FIX XSS in company setup page

This commit is contained in:
Laurent Destailleur 2018-04-06 19:12:13 +02:00
parent 417c07a6e8
commit 1a321e19c8
4 changed files with 63 additions and 61 deletions


@ -78,7 +78,7 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("town",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'aZ09'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity);
@ -154,26 +154,26 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
}
}
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'int'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'aZ09'),'chaine',0,'',$conf->entity);
// Local taxes
dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'aZ09'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'aZ09'),'chaine',0,'',$conf->entity);
if($_POST["optionlocaltax1"]=="localtax1on")
{
@ -183,9 +183,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
}
else
{
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','aZ09'),'chaine',0,'',$conf->entity);
}
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'aZ09'),'chaine',0,'',$conf->entity);
}
if($_POST["optionlocaltax2"]=="localtax2on")
{
@ -195,9 +195,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
}
else
{
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','aZ09'),'chaine',0,'',$conf->entity);
}
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity);
dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'aZ09'),'chaine',0,'',$conf->entity);
}
if ($action != 'updateedit' && ! $error)
@ -409,7 +409,7 @@ if ($action == 'edit' || $action == 'updateedit')
// IDs of the company (country-specific)
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre"><td>'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
print '<tr class="liste_titre"><td class="titlefield">'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
$langs->load("companies");
@ -562,7 +562,7 @@ if ($action == 'edit' || $action == 'updateedit')
print '<br>';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';
print '<td class="titlefield">'.$langs->trans("VATManagement").'</td><td>'.$langs->trans("Description").'</td>';
print '<td width="140">'.$langs->trans("VATManagement").'</td><td>'.$langs->trans("Description").'</td>';
print '<td align="right">&nbsp;</td>';
print "</tr>\n";
@ -595,7 +595,7 @@ if ($action == 'edit' || $action == 'updateedit')
print '<br>';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';
print '<td>'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).'</td><td>'.$langs->trans("Description").'</td>';
print '<td width="140">'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).'</td><td>'.$langs->trans("Description").'</td>';
print '<td align="right">&nbsp;</td>';
print "</tr>\n";
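Review bot: The branch test `if($_POST["optionlocaltax1"]=="localtax1on")` in the second hunk still reads `$_POST` directly, two lines after the same parameter was tightened to `GETPOST("optionlocaltax1",'aZ09')`, so the value stored in `FACTURE_LOCAL_TAX1_OPTION` and the value that drives the branch can differ whenever the `aZ09` filter alters the raw input; `$_POST["optionlocaltax2"]` further down has the same issue. Reading it once, `$optionlocaltax1 = GETPOST("optionlocaltax1",'aZ09');`, storing that and branching on `$optionlocaltax1 == "localtax1on"` keeps the two consistent. In the first hunk `MAIN_INFO_SOCIETE_STATE` is still read with 'alpha' while the contact card changed in this same commit reads `state_id` with 'int'; if it is a numeric id here too, 'int' is the narrower check. The enclosing `if ($action == 'update' ...)` block starts before these hunks.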


@ -176,26 +176,26 @@ if (empty($reshook))
$object->entity = (GETPOSTISSET('entity')?GETPOST('entity', 'int'):$conf->entity);
$object->socid = GETPOST("socid",'int');
$object->lastname = GETPOST("lastname");
$object->firstname = GETPOST("firstname");
$object->civility_id = GETPOST("civility_id",'alpha');
$object->poste = GETPOST("poste");
$object->address = GETPOST("address");
$object->zip = GETPOST("zipcode");
$object->town = GETPOST("town");
$object->lastname = GETPOST("lastname",'alpha');
$object->firstname = GETPOST("firstname",'alpha');
$object->civility_id = GETPOST("civility_id",'alpha');
$object->poste = GETPOST("poste",'alpha');
$object->address = GETPOST("address",'alpha');
$object->zip = GETPOST("zipcode",'alpha');
$object->town = GETPOST("town",'alpha');
$object->country_id = GETPOST("country_id",'int');
$object->state_id = GETPOST("state_id",'int');
$object->skype = GETPOST("skype");
$object->skype = GETPOST("skype",'alpha');
$object->email = GETPOST("email",'alpha');
$object->phone_pro = GETPOST("phone_pro");
$object->phone_perso = GETPOST("phone_perso");
$object->phone_mobile = GETPOST("phone_mobile");
$object->fax = GETPOST("fax");
$object->phone_pro = GETPOST("phone_pro",'alpha');
$object->phone_perso = GETPOST("phone_perso",'alpha');
$object->phone_mobile = GETPOST("phone_mobile",'alpha');
$object->fax = GETPOST("fax",'alpha');
$object->jabberid = GETPOST("jabberid",'alpha');
$object->no_email = GETPOST("no_email",'int');
$object->priv = GETPOST("priv",'int');
$object->note_public = GETPOST("note_public");
$object->note_private = GETPOST("note_private");
$object->note_public = GETPOST("note_public",'none');
$object->note_private = GETPOST("note_private",'none');
$object->statut = 1; //Defult status to Actif
// Note: Correct date should be completed with location to have exact GM time of birth.
@ -340,33 +340,33 @@ if (empty($reshook))
$object->oldcopy = clone $object;
$object->old_lastname = GETPOST("old_lastname");
$object->old_firstname = GETPOST("old_firstname");
$object->old_lastname = GETPOST("old_lastname",'alpha');
$object->old_firstname = GETPOST("old_firstname",'alpha');
$object->socid = GETPOST("socid",'int');
$object->lastname = GETPOST("lastname");
$object->firstname = GETPOST("firstname");
$object->civility_id = GETPOST("civility_id",'alpha');
$object->poste = GETPOST("poste");
$object->lastname = GETPOST("lastname",'alpha');
$object->firstname = GETPOST("firstname",'alpha');
$object->civility_id = GETPOST("civility_id",'alpha');
$object->poste = GETPOST("poste",'alpha');
$object->address = GETPOST("address");
$object->zip = GETPOST("zipcode");
$object->town = GETPOST("town");
$object->state_id = GETPOST("state_id",'int');
$object->address = GETPOST("address",'alpha');
$object->zip = GETPOST("zipcode",'alpha');
$object->town = GETPOST("town",'alpha');
$object->state_id = GETPOST("state_id",'int');
$object->fk_departement = GETPOST("state_id",'int'); // For backward compatibility
$object->country_id = GETPOST("country_id",'int');
$object->email = GETPOST("email",'alpha');
$object->skype = GETPOST("skype",'alpha');
$object->phone_pro = GETPOST("phone_pro");
$object->phone_perso = GETPOST("phone_perso");
$object->phone_mobile = GETPOST("phone_mobile");
$object->fax = GETPOST("fax");
$object->phone_pro = GETPOST("phone_pro",'alpha');
$object->phone_perso = GETPOST("phone_perso",'alpha');
$object->phone_mobile = GETPOST("phone_mobile",'alpha');
$object->fax = GETPOST("fax",'alpha');
$object->jabberid = GETPOST("jabberid",'alpha');
$object->no_email = GETPOST("no_email",'int');
$object->priv = GETPOST("priv",'int');
$object->note_public = GETPOST("note_public");
$object->note_private = GETPOST("note_private");
$object->note_public = GETPOST("note_public",'none');
$object->note_private = GETPOST("note_private",'none');
// Fill array 'array_options' with data from add form
$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@ -540,9 +540,9 @@ else
// Name
print '<tr><td class="titlefieldcreate fieldrequired"><label for="lastname">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</label></td>';
print '<td><input name="lastname" id="lastname" type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname")?GETPOST("lastname"):$object->lastname).'" autofocus="autofocus"></td>';
print '<td><input name="lastname" id="lastname" type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname",'alpha')?GETPOST("lastname",'alpha'):$object->lastname).'" autofocus="autofocus"></td>';
print '<td><label for="firstname">'.$langs->trans("Firstname").'</label></td>';
print '<td><input name="firstname" id="firstname"type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname")?GETPOST("firstname"):$object->firstname).'"></td></tr>';
print '<td><input name="firstname" id="firstname"type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname",'alpha')?GETPOST("firstname",'alpha'):$object->firstname).'"></td></tr>';
// Company
if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
@ -594,8 +594,8 @@ else
if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip; // Predefined with third party
if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town; // Predefined with third party
print '<tr><td><label for="zipcode">'.$langs->trans("Zip").'</label> / <label for="town">'.$langs->trans("Town").'</label></td><td colspan="'.$colspan.'" class="maxwidthonsmartphone">';
print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).'&nbsp;';
print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).'&nbsp;';
print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
print '</td></tr>';
// Country
@ -635,7 +635,7 @@ else
// EMail
if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email; // Predefined with third party
print '<tr><td><label for="email">'.$langs->trans("Email").'</label></td>';
print '<td><input name="email" id="email" type="text" class="maxwidth100onsmartphone" value="'.(GETPOST("email",'alpha')?GETPOST("email",'alpha'):$object->email).'"></td>';
print '<td><input name="email" id="email" type="text" class="maxwidth100onsmartphone" value="'.dol_escape_htmltag(GETPOST("email",'alpha')?GETPOST("email",'alpha'):$object->email).'"></td>';
if (! empty($conf->mailing->enabled))
{
print '<td><label for="no_email">'.$langs->trans("No_Email").'</label></td>';
@ -649,13 +649,13 @@ else
// Instant message and no email
print '<tr><td><label for="jabberid">'.$langs->trans("IM").'</label></td>';
print '<td colspan="3"><input name="jabberid" id="jabberid" type="text" class="minwidth100" maxlength="80" value="'.(GETPOST("jabberid",'alpha')?GETPOST("jabberid",'alpha'):$object->jabberid).'"></td></tr>';
print '<td colspan="3"><input name="jabberid" id="jabberid" type="text" class="minwidth100" maxlength="80" value="'.dol_escape_htmltag(GETPOST("jabberid",'alpha')?GETPOST("jabberid",'alpha'):$object->jabberid).'"></td></tr>';
// Skype
if (! empty($conf->skype->enabled))
{
print '<tr><td><label for="skype">'.$langs->trans("Skype").'</label></td>';
print '<td colspan="3"><input name="skype" id="skype" type="text" class="minwidth100" maxlength="80" value="'.(GETPOST("skype",'alpha')?GETPOST("skype",'alpha'):$object->skype).'"></td></tr>';
print '<td colspan="3"><input name="skype" id="skype" type="text" class="minwidth100" maxlength="80" value="'.dol_escape_htmltag(GETPOST("skype",'alpha')?GETPOST("skype",'alpha'):$object->skype).'"></td></tr>';
}
// Visibility
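Review bot: `note_public` and `note_private` are now read with the 'none' check in both the create and update hunks, which, given the default `$check='none'` in GETPOST's signature, is presumably the unfiltered path, so raw HTML in the notes is kept on purpose and these two fields then depend entirely on the input-time pattern check and on escaping or sanitising wherever the notes are rendered; a comment such as `// 'none': notes are rich text, raw HTML kept on purpose; must be sanitised at display time` would make that intent visible. Separately, the scalar fields (lastname, address, town, phones) use 'alpha' while the GETPOST comment added in this same commit recommends 'nohtml' for most scalar parameters; if 'alpha' does not strip tags, these values rely on `dol_escape_htmltag` at every output site, which the edit form does apply on lines like `value="'.dol_escape_htmltag(GETPOST("lastname",'alpha')...`. The values handed to `$formcompany->select_ziptown(...)` are not visibly escaped here and whether that helper escapes them cannot be seen from this hunk. The enclosing `if (empty($reshook))` block starts outside the hunks.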


@ -549,10 +549,10 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU
case 'array':
if (! is_array($out) || empty($out)) $out=array();
break;
case 'nohtml':
case 'nohtml': // Recommended for most scalar parameters
$out=dol_string_nohtmltag($out, 0);
break;
case 'alphanohtml': // Recommended for search params
case 'alphanohtml': // Recommended for search parameters
if (! is_array($out))
{
$out=trim($out);
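Review bot: The new comment on `case 'nohtml':` says it is recommended for most scalar parameters but not what distinguishes it from 'alphanohtml' just below; from the visible code, 'nohtml' passes the value straight to `dol_string_nohtmltag($out, 0)` whereas 'alphanohtml' first trims it, so a comment like `// Recommended for most scalar parameters: strips HTML tags via dol_string_nohtmltag, no trim (compare 'alphanohtml')` would save callers a lookup. The 'alphanohtml' branch continues past the hunk, so what else it does besides the trim is not visible here. GETPOST's body starts before the hunk.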


@ -101,6 +101,7 @@ function test_sql_and_script_inject($val, $type)
// More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/<audio/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
@ -108,6 +109,7 @@ function test_sql_and_script_inject($val, $type)
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
$inj += preg_match('/onloadstart\s*=/i', $val); // onload can be set on audio tag <audio onloadstart=alert(1)>
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be on textarea
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ...
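Review bot: The comment on the new `onloadstart` line was copied from the `onload` line above and still says `// onload can be set on audio tag ...`; it should read `// onloadstart can be set on audio tag <audio onloadstart=alert(1)>`. More generally, handlers are being added to this blocklist one at a time (`onload`, `onloadstart`, `onclick`, ...) while a generic `on[A-Z][a-z]+` pattern sits commented out at the end of the hunk; if it is revived it should use `\s*=` like the neighbouring lines rather than the `\*=` it currently carries, and be checked for false positives on legitimate text before being enabled. test_sql_and_script_inject starts before the hunk.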