diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php
index 6204782b166..b30a61194e0 100644
--- a/htdocs/accountancy/class/bookkeeping.class.php
+++ b/htdocs/accountancy/class/bookkeeping.class.php
@@ -3539,7 +3539,7 @@ class BookKeeping extends CommonObject
  */
 public function newCloneMass($toselect, $code_journal, $docdate)
 {
- global $langs;
+ global $langs, $user;
 $error = 0;
 $this->db->begin();
@@ -3593,22 +3593,55 @@ class BookKeeping extends CommonObject
 if ($bookKeeping->fetch($toselectid)) {
 $code_journal = getDolGlobalString('ACCOUNTING_CLONING_ENABLE_INPUT_JOURNAL') ? $code_journal : $bookKeeping->code_journal;
 $journal_label = getDolGlobalString('ACCOUNTING_CLONING_ENABLE_INPUT_JOURNAL') ? $accountingJournal->label : $bookKeeping->journal_label;
- $sql = "SELECT piece_num, label_operation, numero_compte, label_compte, doc_type, code_journal, fk_user_author, doc_ref, fk_doc, fk_docdet, debit, credit, journal_label, sens, montant ";
- $sql .= "FROM " . MAIN_DB_PREFIX . "accounting_bookkeeping WHERE rowid = " . ((int) $toselectid);
+ $sql = "SELECT piece_num, label_operation, numero_compte, label_compte, subledger_account, subledger_label, doc_type, code_journal, fk_user_author, doc_ref, fk_doc, fk_docdet, debit, credit, journal_label, sens, montant";
+ $sql .= " FROM ".$this->db->prefix()."accounting_bookkeeping WHERE rowid = " . ((int) $toselectid);
 $resql = $this->db->query($sql);
 if ($resql) {
 while ($obj = $this->db->fetch_object($resql)) {
 $docRef = $langs->trans("CloneOf", $obj->doc_ref);
- $sql_insert = "INSERT INTO ".$this->db->prefix()."accounting_bookkeeping";
- $sql_insert .= " (piece_num, label_operation, numero_compte, label_compte, doc_type, code_journal, doc_date,";
- $sql_insert .= " fk_user_author, doc_ref, fk_doc, fk_docdet, debit, credit, journal_label, sens, montant";
+ $sql_insert = "INSERT INTO ".$this->db->prefix()."accounting_bookkeeping (";
+ $sql_insert .= " piece_num";
+ $sql_insert .= ", label_operation";
+ $sql_insert .= ", numero_compte";
+ $sql_insert .= ", label_compte";
+ $sql_insert .= ", subledger_account";
+ $sql_insert .= ", subledger_label";
+ $sql_insert .= ", doc_type";
+ $sql_insert .= ", code_journal";
+ $sql_insert .= ", doc_date";
+ $sql_insert .= ", date_creation";
+ $sql_insert .= ", fk_user_author";
+ $sql_insert .= ", doc_ref";
+ $sql_insert .= ", fk_doc";
+ $sql_insert .= ", fk_docdet";
+ $sql_insert .= ", debit";
+ $sql_insert .= ", credit";
+ $sql_insert .= ", journal_label";
+ $sql_insert .= ", sens";
+ $sql_insert .= ", montant";
 $sql_insert .= ")";
- $sql_insert .= " VALUES (" . ((int) $pieceNumNext) . ", '" . $this->db->escape($obj->label_operation) . "', '" . $this->db->escape($obj->numero_compte) . "',";
- $sql_insert .= " '" . $this->db->escape($obj->label_compte) . "', '" . $this->db->escape($obj->doc_type) . "', '" . $this->db->escape($code_journal) . "', '" . $this->db->idate($docdate)."',";
- $sql_insert .= " '" . $this->db->escape($obj->fk_user_author) . "', '" . $this->db->escape($docRef) . "', " . ((int) $obj->fk_doc) . ", " . ((int) $obj->fk_docdet) . ",";
- $sql_insert .= " " . (float) $obj->debit . ", " . (float) $obj->credit . ", '" . $this->db->escape($journal_label) . "', '" . $this->db->escape($obj->sens) . "', " . (float) $obj->montant;
+ $sql_insert .= " VALUES (";
+ $sql_insert .= $pieceNumNext;
+ $sql_insert .= ", '" . $this->db->escape($obj->label_operation) . "'";
+ $sql_insert .= ", '" . $this->db->escape($obj->numero_compte) . "'";
+ $sql_insert .= ", '" . $this->db->escape($obj->label_compte) . "'";
+ $sql_insert .= ", '" . $this->db->escape($obj->subledger_account) . "'";
+ $sql_insert .= ", '" . $this->db->escape($obj->subledger_label) . "'";
+ $sql_insert .= ", ''";
+ $sql_insert .= ", '" . $this->db->escape($code_journal) . "'";
+ $sql_insert .= ", '" . $this->db->idate($docdate)."'";
+ $sql_insert .= ", '" . $this->db->idate($now)."'";
+ $sql_insert .= ", ".($user->id > 0 ? ((int) $user->id) : "NULL");
+ $sql_insert .= ", '" . $this->db->escape($docRef) . "'";
+ $sql_insert .= ", 0";
+ $sql_insert .= ", 0";
+ $sql_insert .= ", " . (float) $obj->debit;
+ $sql_insert .= ", " . (float) $obj->credit;
+ $sql_insert .= ", '" . $this->db->escape($journal_label) . "'";
+ $sql_insert .= ", '" . $this->db->escape($obj->sens) . "'";
+ $sql_insert .= ", " . (float) $obj->montant;
 $sql_insert .= ")";
 $resqlInsert = $this->db->query($sql_insert);
diff --git a/htdocs/admin/remotestore/class/externalModules.class.php b/htdocs/admin/remotestore/class/externalModules.class.php
index 57a4d062c74..46f0b8c38f3 100644
--- a/htdocs/admin/remotestore/class/externalModules.class.php
+++ b/htdocs/admin/remotestore/class/externalModules.class.php
@@ -997,7 +997,7 @@ class ExternalModules
 // Check if there is a known ID
 $reg = array();
 $id = 0;
- if (!empty($package['dolistore-download']) && preg_match('/www\.dolistore\.com\/product\.php\?id=(\d+)/', $package['dolistore-download'], $reg)) {
+ if (!empty($package['dolistore-download']) && preg_match('/www\.dolistore\.com\/product\.php\?id=(\d+)/', (string) $package['dolistore-download'], $reg)) {
 $id = $reg[1];
 }
diff --git a/htdocs/core/actions_setnotes.inc.php b/htdocs/core/actions_setnotes.inc.php
index ac8c65a0670..c536e383870 100644
--- a/htdocs/core/actions_setnotes.inc.php
+++ b/htdocs/core/actions_setnotes.inc.php
@@ -47,7 +47,9 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel',
 $object->fetch($id); // Fetch may not be already done
 }
- $result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'restricthtml'), ENT_QUOTES | ENT_HTML5, 'UTF-8', 1), '_public');
+ $notePublic = GETPOST('note_public', 'restricthtml');
+
+ $result_update = $object->update_note(dol_html_entity_decode($notePublic, ENT_QUOTES | ENT_HTML5, 'UTF-8', 1), '_public');
 if ($result_update < 0) {
 setEventMessages($object->error, $object->errors, 'errors');
@@ -82,10 +84,6 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel',
 if ($resultGenDoc < 0) {
 setEventMessages($object->error, $object->errors, 'warnings');
 }
-
- if ($result < 0) {
- dol_print_error($db, $object->error, $object->errors);
- }
 }
 }
 } elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) { // Set public note
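Review bot: The `(int)` cast on the piece number is lost in the rewritten VALUES clause — the removed line concatenated `((int) $pieceNumNext)` while the new `$sql_insert .= $pieceNumNext;` appends the variable uncast, so this column no longer has the integer-only guarantee that `fk_doc`/`fk_docdet` and the `WHERE rowid` filter keep; restore it as `$sql_insert .= ((int) $pieceNumNext);`. The new `date_creation` value is built from `$now`, which is not assigned anywhere in this hunk; if it is not set earlier in newCloneMass the inserted creation date will be empty. The SELECT still fetches `doc_type`, `fk_user_author`, `fk_doc` and `fk_docdet` although the insert now writes `''`, the current `$user->id` and `0`, `0` for them, so those columns can be dropped from the query. newCloneMass starts in the previous hunk and continues past this one.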
@@ -97,7 +95,10 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel',
 if (empty($object->id)) {
 $object->fetch($id); // Fetch may not be already done
 }
- $result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5, 'UTF-8', 1), '_private');
+
+ $notePrivate = GETPOST('note_private', 'restricthtml');
+
+ $result = $object->update_note(dol_html_entity_decode($notePrivate, ENT_QUOTES | ENT_HTML5, 'UTF-8', 1), '_private');
 if ($result < 0) {
 setEventMessages($object->error, $object->errors, 'errors');
 }
diff --git a/htdocs/core/boxes/box_last_knowledgerecord.php b/htdocs/core/boxes/box_last_knowledgerecord.php
index 325c8cb8683..41f9f847445 100644
--- a/htdocs/core/boxes/box_last_knowledgerecord.php
+++ b/htdocs/core/boxes/box_last_knowledgerecord.php
@@ -93,7 +93,7 @@ class box_last_knowledgerecord extends ModeleBoxes
 if ($user->hasRight('knowledgemanagement', 'knowledgerecord', 'read')) {
 $sql = 'SELECT k.rowid as id, k.date_creation, k.ref, k.lang, k.question, k.status as status';
 $sql .= " FROM ".MAIN_DB_PREFIX."knowledgemanagement_knowledgerecord as k";
- $sql .= " WHERE k.entity IN (".getEntity('knowledgemanagement').")";
+ $sql .= " WHERE k.entity IN (".getEntity('knowledgerecord').")";
 if ($user->socid) {
 $sql .= " AND k.fk_soc= ".((int) $user->socid);
diff --git a/htdocs/core/boxes/box_last_modified_knowledgerecord.php b/htdocs/core/boxes/box_last_modified_knowledgerecord.php
index a160bf482c4..3e1d48897b6 100644
--- a/htdocs/core/boxes/box_last_modified_knowledgerecord.php
+++ b/htdocs/core/boxes/box_last_modified_knowledgerecord.php
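Review bot: The entity filter key passed to getEntity() changes from `'knowledgemanagement'` to `'knowledgerecord'` here and in the same WHERE line of box_last_modified_knowledgerecord.php; the `k.entity IN (...)` clause is the only multi-entity isolation in these boxes, so the new key must be the one the knowledge record element is registered under, which this hunk cannot show. Please confirm `getEntity('knowledgerecord')` resolves to the same entity list the knowledge record list page uses — if the key is not recognised, the box may list records from other entities than intended, or none at all. A short comment such as `// Same entity key as the KnowledgeRecord element so the box and the list agree` on the changed line would record why the key differs from the module name used in hasRight().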
@@ -94,7 +94,7 @@ class box_last_modified_knowledgerecord extends ModeleBoxes
 $sql = 'SELECT k.rowid as id, k.date_creation, GREATEST(k.tms, kef.tms) as date_modification, k.ref, k.lang, k.question, k.status as status';
 $sql .= " FROM ".MAIN_DB_PREFIX."knowledgemanagement_knowledgerecord as k";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."knowledgemanagement_knowledgerecord_extrafields as kef ON kef.fk_object = k.rowid";
- $sql .= " WHERE k.entity IN (".getEntity('knowledgemanagement').")";
+ $sql .= " WHERE k.entity IN (".getEntity('knowledgerecord').")";
 if ($user->socid) {
 $sql .= " AND k.fk_soc= ".((int) $user->socid);
diff --git a/htdocs/core/boxes/box_last_ticket.php b/htdocs/core/boxes/box_last_ticket.php
index f251cd944bf..0703c3fd652 100644
--- a/htdocs/core/boxes/box_last_ticket.php
+++ b/htdocs/core/boxes/box_last_ticket.php
@@ -83,9 +83,9 @@ class box_last_ticket extends ModeleBoxes
 $sql .= " type.label as type_label, category.label as category_label, severity.label as severity_label,";
 $sql .= " s.nom as company_name, s.email as socemail, s.client, s.fournisseur";
 $sql .= " FROM ".MAIN_DB_PREFIX."ticket as t";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_type as type ON type.code=t.type_code";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_category as category ON category.code=t.category_code";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_severity as severity ON severity.code=t.severity_code";
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_type as type ON type.code = t.type_code AND type.entity = t.entity";
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_category as category ON category.code = t.category_code AND category.entity = t.entity";
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_severity as severity ON severity.code = t.severity_code AND severity.entity = t.entity";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid=t.fk_soc";
 $sql .= " WHERE t.entity IN (".getEntity('ticket').")";
 // $sql.= " AND e.rowid = er.fk_event";
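Review bot: The added `AND type.entity = t.entity` (and the matching conditions on the category and severity joins) requires the dictionary row to live in exactly the ticket's entity; if these dictionaries can be shared across entities, the LEFT JOIN stops matching and `type_label`, `category_label` and `severity_label` come back NULL for tickets outside the dictionary's entity. If sharing is possible, the join should accept the same entity set the dictionary is read with elsewhere rather than strict equality. If the ticket dictionaries are always per-entity, a one-line comment above the first join, e.g. `// Ticket dictionaries are per-entity, so match the ticket's entity as well as the code`, would spare the next reader the same question.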
diff --git a/htdocs/core/class/doleditor.class.php b/htdocs/core/class/doleditor.class.php
index a65a73ff76f..15cf6a59c9d 100644
--- a/htdocs/core/class/doleditor.class.php
+++ b/htdocs/core/class/doleditor.class.php
@@ -207,8 +207,12 @@ class DolEditor
 $fullpage = false;
+ // syntax is [] for attributes and {} for value inside style
 $extraAllowedContent = 'a[target];';
 $extraAllowedContent .= 'section[contenteditable,id];';
+ $extraAllowedContent .= 'table{border-spacing};';
+ $extraAllowedContent .= 'td{padding};';
+ $extraAllowedContent .= 'p{margin-left,margin-right,margin-top,margin-bottom,padding,line-height};';
 $extraAllowedContent .= 'div{background-color,color,display,float,height,margin,margin-top,margin-bottom,padding,padding-left,padding-right,padding-top,padding-bottom,width,border-top-left-radius,border-top-right-radius,border-bottom-left-radius,border-bottom-right-radius,box-shadow}';
 if (is_string($restrictContent)) {
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 367bfceec3f..ebb2580f3b5 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -9201,6 +9201,12 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 do {
 $oldstringtoclean = $out;
+ $outishtml = 0;
+ if (dol_textishtml($out)) {
+ $outishtml = 1;
+ }
+
+ // HTML sanitizer by DOMDocument
 if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML') && $check != 'restricthtmlallowunvalid') {
 try {
 libxml_use_internal_errors(false); // Avoid to fill memory with xml errors
@@ -9217,7 +9223,7 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 // like 'abc' that wrongly ends up, without the trick, with '
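Review bot: The new `table{border-spacing}`, `td{padding}` and `p{margin-left,...,line-height}` entries widen only the editor-side CKEditor content filter; whether those inline styles survive a save depends on the server-side `restricthtml` sanitizer accepting the same properties, which this hunk does not show. Please confirm the two allow-lists agree, otherwise users can apply styles in the editor that are silently stripped on submit, and the client-side list must never be read as the enforcement point. The comment introduced above the block could state that scope, e.g. `// Client-side CKEditor filter only: server-side restricthtml checks remain authoritative for what is stored`.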
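Review bot: The three-line `$outishtml = 0; if (dol_textishtml($out)) { $outishtml = 1; }` reads more directly as `$outishtml = dol_textishtml($out) ? 1 : 0;`, and since the flag is consumed twice later in the same loop pass — once where the removed code called `dol_textishtml($out)` afresh — the reason for caching it deserves a comment, e.g. `// Decide once per pass whether $out is HTML: $out is wrapped/modified below, so the decision must be taken on the content as it entered the pass`. Note that the flag is recomputed on every iteration of the surrounding do-while, which is presumably intended so that a pass that changes the content is re-classified. dol_htmlwithnojs starts before this hunk and continues past it.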

abc

' // Add also a trick to solve utf8 lost. // I don't know what the xml encoding is the trick for - if (dol_textishtml($out)) { + if ($outishtml) { //$out = '
'.$out.'
'; $out = '
' . $out . '
'; //$out = '
'.$out.'
'; @@ -9240,6 +9246,10 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = ' // $out = preg_replace('/^<\?xml encoding="UTF-8">
/', '', $out); // $out = preg_replace('/<\/div>$/', '', $out); // var_dump('rrrrrrrrrrrrrrrrrrrrrrrrrrrrr'.$out); + + if (!$outishtml) { // If $out was not HTML content we made before a dol_nl2br so we must do the opposite operation now + $out = str_replace('
', '', $out);
+ }
 } catch (Exception $e) {
 // If error, invalid HTML string with no way to clean it
 //print $e->getMessage();
@@ -9247,8 +9257,10 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 }
 }
- if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && !in_array($check, array('restricthtmlallowunvalid', 'restricthtmlallowlinkscript'))) {
- // Tidy can't be used for restricthtmlallowunvalid and restricthtmlallowlinkscript
+ // HTML sanitizer by Tidy
+ // Tidy can't be used for restricthtmlallowunvalid and restricthtmlallowlinkscript
+ // Tidy can't be used for non html text content as it is corrupting the new lines fields.
+ if (!empty($out) && getDolGlobalString('MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY') && !in_array($check, array('restricthtmlallowunvalid', 'restricthtmlallowlinkscript')) && $outishtml) {
 // TODO Try to implement a hack for restricthtmlallowlinkscript by renaming tag and