Regis Houssin
 * Copyright (C) 2012 Marcos GarcĂ­a
 * Copyright (C) 2012 Charles-Fr BENKE
@@ -123,14 +123,14 @@ $entitytolang = array(
 $array_selected=isset($_SESSION["export_selected_fields"])?$_SESSION["export_selected_fields"]:array();
 $array_filtervalue=isset($_SESSION["export_filtered_fields"])?$_SESSION["export_filtered_fields"]:array();
-$datatoexport=GETPOST("datatoexport");
-$action=GETPOST('action', 'alpha');
-$confirm=GETPOST('confirm', 'alpha');
-$step=GETPOST("step")?GETPOST("step"):1;
-$export_name=GETPOST("export_name");
-$hexa=GETPOST("hexa");
-$exportmodelid=GETPOST("exportmodelid");
-$field=GETPOST("field");
+$datatoexport=GETPOST("datatoexport","aZ09");
+$action=GETPOST('action','alpha');
+$confirm=GETPOST('confirm','alpha');
+$step=GETPOST("step","int")?GETPOST("step","int"):1;
+$export_name=GETPOST("export_name","alphanohtml");
+$hexa=GETPOST("hexa","alpha");
+$exportmodelid=GETPOST("exportmodelid","int");
+$field=GETPOST("field","alpa");
 $objexport=new Export($db);
 $objexport->load_arrays($user,$datatoexport);
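Review bot: The last added assignment in the second export.php hunk, `$field=GETPOST("field","alpa");`, names a filter `alpa`, which looks like a typo for `alpha`. The implementation of `GETPOST()` is not part of this patch, so this needs confirming, but if it applies no sanitising for a check name it does not recognise, `field` stays unfiltered in the commit meant to close CVE-2018-19799. The line should read `$field=GETPOST("field","alpha");`. A check that rejects unknown filter names inside `GETPOST()` would make this kind of slip fail loudly instead of silently.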