From abe736c6a6080589fe03d6f7026af0a5b1c7561a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 18 Jun 2017 19:42:59 +0200
Subject: [PATCH] Escape hml tags
---
htdocs/admin/tools/index.php | 2 +-
htdocs/bookmarks/bookmarks.lib.php | 2 +-
htdocs/core/ajax/ajaxdirpreview.php | 2 +-
htdocs/core/ajax/bankconciliate.php | 2 +-
htdocs/core/ajax/box.php | 2 +-
htdocs/core/ajax/constantonoff.php | 2 +-
htdocs/core/ajax/contacts.php | 8 ++++----
htdocs/core/ajax/extraparams.php | 18 +++++++++---------
htdocs/core/ajax/loadinplace.php | 2 +-
htdocs/core/ajax/objectonoff.php | 2 +-
htdocs/core/ajax/price.php | 2 +-
htdocs/core/ajax/row.php | 6 +++---
htdocs/core/ajax/saveinplace.php | 2 +-
htdocs/core/ajax/security.php | 6 +++---
htdocs/core/ajax/vatrates.php | 2 +-
htdocs/core/ajax/ziptown.php | 2 +-
htdocs/core/class/html.formother.class.php | 4 ++--
htdocs/core/lib/functions.lib.php | 7 ++-----
htdocs/core/lib/security2.lib.php | 6 +-----
htdocs/core/tpl/ajax/fileupload_main.tpl.php | 2 +-
htdocs/core/tpl/login.tpl.php | 6 +++++-
htdocs/core/tpl/passwordforgotten.tpl.php | 7 +++++--
htdocs/ecm/ajax/ecmdatabase.php | 2 +-
htdocs/expensereport/ajax/ajaxprojet.php | 2 +-
htdocs/externalsite/frames.php | 4 ++--
htdocs/fourn/ajax/getSupplierPrices.php | 18 +++++++++---------
htdocs/holiday/list.php | 12 ++++++------
htdocs/main.inc.php | 11 ++++++-----
htdocs/product/ajax/products.php | 2 +-
htdocs/product/stats/card.php | 2 +-
htdocs/public/paybox/paymentko.php | 2 +-
htdocs/public/paybox/paymentok.php | 2 +-
htdocs/public/paypal/paymentko.php | 6 +++---
htdocs/public/paypal/paymentok.php | 2 +-
htdocs/societe/ajax/company.php | 4 ++--
htdocs/societe/ajaxcompanies.php | 2 +-
htdocs/societe/ajaxcountries.php | 2 +-
htdocs/user/passwordforgotten.php | 3 ---
38 files changed, 84 insertions(+), 86 deletions(-)
diff --git a/htdocs/admin/tools/index.php b/htdocs/admin/tools/index.php
index 8da041d05da..b8dfad44e8f 100644
--- a/htdocs/admin/tools/index.php
+++ b/htdocs/admin/tools/index.php
@@ -38,7 +38,7 @@ if (! $user->admin)
$form = new Form($db);
$title=$langs->trans("SystemToolsArea");
-if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools");
+if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools");
llxHeader('', $title);
diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php
index 3cee534e797..e6d3125abed 100644
--- a/htdocs/bookmarks/bookmarks.lib.php
+++ b/htdocs/bookmarks/bookmarks.lib.php
@@ -40,7 +40,7 @@ function printBookmarksList($aDb, $aLangs)
$langs->load("bookmarks");
- $url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:'');
+ $url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');
$ret = '';
// Menu bookmark
diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php
index 28f78e22ef4..bbc7647c802 100644
--- a/htdocs/core/ajax/ajaxdirpreview.php
+++ b/htdocs/core/ajax/ajaxdirpreview.php
@@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir))
}
print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
-print '<!-- Page called with mode='.(isset($mode)?$mode:'').' type='.$type.' module='.$module.' url='.$url.' '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
$param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:'');
diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php
index 3a8a3e30687..76ab3045f93 100644
--- a/htdocs/core/ajax/bankconciliate.php
+++ b/htdocs/core/ajax/bankconciliate.php
@@ -45,7 +45,7 @@ $action=GETPOST('action');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext')
{
diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php
index 63f96a0c513..106822f998b 100644
--- a/htdocs/core/ajax/box.php
+++ b/htdocs/core/ajax/box.php
@@ -50,7 +50,7 @@ $userid=GETPOST('userid','int');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Add a box
if ($boxid > 0 && $zone !='' && $userid > 0)
diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php
index 331a5e87513..f79753260d7 100644
--- a/htdocs/core/ajax/constantonoff.php
+++ b/htdocs/core/ajax/constantonoff.php
@@ -45,7 +45,7 @@ $name=GETPOST('name','alpha');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (! empty($action) && ! empty($name))
diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php
index c3788a8baeb..1c7c7a56e4b 100644
--- a/htdocs/core/ajax/contacts.php
+++ b/htdocs/core/ajax/contacts.php
@@ -41,20 +41,20 @@ $showempty = GETPOST('showempty','int');
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($id) && ! empty($action) && ! empty($htmlname))
{
$form = new Form($db);
-
+
$return=array();
if (empty($showempty)) $showempty=0;
-
+
$return['value'] = $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true);
$return['num'] = $form->num;
$return['error'] = $form->error;
-
+
echo json_encode($return);
}
diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php
index 510ef8a1cf8..f8a636e52a5 100644
--- a/htdocs/core/ajax/extraparams.php
+++ b/htdocs/core/ajax/extraparams.php
@@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha');
top_httphead();
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
{
$value = GETPOST('value','alpha');
$params=array();
-
+
dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG);
-
+
$classpath = $subelement = $element;
-
+
// For compatibility
if ($element == 'order' || $element == 'commande') { $classpath = $subelement = 'commande'; }
else if ($element == 'propal') { $classpath = 'comm/propal'; $subelement = 'propal'; }
@@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
else if ($element == 'deplacement') { $classpath = 'compta/deplacement'; $subelement = 'deplacement'; }
else if ($element == 'order_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.commande'; }
else if ($element == 'invoice_supplier') { $classpath = 'fourn'; $subelement = 'fournisseur.facture'; }
-
+
dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php');
-
+
if ($element == 'order_supplier') { $classname = 'CommandeFournisseur'; }
else if ($element == 'invoice_supplier') { $classname = 'FactureFournisseur'; }
else $classname = ucfirst($subelement);
-
+
$object = new $classname($db);
$object->fetch($id);
-
+
$params[$htmlelement] = array($type => $value);
$object->extraparams = array_merge($object->extraparams, $params);
-
+
$result=$object->setExtraParameters();
}
diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php
index de3a4e57d19..7e9e541c768 100644
--- a/htdocs/core/ajax/loadinplace.php
+++ b/htdocs/core/ajax/loadinplace.php
@@ -41,7 +41,7 @@ $fk_element = GETPOST('fk_element','alpha');
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element))
diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php
index 6ac5abd3bbb..37173ed9943 100644
--- a/htdocs/core/ajax/objectonoff.php
+++ b/htdocs/core/ajax/objectonoff.php
@@ -42,7 +42,7 @@ $object = new GenericObject($db);
top_httphead();
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering new values
if (($action == 'set') && ! empty($id))
diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php
index 5c891df14d5..d4a101fb497 100644
--- a/htdocs/core/ajax/price.php
+++ b/htdocs/core/ajax/price.php
@@ -39,7 +39,7 @@ $tva_tx = str_replace('*','',GETPOST('tva_tx','alpha'));
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($output) && isset($amount) && isset($tva_tx))
diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php
index 41d411f01fd..827ee92d525 100644
--- a/htdocs/core/ajax/row.php
+++ b/htdocs/core/ajax/row.php
@@ -17,8 +17,8 @@
/**
* \file htdocs/core/ajax/row.php
- * \brief File to return Ajax response on Row move.
- * This ajax page is called when doing an up or down drag and drop.
+ * \brief File to return Ajax response on Row move.
+ * This ajax page is called when doing an up or down drag and drop.
*/
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal
@@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
top_httphead();
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line']))
diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php
index 48797dd0432..eb04379a778 100644
--- a/htdocs/core/ajax/saveinplace.php
+++ b/htdocs/core/ajax/saveinplace.php
@@ -54,7 +54,7 @@ savemethodname:
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
//print_r($_POST);
// Load original field value
diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php
index 28a53a87679..cc7335618d0 100644
--- a/htdocs/core/ajax/security.php
+++ b/htdocs/core/ajax/security.php
@@ -17,8 +17,8 @@
/**
* \file htdocs/core/ajax/security.php
- * \brief This ajax component is used to generated has keys for security purposes
- * like key to use into URL to protect them.
+ * \brief This ajax component is used to generated has keys for security purposes
+ * like key to use into URL to protect them.
*/
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal
@@ -38,7 +38,7 @@ require '../../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Registering the location of boxes
if (isset($_GET['action']) && ! empty($_GET['action']))
diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php
index fc30a13afec..ac9691bfa25 100644
--- a/htdocs/core/ajax/vatrates.php
+++ b/htdocs/core/ajax/vatrates.php
@@ -41,7 +41,7 @@ $productid = (GETPOST('productid','int')?GETPOST('productid','int'):0);
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (! empty($id) && ! empty($action) && ! empty($htmlname))
diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php
index 30e0211ece1..9fa475039d9 100644
--- a/htdocs/core/ajax/ziptown.php
+++ b/htdocs/core/ajax/ziptown.php
@@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
//var_dump($_GET);
diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php
index 98720d335b9..1771b6f7a4c 100644
--- a/htdocs/core/class/html.formother.class.php
+++ b/htdocs/core/class/html.formother.class.php
@@ -1062,7 +1062,7 @@ class FormOther
async: false
});
// We force reload to be sure to get all boxes into list
- window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\';
+ window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\';
}
else
{
@@ -1084,7 +1084,7 @@ class FormOther
url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\',
async: false
});
- window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid;
+ window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid;
}
});';
if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 97ce3c4f698..f9f9c8557ee 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -289,9 +289,6 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
case 'intcomma':
if (preg_match('/[^0-9,]+/i',$out)) $out='';
break;
- case 'intcomma':
- if (preg_match('/[^0-9,]+/i',$out)) $out='';
- break;
case 'alpha':
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
@@ -2931,8 +2928,8 @@ function dol_print_error($db='',$error='',$errors=null)
$out.="<b>".$langs->trans("Referer").":</b> ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."<br>\n";
$out.="<b>".$langs->trans("MenuManager").":</b> ".(isset($conf->standard_menu)?$conf->standard_menu:'')."<br>\n";
$out.="<br>\n";
- $syslog.="url=".$_SERVER["REQUEST_URI"];
- $syslog.=", query_string=".$_SERVER["QUERY_STRING"];
+ $syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]);
+ $syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]);
}
else // Mode CLI
{
diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php
index fc05e2c9194..8c16ae8309a 100644
--- a/htdocs/core/lib/security2.lib.php
+++ b/htdocs/core/lib/security2.lib.php
@@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc)
$dol_url_root = DOL_URL_ROOT;
- $php_self = $_SERVER['PHP_SELF'];
- $php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
- if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
-
// Title
$appli=constant('DOL_APPLICATION_TITLE');
$title=$appli.' '.DOL_VERSION;
@@ -422,7 +418,7 @@ function encodedecode_dbpassconf($level=0)
fflush($fp);
fclose($fp);
clearstatcache();
-
+
// It's config file, so we set read permission for creator only.
// Should set permission to web user and groups for users used by batch
//@chmod($file, octdec('0600'));
diff --git a/htdocs/core/tpl/ajax/fileupload_main.tpl.php b/htdocs/core/tpl/ajax/fileupload_main.tpl.php
index b7437af4616..034e9ebc3fc 100644
--- a/htdocs/core/tpl/ajax/fileupload_main.tpl.php
+++ b/htdocs/core/tpl/ajax/fileupload_main.tpl.php
@@ -45,7 +45,7 @@ $(function () {
// Events
$('#fileupload').fileupload({
stop: function (e, data) {
- location.href='<?php echo $_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"]; ?>';
+ location.href='<?php echo dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]); ?>';
},
destroy: function (e, data) {
var that = $(this).data('fileupload');
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index 3772b44c9fc..608e508d717 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
// If we force to use jmobile, then we reenable javascript
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
+$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
+$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
+if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
+
// Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
$arrayofjs=array(
'/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)),
@@ -80,7 +84,7 @@ $(document).ready(function () {
<tr class="vmenu"><td class="center">
<?php
if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
-echo dol_escape_htmltag($title);
+echo dol_escape_htmltag($title);
if ($disablenofollow) echo '</a>';
?>
</td></tr>
diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php
index b641627b789..c05916d55a7 100644
--- a/htdocs/core/tpl/passwordforgotten.tpl.php
+++ b/htdocs/core/tpl/passwordforgotten.tpl.php
@@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
// If we force to use jmobile, then we reenable javascript
if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
+$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
+$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
+
print top_htmlhead('',$langs->trans('SendNewPassword'));
?>
<!-- BEGIN PHP TEMPLATE PASSWORDFORGOTTEN.TPL.PHP -->
@@ -94,7 +97,7 @@ if (! empty($hookmanager->resArray['options'])) {
}
?>
-<?php if ($captcha) {
+<?php if ($captcha) {
// Add a variable param to force not using cache (jmobile)
$php_self = preg_replace('/[&\?]time=(\d+)/','',$php_self); // Remove param time
if (preg_match('/\?/',$php_self)) $php_self.='&time='.dol_print_date(dol_now(),'dayhourlog');
@@ -129,7 +132,7 @@ if (! empty($hookmanager->resArray['options'])) {
<div id="login_line2" style="clear: both">
<!-- Button Send password -->
-<br><input id="password" type="submit" <?php echo $disabled; ?> class="button" name="password" value="<?php echo $langs->trans('SendNewPassword'); ?>" tabindex="4" />
+<br><input type="submit" <?php echo $disabled; ?> class="button" name="password" value="<?php echo $langs->trans('SendNewPassword'); ?>" tabindex="4" />
<br>
<div align="center" style="margin-top: 8px;">
diff --git a/htdocs/ecm/ajax/ecmdatabase.php b/htdocs/ecm/ajax/ecmdatabase.php
index ac3a45d5683..6753a4299b0 100644
--- a/htdocs/ecm/ajax/ecmdatabase.php
+++ b/htdocs/ecm/ajax/ecmdatabase.php
@@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha');
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
// Load original field value
if (isset($action) && ! empty($action))
diff --git a/htdocs/expensereport/ajax/ajaxprojet.php b/htdocs/expensereport/ajax/ajaxprojet.php
index 6b9dd7e062f..423677c5da5 100644
--- a/htdocs/expensereport/ajax/ajaxprojet.php
+++ b/htdocs/expensereport/ajax/ajaxprojet.php
@@ -46,7 +46,7 @@ require '../../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_GET));
diff --git a/htdocs/externalsite/frames.php b/htdocs/externalsite/frames.php
index adf9d547073..6005b8e55b6 100644
--- a/htdocs/externalsite/frames.php
+++ b/htdocs/externalsite/frames.php
@@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL))
llxFooter();
}
-$mainmenu=GETPOST('mainmenu', 'alpha');
-$leftmenu=GETPOST('leftmenu', 'alpha');
+$mainmenu=GETPOST('mainmenu', "aZ09");
+$leftmenu=GETPOST('leftmenu', "aZ09");
$idmenu=GETPOST('idmenu', 'int');
$theme=GETPOST('theme', 'alpha');
$codelang=GETPOST('lang', 'aZ09');
diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php
index af3d728dc78..9a8c24c4eba 100644
--- a/htdocs/fourn/ajax/getSupplierPrices.php
+++ b/htdocs/fourn/ajax/getSupplierPrices.php
@@ -46,7 +46,7 @@ $langs->load('margins');
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
if ($idprod > 0)
{
@@ -55,7 +55,7 @@ if ($idprod > 0)
$sorttouse = 's.nom, pfp.quantity, pfp.price';
if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price';
-
+
$productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse); // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list.
if ( is_array($productSupplierArray))
{
@@ -63,15 +63,15 @@ if ($idprod > 0)
{
$price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100);
$unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100);
-
+
$title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - ';
-
+
if ($productSupplier->fourn_qty == 1)
{
$title.= price($price,0,$langs,0,0,-1,$conf->currency)."/";
}
$title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units"));
-
+
if ($productSupplier->fourn_qty > 1)
{
$title.=" - ";
@@ -84,19 +84,19 @@ if ($idprod > 0)
$title.= price($productSupplier->fourn_unitcharges,0,$langs,0,0,-1,$conf->currency);
$price += $productSupplier->fourn_unitcharges;
}
-
+
$label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')';
-
+
$prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title); // For price field, we must use price2num(), for label or title, price()
}
}
-
+
// Add price for costprice
$price=$producttmp->cost_price;
$prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency)); // For price field, we must use price2num(), for label or title, price()
- if(!empty($conf->stock->enabled))
+ if(!empty($conf->stock->enabled))
{
// Add price for pmp
$price=$producttmp->pmp;
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index 1ab8fbd785f..9523d489256 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -66,7 +66,7 @@ $year_end = GETPOST('year_end');
$search_employe = GETPOST('search_employe');
$search_valideur = GETPOST('search_valideur');
$search_statut = GETPOST('select_statut');
-$type = GETPOST('type','int');
+$type = GETPOST('type','int');
// List of fields to search into when doing a "search in all"
$fieldstosearchall = array(
@@ -82,7 +82,7 @@ $fieldstosearchall = array(
* Actions
*/
-if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // Both test are required to be compatible with all browsers
+if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // All tests are required to be compatible with all browsers
{
$search_ref="";
$month_create="";
@@ -168,7 +168,7 @@ if($year_create > 0) {
}
} else {
if($month_create > 0) {
- $filter.= " AND date_format(cp.date_create, '%m') = '$month_create'";
+ $filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'";
}
}
@@ -313,7 +313,7 @@ print '</td>';
// DATE CREATE
print '<td class="liste_titre" align="center">';
-print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.$month_create.'">';
+print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.dol_escape_htmltag($month_create).'">';
$formother->select_year($year_create,'year_create',1, $min_year, 0);
print '</td>';
@@ -409,7 +409,7 @@ if (! empty($holiday->holiday))
$userstatic->login=$infos_CP['user_login'];
$userstatic->statut=$infos_CP['user_statut'];
$userstatic->photo=$infos_CP['user_photo'];
-
+
// Valideur
$approbatorstatic->id=$infos_CP['fk_validator'];
$approbatorstatic->lastname=$infos_CP['validator_lastname'];
@@ -417,7 +417,7 @@ if (! empty($holiday->holiday))
$approbatorstatic->login=$infos_CP['validator_login'];
$approbatorstatic->statut=$infos_CP['validator_statut'];
$approbatorstatic->photo=$infos_CP['validator_photo'];
-
+
$date = $infos_CP['date_create'];
print '<tr '.$bc[$var].'>';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 7e52b454f97..2806f2d06a0 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/<script/i', $val);
if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
$sql_inj += preg_match('/base[\s]+href/si', $val);
- $sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
- $sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
+ $sql_inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
+ $sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
+// $sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
if ($type == 1)
{
$sql_inj += preg_match('/javascript:/i', $val);
@@ -1477,14 +1478,14 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
// Link to print main content area
if (empty($conf->global->MAIN_PRINT_DISABLELINK) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && empty($conf->browser->phone))
{
- $qs=$_SERVER["QUERY_STRING"];
+ $qs=dol_escape_htmltag($_SERVER["QUERY_STRING"]);
foreach($_POST as $key=>$value) {
- if($key!=='action' && !is_array($value))$qs.='&'.$key.'='.urlencode($value);
+ if ($key!=='action' && !is_array($value)) $qs.='&'.$key.'='.urlencode($value);
}
$qs.=(($qs && $morequerystring)?'&':'').$morequerystring;
- $text ='<a href="'.$_SERVER["PHP_SELF"].'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
+ $text ='<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
$text.= img_picto(":".$langs->trans("PrintContentArea"), 'printer_top.png', 'class="printer"');
$text.='</a>';
$toprightmenu.=@Form::textwithtooltip('',$langs->trans("PrintContentArea"),2,1,$text,'login_block_elem',2);
diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php
index 15541016963..8015f6f1172 100644
--- a/htdocs/product/ajax/products.php
+++ b/htdocs/product/ajax/products.php
@@ -57,7 +57,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
* View
*/
-// print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+// print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',', $_GET));
// print_r($_GET);
diff --git a/htdocs/product/stats/card.php b/htdocs/product/stats/card.php
index 7272524f9e3..76a4ce02b6e 100644
--- a/htdocs/product/stats/card.php
+++ b/htdocs/product/stats/card.php
@@ -69,7 +69,7 @@ if (! empty($id) || ! empty($ref) || GETPOST('id') == 'all')
{
llxHeader("",$langs->trans("ProductStatistics"));
- $type = GETPOST('type');
+ $type = GETPOST('type', 'intcomma');
$helpurl='';
if ($type == '0')
diff --git a/htdocs/public/paybox/paymentko.php b/htdocs/public/paybox/paymentko.php
index 09de4525b39..e4faf370126 100644
--- a/htdocs/public/paybox/paymentko.php
+++ b/htdocs/public/paybox/paymentko.php
@@ -62,7 +62,7 @@ $langs->load("paypal");
* View
*/
-dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
+dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
diff --git a/htdocs/public/paybox/paymentok.php b/htdocs/public/paybox/paymentok.php
index 9c3030a86ba..bc3993560c6 100644
--- a/htdocs/public/paybox/paymentok.php
+++ b/htdocs/public/paybox/paymentok.php
@@ -70,7 +70,7 @@ if (empty($PAYBOXFULLTAG)) $PAYBOXFULLTAG=GETPOST('fulltag');
* View
*/
-dol_syslog("Callback url when a PayBox payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
+dol_syslog("Callback url when a PayBox payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
diff --git a/htdocs/public/paypal/paymentko.php b/htdocs/public/paypal/paymentko.php
index 4bad572ed8b..c4b98843fa7 100644
--- a/htdocs/public/paypal/paymentko.php
+++ b/htdocs/public/paypal/paymentko.php
@@ -70,7 +70,7 @@ if (empty($PAYPALFULLTAG)) $PAYPALFULLTAG=GETPOST('fulltag');
* View
*/
-dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
+dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
@@ -90,8 +90,8 @@ if (! empty($conf->global->PAYPAL_PAYONLINE_SENDEMAIL))
$FinalPaymentAmt = $_SESSION["Payment_Amount"];
// From env
$ipaddress = $_SESSION['ipaddress'];
-
-
+
+
$sendto=$conf->global->PAYPAL_PAYONLINE_SENDEMAIL;
$from=$conf->global->MAILING_EMAIL_FROM;
diff --git a/htdocs/public/paypal/paymentok.php b/htdocs/public/paypal/paymentok.php
index 90f13aa6f17..8c9e8471195 100644
--- a/htdocs/public/paypal/paymentok.php
+++ b/htdocs/public/paypal/paymentok.php
@@ -100,7 +100,7 @@ if (empty($PAYPALFULLTAG)) $PAYPALFULLTAG=GETPOST('fulltag');
* View
*/
-dol_syslog("Callback url when a PayPal payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
+dol_syslog("Callback url when a PayPal payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
$tracepost = "";
foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php
index 32f57f73c25..36751b709c0 100644
--- a/htdocs/societe/ajax/company.php
+++ b/htdocs/societe/ajax/company.php
@@ -43,7 +43,7 @@ $id=GETPOST('id', 'int');
* View
*/
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',', $_GET));
//print_r($_GET);
@@ -62,7 +62,7 @@ if (! empty($action) && $action == 'fetch' && ! empty($id))
$outlabel = '';
$outdesc = '';
$outtype = $object->type;
-
+
$outjson = array('ref' => $outref,'name' => $outname,'desc' => $outdesc,'type' => $outtype);
}
diff --git a/htdocs/societe/ajaxcompanies.php b/htdocs/societe/ajaxcompanies.php
index b3565a2ca26..0a7ea058ba7 100644
--- a/htdocs/societe/ajaxcompanies.php
+++ b/htdocs/societe/ajaxcompanies.php
@@ -44,7 +44,7 @@ require '../main.inc.php';
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_GET));
diff --git a/htdocs/societe/ajaxcountries.php b/htdocs/societe/ajaxcountries.php
index 7eb22035d6b..b9d1bf5fc8c 100644
--- a/htdocs/societe/ajaxcountries.php
+++ b/htdocs/societe/ajaxcountries.php
@@ -45,7 +45,7 @@ $country=GETPOST('country', 'alpha');
//top_htmlhead("", "", 1); // Replaced with top_httphead. An ajax page does not need html header.
top_httphead();
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
dol_syslog(join(',',$_POST));
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php
index cb38d1c9e49..92144f4be69 100644
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
@@ -152,9 +152,6 @@ if ($action == 'buildnewpassword' && $username)
* View
*/
-$php_self = $_SERVER['PHP_SELF'];
-$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
-
$dol_url_root = DOL_URL_ROOT;
// Title
--
GitLab