Implements MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS for product refs and labels.

This commit is contained in:
mgabriel 2023-01-26 11:00:00 +01:00
parent d36acc63dd
commit 35b05cfc7b
2 changed files with 25 additions and 5 deletions


@ -93,7 +93,11 @@ $refalreadyexists = 0;
// Get parameters
$id = GETPOST('id', 'int');
$ref = (GETPOSTISSET('ref') ? GETPOST('ref', 'alpha') : null);
if (!empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS)) {
$ref = (GETPOSTISSET('ref') ? GETPOST('ref', 'nohtml') : null);
} else {
$ref = (GETPOSTISSET('ref') ? GETPOST('ref', 'alpha') : null);
}
$type = (GETPOSTISSET('type') ? GETPOST('type', 'int') : Product::TYPE_PRODUCT);
$action = (GETPOST('action', 'alpha') ? GETPOST('action', 'alpha') : 'view');
$cancel = GETPOST('cancel', 'alpha');
@ -113,7 +117,11 @@ $accountancy_code_buy_export = GETPOST('accountancy_code_buy_export', 'alpha');
$checkmandatory = GETPOST('accountancy_code_buy_export', 'alpha');
// by default 'alphanohtml' (better security); hidden conf MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML allows basic html
$label_security_check = empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML) ? 'alphanohtml' : 'restricthtml';
if (!empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS)) {
$label_security_check = 'nohtml';
} else {
$label_security_check = empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML) ? 'alphanohtml' : 'restricthtml';
}
if (!empty($user->socid)) {
$socid = $user->socid;
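Review bot: With both options set, the new `if` around the `$label_security_check` assignment makes MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML dead — the `else` is the only branch that reads it, so an instance that relied on `restricthtml` silently switches to `nohtml`, which, going by the filter names, strips the tags it previously allowed while keeping characters the `alphanohtml` filter rejected. The comment above it still describes only the old pair of modes and should state the precedence, e.g. `// 'alphanohtml' by default (better security); MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML allows basic html ('restricthtml'); MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS takes precedence and only strips tags ('nohtml'), so every output of $ref/$label must be escaped per context`. The same precedence question applies to the `$ref` block just above, where `nohtml` is chosen ahead of the former `alpha` filter. If the two options are meant to combine, make that explicit inside the new branch: `$label_security_check = empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML) ? 'nohtml' : 'restricthtml';`. The enclosing parameter block continues outside the hunk.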


@ -572,7 +572,11 @@ class Product extends CommonObject
*/
public function check()
{
$this->ref = dol_sanitizeFileName(stripslashes($this->ref));
if (!empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS)) {
$this->ref = trim($this->ref);
} else {
$this->ref = dol_sanitizeFileName(stripslashes($this->ref));
}
$err = 0;
if (dol_strlen(trim($this->ref)) == 0) {
@ -604,7 +608,11 @@ class Product extends CommonObject
$error = 0;
// Clean parameters
$this->ref = dol_sanitizeFileName(dol_string_nospecial(trim($this->ref)));
if (!empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS)) {
$this->ref = trim($this->ref);
} else {
$this->ref = dol_sanitizeFileName(dol_string_nospecial(trim($this->ref)));
}
$this->label = trim($this->label);
$this->price_ttc = price2num($this->price_ttc);
$this->price = price2num($this->price);
@ -999,7 +1007,11 @@ class Product extends CommonObject
}
// Clean parameters
$this->ref = dol_string_nospecial(trim($this->ref));
if (!empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS)) {
$this->ref = trim($this->ref);
} else {
$this->ref = dol_string_nospecial(trim($this->ref));
}
$this->label = trim($this->label);
$this->description = trim($this->description);
$this->note_private = (isset($this->note_private) ? trim($this->note_private) : null);
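Review bot: When MAIN_SECURITY_ALLOW_UNSECURED_REF_LABELS is on, check(), create() and update() reduce the ref cleanup to `trim()`, so a ref may now contain `/`, `\` or `..`; the `dol_sanitizeFileName()` calls being removed indicate the ref is used as a filesystem name (presumably the product document directory), so any path built from `$this->ref` without re-sanitizing becomes a traversal vector. The option's apparent purpose — allowing special characters in refs — does not require dropping the filename sanitization: keep it and drop only `dol_string_nospecial()`, e.g. `$this->ref = dol_sanitizeFileName(trim($this->ref));` in the new branches of create() and update(), and leave check() as it was. Separately, the new condition in check() reads `$conf`, and no `global $conf;` is visible between the method's opening brace and the `if`; if none exists, `$conf` is null there, the new branch is never taken and PHP 8 emits a warning on the property read. All three methods continue past their hunks.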