diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index 62c3dbd73b7..94c2cd72b40 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php @@ -78,7 +78,7 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("town",'nohtml'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'aZ09'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity); @@ -154,26 +154,26 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } } - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'nohtml'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'int'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'aZ09'),'chaine',0,'',$conf->entity); // Local taxes - dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'aZ09'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'aZ09'),'chaine',0,'',$conf->entity); if($_POST["optionlocaltax1"]=="localtax1on") { @@ -183,9 +183,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','aZ09'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'aZ09'),'chaine',0,'',$conf->entity); } if($_POST["optionlocaltax2"]=="localtax2on") { @@ -195,9 +195,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','aZ09'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'aZ09'),'chaine',0,'',$conf->entity); } if ($action != 'updateedit' && ! $error) @@ -409,7 +409,7 @@ if ($action == 'edit' || $action == 'updateedit') // IDs of the company (country-specific) print ''; - print ''; + print ''; $langs->load("companies"); @@ -562,7 +562,7 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; print '
'.$langs->trans("CompanyIds").''.$langs->trans("Value").'
'.$langs->trans("CompanyIds").''.$langs->trans("Value").'
'; print ''; - print ''; + print ''; print ''; print "\n"; @@ -595,7 +595,7 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; print '
'.$langs->trans("VATManagement").''.$langs->trans("Description").''.$langs->trans("VATManagement").''.$langs->trans("Description").' 
'; print ''; - print ''; + print ''; print ''; print "\n"; diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index bc0031b5992..36152275a64 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -176,26 +176,26 @@ if (empty($reshook)) $object->entity = (GETPOSTISSET('entity')?GETPOST('entity', 'int'):$conf->entity); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste"); - $object->address = GETPOST("address"); - $object->zip = GETPOST("zipcode"); - $object->town = GETPOST("town"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->civility_id = GETPOST("civility_id",'alpha'); + $object->poste = GETPOST("poste",'alpha'); + $object->address = GETPOST("address",'alpha'); + $object->zip = GETPOST("zipcode",'alpha'); + $object->town = GETPOST("town",'alpha'); $object->country_id = GETPOST("country_id",'int'); $object->state_id = GETPOST("state_id",'int'); - $object->skype = GETPOST("skype"); + $object->skype = GETPOST("skype",'alpha'); $object->email = GETPOST("email",'alpha'); - $object->phone_pro = GETPOST("phone_pro"); - $object->phone_perso = GETPOST("phone_perso"); - $object->phone_mobile = GETPOST("phone_mobile"); - $object->fax = GETPOST("fax"); + $object->phone_pro = GETPOST("phone_pro",'alpha'); + $object->phone_perso = GETPOST("phone_perso",'alpha'); + $object->phone_mobile = GETPOST("phone_mobile",'alpha'); + $object->fax = GETPOST("fax",'alpha'); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); - $object->note_public = GETPOST("note_public"); - $object->note_private = GETPOST("note_private"); + $object->note_public = GETPOST("note_public",'none'); + $object->note_private = GETPOST("note_private",'none'); $object->statut = 1; //Defult status to Actif // Note: Correct date should be completed with location to have exact GM time of birth. @@ -340,33 +340,33 @@ if (empty($reshook)) $object->oldcopy = clone $object; - $object->old_lastname = GETPOST("old_lastname"); - $object->old_firstname = GETPOST("old_firstname"); + $object->old_lastname = GETPOST("old_lastname",'alpha'); + $object->old_firstname = GETPOST("old_firstname",'alpha'); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->civility_id = GETPOST("civility_id",'alpha'); + $object->poste = GETPOST("poste",'alpha'); - $object->address = GETPOST("address"); - $object->zip = GETPOST("zipcode"); - $object->town = GETPOST("town"); - $object->state_id = GETPOST("state_id",'int'); + $object->address = GETPOST("address",'alpha'); + $object->zip = GETPOST("zipcode",'alpha'); + $object->town = GETPOST("town",'alpha'); + $object->state_id = GETPOST("state_id",'int'); $object->fk_departement = GETPOST("state_id",'int'); // For backward compatibility $object->country_id = GETPOST("country_id",'int'); $object->email = GETPOST("email",'alpha'); $object->skype = GETPOST("skype",'alpha'); - $object->phone_pro = GETPOST("phone_pro"); - $object->phone_perso = GETPOST("phone_perso"); - $object->phone_mobile = GETPOST("phone_mobile"); - $object->fax = GETPOST("fax"); + $object->phone_pro = GETPOST("phone_pro",'alpha'); + $object->phone_perso = GETPOST("phone_perso",'alpha'); + $object->phone_mobile = GETPOST("phone_mobile",'alpha'); + $object->fax = GETPOST("fax",'alpha'); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); - $object->note_public = GETPOST("note_public"); - $object->note_private = GETPOST("note_private"); + $object->note_public = GETPOST("note_public",'none'); + $object->note_private = GETPOST("note_private",'none'); // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost($extralabels,$object); @@ -540,9 +540,9 @@ else // Name print ''; - print ''; + print ''; print ''; - print ''; + print ''; // Company if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) @@ -594,8 +594,8 @@ else if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip; // Predefined with third party if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town; // Predefined with third party print ''; // Country @@ -635,7 +635,7 @@ else // EMail if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email; // Predefined with third party print ''; - print ''; + print ''; if (! empty($conf->mailing->enabled)) { print ''; @@ -649,13 +649,13 @@ else // Instant message and no email print ''; - print ''; + print ''; // Skype if (! empty($conf->skype->enabled)) { print ''; - print ''; + print ''; } // Visibility diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 20ab5aad7a9..a75c9176893 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -549,10 +549,10 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU case 'array': if (! is_array($out) || empty($out)) $out=array(); break; - case 'nohtml': + case 'nohtml': // Recommended for most scalar parameters $out=dol_string_nohtmltag($out, 0); break; - case 'alphanohtml': // Recommended for search params + case 'alphanohtml': // Recommended for search parameters if (! is_array($out)) { $out=trim($out); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 2ff276f36f7..629e0108045 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -101,6 +101,7 @@ function test_sql_and_script_inject($val, $type) // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet $inj += preg_match('/
'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").''.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").' 
lastname).'" autofocus="autofocus">lastname).'" autofocus="autofocus">firstname).'">
firstname).'">
/ '; - print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; - print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id')); + print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; + print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); print '
email).'">email).'">
jabberid).'">
jabberid).'">
skype).'">
skype).'">