diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 89e3a9ea00d8c91fce422e929d86a127e3fd9297..ab75fce37e6eeb33b0402f7fc86a1bec215868af 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -380,7 +380,7 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 	            break;
 	        case 'aZ09':
 	            $out=trim($out);
-	            if (preg_match('/[^a-z0-9_]+/i',$out)) $out='';
+	            if (preg_match('/[^a-z0-9_\-]+/i',$out)) $out='';
 	            break;
 	        case 'array':
 	            if (! is_array($out) || empty($out)) $out=array();
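Review bot: The `aZ09` case now also accepts `-`, but nothing beside the pattern says so and the check name still suggests letters, digits and underscore only. A short comment above the `preg_match`, such as `// Accept only letters, digits, underscore and hyphen; anything else empties the value`, would stop callers from assuming the narrower set. Every existing caller of this check inherits the wider set, so any caller that relied on the value never containing or starting with a hyphen should be re-checked. GETPOST starts and ends outside the hunk, so its docblock, if it lists the check types, presumably needs the same update.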
@@ -3104,7 +3104,7 @@ function dol_print_error($db='',$error='',$errors=null)
 		if ($_SERVER['DOCUMENT_ROOT'])  // Mode web
 		{
 			$out.="<b>".$langs->trans("DatabaseTypeManager").":</b> ".$db->type."<br>\n";
-			$out.="<b>".$langs->trans("RequestLastAccessInError").":</b> ".($db->lastqueryerror()?$db->lastqueryerror():$langs->trans("ErrorNoRequestInError"))."<br>\n";
+			$out.="<b>".$langs->trans("RequestLastAccessInError").":</b> ".($db->lastqueryerror()?dol_escape_htmltag($db->lastqueryerror()):$langs->trans("ErrorNoRequestInError"))."<br>\n";
 			$out.="<b>".$langs->trans("ReturnCodeLastAccessInError").":</b> ".($db->lasterrno()?$db->lasterrno():$langs->trans("ErrorNoRequestInError"))."<br>\n";
 			$out.="<b>".$langs->trans("InformationLastAccessInError").":</b> ".($db->lasterror()?$db->lasterror():$langs->trans("ErrorNoRequestInError"))."<br>\n";
 			$out.="<br>\n";
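Review bot: Only `lastqueryerror()` is escaped in the web branch; `lasterror()` two lines below is still concatenated raw. Database drivers typically repeat part of the failing statement in that message, so request-derived text may still reach the HTML page. Wrapping it the same way, `dol_escape_htmltag($db->lasterror())`, would close that gap, and the same wrapper on `lasterrno()` would keep the lines consistent. The next hunk applies the same HTML escaping in the CLI branch, where the output is plain text and entities would only garble the logged query, so the raw value looks more appropriate there. The commented-out alternative in that hunk reads `$db->lastqueryerror` without call parentheses, and a recipe for switching the escaping off is better kept in developer documentation than in the source. `dol_print_error` starts and ends outside both hunks.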
@@ -3112,7 +3112,9 @@ function dol_print_error($db='',$error='',$errors=null)
 		else                            // Mode CLI
 		{
 			$out.='> '.$langs->transnoentities("DatabaseTypeManager").":\n".$db->type."\n";
-			$out.='> '.$langs->transnoentities("RequestLastAccessInError").":\n".($db->lastqueryerror()?$db->lastqueryerror():$langs->trans("ErrorNoRequestInError"))."\n";
+			$out.='> '.$langs->transnoentities("RequestLastAccessInError").":\n".($db->lastqueryerror()?dol_escape_htmltag($db->lastqueryerror()):$langs->trans("ErrorNoRequestInError"))."\n";
+			// To make detection of xss vulnerabilities or sql injection easier with a scanner, replace line with this one:
+			//$out.='> '.$langs->transnoentities("RequestLastAccessInError").":\n".($db->lastqueryerror()?$db->lastqueryerror:$langs->trans("ErrorNoRequestInError"))."\n";
 			$out.='> '.$langs->transnoentities("ReturnCodeLastAccessInError").":\n".($db->lasterrno()?$db->lasterrno():$langs->trans("ErrorNoRequestInError"))."\n";
 			$out.='> '.$langs->transnoentities("InformationLastAccessInError").":\n".($db->lasterror()?$db->lasterror():$langs->trans("ErrorNoRequestInError"))."\n";
 
diff --git a/htdocs/index.php b/htdocs/index.php
index 1431f73ca7d878f71707f5504b0ef456e423921d..5ab2fa68cd4d737b0734e785de7f20eb28233af9 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -55,10 +55,10 @@ if (count($conf->modules) <= (empty($conf->global->MAIN_MIN_NB_ENABLED_MODULE_FO
 if (GETPOST('addbox'))	// Add box (when submit is done from a form when ajax disabled)
 {
 	require_once DOL_DOCUMENT_ROOT.'/core/class/infobox.class.php';
-	$zone=GETPOST('areacode');
-	$userid=GETPOST('userid');
-	$boxorder=GETPOST('boxorder');
-	$boxorder.=GETPOST('boxcombo');
+	$zone=GETPOST('areacode', 'aZ09');
+	$userid=GETPOST('userid', 'int');
+	$boxorder=GETPOST('boxorder', 'aZ09');
+	$boxorder.=GETPOST('boxcombo', 'aZ09');
 
 	$result=InfoBox::saveboxorder($db,$zone,$boxorder,$userid);
 	if ($result > 0) setEventMessages($langs->trans("BoxAdded"), null);
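Review bot: `userid` is now type-checked, but it is still taken from the request and handed straight to `InfoBox::saveboxorder()`. Nothing visible in this hunk ties it to the logged-in account, so one user may be able to overwrite another user's box layout unless `saveboxorder()` checks this itself. If that is not intended, a guard before the call, such as `if ($userid != $user->id) accessforbidden();`, or simply ignoring the posted value in favour of the session user, would close it. It is also worth confirming that the stored `boxorder` format contains only characters `aZ09` lets through, since the filter blanks the whole value on any other character. The `if (GETPOST('addbox'))` block continues past the end of the hunk.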
diff --git a/htdocs/langs/en_US/agenda.lang b/htdocs/langs/en_US/agenda.lang
index 2b1b6bafb3ae5fd89db9aa031c55f0386ed32298..9e7af7b0d064aa8fee503979e7264cf58ad6365e 100644
--- a/htdocs/langs/en_US/agenda.lang
+++ b/htdocs/langs/en_US/agenda.lang
@@ -76,6 +76,7 @@ ProposalDeleted=Proposal deleted
 OrderDeleted=Order deleted
 InvoiceDeleted=Invoice deleted
 ##### End agenda events #####
+AgendaModelModule=Document templates for event
 DateActionStart=Start date
 DateActionEnd=End date
 AgendaUrlOptions1=You can also add following parameters to filter output:
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 00714e7bfabca40bf31f29bfff227142c77b65e8..288a15c317edcaa85afa05ca75d8293a025ca957 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -147,7 +147,9 @@ class SecurityTest extends PHPUnit_Framework_TestCase
 		$_GET["param2"]='a/b#e(pr)qq-rr\cc';
         $_GET["param3"]='"a/b#e(pr)qq-rr\cc';    // Same than param2 + "
         $_GET["param4"]='../dir';
-
+        $_GET["param5"]="a_1-b";
+        
+        // Test int
         $result=GETPOST('id','int');              // Must return nothing
         print __METHOD__." result=".$result."\n";
         $this->assertEquals($result,'');
@@ -160,6 +162,7 @@ class SecurityTest extends PHPUnit_Framework_TestCase
         print __METHOD__." result=".$result."\n";
         $this->assertEquals($result,333);
 
+        // Test alpha
         $result=GETPOST("param2",'alpha');
         print __METHOD__." result=".$result."\n";
         $this->assertEquals($result,$_GET["param2"]);
@@ -172,6 +175,27 @@ class SecurityTest extends PHPUnit_Framework_TestCase
         print __METHOD__." result=".$result."\n";
         $this->assertEquals($result,'');
 
+        // Test aZ09
+        $result=GETPOST("param1",'aZ09');  // Must return '' as there is a forbidden char ../
+        print __METHOD__." result=".$result."\n";
+        $this->assertEquals($result,$_GET["param1"]);
+        
+        $result=GETPOST("param2",'aZ09');  // Must return '' as there is a forbidden char ../
+        print __METHOD__." result=".$result."\n";
+        $this->assertEquals($result,'');
+        
+        $result=GETPOST("param3",'aZ09');  // Must return '' as there is a forbidden char ../
+        print __METHOD__." result=".$result."\n";
+        $this->assertEquals($result,'');
+        
+        $result=GETPOST("param4",'aZ09');  // Must return '' as there is a forbidden char ../
+        print __METHOD__." result=".$result."\n";
+        $this->assertEquals($result,'');
+        
+        $result=GETPOST("param5",'aZ09');
+        print __METHOD__." result=".$result."\n";
+        $this->assertEquals($result,$_GET["param5"]);
+
         return $result;
     }
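Review bot: The comment on the first `aZ09` case says the call must return '' while the assertion below it expects the value back unchanged (`$_GET["param1"]`). The same comment was copied onto the param2 and param3 cases, whose values contain `/`, `#`, `(` and `\` rather than `../`. I would write `// Must return the value unchanged, param1 has only allowed chars` for the first case (param1 is set outside the visible hunks, so confirm) and `// Must return '' as there are forbidden chars` for param2 and param3. A case with a leading hyphen and one with an empty value would pin the edges of the widened pattern. The test method starts outside the hunk.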