diff --git a/htdocs/adherents/note.php b/htdocs/adherents/note.php index 532dd6e4c59..7e445e41a37 100644 --- a/htdocs/adherents/note.php +++ b/htdocs/adherents/note.php @@ -146,7 +146,7 @@ if ($id) { print ''.$langs->trans("Company").''.dol_escape_htmltag($object->company).''; // Civility - print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().' '; + print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().''; print ''; print ""; diff --git a/htdocs/admin/dolistore/ajax/image.php b/htdocs/admin/dolistore/ajax/image.php index e601da43e06..6beb96a9e66 100644 --- a/htdocs/admin/dolistore/ajax/image.php +++ b/htdocs/admin/dolistore/ajax/image.php @@ -27,14 +27,17 @@ if (!defined('NOTOKENRENEWAL')) { * \ingroup admin * \brief Page des informations dolistore */ + require "../../../main.inc.php"; - -// CORE - -global $lang, $user, $conf; - - require_once DOL_DOCUMENT_ROOT.'/admin/dolistore/class/dolistore.class.php'; + + +/* + * View + */ + +top_httphead('image'); + $dolistore = new Dolistore(); $id_product = GETPOST('id_product', 'int'); @@ -51,7 +54,7 @@ try { ); //echo $url; $request = $api->executeRequest($url, array(CURLOPT_CUSTOMREQUEST => 'GET')); - header('Content-type:image'); + print $request['response']; } catch (PrestaShopWebserviceException $e) { // Here we are dealing with errors diff --git a/htdocs/blockedlog/ajax/authority.php b/htdocs/blockedlog/ajax/authority.php index 78f944f692a..2da0544e0a7 100644 --- a/htdocs/blockedlog/ajax/authority.php +++ b/htdocs/blockedlog/ajax/authority.php @@ -44,6 +44,13 @@ require_once DOL_DOCUMENT_ROOT.'/blockedlog/class/authority.class.php'; $user = new User($db); $user->fetch(1); //TODO conf user authority + +/* + * View + */ + +top_httphead(); + $auth = new BlockedLogAuthority($db); $signature = GETPOST('s'); diff --git a/htdocs/blockedlog/ajax/block-add.php b/htdocs/blockedlog/ajax/block-add.php index 53093f02d18..e2009a01da1 100644 --- a/htdocs/blockedlog/ajax/block-add.php +++ b/htdocs/blockedlog/ajax/block-add.php @@ -42,6 +42,13 @@ $id = GETPOST('id', 'int'); $element = GETPOST('element', 'alpha'); $action = GETPOST('action', 'aZ09'); + +/* + * View + */ + +top_httphead(); + if ($element === 'facture') { require_once DOL_DOCUMENT_ROOT.'/blockedlog/class/blockedlog.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; diff --git a/htdocs/blockedlog/ajax/block-info.php b/htdocs/blockedlog/ajax/block-info.php index e6f9ea0de15..da27b8fc50e 100644 --- a/htdocs/blockedlog/ajax/block-info.php +++ b/htdocs/blockedlog/ajax/block-info.php @@ -54,6 +54,8 @@ $langs->loadLangs(array("admin")); * View */ +top_httphead(); + print '
'; print ''; diff --git a/htdocs/blockedlog/ajax/check_signature.php b/htdocs/blockedlog/ajax/check_signature.php index 4d59b56a981..60a763635c0 100644 --- a/htdocs/blockedlog/ajax/check_signature.php +++ b/htdocs/blockedlog/ajax/check_signature.php @@ -48,6 +48,12 @@ if (empty($conf->global->BLOCKEDLOG_AUTHORITY_URL)) { } +/* + * View + */ + +top_httphead(); + $auth = new BlockedLogAuthority($db); $auth->syncSignatureWithAuthority(); diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php index 9b3f9a27140..4414981b6fb 100644 --- a/htdocs/comm/action/rapport/index.php +++ b/htdocs/comm/action/rapport/index.php @@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; -require_once DOL_DOCUMENT_ROOT.'/core/modules/action/rapport.pdf.php'; +require_once DOL_DOCUMENT_ROOT.'/core/modules/action/rapport.class.php'; // Load translation files required by the page $langs->loadLangs(array("agenda", "commercial")); diff --git a/htdocs/core/ajax/fetchKnowledgeRecord.php b/htdocs/core/ajax/fetchKnowledgeRecord.php index 0182887c225..179d8169465 100644 --- a/htdocs/core/ajax/fetchKnowledgeRecord.php +++ b/htdocs/core/ajax/fetchKnowledgeRecord.php @@ -66,6 +66,8 @@ $lang = GETPOST('lang', 'aZ09'); * View */ +top_httphead('application/json'); + if ($action == "getKnowledgeRecord") { $response = ''; $sql = "SELECT kr.rowid, kr.ref, kr.question, kr.answer,kr.url,ctc.code"; diff --git a/htdocs/core/ajax/fileupload.php b/htdocs/core/ajax/fileupload.php index 0e05036de02..53d65e4ab75 100644 --- a/htdocs/core/ajax/fileupload.php +++ b/htdocs/core/ajax/fileupload.php @@ -50,6 +50,13 @@ $element = GETPOST('element', 'alpha'); $upload_handler = new FileUpload(null, $fk_element, $element); + +/* + * View + */ + +top_httphead(); + header('Pragma: no-cache'); header('Cache-Control: no-store, no-cache, must-revalidate'); header('Content-Disposition: inline; filename="files.json"'); diff --git a/htdocs/core/ajax/onlineSign.php b/htdocs/core/ajax/onlineSign.php index 5f59abea0b5..8f3cb23b396 100644 --- a/htdocs/core/ajax/onlineSign.php +++ b/htdocs/core/ajax/onlineSign.php @@ -91,6 +91,8 @@ if (empty($SECUREKEY) || !dol_verifyHash($securekeyseed.$type.$ref.(!isModEnable * View */ +top_httphead(); + if ($action == "importSignature") { if (!empty($signature) && $signature[0] == "image/png;base64") { $signature = $signature[1]; diff --git a/htdocs/core/ajax/selectsearchbox.php b/htdocs/core/ajax/selectsearchbox.php index 54e3e1e4470..201a4b89991 100644 --- a/htdocs/core/ajax/selectsearchbox.php +++ b/htdocs/core/ajax/selectsearchbox.php @@ -25,6 +25,8 @@ // This script is called with a POST method or as an include. if (!isset($usedbyinclude) || empty($usedbyinclude)) { + top_httphead('application/json'); + if (!defined('NOTOKENRENEWAL')) { define('NOTOKENRENEWAL', 1); // Disables token renewal } diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 838aea25f53..a738bce9004 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -8635,7 +8635,7 @@ class Form print '
'.$langs->trans('Field').''.$langs->trans('Value').'
'; if (!empty($compatibleImportElementsList)) { - $res = @include dol_buildpath('core/tpl/ajax/objectlinked_lineimport.tpl.php'); + $res = @include dol_buildpath('core/tpl/objectlinked_lineimport.tpl.php'); } diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 612e555a6b0..441ddb60255 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -71,7 +71,7 @@ class FormFile * @param Object $object Object to use (when attachment is done on an element) * @param string $options Add an option column * @param integer $useajax Use fileupload ajax (0=never, 1=if enabled, 2=always whatever is option). - * Deprecated 2 should never be used and if 1 is used, option should no be enabled. + * Deprecated 2 should never be used and if 1 is used, option should not be enabled. * @param string $savingdocmask Mask to use to define output filename. For example 'XXXXX-__YYYYMMDD__-__file__' * @param integer $linkfiles 1=Also add form to link files, 0=Do not show form to link files * @param string $htmlname Name and id of HTML form ('formuserfile' by default, 'formuserfileecm' when used to upload a file in ECM) @@ -104,7 +104,8 @@ class FormFile // TODO: This does not support option savingdocmask // TODO: This break feature to upload links too // TODO: Thisdoes not work when param nooutput=1 - return $this->_formAjaxFileUpload($object); + //return $this->_formAjaxFileUpload($object); + return 'Feature too bugged so removed'; } else { //If there is no permission and the option to hide unauthorized actions is enabled, then nothing is printed if (!$perm && !empty($conf->global->MAIN_BUTTON_HIDE_UNAUTHORIZED)) { @@ -1919,37 +1920,6 @@ class FormFile // Fin de zone } - /** - * Show form to upload a new file with jquery fileupload. - * This form use the fileupload.php file. - * - * @param Object $object Object to use - * @return void - */ - private function _formAjaxFileUpload($object) - { - global $langs, $conf; - - // PHP post_max_size - $post_max_size = ini_get('post_max_size'); - $mul_post_max_size = substr($post_max_size, -1); - $mul_post_max_size = ($mul_post_max_size == 'M' ? 1048576 : ($mul_post_max_size == 'K' ? 1024 : ($mul_post_max_size == 'G' ? 1073741824 : 1))); - $post_max_size = $mul_post_max_size * (int) $post_max_size; - // PHP upload_max_filesize - $upload_max_filesize = ini_get('upload_max_filesize'); - $mul_upload_max_filesize = substr($upload_max_filesize, -1); - $mul_upload_max_filesize = ($mul_upload_max_filesize == 'M' ? 1048576 : ($mul_upload_max_filesize == 'K' ? 1024 : ($mul_upload_max_filesize == 'G' ? 1073741824 : 1))); - $upload_max_filesize = $mul_upload_max_filesize * (int) $upload_max_filesize; - // Max file size - $max_file_size = (($post_max_size < $upload_max_filesize) ? $post_max_size : $upload_max_filesize); - - // Include main - include DOL_DOCUMENT_ROOT.'/core/tpl/ajax/fileupload_main.tpl.php'; - - // Include template - include DOL_DOCUMENT_ROOT.'/core/tpl/ajax/fileupload_view.tpl.php'; - } - /** * Show array with linked files * diff --git a/htdocs/core/modules/action/rapport.pdf.php b/htdocs/core/modules/action/rapport.class.php similarity index 99% rename from htdocs/core/modules/action/rapport.pdf.php rename to htdocs/core/modules/action/rapport.class.php index 2b4ec29c880..61579399247 100644 --- a/htdocs/core/modules/action/rapport.pdf.php +++ b/htdocs/core/modules/action/rapport.class.php @@ -19,7 +19,7 @@ */ /** - * \file htdocs/core/modules/action/rapport.pdf.php + * \file htdocs/core/modules/action/rapport.class.php * \ingroup commercial * \brief File to build PDF with events */ diff --git a/htdocs/core/tpl/ajax/fileupload_main.tpl.php b/htdocs/core/tpl/ajax/fileupload_main.tpl.php deleted file mode 100644 index 8be24f7450f..00000000000 --- a/htdocs/core/tpl/ajax/fileupload_main.tpl.php +++ /dev/null @@ -1,96 +0,0 @@ - - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -// Protection to avoid direct call of template -if (empty($conf) || !is_object($conf)) { - print "Error, template page can't be called as URL"; - exit; -} - -?> - - - - diff --git a/htdocs/core/tpl/ajax/fileupload_view.tpl.php b/htdocs/core/tpl/ajax/fileupload_view.tpl.php deleted file mode 100644 index 22f8d687db0..00000000000 --- a/htdocs/core/tpl/ajax/fileupload_view.tpl.php +++ /dev/null @@ -1,147 +0,0 @@ - - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -// Protection to avoid direct call of template -if (empty($conf) || !is_object($conf)) { - print "Error, template page can't be called as URL"; - exit; -} - -?> - - - - -
- - - - -
-
- - - - trans('AddFiles'); ?> - 0) { - print ''; // MAX_FILE_SIZE must precede the field type=file - } - ?> - - - - - -
- -
- - - -
 
-
-
- -
-
- - -
- - - - - - - -
- diff --git a/htdocs/core/tpl/ajax/objectlinked_lineimport.tpl.php b/htdocs/core/tpl/objectlinked_lineimport.tpl.php similarity index 100% rename from htdocs/core/tpl/ajax/objectlinked_lineimport.tpl.php rename to htdocs/core/tpl/objectlinked_lineimport.tpl.php diff --git a/htdocs/mrp/ajax/ajax_bom.php b/htdocs/mrp/ajax/ajax_bom.php index 280a0c98cdd..54bfaf893ab 100644 --- a/htdocs/mrp/ajax/ajax_bom.php +++ b/htdocs/mrp/ajax/ajax_bom.php @@ -46,13 +46,15 @@ require '../../main.inc.php'; // Load $user and permissions require_once DOL_DOCUMENT_ROOT.'/bom/class/bom.class.php'; $idbom = GETPOST('idbom', 'alpha'); -$action = GETPOST('action', 'aZ09'); +//$action = GETPOST('action', 'aZ09'); /* * View */ +top_httphead('application/json'); + $object = new BOM($db); $result = $object->fetch($idbom); if ($result > 0) { diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php index 74fa53dccb8..0e606932ce2 100644 --- a/htdocs/product/ajax/products.php +++ b/htdocs/product/ajax/products.php @@ -79,6 +79,8 @@ if ($action == 'fetch' && !empty($id)) { require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; + top_httphead('application/json'); + $outjson = array(); $object = new Product($db); diff --git a/htdocs/product/inventory/ajax/searchfrombarcode.php b/htdocs/product/inventory/ajax/searchfrombarcode.php index 68ffee43c23..2d29e1d9d2e 100644 --- a/htdocs/product/inventory/ajax/searchfrombarcode.php +++ b/htdocs/product/inventory/ajax/searchfrombarcode.php @@ -58,6 +58,13 @@ $warehousefound = 0; $warehouseid = 0; $objectreturn = array(); + +/* + * View + */ + +top_httphead('application/json'); + if ($action == "existbarcode" && !empty($barcode)) { if (!empty($mode) && $mode == "lotserial") { $sql = "SELECT ps.fk_entrepot, ps.fk_product, p.barcode, ps.reel, pb.batch"; diff --git a/htdocs/salaries/ajax/ajaxsalaries.php b/htdocs/salaries/ajax/ajaxsalaries.php index adea28ee8ce..0e0428b9074 100644 --- a/htdocs/salaries/ajax/ajaxsalaries.php +++ b/htdocs/salaries/ajax/ajaxsalaries.php @@ -52,6 +52,8 @@ restrictedArea($user, 'salaries'); * View */ +top_httphead('application/json'); + $fk_user = GETPOST('fk_user', 'int'); $return_arr = array(); diff --git a/htdocs/stripe/ajax/ajax.php b/htdocs/stripe/ajax/ajax.php index cf6ec53d580..fa5392349eb 100644 --- a/htdocs/stripe/ajax/ajax.php +++ b/htdocs/stripe/ajax/ajax.php @@ -59,6 +59,8 @@ if (empty($user->rights->takepos->run)) { * View */ +top_httphead('application/json'); + if ($action == 'getConnexionToken') { try { // Be sure to authenticate the endpoint for creating connection tokens. diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index dd0e6827ec1..e8631c5b28b 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -198,7 +198,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase || preg_match('/boxes\/box_/', $file['relativename']) || preg_match('/modules\/.*\/doc\/(doc|pdf)_/', $file['relativename']) || preg_match('/modules\/(import|mailings|printing)\//', $file['relativename']) - || in_array($file['name'], array('modules_boxes.php', 'rapport.pdf.php', 'TraceableDB.php'))) { + || in_array($file['name'], array('modules_boxes.php', 'TraceableDB.php'))) { // Check into Class files if (! in_array($file['name'], array( 'api.class.php', @@ -247,6 +247,20 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase } } + // Check we don't miss top_httphead() into any ajax pages + if (preg_match('/ajax\//', $file['relativename'])) { + print "Analyze ajax page ".$file['relativename']."\n"; + $ok=true; + $matches=array(); + preg_match_all('/top_httphead/', $filecontent, $matches, PREG_SET_ORDER); + if (count($matches) == 0) { + $ok=false; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Did not find top_httphead into the ajax page '.$file['relativename']); + //exit; + } + // Check if a var_dump has been forgotten if (!preg_match('/test\/phpunit/', $file['fullname'])) { $ok=true; @@ -463,7 +477,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase foreach ($matches as $key => $val) { //var_dump($val); if (!in_array($val[1], array( - "'replacestring'", "'htmlheader'", "'WEBSITE_HTML_HEADER'", "'WEBSITE_CSS_INLINE'", "'WEBSITE_JS_INLINE'", "'WEBSITE_MANIFEST_JSON'", "'PAGE_CONTENT'", "'WEBSITE_README'", + "'replacestring'", "'htmlheader'", "'WEBSITE_HTML_HEADER'", "'WEBSITE_CSS_INLINE'", "'WEBSITE_JS_INLINE'", "'WEBSITE_MANIFEST_JSON'", "'PAGE_CONTENT'", "'WEBSITE_README'", "'WEBSITE_LICENSE'", '"mysqldump"', '"postgresqldump"', "'db_pass_root'", "'db_pass'", '"pass"', '"pass1"', '"pass2"', '"password"', "'password'", '"MAIN_MAIL_SMTPS_PW"', '"MAIN_MAIL_SMTPS_PW_EMAILING"', '"MAIN_MAIL_SMTPS_PW_TICKET"'))) {