Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX edit contract of intervention broken by CSRF protection

Browse Source
This commit is contained in:
Laurent Destailleur 2024-09-25 19:37:01 +02:00
parent e8c45ace3b
commit 336b723ab8
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/class/html.form.class.php
View File

@ -293,7 +293,7 @@ class Form
// So we convert & into &amp; so a string like 'a &lt; <b>b</b><br>é<br>&lt;script&gt;alert('X');&lt;script&gt;' stay a correct html and is not converted by textarea component when wysiwyg is off.
$valuetoshow = str_replace('&', '&amp;', $valuetoshow);
$ret .= dol_htmlwithnojs(dol_string_neverthesehtmltags($valuetoshow, array('textarea')));
$ret .= '</textarea>';
$ret .= '</textarea><div class="clearboth"></div>';
} elseif ($typeofdata == 'day' || $typeofdata == 'datepicker') {
$addnowlink = empty($moreoptions['addnowlink']) ? 0 : $moreoptions['addnowlink'];
$adddateof = empty($moreoptions['adddateof']) ? '' : $moreoptions['adddateof'];

6
htdocs/fichinter/card.php
View File

@ -1367,14 +1367,14 @@ if ($action == 'create') {
print '<table class="nobordernopadding centpercent"><tr><td>';
print $langs->trans('Contract');
print '</td>';
if ($action != 'contrat') {
print '<td class="right"><a class="editfielda" href="'.$_SERVER["PHP_SELF"].'?action=contrat&amp;id='.$object->id.'">';
if ($action != 'editcontract') {
print '<td class="right"><a class="editfielda" href="'.$_SERVER["PHP_SELF"].'?action=editcontract&id='.$object->id.'">';
print img_edit($langs->trans('SetContract'), 1);
print '</a></td>';
}
print '</tr></table>';
print '</td><td>';
if ($action == 'contrat') {
if ($action == 'editcontract') {
$formcontract = new FormContract($db);
$formcontract->formSelectContract($_SERVER["PHP_SELF"].'?id='.$object->id, $object->socid, $object->fk_contrat, 'contratid', 0, 1, 1);
} else {

2
htdocs/main.inc.php
View File

@ -630,7 +630,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$sensitiveget = false;
if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) {
// All GET actions (except the listed exceptions that are usually post for pre-actions and not real action) and mass actions are processed as sensitive.
if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'createcard', 'edit', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'reconcile', 'specimen'))) { // We exclude some action that are not sensitive so legitimate
if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'createcard', 'edit', 'editcontract', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'reconcile', 'specimen'))) { // We exclude some action that are not sensitive so legitimate
$sensitiveget = true;
}
} elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) {