diff --git a/htdocs/admin/agenda_xcal.php b/htdocs/admin/agenda_xcal.php
index 0e66125ba7c585bd18be64ee365cd1b21eca3d33..1895eb5b15d7c88140264e7f62da137fb5488cd9 100644
--- a/htdocs/admin/agenda_xcal.php
+++ b/htdocs/admin/agenda_xcal.php
@@ -97,7 +97,7 @@ print "<td>".$langs->trans("Value")."</td>";
 print "<td> </td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print '<td class="fieldrequired">'.$langs->trans("PasswordTogetVCalExport")."</td>";
 print '<td><input required="required" type="text" class="flat" id="MAIN_AGENDA_XCAL_EXPORTKEY" name="MAIN_AGENDA_XCAL_EXPORTKEY" value="' . (GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha')?GETPOST('MAIN_AGENDA_XCAL_EXPORTKEY','alpha'):$conf->global->MAIN_AGENDA_XCAL_EXPORTKEY) . '" size="40">';
 if (! empty($conf->use_javascript_ajax))
@@ -106,13 +106,13 @@ print '</td>';
 print "<td> </td>";
 print "</tr>";
-print "<tr ".$bc[true].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("PastDelayVCalExport")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_PAST_DELAY\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha')?GETPOST('MAIN_AGENDA_EXPORT_PAST_DELAY','alpha'):$conf->global->MAIN_AGENDA_EXPORT_PAST_DELAY) . "\" size=\"10\"> ".$langs->trans("days")."</td>";
 print "<td> </td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
+print '<tr class="oddeven">';
 print "<td>".$langs->trans("UseACacheDelay")."</td>";
 print "<td><input type=\"text\" class=\"flat\" name=\"MAIN_AGENDA_EXPORT_CACHE\" value=\"". (GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha')?GETPOST('MAIN_AGENDA_EXPORT_CACHE','alpha'):$conf->global->MAIN_AGENDA_EXPORT_CACHE) . "\" size=\"10\"></td>";
 print "<td> </td>";
@@ -128,8 +128,8 @@ print '<tr class="liste_titre">';
 print '<td width="25%">'.$langs->trans("Parameter")."</td>";
 print "<td>".$langs->trans("Value")."</td>";
 print "</tr>";
-print "<tr ".$bc[false].">";
-print '<td class="fieldrequired">'.$langs->trans("FixTZ")."</td>";
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("FixTZ")."</td>";
 print "<td>";
 print '<input class="flat" type="text" size="4" name="AGENDA_EXPORT_FIX_TZ" value="'.$conf->global->AGENDA_EXPORT_FIX_TZ.'">';
 print ' '.$langs->trans("FillThisOnlyIfRequired");
diff --git a/htdocs/cashdesk/affIndex.php b/htdocs/cashdesk/affIndex.php
index 6b1d13f719fe90458e60b475c5db9bd24b6d5c7d..b5432b94eec7e6fbae5e32b6a98b261292989adb 100644
--- a/htdocs/cashdesk/affIndex.php
+++ b/htdocs/cashdesk/affIndex.php
@@ -45,9 +45,6 @@ $langs->load("cashdesk");
 $form = new Form($db);
-//header("Content-type: text/html; charset=UTF-8");
-//header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
 $arrayofjs=array();
 $arrayofcss=array('/cashdesk/css/style.css');
diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php
index 8d4ebf8af31c282c5693f558d7a7119e688158c7..3046644c35e94976a15912c74a6fb23dde457cc1 100644
--- a/htdocs/cashdesk/facturation_dhtml.php
+++ b/htdocs/cashdesk/facturation_dhtml.php
@@ -39,8 +39,7 @@ if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
 require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/cashdesk/include/environnement.php';
-//header("Content-type: text/html; charset=UTF-8");
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+top_httphead('text/html');
 $search = GETPOST("code", "alpha");
diff --git a/htdocs/cashdesk/tpl/ticket.tpl.php b/htdocs/cashdesk/tpl/ticket.tpl.php
index 40be470c429916101756780430e7cb3b8a838b12..82b84ba3b56c10be0e9bd48b16be913b886ff1a3 100644
--- a/htdocs/cashdesk/tpl/ticket.tpl.php
+++ b/htdocs/cashdesk/tpl/ticket.tpl.php
@@ -20,7 +20,8 @@ include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
 $langs->load("main");
 $langs->load('cashdesk');
-header("Content-type: text/html; charset=".$conf->file->character_set_client);
+
+top_httphead('text/html');
 $facid=GETPOST('facid','int');
 $object=new Facture($db);
diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php
index fa3edd7a4be98c99a5af55ea61c3f41c5357f7a0..332626fbabd6f35d46558630763df40d9fa374f7 100644
--- a/htdocs/core/ajax/check_notifications.php
+++ b/htdocs/core/ajax/check_notifications.php
@@ -24,6 +24,13 @@ if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1');
 require '../../main.inc.php';
+
+ /*
+ * View
+ */
+
+ top_httphead('text/html'); // TODO Use a json mime type
+
 global $user, $db, $langs, $conf;
 $time = (int) GETPOST('time'); // Use the time parameter that is always increased by time_update, even if call is late
diff --git a/htdocs/core/antispamimage.php b/htdocs/core/antispamimage.php
index a16844dd715b82a7953490cff16b46a11574288e..816763eeaf5904baa4af83847d7d3df2afa5348d 100644
--- a/htdocs/core/antispamimage.php
+++ b/htdocs/core/antispamimage.php
@@ -58,7 +58,8 @@ if (empty($img))
 exit;
 }
-header("Content-type: image/png");
+// Define mime type
+top_httphead('image/png');
 $background_color = imagecolorallocate($img, 250, 250, 250);
 $ecriture_color = imagecolorallocate($img, 0, 0, 0);
diff --git a/htdocs/core/js/datepicker.js.php b/htdocs/core/js/datepicker.js.php
index 02666409fc38bd825b0d1d475c7e9ef4053dff84..50c140f6f82ad331ee19044e343c976990e1ffa9 100644
--- a/htdocs/core/js/datepicker.js.php
+++ b/htdocs/core/js/datepicker.js.php
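Review bot: The added `top_httphead('text/html')` in check_notifications.php serves this AJAX endpoint as HTML even though the TODO on the same line says the body is meant to be JSON; now that `top_httphead()` takes an arbitrary type there is no reason to defer it, so `top_httphead('application/json');` can replace the line in this commit. With `text/html`, any user-controlled string that reaches the response body is rendered by a browser that opens the URL directly, whereas `application/json` together with the `nosniff` header that `top_httphead()` now emits makes the response inert. Whether the body is in fact valid JSON cannot be confirmed from the hunk, since the output code lies outside it.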
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php
index 8909f446812243a82f1ca2ef5713ad51c6fdd387..e604f3281f9c098a0f9f92e8b9f7f3976cfbc395 100644
--- a/htdocs/core/js/lib_head.js.php
+++ b/htdocs/core/js/lib_head.js.php
@@ -39,7 +39,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php
index a3b90a35db6b46022673685dbc49dedab50af994..b640f4cc81b03f64942deb45157bab7f6b5842a7 100644
--- a/htdocs/core/js/lib_notification.js.php
+++ b/htdocs/core/js/lib_notification.js.php
@@ -33,21 +33,22 @@ if (! ($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root . '/' || $_SERVER['H
 {
 global $langs, $conf;
- // Define javascript type
- header('Content-type: text/javascript; charset=UTF-8');
-
+ top_httphead('text/javascript; charset=UTF-8');
+
 $nowtime = time();
 //$nowtimeprevious = floor($nowtime / 60) * 60; // auto_check_events_not_before is rounded to previous minute
 // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when.
+ /* session already started into main
 session_cache_limiter(FALSE);
 header('Cache-Control: no-cache');
- session_start();
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
+ session_start();*/
 if (! isset($_SESSION['auto_check_events_not_before']))
 {
 print 'console.log("_SESSION[auto_check_events_not_before] is not set");'."\n";
 // Round to eliminate the seconds
- $_SESSION['auto_check_events_not_before'] = $nowtime; // auto_check_events_not_before is rounded to previous minute
+ $_SESSION['auto_check_events_not_before'] = $nowtime;
 }
 print 'var nowtime = ' . $nowtime . ';' . "\n";
 print 'var login = \'' . $_SESSION['dol_login'] . '\';' . "\n";
diff --git a/htdocs/core/js/select2_locale.js.php b/htdocs/core/js/select2_locale.js.php
index 31c6a91bc7439360bd2e7b887e39cc6a13caeaaa..aa62b5a0ec14a187085f92fc93ebd55b28fd4147 100644
--- a/htdocs/core/js/select2_locale.js.php
+++ b/htdocs/core/js/select2_locale.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
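Review bot: The new `/* session already started into main ... */` block in lib_notification.js.php also swallows the context lines `session_cache_limiter(FALSE);` and `header('Cache-Control: no-cache');`, so a script that prints the per-user `$_SESSION['dol_login']` into JavaScript is no longer marked uncacheable and a shared cache could replay one user's value to another. Keep the cache directive live, e.g. `header('Cache-Control: no-cache');` directly after the new `top_httphead()` call, and let the comment cover only the `session_*` calls. The `session_set_cookie_params(...)` line inside the comment is dead text; since the comment itself says the session is started by main.inc.php, drop it rather than keep commented-out code. The enclosing `if` block starts before the hunk.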
diff --git a/htdocs/core/js/timepicker.js.php b/htdocs/core/js/timepicker.js.php
index cc33a5a39337fa23876b32f1bd54c0aba86b7950..8342ac9e3acedd7cd4da3295835b8c196cdf7bd1 100644
--- a/htdocs/core/js/timepicker.js.php
+++ b/htdocs/core/js/timepicker.js.php
@@ -37,7 +37,7 @@ session_cache_limiter(FALSE);
 require_once '../../main.inc.php';
 // Define javascript type
-header('Content-type: text/javascript; charset=UTF-8');
+top_httphead('text/javascript; charset=UTF-8');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e3c6cb7d5cd0718d32d28cee5d295f68eb39be8e..8dbc705c5b24119c17b5e95a245c7741e8141d32 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -400,11 +400,11 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 /**
- * Return a prefix to use for this Dolibarr instance for session or cookie names.
+ * Return a prefix to use for this Dolibarr instance, for session/cookie names or email id.
 * This prefix is unique for instance and avoid conflict between multi-instances,
- * even when having two instances with one root dir or two instances in virtual servers
+ * even when having two instances with one root dir or two instances in virtual servers.
 *
- * @param string $mode '' or 'email'
+ * @param string $mode '' (prefix for session name) or 'email' (prefix for email id)
 * @return string A calculated prefix
 */
 function dol_getprefix($mode='')
diff --git a/htdocs/document.php b/htdocs/document.php
index 02eb7193675312b9d15c1240c204f9478059c87f..4e4f18826efdeb29c07820bb030a9a7a60187cba 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -170,9 +170,9 @@ if (! file_exists($original_file_osencoded))
 }
 // Permissions are ok and file found, so we return it
+top_httphead($type);
 header('Content-Description: File Transfer');
 if ($encoding) header('Content-Encoding: '.$encoding);
-if ($type) header('Content-Type: '.$type.(preg_match('/text/',$type)?'; charset="'.$conf->file->character_set_client:''));
 // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open)
 if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"');
 else header('Content-Disposition: inline; filename="'.$filename.'"');
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 840fa709ddf765068408483557ffce8b3ebd371c..6da4125a56ce081dbc008cddc719e3c6e3b805a3 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -384,7 +384,8 @@ function pHeader($subtitle,$next,$action='set',$param='',$forcejqueryurl='',$css
 // We force the content charset
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<!DOCTYPE HTML>'."\n";
 print '<html>'."\n";
 print '<head>'."\n";
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ab92df9ca12a671b85e03ed209b34ca2f15ceaef..11dccf47ade0772c65544d52059249868a56dc30 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -197,6 +197,7 @@ $sessionname='DOLSESSID_'.$prefix;
 $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
+session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
 session_start();
 if (ini_get('register_globals')) // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
 {
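Review bot: In document.php `top_httphead($type)` is now called unconditionally, whereas the removed line only sent a Content-Type when `$type` was non-empty; with an empty `$type` the else branch of `top_httphead()` emits a bare `Content-Type: ` header, which is malformed and, together with the new `nosniff` header, leaves the browser with no usable type at all. Fall back to an explicit binary type: `top_httphead($type ? $type : 'application/octet-stream');`. The removed line also appended the configured charset to every `text/*` type, while the new code does so only for exactly `text/html`, so `text/plain` or `text/csv` downloads now go out without a charset; that regression belongs either here or in `top_httphead()`. Where `$type` is assigned is outside the hunk; if it is derived from the stored file rather than the request, the `inline` disposition below remains the main thing to keep an eye on for uploaded HTML.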
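Review bot: The `X-Content-Type-Options: nosniff` line added to `pHeader` in install/inc.php copies half of what `top_httphead()` now sends and omits the `X-Frame-Options: SAMEORIGIN` that accompanies it, so the installer page stays frameable; the same applies to `llxHeaderPaybox`, `print_paybox_redirect`, `llxHeaderPaypal` and `pHeader` in support/inc.php in the later hunks, and the payment redirect page in particular is exactly where clickjacking protection matters. Add `header("X-Frame-Options: SAMEORIGIN");` after each new `nosniff` line, or, since these entry points presumably run without main.inc.php and cannot call `top_httphead()`, keep the header set in one tiny shared helper so the two lists do not drift apart. The enclosing `pHeader` function continues outside the hunk.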
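Review bot: The new `session_set_cookie_params(0, '/', null, false, true)` in main.inc.php hard-codes the `secure` flag to `false`, so on an HTTPS deployment the session cookie is still sent over plain HTTP; the identical literal is repeated in the two re-login hunks at new lines 529 and 588, so the three calls will drift apart on the next change. Derive the flag from the request and pass an empty domain, e.g. `$secure = (! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');` followed by `session_set_cookie_params(0, '/', '', $secure, true);` — `''` instead of `null` also avoids the null-to-string coercion that newer PHP versions deprecate for internal functions. Forcing the path to `/` silently overrides any `session.cookie_path` an administrator set in php.ini; if that is intended, say so in the trailing comment rather than only mentioning httponly. A single helper called from all three sites would keep the flag set consistent.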
@@ -528,6 +529,7 @@ if (! defined('NOLOGIN'))
 dol_syslog('User not found, connexion refused');
 session_destroy();
 session_name($sessionname);
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
 session_start(); // Fixing the bug of register_globals here is useless since session is empty
 if ($resultFetchUser == 0)
@@ -586,6 +588,7 @@ if (! defined('NOLOGIN'))
 dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
 session_destroy();
 session_name($sessionname);
+ session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
 session_start(); // Fixing the bug of register_globals here is useless since session is empty
 if ($resultFetchUser == 0)
@@ -967,19 +970,22 @@ if (! function_exists("llxHeader"))
 /**
 * Show HTTP header
 *
+ * @param string $contenttype Content type. For example, 'text/html'
 * @return void
 */
-function top_httphead()
+function top_httphead($contenttype='text/html')
 {
 global $conf;
- //header("Content-type: text/html; charset=UTF-8");
- header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ if ($contenttype == 'text/html' ) header("Content-Type: text/html; charset=".$conf->file->character_set_client);
+ else header("Content-Type: ".$contenttype);
+ header("X-Content-Type-Options: nosniff");
+ header("X-Frame-Options: SAMEORIGIN");
+
 // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
- if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
+ /*if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) {
 ob_start("ob_gzhandler");
- }
+ }*/
 }
 /**
diff --git a/htdocs/paybox/lib/paybox.lib.php b/htdocs/paybox/lib/paybox.lib.php
index 922679bcb86bc979ce6784288e60f7b542886192..ca5fd6a71ad9fb3e9a1f325eb50adc63ee357101 100644
--- a/htdocs/paybox/lib/paybox.lib.php
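Review bot: In the `top_httphead()` hunk the new `$contenttype` parameter is written into the `Content-Type` header unvalidated; PHP's `header()` refuses CR/LF, but a caller that passes a request-derived value can still pick `text/html` for arbitrary content, so the docblock should state that the argument must be a server-chosen MIME type, never user input, and the comparison should be strict with the stray space removed: `if ($contenttype === 'text/html') header("Content-Type: text/html; charset=".$conf->file->character_set_client);`. Commenting out the `ob_gzhandler` block silently disables bit 3 of `MAIN_OPTIMIZE_SPEED` while the comment above it still tells administrators to set that bit; either delete the block together with the comment or keep the feature, but do not leave it as commented-out code. `X-Frame-Options: SAMEORIGIN` is now applied to every response type, including scripts and images, which is harmless but deserves a one-line comment saying it is intentional so a later reader does not "fix" it for non-HTML callers.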
+++ b/htdocs/paybox/lib/paybox.lib.php
@@ -36,7 +36,8 @@ function llxHeaderPaybox($title, $head = "")
 global $user, $conf, $langs;
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
 //print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd>';
 print "\n";
@@ -171,7 +172,8 @@ function print_paybox_redirect($PRICE,$CURRENCY,$EMAIL,$urlok,$urlko,$TAG)
 dol_syslog("PBX_TYPEPAIEMENT: $PBX_TYPEPAIEMENT", LOG_DEBUG);
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<html>'."\n";
 print '<head>'."\n";
 print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=".$conf->file->character_set_client."\">\n";
diff --git a/htdocs/paypal/lib/paypal.lib.php b/htdocs/paypal/lib/paypal.lib.php
index 4c1cb588f1f7d61e5d006d28bec33da3ca903a67..b1be8f566478c64436c7a015c061e1ffb3124dba 100644
--- a/htdocs/paypal/lib/paypal.lib.php
+++ b/htdocs/paypal/lib/paypal.lib.php
@@ -35,7 +35,8 @@ function llxHeaderPaypal($title, $head = "")
 global $user, $conf, $langs;
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 $appli='Dolibarr';
 if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;
diff --git a/htdocs/projet/jsgantt_language.js.php b/htdocs/projet/jsgantt_language.js.php
index f6b5799bda01d943e9856b87d5d6c81641dd461e..7aafd97fb452c0741f69891c1a5dd06ea4f2e82d 100644
--- a/htdocs/projet/jsgantt_language.js.php
+++ b/htdocs/projet/jsgantt_language.js.php
@@ -34,8 +34,8 @@ if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
 require_once __DIR__.'/../main.inc.php';
-// Define css type
-header('Content-type: text/javascript');
+// Define mime type
+top_httphead('text/javascript');
 global $langs;
 ?>
diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php
index 869dace222dba665fd568a95a705528a0b649457..16aa40b246d7e7f1acad0547b5fb8c1287eba8b7 100644
--- a/htdocs/support/inc.php
+++ b/htdocs/support/inc.php
@@ -207,7 +207,8 @@ function pHeader($soutitre,$next,$action='none')
 // On force contenu dans format sortie
 header("Content-type: text/html; charset=".$conf->file->character_set_client);
-
+ header("X-Content-Type-Options: nosniff");
+
 print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'."\n";
 print '<html manifest="'.DOL_URL_ROOT.'/cache.manifest">'."\n";
 print '<head>'."\n";
diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php
index 9de83c3bd97f561dd5128c7154ab7e561dfe7363..f923413da4c38e5fb5a5e0e0d190005f3f31e8fb 100644
--- a/htdocs/theme/eldy/style.css.php
+++ b/htdocs/theme/eldy/style.css.php
@@ -45,7 +45,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI
 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index e6809a2c574a39cf0193fc5a654bb81f10e1d8c9..3bd33b0722533568cb42e15e2e556192dedee4e8 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -46,7 +46,7 @@ if (empty($user->id) && ! empty($_SESSION['dol_login'])) $user->fetch('',$_SESSI
 // Define css type
-header('Content-type: text/css');
+top_httphead('text/css');
 // Important: Following code is to avoid page request by browser and PHP CPU at each Dolibarr page access.
 if (empty($dolibarr_nocache)) header('Cache-Control: max-age=3600, public, must-revalidate');
 else header('Cache-Control: no-cache');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index f69c7e4e4aaf3efc23d8594cb783611c7dbf1cac..4f1ef007f1ff7553d7c6530b7185148b048529eb 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -191,13 +191,13 @@ else
 // Open and return file
 // Les drois sont ok et fichier trouve
 if ($type)
 {
+ top_httphead($type);
 header('Content-Disposition: inline; filename="'.basename($original_file).'"');
- header('Content-type: '.$type);
 }
 else
 {
+ top_httphead('image/png');
 header('Content-Disposition: inline; filename="'.basename($original_file).'"');
- header('Content-type: image/png');
 }
 $original_file_osencoded=dol_osencode($original_file);
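Review bot: In viewimage.php `top_httphead($type)` forwards whatever `$type` holds straight into the `Content-Type` header; where `$type` is assigned is outside the hunk, so if it can come from the request rather than from the file, a caller could have an uploaded file served inline as `text/html` and the new `nosniff` header would not help. Either derive the type server-side from the file name before this point, or check it against the short list of image and document types this script is meant to serve and fall back to the `else` branch otherwise. That `else` branch still asserts `image/png` for a file of unknown type, which is pre-existing, but with `nosniff` a non-PNG file served that way now fails to render instead of being sniffed; that is the safer outcome and worth a comment such as `// Unknown type: claim PNG; nosniff (set by top_httphead) stops the browser guessing otherwise`. The enclosing `else` block begins before the hunk.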