From 56710ce9b79a97df093f586c90bdaf6cce6a5808 Mon Sep 17 00:00:00 2001 
From: "Laurent Destailleur (aka Eldy)"
Date: Wed, 8 Jan 2025 17:41:45 +0100
Subject: [PATCH 01/33] FIX CVE-2024-55227 and CVE-2024-55228 CSRF when MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY is on (hidden option not on by default)
---
 .../class/accountingjournal.class.php | 4 +-
 .../accountancy/class/bookkeeping.class.php | 4 +-
 htdocs/adherents/class/adherent.class.php | 4 +-
 .../adherents/class/adherent_type.class.php | 2 +-
 htdocs/admin/user.php | 10 ++--
 htdocs/asset/class/asset.class.php | 4 +-
 htdocs/asset/class/assetmodel.class.php | 4 +-
 htdocs/bom/class/bom.class.php | 4 +-
 htdocs/bom/class/bomline.class.php | 4 +-
 htdocs/bookcal/class/availabilities.class.php | 4 +-
 htdocs/bookcal/class/calendar.class.php | 4 +-
 htdocs/bookmarks/class/bookmark.class.php | 4 +-
 htdocs/categories/class/categorie.class.php | 4 +-
 htdocs/comm/action/class/actioncomm.class.php | 6 +-
 htdocs/comm/mailing/class/mailing.class.php | 4 +-
 htdocs/comm/propal/class/propal.class.php | 4 +-
 htdocs/commande/class/commande.class.php | 4 +-
 htdocs/compta/bank/class/account.class.php | 4 +-
 .../bank/class/paymentvarious.class.php | 4 +-
 .../cashcontrol/class/cashcontrol.class.php | 4 +-
 htdocs/compta/facture/class/facture.class.php | 4 +-
 .../cheque/class/remisecheque.class.php | 4 +-
 .../compta/paiement/class/paiement.class.php | 4 +-
 .../sociales/class/chargesociales.class.php | 4 +-
 htdocs/compta/tva/class/tva.class.php | 4 +-
 htdocs/contact/class/contact.class.php | 4 +-
 htdocs/contrat/class/contrat.class.php | 4 +-
 htdocs/contrat/class/contratligne.class.php | 2 +-
 htdocs/core/class/fiscalyear.class.php | 4 +-
 htdocs/core/class/timespent.class.php | 4 +-
 htdocs/core/lib/functions.lib.php | 57 +++++++++++++++---
 htdocs/cron/class/cronjob.class.php | 4 +-
 htdocs/delivery/class/delivery.class.php | 2 +-
 htdocs/ecm/class/ecmfiles.class.php | 4 +-
 .../class/emailcollector.class.php | 4 +-
 .../class/emailcollectoraction.class.php | 4 +-
 .../class/emailcollectorfilter.class.php | 4 +-
 .../class/conferenceorbooth.class.php | 4 +-
 .../class/conferenceorboothattendee.class.php | 4 +-
 htdocs/expedition/class/expedition.class.php | 4 +-
 .../class/expensereport.class.php | 4 +-
 htdocs/fichinter/class/fichinter.class.php | 4 +-
 .../class/fournisseur.commande.class.php | 4 +-
 .../fourn/class/fournisseur.facture.class.php | 4 +-
 .../fourn/class/fournisseur.product.class.php | 4 +-
 htdocs/fourn/class/paiementfourn.class.php | 4 +-
 htdocs/holiday/class/holiday.class.php | 4 +-
 htdocs/hrm/class/establishment.class.php | 4 +-
 htdocs/hrm/class/evaluation.class.php | 4 +-
 htdocs/hrm/class/evaluationdet.class.php | 4 +-
 htdocs/hrm/class/job.class.php | 4 +-
 htdocs/hrm/class/skill.class.php | 4 +-
 htdocs/hrm/class/skilldet.class.php | 4 +-
 htdocs/hrm/class/skillrank.class.php | 4 +-
 .../class/intracommreport.class.php | 4 +-
 .../class/knowledgerecord.class.php | 4 +-
 htdocs/loan/class/loan.class.php | 4 +-
 .../template/class/myobject.class.php | 4 +-
 htdocs/mrp/class/mo.class.php | 4 +-
 .../class/opensurveysondage.class.php | 4 +-
 .../partnership/class/partnership.class.php | 4 +-
 .../class/partnership_type.class.php | 4 +-
 .../class/productfournisseurprice.class.php | 4 +-
 .../inventory/class/inventory.class.php | 4 +-
 htdocs/product/stock/class/entrepot.class.php | 4 +-
 .../product/stock/class/productlot.class.php | 4 +-
 .../class/stocktransfer.class.php | 4 +-
 .../class/stocktransferline.class.php | 4 +-
 htdocs/projet/class/project.class.php | 4 +-
 htdocs/projet/class/task.class.php | 4 +-
 htdocs/reception/class/reception.class.php | 4 +-
 .../class/recruitmentcandidature.class.php | 4 +-
 .../class/recruitmentjobposition.class.php | 4 +-
 htdocs/resource/class/dolresource.class.php | 4 +-
 htdocs/salaries/class/paymentsalary.class.php | 4 +-
 htdocs/salaries/class/salary.class.php | 4 +-
 .../class/companypaymentmode.class.php | 4 +-
 htdocs/societe/class/societe.class.php | 4 +-
 htdocs/societe/class/societeaccount.class.php | 4 +-
 .../class/supplier_proposal.class.php | 4 +-
 htdocs/ticket/class/cticketcategory.class.php | 4 +-
 htdocs/ticket/class/ticket.class.php | 4 +-
 htdocs/user/card.php | 4 +-
 htdocs/user/class/user.class.php | 4 +-
 htdocs/user/class/usergroup.class.php | 2 +-
 htdocs/webhook/class/target.class.php | 4 +-
 htdocs/website/class/websitepage.class.php | 4 +-
 .../workstation/class/workstation.class.php | 4 +-
 htdocs/zapier/class/hook.class.php | 4 +-
 test/phpunit/SecurityTest.php | 60 ++++++++++++++++---
 test/phpunit/test.php | 46 ++++++++++++++
 91 files changed, 326 insertions(+), 189 deletions(-)
 create mode 100755 test/phpunit/test.php

diff --git a/htdocs/accountancy/class/accountingjournal.class.php b/htdocs/accountancy/class/accountingjournal.class.php
index 4135e982d14..3cc0aa41007 100644
--- a/htdocs/accountancy/class/accountingjournal.class.php
+++ b/htdocs/accountancy/class/accountingjournal.class.php
@@ -189,9 +189,9 @@ class AccountingJournal extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowAccountingJournal");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip"';
 }
diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php
index f8573c3f75e..f34694ef5bc 100644
--- a/htdocs/accountancy/class/bookkeeping.class.php
+++ b/htdocs/accountancy/class/bookkeeping.class.php
@@ -529,9 +529,9 @@ class BookKeeping extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowTransaction");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index a401823fc3c..42c1f192825 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -2382,9 +2382,9 @@ class Adherent extends CommonObject
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $langs->load("users");
 $label = $langs->trans("ShowUser");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 }
diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php
index 2947f20b158..cf33af23343 100644
--- a/htdocs/adherents/class/adherent_type.class.php
+++ b/htdocs/adherents/class/adherent_type.class.php
@@ -780,7 +780,7 @@ class AdherentType extends CommonObject } } $linkstart = ''; $linkend = '';
diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php
index bbc06499e6e..0c957617ce1 100644
--- a/htdocs/admin/user.php
+++ b/htdocs/admin/user.php
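Review bot: The Adherent hunk (@@ -2382) moves only the alt and title attributes to dolPrintHtmlForAttribute(), while `$dataparams`, appended on the very next line, is built above the hunk and is not visible here; if it carries the same `$label` (for instance in a data-* attribute consumed by the tooltip script), it needs the same escaping or the fix is incomplete for this getNomUrl(). The same shape recurs in every hunk of this patch that appends `$dataparams`, so one confirmation covers all of them. If the two paths are deliberately separate, a one-line comment at the title line, `// $dataparams is escaped where it is built; alt/title go through dolPrintHtmlForAttribute()`, would spare the next reader the same question. The enclosing method starts and ends outside the hunk.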
@@ -163,9 +163,9 @@ print ''; print ''; print ''.$langs->trans("UserMailRequired").'';
-print ' ';
+print ' ';
-print '';
+print '';
 if ($conf->use_javascript_ajax) {
 print ajax_constantonoff('USER_MAIL_REQUIRED');
 } else {
@@ -181,9 +181,9 @@ print ''; print ''; print ''.$langs->trans("UserHideInactive").'';
-print ' ';
+print ' ';
-print '';
+print '';
 if ($conf->use_javascript_ajax) {
 print ajax_constantonoff('USER_HIDE_INACTIVE_IN_COMBOBOX');
 } else {
@@ -325,7 +325,7 @@ foreach ($dirmodels as $reldir) {
 if ($module->type == 'pdf') {
 print ''.img_object($langs->trans("Preview"), 'pdf').'';
 } else {
- print img_object($langs->trans("PreviewNotAvailable"), 'generic');
+ print img_object($langs->transnoentitiesnoconv("PreviewNotAvailable"), 'generic');
 }
 print '';
diff --git a/htdocs/asset/class/asset.class.php b/htdocs/asset/class/asset.class.php
index 9dc62995ffc..75566f379a7 100644
--- a/htdocs/asset/class/asset.class.php
+++ b/htdocs/asset/class/asset.class.php
@@ -1408,9 +1408,9 @@ class Asset extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowAsset");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/asset/class/assetmodel.class.php b/htdocs/asset/class/assetmodel.class.php
index 753b89a4a35..56852c052d6 100644
--- a/htdocs/asset/class/assetmodel.class.php
+++ b/htdocs/asset/class/assetmodel.class.php
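Review bot: In the @@ -325 hunk of htdocs/admin/user.php only the PreviewNotAvailable call is switched to `$langs->transnoentitiesnoconv()`, while `img_object($langs->trans("Preview"), 'pdf')` two lines above, in the same if/else, keeps `trans()`. Either img_object() escapes its alt/title itself, in which case the Preview call should become `img_object($langs->transnoentitiesnoconv("Preview"), 'pdf')` for the same reason, or it does not, in which case the changed line now hands it unencoded translation text; which one holds is not visible here and should be confirmed against img_object() so the two calls end up consistent. The `print '';` lines of the two earlier hunks in this file have lost their HTML markup in this rendering, so those changes cannot be reviewed from this page.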
@@ -619,9 +619,9 @@ class AssetModel extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowAssetModel");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/bom/class/bom.class.php b/htdocs/bom/class/bom.class.php
index b6fa70ade31..f204993c892 100644
--- a/htdocs/bom/class/bom.class.php
+++ b/htdocs/bom/class/bom.class.php
@@ -1159,9 +1159,9 @@ class BOM extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowBillOfMaterials");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/bom/class/bomline.class.php b/htdocs/bom/class/bomline.class.php
index 92328b09fcd..5ebd98a756c 100644
--- a/htdocs/bom/class/bomline.class.php
+++ b/htdocs/bom/class/bomline.class.php
@@ -387,9 +387,9 @@ class BOMLine extends CommonObjectLine
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowBillOfMaterialsLine");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/bookcal/class/availabilities.class.php b/htdocs/bookcal/class/availabilities.class.php
index 1c5b7c78424..d072343caae 100644
--- a/htdocs/bookcal/class/availabilities.class.php
+++ b/htdocs/bookcal/class/availabilities.class.php
@@ -756,9 +756,9 @@ class Availabilities extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowAvailabilities");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/bookcal/class/calendar.class.php b/htdocs/bookcal/class/calendar.class.php
index a1acf818ba9..c96fbe2da34 100644
--- a/htdocs/bookcal/class/calendar.class.php
+++ b/htdocs/bookcal/class/calendar.class.php
@@ -742,9 +742,9 @@ class Calendar extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalInt('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowCalendar");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php
index a386876a7d6..f58d1839389 100644
--- a/htdocs/bookmarks/class/bookmark.class.php
+++ b/htdocs/bookmarks/class/bookmark.class.php
@@ -319,9 +319,9 @@ class Bookmark extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowBookmark");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index 09e0cb52c47..21a642afd22 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1811,9 +1811,9 @@ class Categorie extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalInt('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowMyObject");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.' '.$forced_color.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ' class="'.$forced_color.($morecss ? ' '.$morecss : '').'"';
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 249e342d5fc..a96ec4e0e82 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -1658,6 +1658,7 @@ class ActionComm extends CommonObject
 $datas['note'] .= (dol_textishtml($texttoshow) ? str_replace(array("\r", "\n"), "", $texttoshow) : str_replace(array("\r", "\n"), '
', $texttoshow));
 $datas['note'] .= '';
 }
+
 // show categories for this record only in ajax to not overload lists
 if (isModEnabled('category') && !$nofetch) {
 require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php';
@@ -1767,6 +1768,7 @@ class ActionComm extends CommonObject
 $tooltip .= (dol_textishtml($texttoshow) ? str_replace(array("\r", "\n"), "", $texttoshow) : str_replace(array("\r", "\n"), '
', $texttoshow));
 $tooltip .= '';
 }
+
 $linkclose = '';
 $classfortooltip = 'classfortooltip';
 $dataparams = '';
@@ -1784,9 +1786,9 @@ class ActionComm extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowAction");
- $linkclose .= ' alt="'.dol_escape_htmltag($tooltip, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHTMLForAttribute($tooltip).'"';
 }
- $linkclose .= ($tooltip ? ' title="'.dol_escape_htmltag($tooltip, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($tooltip ? ' title="'.dolPrintHTMLForAttribute($tooltip).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classname.' '.$classfortooltip.'"';
 } else {
 $linkclose .= ' class="'.$classname.'"';
diff --git a/htdocs/comm/mailing/class/mailing.class.php b/htdocs/comm/mailing/class/mailing.class.php
index facaec0753f..d86745f21e9 100644
--- a/htdocs/comm/mailing/class/mailing.class.php
+++ b/htdocs/comm/mailing/class/mailing.class.php
@@ -852,9 +852,9 @@ class Mailing extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowEMailing");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 31bb5a8dd73..077f2446540 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
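Review bot: The @@ -1784 hunk of actioncomm.class.php spells the helper `dolPrintHTMLForAttribute()` while every other file in this patch calls `dolPrintHtmlForAttribute()`; PHP resolves function names case-insensitively so it runs, but a grep or rename of the helper will miss this call site, and it should be written like the rest of the patch. In the MAIN_OPTIMIZEFORTEXTBROWSER branch `$label = $langs->trans("ShowAction")` is assigned and never used because the alt attribute takes `$tooltip`; that predates the patch, but since the line is rewritten anyway it is the moment to decide whether alt should carry the short label as the other classes do. Note that `$tooltip` here is the one attribute in this patch fed from record content (the `$texttoshow` note appended in @@ -1767 is kept as HTML when dol_textishtml() says so), so a SecurityTest case with a note containing a whitelisted tag carrying an event-handler attribute, e.g. `<span onmouseover=alert(1)>x</span>`, would pin that dol_string_onlythesehtmltags() strips such attributes — that helper is not visible here. getNomUrl() starts and ends outside the hunk.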
@@ -3831,9 +3831,9 @@ class Propal extends CommonObject
 if (empty($notooltip) && $user->hasRight('propal', 'lire')) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("Proposal");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.'"';
 }
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 069b76a9c88..26efa02d0d5 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -3898,9 +3898,9 @@ class Commande extends CommonOrder
 if (empty($notooltip) && $user->hasRight('commande', 'lire')) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("Order");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.'"';
 $target_value = array('_self', '_blank', '_parent', '_top');
diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php
index 73ee30a83fe..37050661838 100644
--- a/htdocs/compta/bank/class/account.class.php
+++ b/htdocs/compta/bank/class/account.class.php
@@ -1597,9 +1597,9 @@ class Account extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalInt('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("BankAccount");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php
index 1fa01691f34..b474592d93d 100644
--- a/htdocs/compta/bank/class/paymentvarious.class.php
+++ b/htdocs/compta/bank/class/paymentvarious.class.php
@@ -724,9 +724,9 @@ class PaymentVarious extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowMyObject");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/compta/cashcontrol/class/cashcontrol.class.php b/htdocs/compta/cashcontrol/class/cashcontrol.class.php
index d2bbbf5b545..0e71db22c62 100644
--- a/htdocs/compta/cashcontrol/class/cashcontrol.class.php
+++ b/htdocs/compta/cashcontrol/class/cashcontrol.class.php
@@ -463,9 +463,9 @@ class CashControl extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowMyObject");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index a3e40af94e9..a3e4ef47bef 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -2109,9 +2109,9 @@ class Facture extends CommonInvoice
 if (empty($notooltip) && $user->hasRight("facture", "read")) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("Invoice");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.'"';
 }
diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
index 17527a26591..fae7d4894aa 100644
--- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php
+++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
@@ -964,9 +964,9 @@ class RemiseCheque extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowCheckReceipt");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php
index cbe1c9b4111..29b19528619 100644
--- a/htdocs/compta/paiement/class/paiement.class.php
+++ b/htdocs/compta/paiement/class/paiement.class.php
@@ -1415,9 +1415,9 @@ class Paiement extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("Payment");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php
index fcfffab7b7c..7e64a35e963 100644
--- a/htdocs/compta/sociales/class/chargesociales.class.php
+++ b/htdocs/compta/sociales/class/chargesociales.class.php
@@ -688,9 +688,9 @@ class ChargeSociales extends CommonObject
 if (empty($notooltip) && $user->hasRight("facture", "read")) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("SocialContribution");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip"';
 }
diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php
index 9ed504b6a13..1b68ceaf8ae 100644
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -783,9 +783,9 @@ class Tva extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowMyObject");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index 082639332be..1e19a39b9f6 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -1571,9 +1571,9 @@ class Contact extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowContact");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 0f83d2dc1f4..ea22c7c335b 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -2133,9 +2133,9 @@ class Contrat extends CommonObject
 if (empty($notooltip) && $user->hasRight('contrat', 'lire')) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowContract");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.'"';
 }
 $linkstart = ''; $linkend = '';
diff --git a/htdocs/core/class/fiscalyear.class.php b/htdocs/core/class/fiscalyear.class.php
index 0edc34a55a3..49199c22397 100644
--- a/htdocs/core/class/fiscalyear.class.php
+++ b/htdocs/core/class/fiscalyear.class.php
@@ -355,9 +355,9 @@ class Fiscalyear extends CommonObject
 if (empty($notooltip) && $user->hasRight('accounting', 'fiscalyear', 'write')) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("FiscalPeriod");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= $dataparams.' class="'.$classfortooltip.'"';
 }
diff --git a/htdocs/core/class/timespent.class.php b/htdocs/core/class/timespent.class.php
index d0736d63a9c..8619d3c182e 100644
--- a/htdocs/core/class/timespent.class.php
+++ b/htdocs/core/class/timespent.class.php
@@ -757,9 +757,9 @@ class TimeSpent extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowTimeSpent");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e6ad6bab5c4..64d1f2137fa 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -2010,6 +2010,7 @@ function dolPrintText($s)
 /**
 * Return a string (that can be on several lines) ready to be output on a HTML page.
 * To output a text inside an attribute, you can use dolPrintHTMLForAttribute() or dolPrintHTMLForTextArea() inside a textarea
+ * With dolPrintHTML(), only content not already in HTML is encoded with HTML.
 *
 * @param string $s String to print
 * @param int $allowiframe Allow iframe tags
@@ -2023,6 +2024,7 @@ function dolPrintHTML($s, $allowiframe = 0)
 /**
 * Return a string ready to be output on an HTML attribute (alt, title, data-html, ...)
+ * With dolPrintHTMLForAttribute(), the content is HTML encode, even if it is already HTML content.
 *
 * @param string $s String to print
 * @return string String ready for HTML output
@@ -2032,7 +2034,7 @@ function dolPrintHTMLForAttribute($s)
 {
 // The dol_htmlentitiesbr will convert simple text into html
 // The dol_escape_htmltag will escape html chars.
- return dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'span')), 1, -1, '', 0, 1);
+ return dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1);
 }
 /**
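Review bot: The dolPrintHTMLForAttribute() change adds `'hr'` to the tag whitelist and leaves the five positional flags `1, -1, '', 0, 1` passed to dol_escape_htmltag() unexplained, in the function that this patch makes the single escaping path for every title/alt attribute; a why-comment is needed on the return line, e.g. `// keepb=1 keeps <b>, keepn=-1 drops newlines; 'hr' kept because tooltips render the title as HTML` — the part about tooltip rendering is my inference from the call sites and should be confirmed before it is written down. Whether attributes on the kept font/span tags (style, on*) are removed is decided by dol_string_onlythesehtmltags(..., 1, 0, 0, 0), which is not visible here, so the SecurityTest additions in this patch should include an input such as `<span onmouseover=alert(1)>x</span>` and assert that the handler does not survive. The added docblock line reads "the content is HTML encode" and should read "the content is HTML-encoded". Separately, the subject line describes this as a CSRF fix while everything in the patch is output encoding of HTML attributes; the wording is worth checking against the advisories.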
@@ -2071,7 +2073,7 @@ function dolPrintPassword($s) * @param string $stringtoescape String to escape * @param int $keepb 1=Replace b tags with escaped value (except if in $noescapetags), 0=Remove them completely * @param int $keepn 1=Preserve \r\n strings, 0=Replace them with escaped value, -1=Remove them. Set to 1 when escaping for a '; + print ''; + + // Go Source Invoice (useful when there are many invoices) + if ($action != 'add_paiement' && getDolGlobalString('FACTURE_PAYMENTS_SHOW_LINK_TO_INPUT_ORIGIN_IS_MORE_THAN')) { + print ''; + print ''; + print ''.$langs->trans("GoSourceInvoice").''; print ''; + } - // Payment mode - print ''.$langs->trans('PaymentMode').''; - $form->select_types_paiements((GETPOST('paiementcode') ? GETPOST('paiementcode') : $facture->mode_reglement_code), 'paiementcode', '', 2); - print "\n"; - print ''; + print ''; - // Bank account - print ''; - if (isModEnabled("bank")) { - if ($facture->type != 2) { - print ''.$langs->trans('AccountToCredit').''; - } + print dol_get_fiche_end(); + + + /* + * List of unpaid invoices + */ + + $sql = 'SELECT f.rowid as facid, f.ref, f.total_ht, f.total_tva, f.total_ttc, f.multicurrency_code, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc, f.type,'; + $sql .= ' f.datef as df, f.fk_soc as socid, f.date_lim_reglement as dlr'; + $sql .= ' FROM '.MAIN_DB_PREFIX.'facture as f'; + $sql .= ' WHERE f.entity IN ('.getEntity('facture').')'; + $sql .= ' AND (f.fk_soc = '.((int) $facture->socid); + // Can pay invoices of all child of parent company + if (getDolGlobalString('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS') && !empty($facture->thirdparty->parent)) { + $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->parent).')'; + } + // Can pay invoices of all child of myself + if (getDolGlobalString('FACTURE_PAYMENTS_ON_SUBSIDIARY_COMPANIES')) { + $sql .= ' OR f.fk_soc IN (SELECT rowid FROM 
'.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->id).')'; + } + $sql .= ') AND f.paye = 0'; + $sql .= ' AND f.fk_statut = 1'; // Statut=0 => not validated, Statut=2 => canceled + if ($facture->type != Facture::TYPE_CREDIT_NOTE) { + $sql .= ' AND type IN (0,1,3,5)'; // Standard invoice, replacement, deposit, situation + } else { + $sql .= ' AND type = 2'; // If paying back a credit note, we show all credit notes + } + // Sort invoices by date and serial number: the older one comes first + $sql .= ' ORDER BY f.datef ASC, f.ref ASC'; + + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + if ($num > 0) { + $arraytitle = $langs->trans('Invoice'); if ($facture->type == 2) { - print ''.$langs->trans('AccountToDebit').''; + $arraytitle = $langs->trans("CreditNotes"); + } + $alreadypayedlabel = $langs->trans('Received'); + $multicurrencyalreadypayedlabel = $langs->trans('MulticurrencyReceived'); + if ($facture->type == 2) { + $alreadypayedlabel = $langs->trans("PaidBack"); + $multicurrencyalreadypayedlabel = $langs->trans("MulticurrencyPaidBack"); + } + $remaindertopay = $langs->trans('RemainderToTake'); + $multicurrencyremaindertopay = $langs->trans('MulticurrencyRemainderToTake'); + if ($facture->type == 2) { + $remaindertopay = $langs->trans("RemainderToPayBack"); + $multicurrencyremaindertopay = $langs->trans("MulticurrencyRemainderToPayBack"); } - print ''; - print img_picto('', 'bank_account', 'class="pictofixedwidth"'); - print $form->select_comptes($accountid, 'accountid', 0, '', 2, '', (isModEnabled('multicurrency') ? 1 : 0), 'widthcentpercentminusx maxwidth500', 1); - print ''; - } else { - print ' '; - } - print "\n"; + $i = 0; + //print ''; + print '
'; - // Bank check number - print ''.$langs->trans('Numero'); - print ' ('.$langs->trans("ChequeOrTransferNumber").')'; - print ''; - print ''; + print '
'; // You can use div-table-responsive-no-min if you don't need reserved height for your table + print ''; - // Check transmitter - print ''; - print ''; + print ''; + print ''; + print ''; + print ''; + if (isModEnabled('multicurrency')) { + print ''; + print ''; + print ''; + print ''; + print ''; + } + print ''; + print ''; + print ''; + print ''; - // Bank name - print ''; - print ''; + $parameters = array(); + $reshook = $hookmanager->executeHooks('printFieldListTitle', $parameters, $facture, $action); // Note that $action and $object may have been modified by hook - // Comments - print ''; - print ''; + print ''; + print "\n"; - // Go Source Invoice (useful when there are many invoices) - if ($action != 'add_paiement' && getDolGlobalString('FACTURE_PAYMENTS_SHOW_LINK_TO_INPUT_ORIGIN_IS_MORE_THAN')) { - print ''; - print ''; - } + $total_ttc = 0; + $totalrecu = 0; + $totalrecucreditnote = 0; + $totalrecudeposits = 0; + $sign = 1; - print '
'.$langs->trans('CheckTransmitter'); - print ' ('.$langs->trans("ChequeMaker").')'; - print '
'.$arraytitle.''.$langs->trans('Date').''.$langs->trans('DateMaxPayment').''.$langs->trans('Currency').''.$langs->trans('MulticurrencyAmountTTC').''.$multicurrencyalreadypayedlabel.''.$multicurrencyremaindertopay.''.$langs->trans('MulticurrencyPaymentAmount').''.$langs->trans('AmountTTC').''.$alreadypayedlabel.''.$remaindertopay.''.$langs->trans('PaymentAmount').'
'.$langs->trans('Bank'); - print ' ('.$langs->trans("ChequeBank").')'; - print '
'.$langs->trans('Comments').''; - print ''; - print '
 
'; - print ''.$langs->trans("GoSourceInvoice").''; - print '
'; + while ($i < $num) { + $objp = $db->fetch_object($resql); - print dol_get_fiche_end(); - - - /* - * List of unpaid invoices - */ - - $sql = 'SELECT f.rowid as facid, f.ref, f.total_ht, f.total_tva, f.total_ttc, f.multicurrency_code, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc, f.type,'; - $sql .= ' f.datef as df, f.fk_soc as socid, f.date_lim_reglement as dlr'; - $sql .= ' FROM '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE f.entity IN ('.getEntity('facture').')'; - $sql .= ' AND (f.fk_soc = '.((int) $facture->socid); - // Can pay invoices of all child of parent company - if (getDolGlobalString('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS') && !empty($facture->thirdparty->parent)) { - $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->parent).')'; - } - // Can pay invoices of all child of myself - if (getDolGlobalString('FACTURE_PAYMENTS_ON_SUBSIDIARY_COMPANIES')) { - $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->id).')'; - } - $sql .= ') AND f.paye = 0'; - $sql .= ' AND f.fk_statut = 1'; // Statut=0 => not validated, Statut=2 => canceled - if ($facture->type != Facture::TYPE_CREDIT_NOTE) { - $sql .= ' AND type IN (0,1,3,5)'; // Standard invoice, replacement, deposit, situation - } else { - $sql .= ' AND type = 2'; // If paying back a credit note, we show all credit notes - } - // Sort invoices by date and serial number: the older one comes first - $sql .= ' ORDER BY f.datef ASC, f.ref ASC'; - - $resql = $db->query($sql); - if ($resql) { - $num = $db->num_rows($resql); - if ($num > 0) { - $arraytitle = $langs->trans('Invoice'); - if ($facture->type == 2) { - $arraytitle = $langs->trans("CreditNotes"); - } - $alreadypayedlabel = $langs->trans('Received'); - $multicurrencyalreadypayedlabel = $langs->trans('MulticurrencyReceived'); - if ($facture->type == 2) { - $alreadypayedlabel = 
$langs->trans("PaidBack"); - $multicurrencyalreadypayedlabel = $langs->trans("MulticurrencyPaidBack"); - } - $remaindertopay = $langs->trans('RemainderToTake'); - $multicurrencyremaindertopay = $langs->trans('MulticurrencyRemainderToTake'); - if ($facture->type == 2) { - $remaindertopay = $langs->trans("RemainderToPayBack"); - $multicurrencyremaindertopay = $langs->trans("MulticurrencyRemainderToPayBack"); - } - - $i = 0; - //print ''; - print '
'; - - print '
'; // You can use div-table-responsive-no-min if you don't need reserved height for your table - print ''; - - print ''; - print ''; - print ''; - print ''; - if (isModEnabled('multicurrency')) { - print ''; - print ''; - print ''; - print ''; - print ''; - } - print ''; - print ''; - print ''; - print ''; - - $parameters = array(); - $reshook = $hookmanager->executeHooks('printFieldListTitle', $parameters, $facture, $action); // Note that $action and $object may have been modified by hook - - print ''; - print "\n"; - - $total_ttc = 0; - $totalrecu = 0; - $totalrecucreditnote = 0; - $totalrecudeposits = 0; $sign = 1; + if ($facture->type == Facture::TYPE_CREDIT_NOTE) { + $sign = -1; + } - while ($i < $num) { - $objp = $db->fetch_object($resql); + $soc = new Societe($db); + $soc->fetch($objp->socid); - $sign = 1; - if ($facture->type == Facture::TYPE_CREDIT_NOTE) { - $sign = -1; + $invoice = new Facture($db); + $invoice->fetch($objp->facid); + $paiement = $invoice->getSommePaiement(); + $creditnotes = $invoice->getSumCreditNotesUsed(); + $deposits = $invoice->getSumDepositsUsed(); + $alreadypayed = price2num($paiement + $creditnotes + $deposits, 'MT'); + $remaintopay = price2num($invoice->total_ttc - $paiement - $creditnotes - $deposits, 'MT'); + + // Multicurrency Price + $tooltiponmulticurrencyfullamount = ''; + $multicurrency_remaintopay = ''; + $multicurrency_payment = 0; + $multicurrency_creditnotes = 0; + $multicurrency_deposits = 0; + if (isModEnabled('multicurrency')) { + $multicurrency_payment = $invoice->getSommePaiement(1); + $multicurrency_creditnotes = $invoice->getSumCreditNotesUsed(1); + $multicurrency_deposits = $invoice->getSumDepositsUsed(1); + $multicurrency_alreadypayed = price2num($multicurrency_payment + $multicurrency_creditnotes + $multicurrency_deposits, 'MT'); + $multicurrency_remaintopay = price2num($invoice->multicurrency_total_ttc - $multicurrency_payment - $multicurrency_creditnotes - $multicurrency_deposits, 'MT'); + // Multicurrency 
full amount tooltip + $tooltiponmulticurrencyfullamount = $langs->trans('AmountHT') . ": " . price($objp->multicurrency_total_ht, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; + $tooltiponmulticurrencyfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->multicurrency_total_tva, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; + $tooltiponmulticurrencyfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->multicurrency_total_ttc, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; + } + + // Full amount tooltip + $tooltiponfullamount = $langs->trans('AmountHT') . ": " . price($objp->total_ht, 0, $langs, 0, -1, -1, $conf->currency) . "
"; + $tooltiponfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->total_tva, 0, $langs, 0, -1, -1, $conf->currency) . "
"; + $tooltiponfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->total_ttc, 0, $langs, 0, -1, -1, $conf->currency) . "
"; + + print ''; + + print '\n"; + + // Date + print '\n"; + + // Due date + if ($objp->dlr > 0) { + print ''; + } else { + print ''; + } - $invoice = new Facture($db); - $invoice->fetch($objp->facid); - $paiement = $invoice->getSommePaiement(); - $creditnotes = $invoice->getSumCreditNotesUsed(); - $deposits = $invoice->getSumDepositsUsed(); - $alreadypayed = price2num($paiement + $creditnotes + $deposits, 'MT'); - $remaintopay = price2num($invoice->total_ttc - $paiement - $creditnotes - $deposits, 'MT'); + // Currency + if (isModEnabled('multicurrency')) { + print '\n"; + } - // Multicurrency Price - $tooltiponmulticurrencyfullamount = ''; - $multicurrency_remaintopay = ''; - $multicurrency_payment = 0; - $multicurrency_creditnotes = 0; - $multicurrency_deposits = 0; - if (isModEnabled('multicurrency')) { - $multicurrency_payment = $invoice->getSommePaiement(1); - $multicurrency_creditnotes = $invoice->getSumCreditNotesUsed(1); - $multicurrency_deposits = $invoice->getSumDepositsUsed(1); - $multicurrency_alreadypayed = price2num($multicurrency_payment + $multicurrency_creditnotes + $multicurrency_deposits, 'MT'); - $multicurrency_remaintopay = price2num($invoice->multicurrency_total_ttc - $multicurrency_payment - $multicurrency_creditnotes - $multicurrency_deposits, 'MT'); - // Multicurrency full amount tooltip - $tooltiponmulticurrencyfullamount = $langs->trans('AmountHT') . ": " . price($objp->multicurrency_total_ht, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; - $tooltiponmulticurrencyfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->multicurrency_total_tva, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; - $tooltiponmulticurrencyfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->multicurrency_total_ttc, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; - } - - // Full amount tooltip - $tooltiponfullamount = $langs->trans('AmountHT') . ": " . price($objp->total_ht, 0, $langs, 0, -1, -1, $conf->currency) . "
"; - $tooltiponfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->total_tva, 0, $langs, 0, -1, -1, $conf->currency) . "
"; - $tooltiponfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->total_ttc, 0, $langs, 0, -1, -1, $conf->currency) . "
"; - - print ''; - - print '\n"; - - // Date - print '\n"; - - // Due date - if ($objp->dlr > 0) { - print ''; - } else { - print ''; - } - - // Currency - if (isModEnabled('multicurrency')) { - print '\n"; - } - - // Multicurrency full amount - if (isModEnabled('multicurrency')) { - print ''; - - // Multicurrency Price - print ''; - - // Multicurrency remain to pay - print ''; - - print '"; - } - - // Full amount - print ''; - - // Received + already paid - print ''; - // Remain to take or to pay back + // Multicurrency Price print ''; - //$test= price(price2num($objp->total_ttc - $paiement - $creditnotes - $deposits)); - // Amount + // Multicurrency remain to pay + print ''; + print '"; - - $parameters = array(); - $reshook = $hookmanager->executeHooks('printFieldListValue', $parameters, $objp, $action); // Note that $action and $object may have been modified by hook - - // Warning - print ''; - - print "\n"; - - $total_ttc += $objp->total_ttc; - $totalrecu += $paiement; - $totalrecucreditnote += $creditnotes; - $totalrecudeposits += $deposits; - $i++; } - if ($i > 1) { - // Print total - print ''; - print ''; - if (isModEnabled('multicurrency')) { - print ''; - print ''; - print ''; - print ''; - print ''; - } - print ''; - print ''; - print ''; - print ''; // Autofilled - print ''; - print "\n"; + // Full amount + print ''; + + // Received + already paid + print '
'.$arraytitle.''.$langs->trans('Date').''.$langs->trans('DateMaxPayment').''.$langs->trans('Currency').''.$langs->trans('MulticurrencyAmountTTC').''.$multicurrencyalreadypayedlabel.''.$multicurrencyremaindertopay.''.$langs->trans('MulticurrencyPaymentAmount').''.$langs->trans('AmountTTC').''.$alreadypayedlabel.''.$remaindertopay.''.$langs->trans('PaymentAmount').' 
'; + print $invoice->getNomUrl(1, ''); + if ($objp->socid != $facture->thirdparty->id) { + print ' - '.$soc->getNomUrl(1).' '; + } + print "'.dol_print_date($db->jdate($objp->df), 'day')."'; + print dol_print_date($db->jdate($objp->dlr), 'day'); + + if ($invoice->hasDelay()) { + print img_warning($langs->trans('Late')); } - $soc = new Societe($db); - $soc->fetch($objp->socid); + print ''.$objp->multicurrency_code."
'; - print $invoice->getNomUrl(1, ''); - if ($objp->socid != $facture->thirdparty->id) { - print ' - '.$soc->getNomUrl(1).' '; - } - print "'.dol_print_date($db->jdate($objp->df), 'day')."'; - print dol_print_date($db->jdate($objp->dlr), 'day'); - - if ($invoice->hasDelay()) { - print img_warning($langs->trans('Late')); - } - - print ''.$objp->multicurrency_code."'; - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - print '' . price($sign * $objp->multicurrency_total_ttc); - } - print ''; - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - print price($sign * $multicurrency_payment); - if ($multicurrency_creditnotes) { - print '+'.price($multicurrency_creditnotes); - } - if ($multicurrency_deposits) { - print '+'.price($multicurrency_deposits); - } - } - print ''; - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - print price($sign * (float) $multicurrency_remaintopay); - } - print ''; - - // Add remind multicurrency amount - $namef = 'multicurrency_amount_'.$objp->facid; - $nameRemain = 'multicurrency_remain_'.$objp->facid; - - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - if ($action != 'add_paiement') { - if (!empty($conf->use_javascript_ajax)) { - print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $multicurrency_remaintopay)."'"); - } - print ''; - print ''; - } else { - print ''; - print ''; - } - } - print "'.price($sign * $objp->total_ttc).''.price($sign * $paiement); - if ($creditnotes) { - print '+'.price($creditnotes).''; - } - if ($deposits) { - print '+'.price($deposits).''; + // Multicurrency full amount + if (isModEnabled('multicurrency')) { + print ''; + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + print '' . 
price($sign * $objp->multicurrency_total_ttc); } print ''; - print price($sign * (float) $remaintopay); - if (isModEnabled('prelevement')) { - $numdirectdebitopen = 0; - $totaldirectdebit = 0; - $sql = "SELECT COUNT(pfd.rowid) as nb, SUM(pfd.amount) as amount"; - $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_demande as pfd"; - $sql .= " WHERE fk_facture = ".((int) $objp->facid); - $sql .= " AND pfd.traite = 0"; - $sql .= " AND pfd.ext_payment_id IS NULL"; - - $result_sql = $db->query($sql); - if ($result_sql) { - $obj = $db->fetch_object($result_sql); - $numdirectdebitopen = $obj->nb; - $totaldirectdebit = $obj->amount; - } else { - dol_print_error($db); + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + print price($sign * $multicurrency_payment); + if ($multicurrency_creditnotes) { + print '+'.price($multicurrency_creditnotes); } - if ($numdirectdebitopen) { - $langs->load("withdrawals"); - print img_warning($langs->trans("WarningSomeDirectDebitOrdersAlreadyExists", $numdirectdebitopen, price(price2num($totaldirectdebit, 'MT'), 0, $langs, 1, -1, -1, $conf->currency)), '', 'classfortooltip'); + if ($multicurrency_deposits) { + print '+'.price($multicurrency_deposits); } } print ''; + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + print price($sign * (float) $multicurrency_remaintopay); + } + print ''; - // Add remind amount - $namef = 'amount_'.$objp->facid; - $nameRemain = 'remain_'.$objp->facid; + // Add remind multicurrency amount + $namef = 'multicurrency_amount_'.$objp->facid; + $nameRemain = 'multicurrency_remain_'.$objp->facid; - if ($action != 'add_paiement') { - if (!empty($conf->use_javascript_ajax)) { - print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $remaintopay)."'"); + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + if ($action != 'add_paiement') { + if 
(!empty($conf->use_javascript_ajax)) { + print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $multicurrency_remaintopay)."'"); + } + print ''; + print ''; + } else { + print ''; + print ''; } - print ''; - print ''; - } else { - print ''; - print ''; } print "'; - //print "xx".$amounts[$invoice->id]."-".$amountsresttopay[$invoice->id]."
"; - if (!empty($amounts[$invoice->id]) && (abs((float) $amounts[$invoice->id]) > abs((float) $amountsresttopay[$invoice->id])) - || !empty($multicurrency_amounts[$invoice->id]) && (abs((float) $multicurrency_amounts[$invoice->id]) > abs((float) $multicurrency_amountsresttopay[$invoice->id]))) { - print ' '.img_warning($langs->trans("PaymentHigherThanReminderToPay")); - } - print '
'.$langs->trans('TotalTTC').''.price($sign * $total_ttc).''.price($sign * $totalrecu); - if ($totalrecucreditnote) { - print '+'.price($totalrecucreditnote); - } - if ($totalrecudeposits) { - print '+'.price($totalrecudeposits); - } - print ''.price($sign * (float) price2num($total_ttc - $totalrecu - $totalrecucreditnote - $totalrecudeposits, 'MT')).' 
'.price($sign * $objp->total_ttc).''.price($sign * $paiement); + if ($creditnotes) { + print '+'.price($creditnotes).''; } - print "
"; - print "
\n"; - } - $db->free($resql); - } else { - dol_print_error($db); - } - - $formconfirm = ''; - - // Save button - if ($action != 'add_paiement') { - $checkboxlabel = $langs->trans("ClosePaidInvoicesAutomatically"); - if ($facture->type == Facture::TYPE_CREDIT_NOTE) { - $checkboxlabel = $langs->trans("ClosePaidCreditNotesAutomatically"); - } - $buttontitle = $langs->trans('ToMakePayment'); - if ($facture->type == Facture::TYPE_CREDIT_NOTE) { - $buttontitle = $langs->trans('ToMakePaymentBack'); - } - - print '
'; - print ''; - /*if (isModEnabled('prelevement')) { - $langs->load("withdrawals"); - if (getDolGlobalString('WITHDRAW_DISABLE_AUTOCREATE_ONPAYMENTS')) { - print '
'.$langs->trans("IfInvoiceNeedOnWithdrawPaymentWontBeClosed"); + if ($deposits) { + print '+'.price($deposits).''; } - }*/ - print '


'; - print '
'; - } + print ''; - // Form to confirm payment - if ($action == 'add_paiement') { - $preselectedchoice = $addwarning ? 'no' : 'yes'; + // Remain to take or to pay back + print ''; + print price($sign * (float) $remaintopay); + if (isModEnabled('prelevement')) { + $numdirectdebitopen = 0; + $totaldirectdebit = 0; + $sql = "SELECT COUNT(pfd.rowid) as nb, SUM(pfd.amount) as amount"; + $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_demande as pfd"; + $sql .= " WHERE fk_facture = ".((int) $objp->facid); + $sql .= " AND pfd.traite = 0"; + $sql .= " AND pfd.ext_payment_id IS NULL"; - print '
'; - $text = ''; - if (!empty($totalpayment)) { - $text = $langs->trans('ConfirmCustomerPayment', $totalpayment, $langs->transnoentitiesnoconv("Currency".$conf->currency)); + $result_sql = $db->query($sql); + if ($result_sql) { + $obj = $db->fetch_object($result_sql); + $numdirectdebitopen = $obj->nb; + $totaldirectdebit = $obj->amount; + } else { + dol_print_error($db); + } + if ($numdirectdebitopen) { + $langs->load("withdrawals"); + print img_warning($langs->trans("WarningSomeDirectDebitOrdersAlreadyExists", $numdirectdebitopen, price(price2num($totaldirectdebit, 'MT'), 0, $langs, 1, -1, -1, $conf->currency)), '', 'classfortooltip'); + } + } + print ''; + //$test= price(price2num($objp->total_ttc - $paiement - $creditnotes - $deposits)); + + // Amount + print ''; + + // Add remind amount + $namef = 'amount_'.$objp->facid; + $nameRemain = 'remain_'.$objp->facid; + + if ($action != 'add_paiement') { + if (!empty($conf->use_javascript_ajax)) { + print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $remaintopay)."'"); + } + print ''; + print ''; + } else { + print ''; + print ''; + } + print ""; + + $parameters = array(); + $reshook = $hookmanager->executeHooks('printFieldListValue', $parameters, $objp, $action); // Note that $action and $object may have been modified by hook + + // Warning + print ''; + //print "xx".$amounts[$invoice->id]."-".$amountsresttopay[$invoice->id]."
"; + if (!empty($amounts[$invoice->id]) && (abs((float) $amounts[$invoice->id]) > abs((float) $amountsresttopay[$invoice->id])) + || !empty($multicurrency_amounts[$invoice->id]) && (abs((float) $multicurrency_amounts[$invoice->id]) > abs((float) $multicurrency_amountsresttopay[$invoice->id]))) { + print ' '.img_warning($langs->trans("PaymentHigherThanReminderToPay")); + } + print ''; + + print "\n"; + + $total_ttc += $objp->total_ttc; + $totalrecu += $paiement; + $totalrecucreditnote += $creditnotes; + $totalrecudeposits += $deposits; + $i++; } - if (!empty($multicurrency_totalpayment)) { - $text .= '
'.$langs->trans('ConfirmCustomerPayment', $multicurrency_totalpayment, $langs->transnoentitiesnoconv("paymentInInvoiceCurrency")); + + if ($i > 1) { + // Print total + print ''; + print ''.$langs->trans('TotalTTC').''; + if (isModEnabled('multicurrency')) { + print ''; + print ''; + print ''; + print ''; + print ''; + } + print ''.price($sign * $total_ttc).''; + print ''.price($sign * $totalrecu); + if ($totalrecucreditnote) { + print '+'.price($totalrecucreditnote); + } + if ($totalrecudeposits) { + print '+'.price($totalrecudeposits); + } + print ''; + print ''.price($sign * (float) price2num($total_ttc - $totalrecu - $totalrecucreditnote - $totalrecudeposits, 'MT')).''; + print ''; // Autofilled + print ' '; + print "\n"; } - if (GETPOST('closepaidinvoices')) { - $text .= '
'.$langs->trans("AllCompletelyPayedInvoiceWillBeClosed"); - print ''; - } - $formconfirm = $form->formconfirm($_SERVER['PHP_SELF'].'?facid='.$facture->id.'&socid='.$facture->socid.'&type='.$facture->type, $langs->trans('ReceivedCustomersPayments'), $text, 'confirm_paiement', $formquestion, $preselectedchoice); + print ""; + print "
\n"; } - - // Call Hook formConfirm - $parameters = array('formConfirm' => $formconfirm); - $reshook = $hookmanager->executeHooks('formConfirm', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - if (empty($reshook)) { - $formconfirm .= $hookmanager->resPrint; - } elseif ($reshook > 0) { - $formconfirm = $hookmanager->resPrint; - } - - // Print form confirm - print $formconfirm; - - print "\n"; + $db->free($resql); + } else { + dol_print_error($db); } + + $formconfirm = ''; + + // Save button + if ($action != 'add_paiement') { + $checkboxlabel = $langs->trans("ClosePaidInvoicesAutomatically"); + if ($facture->type == Facture::TYPE_CREDIT_NOTE) { + $checkboxlabel = $langs->trans("ClosePaidCreditNotesAutomatically"); + } + $buttontitle = $langs->trans('ToMakePayment'); + if ($facture->type == Facture::TYPE_CREDIT_NOTE) { + $buttontitle = $langs->trans('ToMakePaymentBack'); + } + + print '
'; + print ''; + /*if (isModEnabled('prelevement')) { + $langs->load("withdrawals"); + if (getDolGlobalString('WITHDRAW_DISABLE_AUTOCREATE_ONPAYMENTS')) { + print '
'.$langs->trans("IfInvoiceNeedOnWithdrawPaymentWontBeClosed"); + } + }*/ + print '


'; + print '
'; + } + + // Form to confirm payment + if ($action == 'add_paiement') { + $preselectedchoice = $addwarning ? 'no' : 'yes'; + + print '
'; + $text = ''; + if (!empty($totalpayment)) { + $text = $langs->trans('ConfirmCustomerPayment', $totalpayment, $langs->transnoentitiesnoconv("Currency".$conf->currency)); + } + if (!empty($multicurrency_totalpayment)) { + $text .= '
'.$langs->trans('ConfirmCustomerPayment', $multicurrency_totalpayment, $langs->transnoentitiesnoconv("paymentInInvoiceCurrency")); + } + if (GETPOST('closepaidinvoices')) { + $text .= '
'.$langs->trans("AllCompletelyPayedInvoiceWillBeClosed"); + print ''; + } + $formconfirm = $form->formconfirm($_SERVER['PHP_SELF'].'?facid='.$facture->id.'&socid='.$facture->socid.'&type='.$facture->type, $langs->trans('ReceivedCustomersPayments'), $text, 'confirm_paiement', $formquestion, $preselectedchoice); + } + + // Call Hook formConfirm + $parameters = array('formConfirm' => $formconfirm); + $reshook = $hookmanager->executeHooks('formConfirm', $parameters, $object, $action); // Note that $action and $object may have been modified by hook + if (empty($reshook)) { + $formconfirm .= $hookmanager->resPrint; + } elseif ($reshook > 0) { + $formconfirm = $hookmanager->resPrint; + } + + // Print form confirm + print $formconfirm; + + print "\n"; } -/** - * Show list of payments - */ -if (!GETPOST('action', 'aZ09')) { - if (empty($page) || $page == -1) { - $page = 0; - } - $limit = GETPOSTINT('limit') ? GETPOSTINT('limit') : $conf->liste_limit; - $offset = $limit * $page; - - if (!$sortorder) { - $sortorder = 'DESC'; - } - if (!$sortfield) { - $sortfield = 'p.datep'; - } - - $sql = 'SELECT p.datep as dp, p.amount, f.total_ttc as fa_amount, f.ref'; - $sql .= ', f.rowid as facid, c.libelle as paiement_type, p.num_paiement as num_payment'; - $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement as p LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id'; - $sql .= ', '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE p.fk_facture = f.rowid'; - $sql .= ' AND f.entity IN ('.getEntity('invoice').')'; - if ($socid) { - $sql .= ' AND f.fk_soc = '.((int) $socid); - } - - $sql .= $db->order($sortfield, $sortorder); - $sql .= $db->plimit($limit + 1, $offset); - $resql = $db->query($sql); - - if ($resql) { - $num = $db->num_rows($resql); - $i = 0; - - print_barre_liste($langs->trans('Payments'), $page, $_SERVER["PHP_SELF"], '', $sortfield, $sortorder, '', $num); - print ''; - print ''; - print_liste_field_titre('Invoice', $_SERVER["PHP_SELF"], 'f.ref', '', '', '', $sortfield, 
$sortorder); - print_liste_field_titre('Date', $_SERVER["PHP_SELF"], 'p.datep', '', '', '', $sortfield, $sortorder); - print_liste_field_titre('Type', $_SERVER["PHP_SELF"], 'c.libelle', '', '', '', $sortfield, $sortorder); - print_liste_field_titre('Amount', $_SERVER["PHP_SELF"], 'p.amount', '', '', '', $sortfield, $sortorder, 'right '); - print_liste_field_titre('', $_SERVER["PHP_SELF"], "", '', '', '', $sortfield, $sortorder, 'maxwidthsearch '); - print "\n"; - - while ($i < min($num, $limit)) { - $objp = $db->fetch_object($resql); - - print ''; - print '\n"; - print '\n"; - print '\n"; - print ''; - print ''; - print ''; - - $parameters = array(); - $reshook = $hookmanager->executeHooks('printObjectLine', $parameters, $objp, $action); // Note that $action and $object may have been modified by hook - - $i++; - } - print '
'.$objp->ref."'.dol_print_date($db->jdate($objp->dp))."'.$objp->paiement_type.' '.$objp->num_payment."'.price($objp->amount).' 
'; - } -} - llxFooter(); $db->close(); From 802562a575b0c0e0952dfdfe439a876ff382a2e1 Mon Sep 17 00:00:00 2001 From: "Laurent Destailleur (aka Eldy)" Date: Thu, 9 Jan 2025 13:54:25 +0100 Subject: [PATCH 15/33] Fix regression after a fix --- htdocs/adherents/subscription.php | 4 +- htdocs/comm/card.php | 10 ++--- htdocs/compta/facture/card.php | 18 ++++----- htdocs/core/class/html.form.class.php | 2 +- htdocs/core/lib/company.lib.php | 4 +- htdocs/core/lib/contact.lib.php | 2 +- htdocs/core/lib/functions.lib.php | 32 ++++++++++++--- htdocs/core/menus/standard/eldy.lib.php | 54 ++++++++++++------------- htdocs/core/modules/modAgenda.class.php | 2 +- htdocs/expensereport/card.php | 2 +- htdocs/fourn/facture/card.php | 6 +-- htdocs/societe/paymentmodes.php | 4 +- htdocs/user/bank.php | 2 +- test/phpunit/SecurityTest.php | 18 +++++++++ test/phpunit/test.php | 38 +++++++++++------ 15 files changed, 124 insertions(+), 74 deletions(-) diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 069f89de048..5a60b07c223 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -1057,7 +1057,7 @@ if (($action == 'addsubscription' || $action == 'create_thirdparty') && $user->h print img_warning($langs->trans("NoThirdPartyAssociatedToMember")); } print $langs->trans("NoThirdPartyAssociatedToMember"); - print ' - '; + print ' - '; print $langs->trans("CreateDolibarrThirdParty"); print ')'; } @@ -1087,7 +1087,7 @@ if (($action == 'addsubscription' || $action == 'create_thirdparty') && $user->h print img_warning($langs->trans("NoThirdPartyAssociatedToMember")); } print $langs->trans("NoThirdPartyAssociatedToMember"); - print ' - '; + print ' - '; print $langs->trans("CreateDolibarrThirdParty"); print ')'; } diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index cce00f8b832..d9c5a933554 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php 
@@ -1693,28 +1693,28 @@ if ($object->id > 0) {
 if (isModEnabled("propal") && $user->hasRight('propal', 'creer') && $object->status == 1) {
 $langs->load("propal");
- print '';
+ print '';
 }
 if (isModEnabled('order') && $user->hasRight('commande', 'creer') && $object->status == 1) {
 $langs->load("orders");
- print '';
+ print '';
 }
 if ($user->hasRight('contrat', 'creer') && $object->status == 1) {
 $langs->load("contracts");
- print '';
+ print '';
 }
 if (isModEnabled('intervention') && $user->hasRight('ficheinter', 'creer') && $object->status == 1) {
 $langs->load("interventions");
- print '';
+ print '';
 }
 // Add invoice
 if (isModEnabled('deplacement') && $object->status == 1) {
 $langs->load("trips");
- print '';
+ print '';
 }
 if (isModEnabled('invoice') && $object->status == 1) {
diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php
index b38b68611fe..26dd8a8c63b 100644
--- a/htdocs/compta/facture/card.php
+++ b/htdocs/compta/facture/card.php
@@ -5908,9 +5908,9 @@ if ($action == 'create') {
 print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', '#', '', false, $params);
 } else {
 // Sometimes we can receive more, so we accept to enter more and will offer a button to convert into discount (but it is not a credit note, just a prepayment done)
- //print ''.$langs->trans('DoPayment').'';
+ //print ''.$langs->trans('DoPayment').'';
 unset($params['attr']['title']);
- print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&action=create'.($object->fk_account > 0 ? '&accountid='.$object->fk_account : ''), '', true, $params);
+ print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&action=create'.($object->fk_account > 0 ? '&accountid='.$object->fk_account : ''), '', true, $params);
 }
 }
 }
@@ -5925,7 +5925,7 @@ if ($action == 'create') { if ($resteapayer == 0) { print ''.$langs->trans('DoPaymentBack').''; } else { - print ''.$langs->trans('DoPaymentBack').''; + print ''.$langs->trans('DoPaymentBack').''; } } @@ -5978,7 +5978,7 @@ if ($action == 'create') { if ($objectidnext) { print ''.$langs->trans('ClassifyCanceled').''; } else { - print ''.$langs->trans('ClassifyCanceled').''; + print ''.$langs->trans('ClassifyCanceled').''; } } } @@ -5987,7 +5987,7 @@ if ($action == 'create') { // Create a credit note if (($object->type == Facture::TYPE_STANDARD || ($object->type == Facture::TYPE_DEPOSIT && !getDolGlobalString('FACTURE_DEPOSITS_ARE_JUST_PAYMENTS')) || $object->type == Facture::TYPE_PROFORMA) && $object->status > 0 && $usercancreate) { if (!$objectidnext) { - print ''.$langs->trans("CreateCreditNote").''; + print ''.$langs->trans("CreateCreditNote").''; } } @@ -6001,7 +6001,7 @@ if ($action == 'create') { && getDolGlobalInt('INVOICE_USE_SITUATION_CREDIT_NOTE') ) { if ($usercanunvalidate) { - print ''.$langs->trans("CreateCreditNote").''; + print ''.$langs->trans("CreateCreditNote").''; } else { print ''.$langs->trans("CreateCreditNote").''; } @@ -6017,7 +6017,7 @@ if ($action == 'create') { if (($object->type == Facture::TYPE_STANDARD || $object->type == Facture::TYPE_DEPOSIT || $object->type == Facture::TYPE_PROFORMA) && $object->status == 0 && $usercancreate) { if (!$objectidnext && count($object->lines) > 0) { unset($params['attr']['title']); - print dolGetButtonAction($langs->trans('ChangeIntoRepeatableInvoice'), '', 'default', DOL_URL_ROOT.'/compta/facture/card-rec.php?facid='.$object->id.'&action=create', '', true, $params); + print dolGetButtonAction($langs->trans('ChangeIntoRepeatableInvoice'), '', 'default', DOL_URL_ROOT.'/compta/facture/card-rec.php?facid='.$object->id.'&action=create', '', true, $params); } } 
@@ -6031,7 +6031,7 @@ if ($action == 'create') { && $usercanunvalidate ) { if (($object->total_ttc - $totalcreditnotes) == 0) { - print ''.$langs->trans("RemoveSituationFromCycle").''; + print ''.$langs->trans("RemoveSituationFromCycle").''; } else { print ''.$langs->trans("RemoveSituationFromCycle").''; } @@ -6040,7 +6040,7 @@ if ($action == 'create') { // Create next situation invoice if ($usercancreate && ($object->type == 5) && ($object->status == 1 || $object->status == 2)) { if ($object->is_last_in_cycle() && $object->situation_final != 1) { - print ''.$langs->trans('CreateNextSituationInvoice').''; + print ''.$langs->trans('CreateNextSituationInvoice').''; } elseif (!$object->is_last_in_cycle()) { print ''.$langs->trans('CreateNextSituationInvoice').''; } else { diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index a23db2adf8a..d148f8fd784 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -6591,7 +6591,7 @@ class Form $num = $this->num; if ($num == 0) { $addcontact = (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("AddContact") : $langs->trans("AddContactAddress")); - print '' . $addcontact . ''; + print '' . $addcontact . ''; } print ''; print ''; diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index a4682c21a13..5507cbd46e2 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php 
@@ -880,7 +880,7 @@ function show_projects($conf, $langs, $db, $object, $backtopage = '', $nocreatel $newcardbutton = ''; if (isModEnabled('project') && $user->hasRight('projet', 'creer') && empty($nocreatelink)) { - $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); + $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); } print "\n"; @@ -1277,7 +1277,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '', $showuserl $newcardbutton = ''; if ($user->hasRight('societe', 'contact', 'creer')) { $addcontact = (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("AddContact") : $langs->trans("AddContactAddress")); - $newcardbutton .= dolGetButtonTitle($addcontact, '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contact/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); + $newcardbutton .= dolGetButtonTitle($addcontact, '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contact/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); } print "\n"; diff --git a/htdocs/core/lib/contact.lib.php b/htdocs/core/lib/contact.lib.php index 24bb66763a5..aa4fa429ae7 100644 --- a/htdocs/core/lib/contact.lib.php +++ b/htdocs/core/lib/contact.lib.php 
@@ -179,7 +179,7 @@ function show_contacts_projects($conf, $langs, $db, $object, $backtopage = '', $ $newcardbutton = ''; if (isModEnabled('project') && $user->hasRight('projet', 'creer') && empty($nocreatelink)) { - $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); + $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); } print "\n"; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f2268767734..df7b61f06c0 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php 
@@ -2037,6 +2037,22 @@ function dolPrintHTMLForAttribute($s)
 return dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1);
 }
 
+/**
+ * Return a string ready to be output on a href attribute (this one need a special because we need content is HTML with no way to detect it is HTML).
+ * With dolPrintHTMLForAttribute(), the content is HTML encode, even if it is already HTML content.
+ *
+ * @param string $s String to print
+ * @return string String ready for HTML output
+ * @see dolPrintHTML(), dolPrintHTMLFortextArea()
+ */
+function dolPrintHTMLForAttributeUrl($s)
+{
+ // The dol_htmlentitiesbr has been removed compared to dolPrintHTMLForAttribute because we know content is a HTML URL string (even if we have no way to detect it automatically)
+ // The dol_escape_htmltag will escape html chars.
+ $escapeonlyhtmltags = 1;
+ return dol_escape_htmltag(dol_string_onlythesehtmltags($s, 1, 1, 1, 0, array()), 0, 0, '', $escapeonlyhtmltags, 1);
+}
+
 /**
  * Return a string ready to be output on input textarea.
  * Differs from dolPrintHTML because all tags are escape. With dolPrintHTML, all tags except common one are escaped.
@@ -8687,9 +8703,9 @@ function dol_htmlentitiesbr($stringtoencode, $nl2brmode = 0, $pagecodefrom = 'UT
 $newstring = preg_replace('/
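Review bot: The docblock of dolPrintHTMLForAttributeUrl() leaves out the one contract callers need: the value must already be an HTML-encoded URL (the SecurityTest hunk in this same patch says "the param should already be ... HTML URL encoded"), and the purpose sentence is hard to parse. I would reword it to `Return a string ready to be output in a href attribute. Unlike dolPrintHTMLForAttribute(), the value is NOT HTML-encoded first: it must already be an HTML-encoded URL (query parameters joined with &amp;); tags are stripped and the remaining special characters are escaped for the attribute context.` The `@see dolPrintHTMLFortextArea()` reference looks mis-cased next to the textarea variant documented directly below; it should be checked against the real function name. Nothing in this function inspects the URL scheme, so whether a `javascript:` href is neutralised depends entirely on the javascript cleaning inside dol_string_onlythesehtmltags()/dol_escape_htmltag() (not visible here); a comment such as `// Does not validate the URL scheme; callers remain responsible for where the URL comes from` would stop callers from reading it as a URL validator.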
$/i', '', $newstring); // Remove last
(remove only last one)
 }
 $newstring = preg_replace('/[\x{200B}-\x{200D}\x{FEFF}]/u', ' ', $newstring);
- $newstring = strtr($newstring, array('&' => '__and__', '<' => '__lt__', '>' => '__gt__', '"' => '__dquot__'));
+ $newstring = strtr($newstring, array('&' => '__PROTECTand__', '<' => '__PROTECTlt__', '>' => '__PROTECTgt__', '"' => '__PROTECTdquot__'));
 $newstring = dol_htmlentities($newstring, ENT_COMPAT, $pagecodefrom); // Make entity encoding
- $newstring = strtr($newstring, array('__and__' => '&', '__lt__' => '<', '__gt__' => '>', '__dquot__' => '"'));
+ $newstring = strtr($newstring, array('__PROTECTand__' => '&', '__PROTECTlt__' => '<', '__PROTECTgt__' => '>', '__PROTECTdquot__' => '"'));
 } else {
 if ($removelasteolbr) {
 $newstring = preg_replace('/(\r\n|\r|\n)$/i', '', $newstring); // Remove last \n (may remove several)
@@ -12828,12 +12844,16 @@ function dolGetButtonAction($label, $text = '', $actionType = 'default', $url =
 unset($attr['href']);
 }
 
- // escape all attribute
- $attr = array_map('dol_escape_htmltag', $attr);
-
+ // escape all attributes
 $TCompiledAttr = array();
 foreach ($attr as $key => $value) {
- $TCompiledAttr[] = $key.'= "'.$value.'"';
+ if ($key == 'href') {
+ $value = dolPrintHTMLForAttributeUrl($value);
+ } else {
+ $value = dolPrintHTMLForAttribute($value);
+ }
+
+ $TCompiledAttr[] = $key.'="'.$value.'"'; // $value has been escaped by the dolPrintHTMLForAttribute... just before
 }
 $compiledAttributes = empty($TCompiledAttr) ? '' : implode(' ', $TCompiledAttr);
 
diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index 8bfe214c523..c3da1b43170 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
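Review bot: In the dolGetButtonAction() loop the attribute name `$key` is interpolated unescaped on the `$TCompiledAttr[] = $key.'="'.$value.'"';` line, so the new per-attribute escaping covers values only, and `$key == 'href'` is a loose comparison where `$key === 'href'` is meant. The keys appear to come from the caller's `$params['attr']` array (the facture/card.php hunks pass `$params`), so they are developer-controlled today, but a guard such as `if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_:-]*$/', $key)) { continue; }` before the comparison would make that assumption explicit and cheap to keep. Also worth noting in the `// escape all attributes` comment: the old code ran every value through dol_escape_htmltag(), whereas the else branch now uses dolPrintHTMLForAttribute(), which per its body in the previous hunk applies dol_htmlentitiesbr() first and keeps br/b/font/hr/span tags, so non-href attribute values are no longer fully tag-free. The enclosing function starts and ends outside the hunk.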
@@ -1275,7 +1275,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le $langs->load("commercial"); $newmenu->add("/societe/list.php?type=p&leftmenu=prospects", $langs->trans("Prospects"), 2, $user->hasRight('societe', 'lire'), '', $mainmenu, 'prospects', 5); - $newmenu->add("/societe/card.php?leftmenu=prospects&action=create&type=p", $langs->trans("MenuNewProspect"), 3, $user->hasRight('societe', 'creer')); + $newmenu->add("/societe/card.php?leftmenu=prospects&action=create&type=p", $langs->trans("MenuNewProspect"), 3, $user->hasRight('societe', 'creer')); } // Customers/Prospects @@ -1283,7 +1283,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le $langs->load("commercial"); $newmenu->add("/societe/list.php?type=c&leftmenu=customers", $langs->trans("Customers"), 2, $user->hasRight('societe', 'lire'), '', $mainmenu, 'customers', 10); - $newmenu->add("/societe/card.php?leftmenu=customers&action=create&type=c", $langs->trans("MenuNewCustomer"), 3, $user->hasRight('societe', 'creer')); + $newmenu->add("/societe/card.php?leftmenu=customers&action=create&type=c", $langs->trans("MenuNewCustomer"), 3, $user->hasRight('societe', 'creer')); } // Suppliers 
@@ -1291,7 +1291,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le $langs->load("suppliers"); $newmenu->add("/societe/list.php?type=f&leftmenu=suppliers", $langs->trans("Suppliers"), 2, ($user->hasRight('fournisseur', 'lire') || $user->hasRight('supplier_order', 'lire') || $user->hasRight('supplier_invoice', 'lire') || $user->hasRight('supplier_proposal', 'lire')), '', $mainmenu, 'suppliers', 15); - $newmenu->add("/societe/card.php?leftmenu=suppliers&action=create&type=f", $langs->trans("MenuNewSupplier"), 3, $user->hasRight('societe', 'creer') && ($user->hasRight('fournisseur', 'lire') || $user->hasRight('supplier_order', 'lire') || $user->hasRight('supplier_invoice', 'lire') || $user->hasRight('supplier_proposal', 'lire'))); + $newmenu->add("/societe/card.php?leftmenu=suppliers&action=create&type=f", $langs->trans("MenuNewSupplier"), 3, $user->hasRight('societe', 'creer') && ($user->hasRight('fournisseur', 'lire') || $user->hasRight('supplier_order', 'lire') || $user->hasRight('supplier_invoice', 'lire') || $user->hasRight('supplier_proposal', 'lire'))); } // Categories 
@@ -1317,7 +1317,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le // Contacts $newmenu->add("/societe/index.php?leftmenu=thirdparties", (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses")), 0, $user->hasRight('societe', 'contact', 'lire'), '', $mainmenu, 'contacts', 0, '', '', '', img_picto('', 'contact', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/contact/card.php?leftmenu=contacts&action=create", (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("NewContact") : $langs->trans("NewContactAddress")), 1, $user->hasRight('societe', 'contact', 'creer')); + $newmenu->add("/contact/card.php?leftmenu=contacts&action=create", (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("NewContact") : $langs->trans("NewContactAddress")), 1, $user->hasRight('societe', 'contact', 'creer')); $newmenu->add("/contact/list.php?leftmenu=contacts", $langs->trans("List"), 1, $user->hasRight('societe', 'contact', 'lire')); if (!getDolGlobalString('SOCIETE_DISABLE_PROSPECTS')) { $newmenu->add("/contact/list.php?leftmenu=contacts&type=p", $langs->trans("Prospects"), 2, $user->hasRight('societe', 'contact', 'lire')); 
@@ -1514,7 +1514,7 @@ function get_left_menu_billing($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen if (isModEnabled('societe') && isModEnabled('supplier_invoice') && !getDolGlobalString('SUPPLIER_INVOICE_MENU_DISABLED')) { $langs->load("bills"); $newmenu->add("/fourn/facture/index.php?leftmenu=suppliers_bills", $langs->trans("BillsSuppliers"), 0, $user->hasRight('fournisseur', 'facture', 'lire'), '', $mainmenu, 'suppliers_bills', 0, '', '', '', img_picto('', 'supplier_invoice', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/fourn/facture/card.php?leftmenu=suppliers_bills&action=create", $langs->trans("NewBill"), 1, ($user->hasRight('fournisseur', 'facture', 'creer') || $user->hasRight('supplier_invoice', 'creer')), '', $mainmenu, 'suppliers_bills_create'); + $newmenu->add("/fourn/facture/card.php?leftmenu=suppliers_bills&action=create", $langs->trans("NewBill"), 1, ($user->hasRight('fournisseur', 'facture', 'creer') || $user->hasRight('supplier_invoice', 'creer')), '', $mainmenu, 'suppliers_bills_create'); $newmenu->add("/fourn/facture/list.php?leftmenu=suppliers_bills", $langs->trans("List"), 1, $user->hasRight('fournisseur', 'facture', 'lire'), '', $mainmenu, 'suppliers_bills_list'); if ($usemenuhider || empty($leftmenu) || preg_match('/suppliers_bills/', $leftmenu)) { 
@@ -1558,7 +1558,7 @@ function get_left_menu_billing($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen $langs->load("donations"); $newmenu->add("/don/index.php?leftmenu=donations&mainmenu=billing", $langs->trans("Donations"), 0, $user->hasRight('don', 'lire'), '', $mainmenu, 'donations', 0, '', '', '', img_picto('', 'donation', 'class="paddingright pictofixedwidth"')); if ($usemenuhider || empty($leftmenu) || $leftmenu == "donations") { - $newmenu->add("/don/card.php?leftmenu=donations&action=create", $langs->trans("NewDonation"), 1, $user->hasRight('don', 'creer')); + $newmenu->add("/don/card.php?leftmenu=donations&action=create", $langs->trans("NewDonation"), 1, $user->hasRight('don', 'creer')); $newmenu->add("/don/list.php?leftmenu=donations", $langs->trans("List"), 1, $user->hasRight('don', 'lire')); $newmenu->add("/don/paiement/list.php?leftmenu=donations", $langs->trans("Payments"), 1, $user->hasRight('don', 'lire')); $newmenu->add("/don/stats/index.php", $langs->trans("Statistics"), 1, $user->hasRight('don', 'lire')); 
@@ -2000,12 +2000,12 @@ function get_left_menu_accountancy($mainmenu, &$newmenu, $usemenuhider = 1, $lef // Assets if (isModEnabled('asset')) { - $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuAssets"), 0, $user->hasRight('asset', 'read'), '', $mainmenu, 'asset', 100, '', '', '', img_picto('', 'payment', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/asset/card.php?leftmenu=asset&action=create", $langs->trans("MenuNewAsset"), 1, $user->hasRight('asset', 'write')); - $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuListAssets"), 1, $user->hasRight('asset', 'read')); + $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuAssets"), 0, $user->hasRight('asset', 'read'), '', $mainmenu, 'asset', 100, '', '', '', img_picto('', 'payment', 'class="paddingright pictofixedwidth"')); + $newmenu->add("/asset/card.php?leftmenu=asset&action=create", $langs->trans("MenuNewAsset"), 1, $user->hasRight('asset', 'write')); + $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuListAssets"), 1, $user->hasRight('asset', 'read')); $newmenu->add("/asset/model/list.php?leftmenu=asset_model", $langs->trans("MenuAssetModels"), 1, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'read')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'read')), '', $mainmenu, 'asset_model'); if ($usemenuhider || empty($leftmenu) || preg_match('/asset_model/', $leftmenu)) { - $newmenu->add("/asset/model/card.php?leftmenu=asset_model&action=create", $langs->trans("MenuNewAssetModel"), 2, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'write')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'write'))); + $newmenu->add("/asset/model/card.php?leftmenu=asset_model&action=create", 
$langs->trans("MenuNewAssetModel"), 2, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'write')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'write'))); $newmenu->add("/asset/model/list.php?leftmenu=asset_model", $langs->trans("MenuListAssetModels"), 2, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'read')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'read'))); } } @@ -2113,8 +2113,8 @@ function get_left_menu_products($mainmenu, &$newmenu, $usemenuhider = 1, $leftme // Products if (isModEnabled('product')) { $newmenu->add("/product/index.php?leftmenu=product", $langs->trans("Products"), 0, $user->hasRight('product', 'read'), '', $mainmenu, 'product', 0, '', '', '', img_picto('', 'product', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/product/card.php?leftmenu=product&action=create&type=0", $langs->trans("NewProduct"), 1, $user->hasRight('product', 'creer')); - $newmenu->add("/product/list.php?leftmenu=product&type=0", $langs->trans("List"), 1, $user->hasRight('product', 'read')); + $newmenu->add("/product/card.php?leftmenu=product&action=create&type=0", $langs->trans("NewProduct"), 1, $user->hasRight('product', 'creer')); + $newmenu->add("/product/list.php?leftmenu=product&type=0", $langs->trans("List"), 1, $user->hasRight('product', 'read')); if (isModEnabled('stock')) { $newmenu->add("/product/reassort.php?type=0", $langs->trans("MenuStocks"), 1, $user->hasRight('product', 'read') && $user->hasRight('stock', 'lire')); } 
@@ -2141,8 +2141,8 @@ function get_left_menu_products($mainmenu, &$newmenu, $usemenuhider = 1, $leftme // Services if (isModEnabled('service')) { $newmenu->add("/product/index.php?leftmenu=service", $langs->trans("Services"), 0, $user->hasRight('service', 'read'), '', $mainmenu, 'service', 0, '', '', '', img_picto('', 'service', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/product/card.php?leftmenu=service&action=create&type=1", $langs->trans("NewService"), 1, $user->hasRight('service', 'creer')); - $newmenu->add("/product/list.php?leftmenu=service&type=1", $langs->trans("List"), 1, $user->hasRight('service', 'read')); + $newmenu->add("/product/card.php?leftmenu=service&action=create&type=1", $langs->trans("NewService"), 1, $user->hasRight('service', 'creer')); + $newmenu->add("/product/list.php?leftmenu=service&type=1", $langs->trans("List"), 1, $user->hasRight('service', 'read')); if (isModEnabled('stock') && getDolGlobalString('STOCK_SUPPORTS_SERVICES')) { $newmenu->add("/product/reassort.php?type=1", $langs->trans("MenuStocks"), 1, $user->hasRight('service', 'read') && $user->hasRight('stock', 'lire')); @@ -2259,7 +2259,7 @@ function get_left_menu_mrp($mainmenu, &$newmenu, $usemenuhider = 1, $leftmenu = $langs->load("mrp"); $newmenu->add("", $langs->trans("MenuBOM"), 0, $user->hasRight('bom', 'read'), '', $mainmenu, 'bom', 0, '', '', '', img_picto('', 'bom', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/bom/bom_card.php?leftmenu=bom&action=create", $langs->trans("NewBOM"), 1, $user->hasRight('bom', 'write'), '', $mainmenu, 'bom'); + $newmenu->add("/bom/bom_card.php?leftmenu=bom&action=create", $langs->trans("NewBOM"), 1, $user->hasRight('bom', 'write'), '', $mainmenu, 'bom'); $newmenu->add("/bom/bom_list.php?leftmenu=bom", $langs->trans("List"), 1, $user->hasRight('bom', 'read'), '', $mainmenu, 'bom'); } 
@@ -2267,7 +2267,7 @@ function get_left_menu_mrp($mainmenu, &$newmenu, $usemenuhider = 1, $leftmenu = $langs->load("mrp"); $newmenu->add("", $langs->trans("MenuMRP"), 0, $user->hasRight('mrp', 'read'), '', $mainmenu, 'mrp', 0, '', '', '', img_picto('', 'mrp', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/mrp/mo_card.php?leftmenu=mo&action=create", $langs->trans("NewMO"), 1, $user->hasRight('mrp', 'write'), '', $mainmenu, ''); + $newmenu->add("/mrp/mo_card.php?leftmenu=mo&action=create", $langs->trans("NewMO"), 1, $user->hasRight('mrp', 'write'), '', $mainmenu, ''); $newmenu->add("/mrp/mo_list.php?leftmenu=mo", $langs->trans("List"), 1, $user->hasRight('mrp', 'read'), '', $mainmenu, ''); } } @@ -2485,7 +2485,7 @@ function get_left_menu_tools($mainmenu, &$newmenu, $usemenuhider = 1, $leftmenu $titlenew .= ' | '.$langs->trans("NewSMSing"); } $newmenu->add("/comm/mailing/index.php?leftmenu=mailing", $titleindex, 0, $user->hasRight('mailing', 'lire'), '', $mainmenu, 'mailing', 0, '', '', '', img_picto('', 'email', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/comm/mailing/card.php?leftmenu=mailing&action=create", $titlenew, 1, $user->hasRight('mailing', 'creer')); + $newmenu->add("/comm/mailing/card.php?leftmenu=mailing&action=create", $titlenew, 1, $user->hasRight('mailing', 'creer')); $newmenu->add("/comm/mailing/list.php?leftmenu=mailing", $titlelist, 1, $user->hasRight('mailing', 'lire')); } 
@@ -2525,16 +2525,16 @@ function get_left_menu_members($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen // Load translation files required by the page $langs->loadLangs(array("members", "compta")); - $newmenu->add("/adherents/index.php?leftmenu=members&mainmenu=members", $langs->trans("Members"), 0, $user->hasRight('adherent', 'read'), '', $mainmenu, 'members', 0, '', '', '', img_picto('', 'member', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/adherents/card.php?leftmenu=members&action=create", $langs->trans("NewMember"), 1, $user->hasRight('adherent', 'write')); + $newmenu->add("/adherents/index.php?leftmenu=members&mainmenu=members", $langs->trans("Members"), 0, $user->hasRight('adherent', 'read'), '', $mainmenu, 'members', 0, '', '', '', img_picto('', 'member', 'class="paddingright pictofixedwidth"')); + $newmenu->add("/adherents/card.php?leftmenu=members&action=create", $langs->trans("NewMember"), 1, $user->hasRight('adherent', 'write')); $newmenu->add("/adherents/list.php?leftmenu=members", $langs->trans("List"), 1, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=-1", $langs->trans("MenuMembersToValidate"), 2, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1", $langs->trans("MenuMembersValidated"), 2, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=waitingsubscription", $langs->trans("WaitingSubscription"), 3, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=uptodate", $langs->trans("UpToDate"), 3, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=outofdate", $langs->trans("OutOfDate"), 3, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=0", $langs->trans("MenuMembersResiliated"), 2, $user->hasRight('adherent', 'read')); 
- $newmenu->add("/adherents/list.php?leftmenu=members&statut=-2", $langs->trans("MenuMembersExcluded"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=-1", $langs->trans("MenuMembersToValidate"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1", $langs->trans("MenuMembersValidated"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=waitingsubscription", $langs->trans("WaitingSubscription"), 3, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=uptodate", $langs->trans("UpToDate"), 3, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=outofdate", $langs->trans("OutOfDate"), 3, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=0", $langs->trans("MenuMembersResiliated"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=-2", $langs->trans("MenuMembersExcluded"), 2, $user->hasRight('adherent', 'read')); $newmenu->add("/adherents/stats/index.php?leftmenu=members", $langs->trans("MenuMembersStats"), 1, $user->hasRight('adherent', 'read')); $newmenu->add("/adherents/cartes/carte.php?leftmenu=export", $langs->trans("MembersCards"), 1, $user->hasRight('adherent', 'export')); 
@@ -2554,7 +2554,7 @@ function get_left_menu_members($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen // Type $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members", $langs->trans("MembersTypes"), 0, $user->hasRight('adherent', 'configurer'), '', $mainmenu, 'setup', 0, '', '', '', img_picto('', 'members', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members&action=create", $langs->trans("New"), 1, $user->hasRight('adherent', 'configurer')); + $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members&action=create", $langs->trans("New"), 1, $user->hasRight('adherent', 'configurer')); $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members", $langs->trans("List"), 1, $user->hasRight('adherent', 'configurer')); } } diff --git a/htdocs/core/modules/modAgenda.class.php b/htdocs/core/modules/modAgenda.class.php index bc0d440bad8..0cbbbb0dd8b 100644 --- a/htdocs/core/modules/modAgenda.class.php +++ b/htdocs/core/modules/modAgenda.class.php @@ -249,7 +249,7 @@ class modAgenda extends DolibarrModules 'type' => 'left', 'titre' => 'NewAction', 'mainmenu' => 'agenda', - 'url' => '/comm/action/card.php?mainmenu=agenda&leftmenu=agenda&action=create', + 'url' => '/comm/action/card.php?mainmenu=agenda&leftmenu=agenda&action=create', 'langs' => 'commercial', 'position' => 101, 'perms' => '($user->hasRight("agenda", "myactions", "create") || $user->hasRight("agenda", "allactions", "create"))', diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index 56d300c9b8f..e0cd273c028 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -2848,7 +2848,7 @@ if ($action != 'create' && $action != 'edit' && $action != 'editline') { if ($remaintopay == 0) { print '
'.$langs->trans('DoPayment').'
'; } else { - print ''; + print ''; } } diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index 1d330322f87..39d971bba99 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -4094,7 +4094,7 @@ if ($action == 'create') { // Create payment if ($object->type != FactureFournisseur::TYPE_CREDIT_NOTE && $object->status == FactureFournisseur::STATUS_VALIDATED && $object->paid == 0) { - print ''.$langs->trans('DoPayment').''; // must use facid because id is for payment id not invoice + print ''.$langs->trans('DoPayment').''; // must use facid because id is for payment id not invoice } // Reverse back money or convert to reduction @@ -4104,7 +4104,7 @@ if ($action == 'create') { if ($resteapayer == 0) { print ''.$langs->trans('DoPaymentBack').''; } else { - print ''.$langs->trans('DoPaymentBack').''; + print ''.$langs->trans('DoPaymentBack').''; } } @@ -4154,7 +4154,7 @@ if ($action == 'create') { // Create a credit note if (($object->type == FactureFournisseur::TYPE_STANDARD || $object->type == FactureFournisseur::TYPE_DEPOSIT) && $object->status > 0 && $usercancreate) { if (!$objectidnext) { - print ''.$langs->trans("CreateCreditNote").''; + print ''.$langs->trans("CreateCreditNote").''; } } diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index cacc2c3e002..774e274a426 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php 
@@ -1206,7 +1206,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard' if ($showcardpaymentmode && $object->client) { $morehtmlright = ''; if (getDolGlobalString('STRIPE_ALLOW_LOCAL_CARD')) { - $morehtmlright .= dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?socid='.$object->id.'&action=createcard'); + $morehtmlright .= dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?socid='.$object->id.'&action=createcard'); } print load_fiche_titre($langs->trans('CreditCard'), $morehtmlright, 'fa-credit-card'); //($stripeacc ? ' (Stripe connection with StripeConnect account '.$stripeacc.')' : ' (Stripe connection with keys from Stripe module setup)') @@ -1557,7 +1557,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard' // List of bank accounts if ($permissiontoaddupdatepaymentinformation) { - $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"] . '?socid=' . $object->id . '&action=create'); + $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"] . '?socid=' . $object->id . '&action=create'); } print load_fiche_titre($langs->trans("BankAccounts"), $morehtmlright, 'bank'); diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php index 2b31b7097f0..c098ac3c762 100644 --- a/htdocs/user/bank.php +++ b/htdocs/user/bank.php 
@@ -836,7 +836,7 @@ if ($action != 'edit' && $action != 'create') { // If not bank account yet, $ac $morehtmlright = ''; if ($account->id == 0) { if ($permissiontoaddbankaccount) { - $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?id='.$object->id.'&action=create'); + $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?id='.$object->id.'&action=create'); } else { $morehtmlright = dolGetButtonTitle($langs->trans('Add'), $langs->trans('NotEnoughPermissions'), 'fa fa-plus-circle', '', '', -2); } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 28c2bcf6f90..bfb49309025 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php 
@@ -828,6 +828,24 @@ class SecurityTest extends CommonClassTest $this->assertEquals($stringfixed, $result, 'Error in dolPrintHTMLForAttribute test 2'); // Expected '' because should failed because login 'auto' does not exists + // dolPrintHTMLForAttributeUrl - With dolPrintHTMLForAttributeUrl(), the param should already be and HTML URL encoded + + $stringtotest = "aa & & a=%10"; + $stringfixed = "aa & & a=%10"; + // $result = dol_escape_htmltag(dol_string_onlythesehtmltags($s, 1, 1, 1, 0, array()), 0, 0, '', $escapeonlyhtmltags, 1); + $result = dolPrintHTMLForAttributeUrl($stringtotest); + print __METHOD__." result=".$result."\n"; + $this->assertEquals($stringfixed, $result, 'Error in dolPrintHTMLForAttributeUrl test 1'); // Expected '' because should failed because login 'auto' does not exists + + // For a string that is already HTML (contains HTML tags) with special tags but badly formatted + $stringtotest = "aa & & a=%10"; + $stringfixed = "aa & & a=%10"; + // $result = dol_escape_htmltag(dol_string_onlythesehtmltags($s, 1, 1, 1, 0, array()), 0, 0, '', $escapeonlyhtmltags, 1); + $result = dolPrintHTMLForAttributeUrl($stringtotest); + print __METHOD__." result=".$result."\n"; + $this->assertEquals($stringfixed, $result, 'Error in dolPrintHTMLForAttributeUrl test 2'); // Expected '' because should failed because login 'auto' does not exists + + // dolPrintHTML /* diff --git a/test/phpunit/test.php b/test/phpunit/test.php index 6e8f0c8565a..bd471275f1f 100755 --- a/test/phpunit/test.php +++ b/test/phpunit/test.php 
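Review bot: The trailing comment on both new assertions, `// Expected '' because should failed because login 'auto' does not exists`, is copied from an unrelated test and does not describe what dolPrintHTMLForAttributeUrl() is expected to return; replace the first with `// Already an HTML-encoded URL: must come back unchanged` and the second with `// Tags in the value must be stripped, the rest left as is`. The comment above the second case says the input "is already HTML (contains HTML tags)", yet as rendered here both `$stringtotest` values read identically, so if the second input really differs, its `$stringfixed` should make the stripping visible. The commented-out `// $result = dol_escape_htmltag(...)` lines duplicate the function body and will drift; they can be dropped.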
@@ -12,18 +12,30 @@ include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $langs->setDefaultLang('fr'); $langs->loadLangs(array('main', 'companies')); -var_dump($langs->tab_translate["Preview"]); +$s = 'aa & & a=%10'; +print $s."\n"; +//print dol_htmlentitiesbr($s)."\n"; +//print dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1); +print dolPrintHTMLForAttributeUrl('aa & & a=%10'); +print "\n"; +$s = 'aa & & a=%10'; +print $s."\n"; +//print dol_htmlentitiesbr($s)."\n"; +//print dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1); +print dolPrintHTMLForAttributeUrl('aa & & a=%10'); +print "\n"; + print $langs->tr("Preview"); print "\n"; print $langs->trans("Preview"); print "\n"; -print ">>> dol_escape_htmltag(eée < > bbbold ç) - should not happen\n"; -print dol_escape_htmltag("eée < > bbbold ç", 1); +print ">>> dol_escape_htmltag(< > bbbold ç &) - should not happen\n"; +print dol_escape_htmltag("< > bbbold ç &", 1); print "\n"; -print ">>> dol_escape_htmltag(eée < > bbbold ç)\n"; -print dol_escape_htmltag("eée < > bbbold ç", 1); +print ">>> dol_escape_htmltag(< > bbbold ç &)\n"; +print dol_escape_htmltag("< > bbbold ç &", 1); print "\n"; print '>>> dol_escape_htmltag(<script>alert("azerty")</script>)'."\n"; print dol_escape_htmltag('<script>alert("azerty")</script>', 1); 
@@ -32,11 +44,11 @@ print "\n"; print "\n"; // dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 1, 1, array())), 1, 1, 'common', 0, 1); -print ">>> dolPrintHtml(eée < > bbbold ç) - should not happen\n"; -print dolPrintHtml("eée < > bbbold ç"); +print ">>> dolPrintHtml(< > bbbold ç &) - should not happen\n"; +print dolPrintHtml("< > bbbold ç &"); print "\n"; -print ">>> dolPrintHtml(eée < > bbbold ç)\n"; -print dolPrintHtml("eée < > bbbold ç"); +print ">>> dolPrintHtml(< > bbbold ç &)\n"; +print dolPrintHtml("< > bbbold ç &"); print "\n"; print '>>> dolPrintHtml(<script>alert("azerty")</script>)'."\n"; print dolPrintHtml('<script>alert("azerty")</script>'); @@ -45,11 +57,11 @@ print "\n"; print "\n"; // dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1); -print ">>> dolPrintHtmlForattribute(eée < > bbbold ç)\n"; -print dolPrintHTMLForAttribute("eée < > bbbold ç"); +print ">>> dolPrintHtmlForattribute(< > bbbold ç & )\n"; +print dolPrintHTMLForAttribute("< > bbbold ç &"); print "\n"; -print ">>> dolPrintHTMLForAttribute(eée < > bbbold ç)\n"; -print dolPrintHTMLForAttribute("eée < > bbbold ç"); +print ">>> dolPrintHTMLForAttribute(< > bbbold ç &)\n"; +print dolPrintHTMLForAttribute("< > bbbold ç &"); print "\n"; print '>>> dolPrintHtmlForattribute(<script>alert("azerty")</script>)'."\n"; print dolPrintHTMLForAttribute('<script>alert("azerty")</script>'); From e75b72d46764b252aa1eb4bd5308562ff11e88d6 Mon Sep 17 00:00:00 2001 From: "Laurent Destailleur (aka Eldy)" Date: Thu, 9 Jan 2025 13:58:06 +0100 Subject: [PATCH 16/33] Add OVER on list of reserved words --- htdocs/core/actions_extrafields.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/core/actions_extrafields.inc.php b/htdocs/core/actions_extrafields.inc.php index f1a7eca0c50..3c52491d4cb 100644 --- a/htdocs/core/actions_extrafields.inc.php 
+++ b/htdocs/core/actions_extrafields.inc.php 
@@ -61,13 +61,14 @@ if ($type == 'select') { $extrasize = ''; } +// List of reserved words for databases $listofreservedwords = array( 'ADD', 'ALL', 'ALTER', 'ANALYZE', 'AND', 'AS', 'ASENSITIVE', 'BEFORE', 'BETWEEN', 'BINARY', 'BLOB', 'BOTH', 'CALL', 'CASCADE', 'CASE', 'CHANGE', 'CHAR', 'CHARACTER', 'CHECK', 'COLLATE', 'COLUMN', 'CONDITION', 'CONSTRAINT', 'CONTINUE', 'CONVERT', 'CREATE', 'CROSS', 'CURRENT_DATE', 'CURRENT_TIME', 'CURRENT_TIMESTAMP', 'CURRENT_USER', 'CURSOR', 'DATABASE', 'DATABASES', 'DAY_HOUR', 'DAY_MICROSECOND', 'DAY_MINUTE', 'DAY_SECOND', 'DECIMAL', 'DECLARE', 'DEFAULT', 'DELAYED', 'DELETE', 'DESC', 'DESCRIBE', 'DETERMINISTIC', 'DISTINCT', 'DISTINCTROW', 'DOUBLE', 'DROP', 'DUAL', 'EACH', 'ELSE', 'ELSEIF', 'ENCLOSED', 'ESCAPED', 'EXISTS', 'EXPLAIN', 'FALSE', 'FETCH', 'FLOAT', 'FLOAT4', 'FLOAT8', 'FORCE', 'FOREIGN', 'FULLTEXT', 'GRANT', 'GROUP', 'HAVING', 'HIGH_PRIORITY', 'HOUR_MICROSECOND', 'HOUR_MINUTE', 'HOUR_SECOND', 'IGNORE', 'IGNORE_SERVER_IDS', 'INDEX', 'INFILE', 'INNER', 'INOUT', 'INSENSITIVE', 'INSERT', 'INT', 'INTEGER', 'INTERVAL', 'INTO', 'ITERATE', 'KEYS', 'KEYWORD', 'LEADING', 'LEAVE', 'LEFT', 'LIKE', 'LIMIT', 'LINES', 'LOCALTIME', 'LOCALTIMESTAMP', 'LONGBLOB', 'LONGTEXT', 'MASTER_SSL_VERIFY_SERVER_CERT', 'MATCH', 'MEDIUMBLOB', 'MEDIUMINT', 'MEDIUMTEXT', 'MIDDLEINT', 'MINUTE_MICROSECOND', 'MINUTE_SECOND', 'MODIFIES', 'NATURAL', 'NOT', 'NO_WRITE_TO_BINLOG', 'NUMERIC', - 'OFFSET', 'ON', 'OPTION', 'OPTIONALLY', 'OUTER', 'OUTFILE', + 'OFFSET', 'ON', 'OPTION', 'OPTIONALLY', 'OUTER', 'OUTFILE', 'OVER', 'PARTITION', 'POSITION', 'PRECISION', 'PRIMARY', 'PROCEDURE', 'PURGE', 'RANGE', 'READS', 'READ_WRITE', 'REAL', 'REFERENCES', 'REGEXP', 'RELEASE', 'RENAME', 'REPEAT', 'REQUIRE', 'RESTRICT', 'RETURN', 'REVOKE', 'RIGHT', 'RLIKE', 'SCHEMAS', 'SECOND_MICROSECOND', 'SENSITIVE', 'SEPARATOR', 'SIGNAL', 'SMALLINT', 'SPATIAL', 'SPECIFIC', 'SQLEXCEPTION', 'SQLSTATE', 'SQLWARNING', 'SQL_BIG_RESULT', 'SQL_CALC_FOUND_ROWS', 'SQL_SMALL_RESULT', 'SSL', 
'STARTING', 'STRAIGHT_JOIN', 'TABLE', 'TERMINATED', 'TINYBLOB', 'TINYINT', 'TINYTEXT', 'TRAILING', 'TRIGGER', 'UNDO', 'UNIQUE', 'UNSIGNED', 'UPDATE', 'USAGE', 'USING', 'UTC_DATE', 'UTC_TIME', 'UTC_TIMESTAMP', 'VALUES', 'VARBINARY', 'VARCHAR', 'VARYING', From 9aa24d9d9aeab36358c725dae3fe20c9631082e7 Mon Sep 17 00:00:00 2001 
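Review bot: The new comment `// List of reserved words for databases` does not say which dialect or version the list tracks, which matters because it is hand-maintained (this commit adds only `OVER`); the entries (`FLOAT4`, `SQL_CALC_FOUND_ROWS`, `NO_WRITE_TO_BINLOG`) are MySQL-flavoured, so something like `// Reserved words (MySQL/MariaDB) that must not be used as an extrafield attribute name` would be more useful, if that is indeed the list's purpose. If the list is meant to follow MySQL 8.0, `OVER` became reserved together with `WINDOW`, `ROWS` and `GROUPS`, so those are probably missing as well. Plain keywords such as SELECT, FROM, ORDER, KEY and NULL are also absent; if that is deliberate, the comment should record why. The array literal continues past the end of the hunk.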
From: "Laurent Destailleur (aka Eldy)" Date: Wed, 8 Jan 2025 17:41:45 +0100 Subject: [PATCH 17/33] FIX CVE-2024-55227 and CVE-2024-55228 CSRF when MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY is on (hidden option not on by default) --- .../class/accountingjournal.class.php | 4 +- .../accountancy/class/bookkeeping.class.php | 4 +- htdocs/adherents/class/adherent.class.php | 4 +- .../adherents/class/adherent_type.class.php | 2 +- htdocs/admin/user.php | 10 ++-- htdocs/asset/class/asset.class.php | 4 +- htdocs/asset/class/assetmodel.class.php | 4 +- htdocs/bom/class/bom.class.php | 4 +- htdocs/bom/class/bomline.class.php | 4 +- htdocs/bookcal/class/availabilities.class.php | 4 +- htdocs/bookcal/class/calendar.class.php | 4 +- htdocs/bookmarks/class/bookmark.class.php | 4 +- htdocs/categories/class/categorie.class.php | 4 +- htdocs/comm/action/class/actioncomm.class.php | 6 +- htdocs/comm/mailing/class/mailing.class.php | 4 +- htdocs/comm/propal/class/propal.class.php | 4 +- htdocs/commande/class/commande.class.php | 4 +- htdocs/compta/bank/class/account.class.php | 4 +- .../bank/class/paymentvarious.class.php | 4 +- .../cashcontrol/class/cashcontrol.class.php | 4 +- htdocs/compta/facture/class/facture.class.php | 4 +- .../cheque/class/remisecheque.class.php | 4 +- .../compta/paiement/class/paiement.class.php | 4 +- .../sociales/class/chargesociales.class.php | 4 +- htdocs/compta/tva/class/tva.class.php | 4 +- htdocs/contact/class/contact.class.php | 4 +- htdocs/contrat/class/contrat.class.php | 4 +- htdocs/contrat/class/contratligne.class.php | 2 +- htdocs/core/class/fiscalyear.class.php | 4 +- htdocs/core/class/timespent.class.php | 4 +- htdocs/core/lib/functions.lib.php | 57 +++++++++++++++--- htdocs/cron/class/cronjob.class.php | 4 +- htdocs/delivery/class/delivery.class.php | 2 +- htdocs/ecm/class/ecmfiles.class.php | 4 +- .../class/emailcollector.class.php | 4 +- .../class/emailcollectoraction.class.php | 4 +- .../class/emailcollectorfilter.class.php | 4 +- 
.../class/conferenceorbooth.class.php | 4 +- .../class/conferenceorboothattendee.class.php | 4 +- htdocs/expedition/class/expedition.class.php | 4 +- .../class/expensereport.class.php | 4 +- htdocs/fichinter/class/fichinter.class.php | 4 +- .../class/fournisseur.commande.class.php | 4 +- .../fourn/class/fournisseur.facture.class.php | 4 +- .../fourn/class/fournisseur.product.class.php | 4 +- htdocs/fourn/class/paiementfourn.class.php | 4 +- htdocs/holiday/class/holiday.class.php | 4 +- htdocs/hrm/class/establishment.class.php | 4 +- htdocs/hrm/class/evaluation.class.php | 4 +- htdocs/hrm/class/evaluationdet.class.php | 4 +- htdocs/hrm/class/job.class.php | 4 +- htdocs/hrm/class/skill.class.php | 4 +- htdocs/hrm/class/skilldet.class.php | 4 +- htdocs/hrm/class/skillrank.class.php | 4 +- .../class/intracommreport.class.php | 4 +- .../class/knowledgerecord.class.php | 4 +- htdocs/loan/class/loan.class.php | 4 +- .../template/class/myobject.class.php | 4 +- htdocs/mrp/class/mo.class.php | 4 +- .../class/opensurveysondage.class.php | 4 +- .../partnership/class/partnership.class.php | 4 +- .../class/partnership_type.class.php | 4 +- .../class/productfournisseurprice.class.php | 4 +- .../inventory/class/inventory.class.php | 4 +- htdocs/product/stock/class/entrepot.class.php | 4 +- .../product/stock/class/productlot.class.php | 4 +- .../class/stocktransfer.class.php | 4 +- .../class/stocktransferline.class.php | 4 +- htdocs/projet/class/project.class.php | 4 +- htdocs/projet/class/task.class.php | 4 +- htdocs/reception/class/reception.class.php | 4 +- .../class/recruitmentcandidature.class.php | 4 +- .../class/recruitmentjobposition.class.php | 4 +- htdocs/resource/class/dolresource.class.php | 4 +- htdocs/salaries/class/paymentsalary.class.php | 4 +- htdocs/salaries/class/salary.class.php | 4 +- .../class/companypaymentmode.class.php | 4 +- htdocs/societe/class/societe.class.php | 4 +- htdocs/societe/class/societeaccount.class.php | 4 +- 
.../class/supplier_proposal.class.php | 4 +- htdocs/ticket/class/cticketcategory.class.php | 4 +- htdocs/ticket/class/ticket.class.php | 4 +- htdocs/user/card.php | 4 +- htdocs/user/class/user.class.php | 4 +- htdocs/user/class/usergroup.class.php | 2 +- htdocs/webhook/class/target.class.php | 4 +- htdocs/website/class/websitepage.class.php | 4 +- .../workstation/class/workstation.class.php | 4 +- htdocs/zapier/class/hook.class.php | 4 +- test/phpunit/SecurityTest.php | 60 ++++++++++++++++--- test/phpunit/test.php | 46 ++++++++++++++ 91 files changed, 326 insertions(+), 189 deletions(-) create mode 100755 test/phpunit/test.php diff --git a/htdocs/accountancy/class/accountingjournal.class.php b/htdocs/accountancy/class/accountingjournal.class.php index 4135e982d14..3cc0aa41007 100644 --- a/htdocs/accountancy/class/accountingjournal.class.php +++ b/htdocs/accountancy/class/accountingjournal.class.php @@ -189,9 +189,9 @@ class AccountingJournal extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowAccountingJournal"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip"'; } diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php index f8573c3f75e..f34694ef5bc 100644 --- a/htdocs/accountancy/class/bookkeeping.class.php +++ b/htdocs/accountancy/class/bookkeeping.class.php 
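Review bot: The replacement call is spelled `dolPrintHtmlForAttribute` in this hunk and in nearly every other class-file hunk of this patch (bookkeeping, adherent, asset, assetmodel, bom, bomline, availabilities, calendar, bookmark, categorie, mailing, propal, commande, account, paymentvarious, cashcontrol, facture, remisecheque, paiement, chargesociales, tva, contact, contrat, fiscalyear, timespent), while the actioncomm hunk and the definition in htdocs/core/lib/functions.lib.php use `dolPrintHTMLForAttribute`. PHP resolves function names case-insensitively so this runs, but the mixed spelling defeats grep-based audits of which call sites were migrated off `dol_escape_htmltag($label, 1)` and trips case-sensitive linters; use the declared spelling `dolPrintHTMLForAttribute($label)` everywhere. The method these lines belong to starts and ends outside the hunk.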
@@ -529,9 +529,9 @@ class BookKeeping extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowTransaction"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index a401823fc3c..42c1f192825 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -2382,9 +2382,9 @@ class Adherent extends CommonObject if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $langs->load("users"); $label = $langs->trans("ShowUser"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"'; } diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php index 2947f20b158..cf33af23343 100644 --- a/htdocs/adherents/class/adherent_type.class.php +++ b/htdocs/adherents/class/adherent_type.class.php @@ -780,7 +780,7 @@ class AdherentType extends CommonObject } } $linkstart = ''; $linkend = ''; diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php index bbc06499e6e..0c957617ce1 100644 --- a/htdocs/admin/user.php +++ b/htdocs/admin/user.php 
@@ -163,9 +163,9 @@ print ''; print ''; print ''.$langs->trans("UserMailRequired").''; -print ' '; +print ' '; -print ''; +print ''; if ($conf->use_javascript_ajax) { print ajax_constantonoff('USER_MAIL_REQUIRED'); } else { @@ -181,9 +181,9 @@ print ''; print ''; print ''.$langs->trans("UserHideInactive").''; -print ' '; +print ' '; -print ''; +print ''; if ($conf->use_javascript_ajax) { print ajax_constantonoff('USER_HIDE_INACTIVE_IN_COMBOBOX'); } else { @@ -325,7 +325,7 @@ foreach ($dirmodels as $reldir) { if ($module->type == 'pdf') { print ''.img_object($langs->trans("Preview"), 'pdf').''; } else { - print img_object($langs->trans("PreviewNotAvailable"), 'generic'); + print img_object($langs->transnoentitiesnoconv("PreviewNotAvailable"), 'generic'); } print ''; diff --git a/htdocs/asset/class/asset.class.php b/htdocs/asset/class/asset.class.php index 9dc62995ffc..75566f379a7 100644 --- a/htdocs/asset/class/asset.class.php +++ b/htdocs/asset/class/asset.class.php @@ -1408,9 +1408,9 @@ class Asset extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowAsset"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/asset/class/assetmodel.class.php b/htdocs/asset/class/assetmodel.class.php index 753b89a4a35..56852c052d6 100644 --- a/htdocs/asset/class/assetmodel.class.php +++ b/htdocs/asset/class/assetmodel.class.php 
@@ -619,9 +619,9 @@ class AssetModel extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowAssetModel"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/bom/class/bom.class.php b/htdocs/bom/class/bom.class.php index b6fa70ade31..f204993c892 100644 --- a/htdocs/bom/class/bom.class.php +++ b/htdocs/bom/class/bom.class.php @@ -1159,9 +1159,9 @@ class BOM extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowBillOfMaterials"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/bom/class/bomline.class.php b/htdocs/bom/class/bomline.class.php index 92328b09fcd..5ebd98a756c 100644 --- a/htdocs/bom/class/bomline.class.php +++ b/htdocs/bom/class/bomline.class.php 
@@ -387,9 +387,9 @@ class BOMLine extends CommonObjectLine if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowBillOfMaterialsLine"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/bookcal/class/availabilities.class.php b/htdocs/bookcal/class/availabilities.class.php index 1c5b7c78424..d072343caae 100644 --- a/htdocs/bookcal/class/availabilities.class.php +++ b/htdocs/bookcal/class/availabilities.class.php @@ -756,9 +756,9 @@ class Availabilities extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowAvailabilities"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/bookcal/class/calendar.class.php b/htdocs/bookcal/class/calendar.class.php index a1acf818ba9..c96fbe2da34 100644 --- a/htdocs/bookcal/class/calendar.class.php +++ b/htdocs/bookcal/class/calendar.class.php 
@@ -742,9 +742,9 @@ class Calendar extends CommonObject if (empty($notooltip)) { if (getDolGlobalInt('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowCalendar"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php index a386876a7d6..f58d1839389 100644 --- a/htdocs/bookmarks/class/bookmark.class.php +++ b/htdocs/bookmarks/class/bookmark.class.php @@ -319,9 +319,9 @@ class Bookmark extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowBookmark"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index 09e0cb52c47..21a642afd22 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php 
@@ -1811,9 +1811,9 @@ class Categorie extends CommonObject if (empty($notooltip)) { if (getDolGlobalInt('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowMyObject"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.' '.$forced_color.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ' class="'.$forced_color.($morecss ? ' '.$morecss : '').'"'; diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 249e342d5fc..a96ec4e0e82 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1658,6 +1658,7 @@ class ActionComm extends CommonObject $datas['note'] .= (dol_textishtml($texttoshow) ? str_replace(array("\r", "\n"), "", $texttoshow) : str_replace(array("\r", "\n"), '
', $texttoshow)); $datas['note'] .= ''; } + // show categories for this record only in ajax to not overload lists if (isModEnabled('category') && !$nofetch) { require_once DOL_DOCUMENT_ROOT . '/categories/class/categorie.class.php'; @@ -1767,6 +1768,7 @@ class ActionComm extends CommonObject $tooltip .= (dol_textishtml($texttoshow) ? str_replace(array("\r", "\n"), "", $texttoshow) : str_replace(array("\r", "\n"), '
', $texttoshow)); $tooltip .= ''; } + $linkclose = ''; $classfortooltip = 'classfortooltip'; $dataparams = ''; @@ -1784,9 +1786,9 @@ class ActionComm extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowAction"); - $linkclose .= ' alt="'.dol_escape_htmltag($tooltip, 1).'"'; + $linkclose .= ' alt="'.dolPrintHTMLForAttribute($tooltip).'"'; } - $linkclose .= ($tooltip ? ' title="'.dol_escape_htmltag($tooltip, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($tooltip ? ' title="'.dolPrintHTMLForAttribute($tooltip).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classname.' '.$classfortooltip.'"'; } else { $linkclose .= ' class="'.$classname.'"'; diff --git a/htdocs/comm/mailing/class/mailing.class.php b/htdocs/comm/mailing/class/mailing.class.php index facaec0753f..d86745f21e9 100644 --- a/htdocs/comm/mailing/class/mailing.class.php +++ b/htdocs/comm/mailing/class/mailing.class.php @@ -852,9 +852,9 @@ class Mailing extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowEMailing"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 31bb5a8dd73..077f2446540 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php 
@@ -3831,9 +3831,9 @@ class Propal extends CommonObject if (empty($notooltip) && $user->hasRight('propal', 'lire')) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("Proposal"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.'"'; } diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 069b76a9c88..26efa02d0d5 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -3898,9 +3898,9 @@ class Commande extends CommonOrder if (empty($notooltip) && $user->hasRight('commande', 'lire')) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("Order"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.'"'; $target_value = array('_self', '_blank', '_parent', '_top'); diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index 73ee30a83fe..37050661838 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php 
@@ -1597,9 +1597,9 @@ class Account extends CommonObject if (empty($notooltip)) { if (getDolGlobalInt('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("BankAccount"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php index 1fa01691f34..b474592d93d 100644 --- a/htdocs/compta/bank/class/paymentvarious.class.php +++ b/htdocs/compta/bank/class/paymentvarious.class.php @@ -724,9 +724,9 @@ class PaymentVarious extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowMyObject"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/compta/cashcontrol/class/cashcontrol.class.php b/htdocs/compta/cashcontrol/class/cashcontrol.class.php index d2bbbf5b545..0e71db22c62 100644 --- a/htdocs/compta/cashcontrol/class/cashcontrol.class.php +++ b/htdocs/compta/cashcontrol/class/cashcontrol.class.php 
@@ -463,9 +463,9 @@ class CashControl extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowMyObject"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index a3e40af94e9..a3e4ef47bef 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -2109,9 +2109,9 @@ class Facture extends CommonInvoice if (empty($notooltip) && $user->hasRight("facture", "read")) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("Invoice"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.'"'; } diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php index 17527a26591..fae7d4894aa 100644 --- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php +++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php 
@@ -964,9 +964,9 @@ class RemiseCheque extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowCheckReceipt"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index cbe1c9b4111..29b19528619 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php @@ -1415,9 +1415,9 @@ class Paiement extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("Payment"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php index fcfffab7b7c..7e64a35e963 100644 --- a/htdocs/compta/sociales/class/chargesociales.class.php +++ b/htdocs/compta/sociales/class/chargesociales.class.php 
@@ -688,9 +688,9 @@ class ChargeSociales extends CommonObject if (empty($notooltip) && $user->hasRight("facture", "read")) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("SocialContribution"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip"'; } diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index 9ed504b6a13..1b68ceaf8ae 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -783,9 +783,9 @@ class Tva extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowMyObject"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"'; $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 082639332be..1e19a39b9f6 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php 
@@ -1571,9 +1571,9 @@ class Contact extends CommonObject if (empty($notooltip)) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowContact"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"'; } else { $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index 0f83d2dc1f4..ea22c7c335b 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -2133,9 +2133,9 @@ class Contrat extends CommonObject if (empty($notooltip) && $user->hasRight('contrat', 'lire')) { if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) { $label = $langs->trans("ShowContract"); - $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"'; } - $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"'); + $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"'); $linkclose .= $dataparams.' class="'.$classfortooltip.'"'; } $linkstart = ''; $linkend = ''; diff --git a/htdocs/core/class/fiscalyear.class.php b/htdocs/core/class/fiscalyear.class.php index 0edc34a55a3..49199c22397 100644 --- a/htdocs/core/class/fiscalyear.class.php +++ b/htdocs/core/class/fiscalyear.class.php 
@@ -355,9 +355,9 @@ class Fiscalyear extends CommonObject
 if (empty($notooltip) && $user->hasRight('accounting', 'fiscalyear', 'write')) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("FiscalPeriod");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' title="'.dolPrintHtmlForAttribute($label).'"';
 $linkclose .= $dataparams.' class="'.$classfortooltip.'"';
 }
diff --git a/htdocs/core/class/timespent.class.php b/htdocs/core/class/timespent.class.php
index d0736d63a9c..8619d3c182e 100644
--- a/htdocs/core/class/timespent.class.php
+++ b/htdocs/core/class/timespent.class.php
@@ -757,9 +757,9 @@ class TimeSpent extends CommonObject
 if (empty($notooltip)) {
 if (getDolGlobalString('MAIN_OPTIMIZEFORTEXTBROWSER')) {
 $label = $langs->trans("ShowTimeSpent");
- $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
+ $linkclose .= ' alt="'.dolPrintHtmlForAttribute($label).'"';
 }
- $linkclose .= ($label ? ' title="'.dol_escape_htmltag($label, 1).'"' : ' title="tocomplete"');
+ $linkclose .= ($label ? ' title="'.dolPrintHtmlForAttribute($label).'"' : ' title="tocomplete"');
 $linkclose .= $dataparams.' class="'.$classfortooltip.($morecss ? ' '.$morecss : '').'"';
 } else {
 $linkclose = ($morecss ? ' class="'.$morecss.'"' : '');
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e6ad6bab5c4..64d1f2137fa 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -2010,6 +2010,7 @@ function dolPrintText($s)
 /**
 * Return a string (that can be on several lines) ready to be output on a HTML page.
 * To output a text inside an attribute, you can use dolPrintHTMLForAttribute() or dolPrintHTMLForTextArea() inside a textarea
+ * With dolPrintHTML(), only content not already in HTML is encoded with HTML.
 *
 * @param string $s String to print
 * @param int $allowiframe Allow iframe tags
@@ -2023,6 +2024,7 @@ function dolPrintHTML($s, $allowiframe = 0)
 /**
 * Return a string ready to be output on an HTML attribute (alt, title, data-html, ...)
+ * With dolPrintHTMLForAttribute(), the content is HTML encode, even if it is already HTML content.
 *
 * @param string $s String to print
 * @return string String ready for HTML output
@@ -2032,7 +2034,7 @@ function dolPrintHTMLForAttribute($s)
 {
 // The dol_htmlentitiesbr will convert simple text into html
 // The dol_escape_htmltag will escape html chars.
- return dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'span')), 1, -1, '', 0, 1);
+ return dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1);
 }
 /**
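Review bot: The added docblock sentence on dolPrintHTMLForAttribute reads `the content is HTML encode`; suggest `* With dolPrintHTMLForAttribute(), the content is HTML-encoded, even if it is already HTML content.` In the third hunk, the `array('br', 'b', 'font', 'hr', 'span')` allowlist is what decides which markup survives into attribute values (which tooltips presumably render later), yet the commit extends it with `hr` without recording why; a short comment above the return such as `// Tags allowed to survive inside attribute values (tooltip content); keep this list minimal and document additions` would make future extensions deliberate. The two existing `//` comments above the return describe dol_htmlentitiesbr and dol_escape_htmltag but not the dol_string_onlythesehtmltags filtering step in between, so a reader still has to infer the pipeline order from the nested call.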
@@ -2071,7 +2073,7 @@ function dolPrintPassword($s) * @param string $stringtoescape String to escape * @param int $keepb 1=Replace b tags with escaped value (except if in $noescapetags), 0=Remove them completely * @param int $keepn 1=Preserve \r\n strings, 0=Replace them with escaped value, -1=Remove them. Set to 1 when escaping for a '; + print ''; + + // Go Source Invoice (useful when there are many invoices) + if ($action != 'add_paiement' && getDolGlobalString('FACTURE_PAYMENTS_SHOW_LINK_TO_INPUT_ORIGIN_IS_MORE_THAN')) { + print ''; + print ''; + print ''.$langs->trans("GoSourceInvoice").''; print ''; + } - // Payment mode - print ''.$langs->trans('PaymentMode').''; - $form->select_types_paiements((GETPOST('paiementcode') ? GETPOST('paiementcode') : $facture->mode_reglement_code), 'paiementcode', '', 2); - print "\n"; - print ''; + print ''; - // Bank account - print ''; - if (isModEnabled("bank")) { - if ($facture->type != 2) { - print ''.$langs->trans('AccountToCredit').''; - } + print dol_get_fiche_end(); + + + /* + * List of unpaid invoices + */ + + $sql = 'SELECT f.rowid as facid, f.ref, f.total_ht, f.total_tva, f.total_ttc, f.multicurrency_code, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc, f.type,'; + $sql .= ' f.datef as df, f.fk_soc as socid, f.date_lim_reglement as dlr'; + $sql .= ' FROM '.MAIN_DB_PREFIX.'facture as f'; + $sql .= ' WHERE f.entity IN ('.getEntity('facture').')'; + $sql .= ' AND (f.fk_soc = '.((int) $facture->socid); + // Can pay invoices of all child of parent company + if (getDolGlobalString('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS') && !empty($facture->thirdparty->parent)) { + $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->parent).')'; + } + // Can pay invoices of all child of myself + if (getDolGlobalString('FACTURE_PAYMENTS_ON_SUBSIDIARY_COMPANIES')) { + $sql .= ' OR f.fk_soc IN (SELECT rowid FROM 
'.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->id).')'; + } + $sql .= ') AND f.paye = 0'; + $sql .= ' AND f.fk_statut = 1'; // Statut=0 => not validated, Statut=2 => canceled + if ($facture->type != Facture::TYPE_CREDIT_NOTE) { + $sql .= ' AND type IN (0,1,3,5)'; // Standard invoice, replacement, deposit, situation + } else { + $sql .= ' AND type = 2'; // If paying back a credit note, we show all credit notes + } + // Sort invoices by date and serial number: the older one comes first + $sql .= ' ORDER BY f.datef ASC, f.ref ASC'; + + $resql = $db->query($sql); + if ($resql) { + $num = $db->num_rows($resql); + if ($num > 0) { + $arraytitle = $langs->trans('Invoice'); if ($facture->type == 2) { - print ''.$langs->trans('AccountToDebit').''; + $arraytitle = $langs->trans("CreditNotes"); + } + $alreadypayedlabel = $langs->trans('Received'); + $multicurrencyalreadypayedlabel = $langs->trans('MulticurrencyReceived'); + if ($facture->type == 2) { + $alreadypayedlabel = $langs->trans("PaidBack"); + $multicurrencyalreadypayedlabel = $langs->trans("MulticurrencyPaidBack"); + } + $remaindertopay = $langs->trans('RemainderToTake'); + $multicurrencyremaindertopay = $langs->trans('MulticurrencyRemainderToTake'); + if ($facture->type == 2) { + $remaindertopay = $langs->trans("RemainderToPayBack"); + $multicurrencyremaindertopay = $langs->trans("MulticurrencyRemainderToPayBack"); } - print ''; - print img_picto('', 'bank_account', 'class="pictofixedwidth"'); - print $form->select_comptes($accountid, 'accountid', 0, '', 2, '', (isModEnabled('multicurrency') ? 1 : 0), 'widthcentpercentminusx maxwidth500', 1); - print ''; - } else { - print ' '; - } - print "\n"; + $i = 0; + //print ''; + print '
'; - // Bank check number - print ''.$langs->trans('Numero'); - print ' ('.$langs->trans("ChequeOrTransferNumber").')'; - print ''; - print ''; + print '
'; // You can use div-table-responsive-no-min if you don't need reserved height for your table + print ''; - // Check transmitter - print ''; - print ''; + print ''; + print ''; + print ''; + print ''; + if (isModEnabled('multicurrency')) { + print ''; + print ''; + print ''; + print ''; + print ''; + } + print ''; + print ''; + print ''; + print ''; - // Bank name - print ''; - print ''; + $parameters = array(); + $reshook = $hookmanager->executeHooks('printFieldListTitle', $parameters, $facture, $action); // Note that $action and $object may have been modified by hook - // Comments - print ''; - print ''; + print ''; + print "\n"; - // Go Source Invoice (useful when there are many invoices) - if ($action != 'add_paiement' && getDolGlobalString('FACTURE_PAYMENTS_SHOW_LINK_TO_INPUT_ORIGIN_IS_MORE_THAN')) { - print ''; - print ''; - } + $total_ttc = 0; + $totalrecu = 0; + $totalrecucreditnote = 0; + $totalrecudeposits = 0; + $sign = 1; - print '
'.$langs->trans('CheckTransmitter'); - print ' ('.$langs->trans("ChequeMaker").')'; - print '
'.$arraytitle.''.$langs->trans('Date').''.$langs->trans('DateMaxPayment').''.$langs->trans('Currency').''.$langs->trans('MulticurrencyAmountTTC').''.$multicurrencyalreadypayedlabel.''.$multicurrencyremaindertopay.''.$langs->trans('MulticurrencyPaymentAmount').''.$langs->trans('AmountTTC').''.$alreadypayedlabel.''.$remaindertopay.''.$langs->trans('PaymentAmount').'
'.$langs->trans('Bank'); - print ' ('.$langs->trans("ChequeBank").')'; - print '
'.$langs->trans('Comments').''; - print ''; - print '
 
'; - print ''.$langs->trans("GoSourceInvoice").''; - print '
'; + while ($i < $num) { + $objp = $db->fetch_object($resql); - print dol_get_fiche_end(); - - - /* - * List of unpaid invoices - */ - - $sql = 'SELECT f.rowid as facid, f.ref, f.total_ht, f.total_tva, f.total_ttc, f.multicurrency_code, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc, f.type,'; - $sql .= ' f.datef as df, f.fk_soc as socid, f.date_lim_reglement as dlr'; - $sql .= ' FROM '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE f.entity IN ('.getEntity('facture').')'; - $sql .= ' AND (f.fk_soc = '.((int) $facture->socid); - // Can pay invoices of all child of parent company - if (getDolGlobalString('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS') && !empty($facture->thirdparty->parent)) { - $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->parent).')'; - } - // Can pay invoices of all child of myself - if (getDolGlobalString('FACTURE_PAYMENTS_ON_SUBSIDIARY_COMPANIES')) { - $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->id).')'; - } - $sql .= ') AND f.paye = 0'; - $sql .= ' AND f.fk_statut = 1'; // Statut=0 => not validated, Statut=2 => canceled - if ($facture->type != Facture::TYPE_CREDIT_NOTE) { - $sql .= ' AND type IN (0,1,3,5)'; // Standard invoice, replacement, deposit, situation - } else { - $sql .= ' AND type = 2'; // If paying back a credit note, we show all credit notes - } - // Sort invoices by date and serial number: the older one comes first - $sql .= ' ORDER BY f.datef ASC, f.ref ASC'; - - $resql = $db->query($sql); - if ($resql) { - $num = $db->num_rows($resql); - if ($num > 0) { - $arraytitle = $langs->trans('Invoice'); - if ($facture->type == 2) { - $arraytitle = $langs->trans("CreditNotes"); - } - $alreadypayedlabel = $langs->trans('Received'); - $multicurrencyalreadypayedlabel = $langs->trans('MulticurrencyReceived'); - if ($facture->type == 2) { - $alreadypayedlabel = 
$langs->trans("PaidBack"); - $multicurrencyalreadypayedlabel = $langs->trans("MulticurrencyPaidBack"); - } - $remaindertopay = $langs->trans('RemainderToTake'); - $multicurrencyremaindertopay = $langs->trans('MulticurrencyRemainderToTake'); - if ($facture->type == 2) { - $remaindertopay = $langs->trans("RemainderToPayBack"); - $multicurrencyremaindertopay = $langs->trans("MulticurrencyRemainderToPayBack"); - } - - $i = 0; - //print ''; - print '
'; - - print '
'; // You can use div-table-responsive-no-min if you don't need reserved height for your table - print ''; - - print ''; - print ''; - print ''; - print ''; - if (isModEnabled('multicurrency')) { - print ''; - print ''; - print ''; - print ''; - print ''; - } - print ''; - print ''; - print ''; - print ''; - - $parameters = array(); - $reshook = $hookmanager->executeHooks('printFieldListTitle', $parameters, $facture, $action); // Note that $action and $object may have been modified by hook - - print ''; - print "\n"; - - $total_ttc = 0; - $totalrecu = 0; - $totalrecucreditnote = 0; - $totalrecudeposits = 0; $sign = 1; + if ($facture->type == Facture::TYPE_CREDIT_NOTE) { + $sign = -1; + } - while ($i < $num) { - $objp = $db->fetch_object($resql); + $soc = new Societe($db); + $soc->fetch($objp->socid); - $sign = 1; - if ($facture->type == Facture::TYPE_CREDIT_NOTE) { - $sign = -1; + $invoice = new Facture($db); + $invoice->fetch($objp->facid); + $paiement = $invoice->getSommePaiement(); + $creditnotes = $invoice->getSumCreditNotesUsed(); + $deposits = $invoice->getSumDepositsUsed(); + $alreadypayed = price2num($paiement + $creditnotes + $deposits, 'MT'); + $remaintopay = price2num($invoice->total_ttc - $paiement - $creditnotes - $deposits, 'MT'); + + // Multicurrency Price + $tooltiponmulticurrencyfullamount = ''; + $multicurrency_remaintopay = ''; + $multicurrency_payment = 0; + $multicurrency_creditnotes = 0; + $multicurrency_deposits = 0; + if (isModEnabled('multicurrency')) { + $multicurrency_payment = $invoice->getSommePaiement(1); + $multicurrency_creditnotes = $invoice->getSumCreditNotesUsed(1); + $multicurrency_deposits = $invoice->getSumDepositsUsed(1); + $multicurrency_alreadypayed = price2num($multicurrency_payment + $multicurrency_creditnotes + $multicurrency_deposits, 'MT'); + $multicurrency_remaintopay = price2num($invoice->multicurrency_total_ttc - $multicurrency_payment - $multicurrency_creditnotes - $multicurrency_deposits, 'MT'); + // Multicurrency 
full amount tooltip + $tooltiponmulticurrencyfullamount = $langs->trans('AmountHT') . ": " . price($objp->multicurrency_total_ht, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; + $tooltiponmulticurrencyfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->multicurrency_total_tva, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; + $tooltiponmulticurrencyfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->multicurrency_total_ttc, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; + } + + // Full amount tooltip + $tooltiponfullamount = $langs->trans('AmountHT') . ": " . price($objp->total_ht, 0, $langs, 0, -1, -1, $conf->currency) . "
"; + $tooltiponfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->total_tva, 0, $langs, 0, -1, -1, $conf->currency) . "
"; + $tooltiponfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->total_ttc, 0, $langs, 0, -1, -1, $conf->currency) . "
"; + + print ''; + + print '\n"; + + // Date + print '\n"; + + // Due date + if ($objp->dlr > 0) { + print ''; + } else { + print ''; + } - $invoice = new Facture($db); - $invoice->fetch($objp->facid); - $paiement = $invoice->getSommePaiement(); - $creditnotes = $invoice->getSumCreditNotesUsed(); - $deposits = $invoice->getSumDepositsUsed(); - $alreadypayed = price2num($paiement + $creditnotes + $deposits, 'MT'); - $remaintopay = price2num($invoice->total_ttc - $paiement - $creditnotes - $deposits, 'MT'); + // Currency + if (isModEnabled('multicurrency')) { + print '\n"; + } - // Multicurrency Price - $tooltiponmulticurrencyfullamount = ''; - $multicurrency_remaintopay = ''; - $multicurrency_payment = 0; - $multicurrency_creditnotes = 0; - $multicurrency_deposits = 0; - if (isModEnabled('multicurrency')) { - $multicurrency_payment = $invoice->getSommePaiement(1); - $multicurrency_creditnotes = $invoice->getSumCreditNotesUsed(1); - $multicurrency_deposits = $invoice->getSumDepositsUsed(1); - $multicurrency_alreadypayed = price2num($multicurrency_payment + $multicurrency_creditnotes + $multicurrency_deposits, 'MT'); - $multicurrency_remaintopay = price2num($invoice->multicurrency_total_ttc - $multicurrency_payment - $multicurrency_creditnotes - $multicurrency_deposits, 'MT'); - // Multicurrency full amount tooltip - $tooltiponmulticurrencyfullamount = $langs->trans('AmountHT') . ": " . price($objp->multicurrency_total_ht, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; - $tooltiponmulticurrencyfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->multicurrency_total_tva, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; - $tooltiponmulticurrencyfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->multicurrency_total_ttc, 0, $langs, 0, -1, -1, $objp->multicurrency_code) . "
"; - } - - // Full amount tooltip - $tooltiponfullamount = $langs->trans('AmountHT') . ": " . price($objp->total_ht, 0, $langs, 0, -1, -1, $conf->currency) . "
"; - $tooltiponfullamount .= $langs->trans('AmountVAT') . ": " . price($objp->total_tva, 0, $langs, 0, -1, -1, $conf->currency) . "
"; - $tooltiponfullamount .= $langs->trans('AmountTTC') . ": " . price($objp->total_ttc, 0, $langs, 0, -1, -1, $conf->currency) . "
"; - - print ''; - - print '\n"; - - // Date - print '\n"; - - // Due date - if ($objp->dlr > 0) { - print ''; - } else { - print ''; - } - - // Currency - if (isModEnabled('multicurrency')) { - print '\n"; - } - - // Multicurrency full amount - if (isModEnabled('multicurrency')) { - print ''; - - // Multicurrency Price - print ''; - - // Multicurrency remain to pay - print ''; - - print '"; - } - - // Full amount - print ''; - - // Received + already paid - print ''; - // Remain to take or to pay back + // Multicurrency Price print ''; - //$test= price(price2num($objp->total_ttc - $paiement - $creditnotes - $deposits)); - // Amount + // Multicurrency remain to pay + print ''; + print '"; - - $parameters = array(); - $reshook = $hookmanager->executeHooks('printFieldListValue', $parameters, $objp, $action); // Note that $action and $object may have been modified by hook - - // Warning - print ''; - - print "\n"; - - $total_ttc += $objp->total_ttc; - $totalrecu += $paiement; - $totalrecucreditnote += $creditnotes; - $totalrecudeposits += $deposits; - $i++; } - if ($i > 1) { - // Print total - print ''; - print ''; - if (isModEnabled('multicurrency')) { - print ''; - print ''; - print ''; - print ''; - print ''; - } - print ''; - print ''; - print ''; - print ''; // Autofilled - print ''; - print "\n"; + // Full amount + print ''; + + // Received + already paid + print '
'.$arraytitle.''.$langs->trans('Date').''.$langs->trans('DateMaxPayment').''.$langs->trans('Currency').''.$langs->trans('MulticurrencyAmountTTC').''.$multicurrencyalreadypayedlabel.''.$multicurrencyremaindertopay.''.$langs->trans('MulticurrencyPaymentAmount').''.$langs->trans('AmountTTC').''.$alreadypayedlabel.''.$remaindertopay.''.$langs->trans('PaymentAmount').' 
'; + print $invoice->getNomUrl(1, ''); + if ($objp->socid != $facture->thirdparty->id) { + print ' - '.$soc->getNomUrl(1).' '; + } + print "'.dol_print_date($db->jdate($objp->df), 'day')."'; + print dol_print_date($db->jdate($objp->dlr), 'day'); + + if ($invoice->hasDelay()) { + print img_warning($langs->trans('Late')); } - $soc = new Societe($db); - $soc->fetch($objp->socid); + print ''.$objp->multicurrency_code."
'; - print $invoice->getNomUrl(1, ''); - if ($objp->socid != $facture->thirdparty->id) { - print ' - '.$soc->getNomUrl(1).' '; - } - print "'.dol_print_date($db->jdate($objp->df), 'day')."'; - print dol_print_date($db->jdate($objp->dlr), 'day'); - - if ($invoice->hasDelay()) { - print img_warning($langs->trans('Late')); - } - - print ''.$objp->multicurrency_code."'; - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - print '' . price($sign * $objp->multicurrency_total_ttc); - } - print ''; - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - print price($sign * $multicurrency_payment); - if ($multicurrency_creditnotes) { - print '+'.price($multicurrency_creditnotes); - } - if ($multicurrency_deposits) { - print '+'.price($multicurrency_deposits); - } - } - print ''; - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - print price($sign * (float) $multicurrency_remaintopay); - } - print ''; - - // Add remind multicurrency amount - $namef = 'multicurrency_amount_'.$objp->facid; - $nameRemain = 'multicurrency_remain_'.$objp->facid; - - if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { - if ($action != 'add_paiement') { - if (!empty($conf->use_javascript_ajax)) { - print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $multicurrency_remaintopay)."'"); - } - print ''; - print ''; - } else { - print ''; - print ''; - } - } - print "'.price($sign * $objp->total_ttc).''.price($sign * $paiement); - if ($creditnotes) { - print '+'.price($creditnotes).''; - } - if ($deposits) { - print '+'.price($deposits).''; + // Multicurrency full amount + if (isModEnabled('multicurrency')) { + print ''; + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + print '' . 
price($sign * $objp->multicurrency_total_ttc); } print ''; - print price($sign * (float) $remaintopay); - if (isModEnabled('prelevement')) { - $numdirectdebitopen = 0; - $totaldirectdebit = 0; - $sql = "SELECT COUNT(pfd.rowid) as nb, SUM(pfd.amount) as amount"; - $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_demande as pfd"; - $sql .= " WHERE fk_facture = ".((int) $objp->facid); - $sql .= " AND pfd.traite = 0"; - $sql .= " AND pfd.ext_payment_id IS NULL"; - - $result_sql = $db->query($sql); - if ($result_sql) { - $obj = $db->fetch_object($result_sql); - $numdirectdebitopen = $obj->nb; - $totaldirectdebit = $obj->amount; - } else { - dol_print_error($db); + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + print price($sign * $multicurrency_payment); + if ($multicurrency_creditnotes) { + print '+'.price($multicurrency_creditnotes); } - if ($numdirectdebitopen) { - $langs->load("withdrawals"); - print img_warning($langs->trans("WarningSomeDirectDebitOrdersAlreadyExists", $numdirectdebitopen, price(price2num($totaldirectdebit, 'MT'), 0, $langs, 1, -1, -1, $conf->currency)), '', 'classfortooltip'); + if ($multicurrency_deposits) { + print '+'.price($multicurrency_deposits); } } print ''; + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + print price($sign * (float) $multicurrency_remaintopay); + } + print ''; - // Add remind amount - $namef = 'amount_'.$objp->facid; - $nameRemain = 'remain_'.$objp->facid; + // Add remind multicurrency amount + $namef = 'multicurrency_amount_'.$objp->facid; + $nameRemain = 'multicurrency_remain_'.$objp->facid; - if ($action != 'add_paiement') { - if (!empty($conf->use_javascript_ajax)) { - print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $remaintopay)."'"); + if ($objp->multicurrency_code && $objp->multicurrency_code != $conf->currency) { + if ($action != 'add_paiement') { + if 
(!empty($conf->use_javascript_ajax)) { + print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $multicurrency_remaintopay)."'"); + } + print ''; + print ''; + } else { + print ''; + print ''; } - print ''; - print ''; - } else { - print ''; - print ''; } print "'; - //print "xx".$amounts[$invoice->id]."-".$amountsresttopay[$invoice->id]."
"; - if (!empty($amounts[$invoice->id]) && (abs((float) $amounts[$invoice->id]) > abs((float) $amountsresttopay[$invoice->id])) - || !empty($multicurrency_amounts[$invoice->id]) && (abs((float) $multicurrency_amounts[$invoice->id]) > abs((float) $multicurrency_amountsresttopay[$invoice->id]))) { - print ' '.img_warning($langs->trans("PaymentHigherThanReminderToPay")); - } - print '
'.$langs->trans('TotalTTC').''.price($sign * $total_ttc).''.price($sign * $totalrecu); - if ($totalrecucreditnote) { - print '+'.price($totalrecucreditnote); - } - if ($totalrecudeposits) { - print '+'.price($totalrecudeposits); - } - print ''.price($sign * (float) price2num($total_ttc - $totalrecu - $totalrecucreditnote - $totalrecudeposits, 'MT')).' 
'.price($sign * $objp->total_ttc).''.price($sign * $paiement); + if ($creditnotes) { + print '+'.price($creditnotes).''; } - print "
"; - print "
\n"; - } - $db->free($resql); - } else { - dol_print_error($db); - } - - $formconfirm = ''; - - // Save button - if ($action != 'add_paiement') { - $checkboxlabel = $langs->trans("ClosePaidInvoicesAutomatically"); - if ($facture->type == Facture::TYPE_CREDIT_NOTE) { - $checkboxlabel = $langs->trans("ClosePaidCreditNotesAutomatically"); - } - $buttontitle = $langs->trans('ToMakePayment'); - if ($facture->type == Facture::TYPE_CREDIT_NOTE) { - $buttontitle = $langs->trans('ToMakePaymentBack'); - } - - print '
'; - print ''; - /*if (isModEnabled('prelevement')) { - $langs->load("withdrawals"); - if (getDolGlobalString('WITHDRAW_DISABLE_AUTOCREATE_ONPAYMENTS')) { - print '
'.$langs->trans("IfInvoiceNeedOnWithdrawPaymentWontBeClosed"); + if ($deposits) { + print '+'.price($deposits).''; } - }*/ - print '


'; - print '
'; - } + print ''; - // Form to confirm payment - if ($action == 'add_paiement') { - $preselectedchoice = $addwarning ? 'no' : 'yes'; + // Remain to take or to pay back + print ''; + print price($sign * (float) $remaintopay); + if (isModEnabled('prelevement')) { + $numdirectdebitopen = 0; + $totaldirectdebit = 0; + $sql = "SELECT COUNT(pfd.rowid) as nb, SUM(pfd.amount) as amount"; + $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_demande as pfd"; + $sql .= " WHERE fk_facture = ".((int) $objp->facid); + $sql .= " AND pfd.traite = 0"; + $sql .= " AND pfd.ext_payment_id IS NULL"; - print '
'; - $text = ''; - if (!empty($totalpayment)) { - $text = $langs->trans('ConfirmCustomerPayment', $totalpayment, $langs->transnoentitiesnoconv("Currency".$conf->currency)); + $result_sql = $db->query($sql); + if ($result_sql) { + $obj = $db->fetch_object($result_sql); + $numdirectdebitopen = $obj->nb; + $totaldirectdebit = $obj->amount; + } else { + dol_print_error($db); + } + if ($numdirectdebitopen) { + $langs->load("withdrawals"); + print img_warning($langs->trans("WarningSomeDirectDebitOrdersAlreadyExists", $numdirectdebitopen, price(price2num($totaldirectdebit, 'MT'), 0, $langs, 1, -1, -1, $conf->currency)), '', 'classfortooltip'); + } + } + print ''; + //$test= price(price2num($objp->total_ttc - $paiement - $creditnotes - $deposits)); + + // Amount + print ''; + + // Add remind amount + $namef = 'amount_'.$objp->facid; + $nameRemain = 'remain_'.$objp->facid; + + if ($action != 'add_paiement') { + if (!empty($conf->use_javascript_ajax)) { + print img_picto("Auto fill", 'rightarrow', "class='AutoFillAmount' data-rowname='".$namef."' data-value='".($sign * (float) $remaintopay)."'"); + } + print ''; + print ''; + } else { + print ''; + print ''; + } + print ""; + + $parameters = array(); + $reshook = $hookmanager->executeHooks('printFieldListValue', $parameters, $objp, $action); // Note that $action and $object may have been modified by hook + + // Warning + print ''; + //print "xx".$amounts[$invoice->id]."-".$amountsresttopay[$invoice->id]."
"; + if (!empty($amounts[$invoice->id]) && (abs((float) $amounts[$invoice->id]) > abs((float) $amountsresttopay[$invoice->id])) + || !empty($multicurrency_amounts[$invoice->id]) && (abs((float) $multicurrency_amounts[$invoice->id]) > abs((float) $multicurrency_amountsresttopay[$invoice->id]))) { + print ' '.img_warning($langs->trans("PaymentHigherThanReminderToPay")); + } + print ''; + + print "\n"; + + $total_ttc += $objp->total_ttc; + $totalrecu += $paiement; + $totalrecucreditnote += $creditnotes; + $totalrecudeposits += $deposits; + $i++; } - if (!empty($multicurrency_totalpayment)) { - $text .= '
'.$langs->trans('ConfirmCustomerPayment', $multicurrency_totalpayment, $langs->transnoentitiesnoconv("paymentInInvoiceCurrency")); + + if ($i > 1) { + // Print total + print ''; + print ''.$langs->trans('TotalTTC').''; + if (isModEnabled('multicurrency')) { + print ''; + print ''; + print ''; + print ''; + print ''; + } + print ''.price($sign * $total_ttc).''; + print ''.price($sign * $totalrecu); + if ($totalrecucreditnote) { + print '+'.price($totalrecucreditnote); + } + if ($totalrecudeposits) { + print '+'.price($totalrecudeposits); + } + print ''; + print ''.price($sign * (float) price2num($total_ttc - $totalrecu - $totalrecucreditnote - $totalrecudeposits, 'MT')).''; + print ''; // Autofilled + print ' '; + print "\n"; } - if (GETPOST('closepaidinvoices')) { - $text .= '
'.$langs->trans("AllCompletelyPayedInvoiceWillBeClosed"); - print ''; - } - $formconfirm = $form->formconfirm($_SERVER['PHP_SELF'].'?facid='.$facture->id.'&socid='.$facture->socid.'&type='.$facture->type, $langs->trans('ReceivedCustomersPayments'), $text, 'confirm_paiement', $formquestion, $preselectedchoice); + print ""; + print "
\n"; } - - // Call Hook formConfirm - $parameters = array('formConfirm' => $formconfirm); - $reshook = $hookmanager->executeHooks('formConfirm', $parameters, $object, $action); // Note that $action and $object may have been modified by hook - if (empty($reshook)) { - $formconfirm .= $hookmanager->resPrint; - } elseif ($reshook > 0) { - $formconfirm = $hookmanager->resPrint; - } - - // Print form confirm - print $formconfirm; - - print "\n"; + $db->free($resql); + } else { + dol_print_error($db); } + + $formconfirm = ''; + + // Save button + if ($action != 'add_paiement') { + $checkboxlabel = $langs->trans("ClosePaidInvoicesAutomatically"); + if ($facture->type == Facture::TYPE_CREDIT_NOTE) { + $checkboxlabel = $langs->trans("ClosePaidCreditNotesAutomatically"); + } + $buttontitle = $langs->trans('ToMakePayment'); + if ($facture->type == Facture::TYPE_CREDIT_NOTE) { + $buttontitle = $langs->trans('ToMakePaymentBack'); + } + + print '
'; + print ''; + /*if (isModEnabled('prelevement')) { + $langs->load("withdrawals"); + if (getDolGlobalString('WITHDRAW_DISABLE_AUTOCREATE_ONPAYMENTS')) { + print '
'.$langs->trans("IfInvoiceNeedOnWithdrawPaymentWontBeClosed"); + } + }*/ + print '


'; + print '
'; + } + + // Form to confirm payment + if ($action == 'add_paiement') { + $preselectedchoice = $addwarning ? 'no' : 'yes'; + + print '
'; + $text = ''; + if (!empty($totalpayment)) { + $text = $langs->trans('ConfirmCustomerPayment', $totalpayment, $langs->transnoentitiesnoconv("Currency".$conf->currency)); + } + if (!empty($multicurrency_totalpayment)) { + $text .= '
'.$langs->trans('ConfirmCustomerPayment', $multicurrency_totalpayment, $langs->transnoentitiesnoconv("paymentInInvoiceCurrency")); + } + if (GETPOST('closepaidinvoices')) { + $text .= '
'.$langs->trans("AllCompletelyPayedInvoiceWillBeClosed"); + print ''; + } + $formconfirm = $form->formconfirm($_SERVER['PHP_SELF'].'?facid='.$facture->id.'&socid='.$facture->socid.'&type='.$facture->type, $langs->trans('ReceivedCustomersPayments'), $text, 'confirm_paiement', $formquestion, $preselectedchoice); + } + + // Call Hook formConfirm + $parameters = array('formConfirm' => $formconfirm); + $reshook = $hookmanager->executeHooks('formConfirm', $parameters, $object, $action); // Note that $action and $object may have been modified by hook + if (empty($reshook)) { + $formconfirm .= $hookmanager->resPrint; + } elseif ($reshook > 0) { + $formconfirm = $hookmanager->resPrint; + } + + // Print form confirm + print $formconfirm; + + print "\n"; } -/** - * Show list of payments - */ -if (!GETPOST('action', 'aZ09')) { - if (empty($page) || $page == -1) { - $page = 0; - } - $limit = GETPOSTINT('limit') ? GETPOSTINT('limit') : $conf->liste_limit; - $offset = $limit * $page; - - if (!$sortorder) { - $sortorder = 'DESC'; - } - if (!$sortfield) { - $sortfield = 'p.datep'; - } - - $sql = 'SELECT p.datep as dp, p.amount, f.total_ttc as fa_amount, f.ref'; - $sql .= ', f.rowid as facid, c.libelle as paiement_type, p.num_paiement as num_payment'; - $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement as p LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id'; - $sql .= ', '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE p.fk_facture = f.rowid'; - $sql .= ' AND f.entity IN ('.getEntity('invoice').')'; - if ($socid) { - $sql .= ' AND f.fk_soc = '.((int) $socid); - } - - $sql .= $db->order($sortfield, $sortorder); - $sql .= $db->plimit($limit + 1, $offset); - $resql = $db->query($sql); - - if ($resql) { - $num = $db->num_rows($resql); - $i = 0; - - print_barre_liste($langs->trans('Payments'), $page, $_SERVER["PHP_SELF"], '', $sortfield, $sortorder, '', $num); - print ''; - print ''; - print_liste_field_titre('Invoice', $_SERVER["PHP_SELF"], 'f.ref', '', '', '', $sortfield, 
$sortorder); - print_liste_field_titre('Date', $_SERVER["PHP_SELF"], 'p.datep', '', '', '', $sortfield, $sortorder); - print_liste_field_titre('Type', $_SERVER["PHP_SELF"], 'c.libelle', '', '', '', $sortfield, $sortorder); - print_liste_field_titre('Amount', $_SERVER["PHP_SELF"], 'p.amount', '', '', '', $sortfield, $sortorder, 'right '); - print_liste_field_titre('', $_SERVER["PHP_SELF"], "", '', '', '', $sortfield, $sortorder, 'maxwidthsearch '); - print "\n"; - - while ($i < min($num, $limit)) { - $objp = $db->fetch_object($resql); - - print ''; - print '\n"; - print '\n"; - print '\n"; - print ''; - print ''; - print ''; - - $parameters = array(); - $reshook = $hookmanager->executeHooks('printObjectLine', $parameters, $objp, $action); // Note that $action and $object may have been modified by hook - - $i++; - } - print '
'.$objp->ref."'.dol_print_date($db->jdate($objp->dp))."'.$objp->paiement_type.' '.$objp->num_payment."'.price($objp->amount).' 
'; - } -} - llxFooter(); $db->close(); From 87436c8798931f36b97b6072f8ec506a26cc9561 Mon Sep 17 00:00:00 2001 From: "Laurent Destailleur (aka Eldy)" Date: Thu, 9 Jan 2025 13:54:25 +0100 Subject: [PATCH 31/33] Fix regression after a fix --- htdocs/adherents/subscription.php | 4 +- htdocs/comm/card.php | 10 ++--- htdocs/compta/facture/card.php | 18 ++++----- htdocs/core/class/html.form.class.php | 2 +- htdocs/core/lib/company.lib.php | 4 +- htdocs/core/lib/contact.lib.php | 2 +- htdocs/core/lib/functions.lib.php | 32 ++++++++++++--- htdocs/core/menus/standard/eldy.lib.php | 54 ++++++++++++------------- htdocs/core/modules/modAgenda.class.php | 2 +- htdocs/expensereport/card.php | 2 +- htdocs/fourn/facture/card.php | 6 +-- htdocs/societe/paymentmodes.php | 4 +- htdocs/user/bank.php | 2 +- test/phpunit/SecurityTest.php | 18 +++++++++ test/phpunit/test.php | 38 +++++++++++------ 15 files changed, 124 insertions(+), 74 deletions(-) diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 069f89de048..5a60b07c223 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -1057,7 +1057,7 @@ if (($action == 'addsubscription' || $action == 'create_thirdparty') && $user->h print img_warning($langs->trans("NoThirdPartyAssociatedToMember")); } print $langs->trans("NoThirdPartyAssociatedToMember"); - print ' - '; + print ' - '; print $langs->trans("CreateDolibarrThirdParty"); print ')'; } @@ -1087,7 +1087,7 @@ if (($action == 'addsubscription' || $action == 'create_thirdparty') && $user->h print img_warning($langs->trans("NoThirdPartyAssociatedToMember")); } print $langs->trans("NoThirdPartyAssociatedToMember"); - print ' - '; + print ' - '; print $langs->trans("CreateDolibarrThirdParty"); print ')'; } diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index cce00f8b832..d9c5a933554 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php 
@@ -1693,28 +1693,28 @@ if ($object->id > 0) { if (isModEnabled("propal") && $user->hasRight('propal', 'creer') && $object->status == 1) { $langs->load("propal"); - print ''; + print ''; } if (isModEnabled('order') && $user->hasRight('commande', 'creer') && $object->status == 1) { $langs->load("orders"); - print ''; + print ''; } if ($user->hasRight('contrat', 'creer') && $object->status == 1) { $langs->load("contracts"); - print ''; + print ''; } if (isModEnabled('intervention') && $user->hasRight('ficheinter', 'creer') && $object->status == 1) { $langs->load("interventions"); - print ''; + print ''; } // Add invoice if (isModEnabled('deplacement') && $object->status == 1) { $langs->load("trips"); - print ''; + print ''; } if (isModEnabled('invoice') && $object->status == 1) { diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index b38b68611fe..26dd8a8c63b 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -5908,9 +5908,9 @@ if ($action == 'create') { print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', '#', '', false, $params); } else { // Sometimes we can receive more, so we accept to enter more and will offer a button to convert into discount (but it is not a credit note, just a prepayment done) - //print ''.$langs->trans('DoPayment').''; + //print ''.$langs->trans('DoPayment').''; unset($params['attr']['title']); - print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&action=create'.($object->fk_account > 0 ? '&accountid='.$object->fk_account : ''), '', true, $params); + print dolGetButtonAction($langs->trans('DoPayment'), '', 'default', DOL_URL_ROOT.'/compta/paiement.php?facid='.$object->id.'&action=create'.($object->fk_account > 0 ? '&accountid='.$object->fk_account : ''), '', true, $params); } } } 
@@ -5925,7 +5925,7 @@ if ($action == 'create') { if ($resteapayer == 0) { print ''.$langs->trans('DoPaymentBack').''; } else { - print ''.$langs->trans('DoPaymentBack').''; + print ''.$langs->trans('DoPaymentBack').''; } } @@ -5978,7 +5978,7 @@ if ($action == 'create') { if ($objectidnext) { print ''.$langs->trans('ClassifyCanceled').''; } else { - print ''.$langs->trans('ClassifyCanceled').''; + print ''.$langs->trans('ClassifyCanceled').''; } } } @@ -5987,7 +5987,7 @@ if ($action == 'create') { // Create a credit note if (($object->type == Facture::TYPE_STANDARD || ($object->type == Facture::TYPE_DEPOSIT && !getDolGlobalString('FACTURE_DEPOSITS_ARE_JUST_PAYMENTS')) || $object->type == Facture::TYPE_PROFORMA) && $object->status > 0 && $usercancreate) { if (!$objectidnext) { - print ''.$langs->trans("CreateCreditNote").''; + print ''.$langs->trans("CreateCreditNote").''; } } @@ -6001,7 +6001,7 @@ if ($action == 'create') { && getDolGlobalInt('INVOICE_USE_SITUATION_CREDIT_NOTE') ) { if ($usercanunvalidate) { - print ''.$langs->trans("CreateCreditNote").''; + print ''.$langs->trans("CreateCreditNote").''; } else { print ''.$langs->trans("CreateCreditNote").''; } @@ -6017,7 +6017,7 @@ if ($action == 'create') { if (($object->type == Facture::TYPE_STANDARD || $object->type == Facture::TYPE_DEPOSIT || $object->type == Facture::TYPE_PROFORMA) && $object->status == 0 && $usercancreate) { if (!$objectidnext && count($object->lines) > 0) { unset($params['attr']['title']); - print dolGetButtonAction($langs->trans('ChangeIntoRepeatableInvoice'), '', 'default', DOL_URL_ROOT.'/compta/facture/card-rec.php?facid='.$object->id.'&action=create', '', true, $params); + print dolGetButtonAction($langs->trans('ChangeIntoRepeatableInvoice'), '', 'default', DOL_URL_ROOT.'/compta/facture/card-rec.php?facid='.$object->id.'&action=create', '', true, $params); } } 
@@ -6031,7 +6031,7 @@ if ($action == 'create') { && $usercanunvalidate ) { if (($object->total_ttc - $totalcreditnotes) == 0) { - print ''.$langs->trans("RemoveSituationFromCycle").''; + print ''.$langs->trans("RemoveSituationFromCycle").''; } else { print ''.$langs->trans("RemoveSituationFromCycle").''; } @@ -6040,7 +6040,7 @@ if ($action == 'create') { // Create next situation invoice if ($usercancreate && ($object->type == 5) && ($object->status == 1 || $object->status == 2)) { if ($object->is_last_in_cycle() && $object->situation_final != 1) { - print ''.$langs->trans('CreateNextSituationInvoice').''; + print ''.$langs->trans('CreateNextSituationInvoice').''; } elseif (!$object->is_last_in_cycle()) { print ''.$langs->trans('CreateNextSituationInvoice').''; } else { diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index a23db2adf8a..d148f8fd784 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -6591,7 +6591,7 @@ class Form $num = $this->num; if ($num == 0) { $addcontact = (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("AddContact") : $langs->trans("AddContactAddress")); - print '' . $addcontact . ''; + print '' . $addcontact . ''; } print ''; print ''; diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index a4682c21a13..5507cbd46e2 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php 
@@ -880,7 +880,7 @@ function show_projects($conf, $langs, $db, $object, $backtopage = '', $nocreatel $newcardbutton = ''; if (isModEnabled('project') && $user->hasRight('projet', 'creer') && empty($nocreatelink)) { - $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); + $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); } print "\n"; @@ -1277,7 +1277,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '', $showuserl $newcardbutton = ''; if ($user->hasRight('societe', 'contact', 'creer')) { $addcontact = (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("AddContact") : $langs->trans("AddContactAddress")); - $newcardbutton .= dolGetButtonTitle($addcontact, '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contact/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); + $newcardbutton .= dolGetButtonTitle($addcontact, '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contact/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); } print "\n"; diff --git a/htdocs/core/lib/contact.lib.php b/htdocs/core/lib/contact.lib.php index 24bb66763a5..aa4fa429ae7 100644 --- a/htdocs/core/lib/contact.lib.php +++ b/htdocs/core/lib/contact.lib.php 
@@ -179,7 +179,7 @@ function show_contacts_projects($conf, $langs, $db, $object, $backtopage = '', $ $newcardbutton = ''; if (isModEnabled('project') && $user->hasRight('projet', 'creer') && empty($nocreatelink)) { - $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); + $newcardbutton .= dolGetButtonTitle($langs->trans('AddProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?socid='.$object->id.'&action=create&backtopage='.urlencode($backtopage)); } print "\n"; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index f2268767734..df7b61f06c0 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php 
@@ -2037,6 +2037,22 @@ function dolPrintHTMLForAttribute($s)
 	return dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1);
 }
 
+/**
+ * Return a string ready to be output on a href attribute (this one need a special because we need content is HTML with no way to detect it is HTML).
+ * With dolPrintHTMLForAttribute(), the content is HTML encode, even if it is already HTML content.
+ *
+ * @param string $s String to print
+ * @return string String ready for HTML output
+ * @see dolPrintHTML(), dolPrintHTMLFortextArea()
+ */
+function dolPrintHTMLForAttributeUrl($s)
+{
+	// The dol_htmlentitiesbr has been removed compared to dolPrintHTMLForAttribute because we know content is a HTML URL string (even if we have no way to detect it automatically)
+	// The dol_escape_htmltag will escape html chars.
+	$escapeonlyhtmltags = 1;
+	return dol_escape_htmltag(dol_string_onlythesehtmltags($s, 1, 1, 1, 0, array()), 0, 0, '', $escapeonlyhtmltags, 1);
+}
+
 /**
  * Return a string ready to be output on input textarea.
  * Differs from dolPrintHTML because all tags are escape. With dolPrintHTML, all tags except common one are escaped.
@@ -8687,9 +8703,9 @@ function dol_htmlentitiesbr($stringtoencode, $nl2brmode = 0, $pagecodefrom = 'UT
 			$newstring = preg_replace('/
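Review bot: The docblock on the new dolPrintHTMLForAttributeUrl() does not tell a caller what the helper guarantees, and the sentence `this one need a special because we need content is HTML with no way to detect it is HTML` is hard to parse. From the body, the value skips dol_htmlentitiesbr() and goes through dol_string_onlythesehtmltags() then dol_escape_htmltag() with `$escapeonlyhtmltags = 1` and a trailing literal `1`, but which characters that flag pair leaves untouched, and whether a `javascript:` or `data:` scheme is rejected, is not visible here and is exactly what a reviewer of an href-escaping helper wants stated. I would replace the first two docblock lines with ` * Return a string ready to be output into a href attribute. The value is expected to already be an HTML/URL-encoded string, so unlike dolPrintHTMLForAttribute() it is NOT passed through dol_htmlentitiesbr(); only dol_string_onlythesehtmltags() and dol_escape_htmltag(escapeonlyhtmltags=1) are applied. This helper does not validate the URL scheme; callers remain responsible for that.` (adjusted once the behaviour of the last dol_escape_htmltag() argument is confirmed). That trailing `1` passed right after `$escapeonlyhtmltags` deserves the same named-local treatment so the flag it sets is readable at the call site.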
$/i', '', $newstring); // Remove last
(remove only last one)
 		}
 		$newstring = preg_replace('/[\x{200B}-\x{200D}\x{FEFF}]/u', ' ', $newstring);
-		$newstring = strtr($newstring, array('&' => '__and__', '<' => '__lt__', '>' => '__gt__', '"' => '__dquot__'));
+		$newstring = strtr($newstring, array('&' => '__PROTECTand__', '<' => '__PROTECTlt__', '>' => '__PROTECTgt__', '"' => '__PROTECTdquot__'));
 		$newstring = dol_htmlentities($newstring, ENT_COMPAT, $pagecodefrom); // Make entity encoding
-		$newstring = strtr($newstring, array('__and__' => '&', '__lt__' => '<', '__gt__' => '>', '__dquot__' => '"'));
+		$newstring = strtr($newstring, array('__PROTECTand__' => '&', '__PROTECTlt__' => '<', '__PROTECTgt__' => '>', '__PROTECTdquot__' => '"'));
 	} else {
 		if ($removelasteolbr) {
 			$newstring = preg_replace('/(\r\n|\r|\n)$/i', '', $newstring); // Remove last \n (may remove several)
@@ -12828,12 +12844,16 @@ function dolGetButtonAction($label, $text = '', $actionType = 'default', $url =
 		unset($attr['href']);
 	}
 
-	// escape all attribute
-	$attr = array_map('dol_escape_htmltag', $attr);
-
+	// escape all attributes
 	$TCompiledAttr = array();
 	foreach ($attr as $key => $value) {
-		$TCompiledAttr[] = $key.'= "'.$value.'"';
+		if ($key == 'href') {
+			$value = dolPrintHTMLForAttributeUrl($value);
+		} else {
+			$value = dolPrintHTMLForAttribute($value);
+		}
+
+		$TCompiledAttr[] = $key.'="'.$value.'"'; // $value has been escaped by the dolPrintHTMLForAttribute... just before
 	}
 
 	$compiledAttributes = empty($TCompiledAttr) ? '' : implode(' ', $TCompiledAttr);
diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index 8bfe214c523..c3da1b43170 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
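Review bot: Renaming the placeholders to `__PROTECTand__`/`__PROTECTlt__`/`__PROTECTgt__`/`__PROTECTdquot__` makes a collision with real content less likely but does not remove it: the second strtr() turns every occurrence of those tokens into the raw character, including ones that were already present in `$stringtoencode`, so an input containing the literal `__PROTECTlt__` comes out as `<`. The visible caller dolPrintHTMLForAttribute() still runs the result through dol_string_onlythesehtmltags()/dol_escape_htmltag(), so the tag filter does see such a character, but any caller that uses dol_htmlentitiesbr() as its only escaping step would not be protected. I would add, above the first strtr(): `// The __PROTECT*__ markers are plain text: input that already contains one becomes a raw metacharacter after the reverse strtr() below, so this function must never be the only escaping step.` A marker that cannot occur in the input (pre-escaping existing markers, or a per-call random suffix) would close the gap properly. dol_htmlentitiesbr() starts and ends outside this hunk.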
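Review bot: Only the attribute value is escaped in the rebuilt `$key.'="'.$value.'"'`; the attribute name `$key` is still emitted verbatim, so if the keys of `$params['attr']` can ever carry caller- or user-supplied text (not visible from this hunk) a key such as `x" onclick="...` breaks out of the attribute no matter how `$value` was escaped. A cheap guard at the top of the loop keeps the new value-side escaping meaningful: `if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_:\-]*$/', $key)) { continue; }`. The href branch should also compare with `===` (`if ($key === 'href')`) and, because it is an exact case-sensitive match, a key spelled `HREF` or another URL-bearing attribute such as `formaction` silently takes the text-attribute path, which deserves a one-line comment stating that only the literal `href` key gets URL treatment. dolGetButtonAction() starts and ends outside this hunk.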
@@ -1275,7 +1275,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le $langs->load("commercial"); $newmenu->add("/societe/list.php?type=p&leftmenu=prospects", $langs->trans("Prospects"), 2, $user->hasRight('societe', 'lire'), '', $mainmenu, 'prospects', 5); - $newmenu->add("/societe/card.php?leftmenu=prospects&action=create&type=p", $langs->trans("MenuNewProspect"), 3, $user->hasRight('societe', 'creer')); + $newmenu->add("/societe/card.php?leftmenu=prospects&action=create&type=p", $langs->trans("MenuNewProspect"), 3, $user->hasRight('societe', 'creer')); } // Customers/Prospects @@ -1283,7 +1283,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le $langs->load("commercial"); $newmenu->add("/societe/list.php?type=c&leftmenu=customers", $langs->trans("Customers"), 2, $user->hasRight('societe', 'lire'), '', $mainmenu, 'customers', 10); - $newmenu->add("/societe/card.php?leftmenu=customers&action=create&type=c", $langs->trans("MenuNewCustomer"), 3, $user->hasRight('societe', 'creer')); + $newmenu->add("/societe/card.php?leftmenu=customers&action=create&type=c", $langs->trans("MenuNewCustomer"), 3, $user->hasRight('societe', 'creer')); } // Suppliers 
@@ -1291,7 +1291,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le $langs->load("suppliers"); $newmenu->add("/societe/list.php?type=f&leftmenu=suppliers", $langs->trans("Suppliers"), 2, ($user->hasRight('fournisseur', 'lire') || $user->hasRight('supplier_order', 'lire') || $user->hasRight('supplier_invoice', 'lire') || $user->hasRight('supplier_proposal', 'lire')), '', $mainmenu, 'suppliers', 15); - $newmenu->add("/societe/card.php?leftmenu=suppliers&action=create&type=f", $langs->trans("MenuNewSupplier"), 3, $user->hasRight('societe', 'creer') && ($user->hasRight('fournisseur', 'lire') || $user->hasRight('supplier_order', 'lire') || $user->hasRight('supplier_invoice', 'lire') || $user->hasRight('supplier_proposal', 'lire'))); + $newmenu->add("/societe/card.php?leftmenu=suppliers&action=create&type=f", $langs->trans("MenuNewSupplier"), 3, $user->hasRight('societe', 'creer') && ($user->hasRight('fournisseur', 'lire') || $user->hasRight('supplier_order', 'lire') || $user->hasRight('supplier_invoice', 'lire') || $user->hasRight('supplier_proposal', 'lire'))); } // Categories 
@@ -1317,7 +1317,7 @@ function get_left_menu_thridparties($mainmenu, &$newmenu, $usemenuhider = 1, $le // Contacts $newmenu->add("/societe/index.php?leftmenu=thirdparties", (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses")), 0, $user->hasRight('societe', 'contact', 'lire'), '', $mainmenu, 'contacts', 0, '', '', '', img_picto('', 'contact', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/contact/card.php?leftmenu=contacts&action=create", (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("NewContact") : $langs->trans("NewContactAddress")), 1, $user->hasRight('societe', 'contact', 'creer')); + $newmenu->add("/contact/card.php?leftmenu=contacts&action=create", (getDolGlobalString('SOCIETE_ADDRESSES_MANAGEMENT') ? $langs->trans("NewContact") : $langs->trans("NewContactAddress")), 1, $user->hasRight('societe', 'contact', 'creer')); $newmenu->add("/contact/list.php?leftmenu=contacts", $langs->trans("List"), 1, $user->hasRight('societe', 'contact', 'lire')); if (!getDolGlobalString('SOCIETE_DISABLE_PROSPECTS')) { $newmenu->add("/contact/list.php?leftmenu=contacts&type=p", $langs->trans("Prospects"), 2, $user->hasRight('societe', 'contact', 'lire')); 
@@ -1514,7 +1514,7 @@ function get_left_menu_billing($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen if (isModEnabled('societe') && isModEnabled('supplier_invoice') && !getDolGlobalString('SUPPLIER_INVOICE_MENU_DISABLED')) { $langs->load("bills"); $newmenu->add("/fourn/facture/index.php?leftmenu=suppliers_bills", $langs->trans("BillsSuppliers"), 0, $user->hasRight('fournisseur', 'facture', 'lire'), '', $mainmenu, 'suppliers_bills', 0, '', '', '', img_picto('', 'supplier_invoice', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/fourn/facture/card.php?leftmenu=suppliers_bills&action=create", $langs->trans("NewBill"), 1, ($user->hasRight('fournisseur', 'facture', 'creer') || $user->hasRight('supplier_invoice', 'creer')), '', $mainmenu, 'suppliers_bills_create'); + $newmenu->add("/fourn/facture/card.php?leftmenu=suppliers_bills&action=create", $langs->trans("NewBill"), 1, ($user->hasRight('fournisseur', 'facture', 'creer') || $user->hasRight('supplier_invoice', 'creer')), '', $mainmenu, 'suppliers_bills_create'); $newmenu->add("/fourn/facture/list.php?leftmenu=suppliers_bills", $langs->trans("List"), 1, $user->hasRight('fournisseur', 'facture', 'lire'), '', $mainmenu, 'suppliers_bills_list'); if ($usemenuhider || empty($leftmenu) || preg_match('/suppliers_bills/', $leftmenu)) { 
@@ -1558,7 +1558,7 @@ function get_left_menu_billing($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen $langs->load("donations"); $newmenu->add("/don/index.php?leftmenu=donations&mainmenu=billing", $langs->trans("Donations"), 0, $user->hasRight('don', 'lire'), '', $mainmenu, 'donations', 0, '', '', '', img_picto('', 'donation', 'class="paddingright pictofixedwidth"')); if ($usemenuhider || empty($leftmenu) || $leftmenu == "donations") { - $newmenu->add("/don/card.php?leftmenu=donations&action=create", $langs->trans("NewDonation"), 1, $user->hasRight('don', 'creer')); + $newmenu->add("/don/card.php?leftmenu=donations&action=create", $langs->trans("NewDonation"), 1, $user->hasRight('don', 'creer')); $newmenu->add("/don/list.php?leftmenu=donations", $langs->trans("List"), 1, $user->hasRight('don', 'lire')); $newmenu->add("/don/paiement/list.php?leftmenu=donations", $langs->trans("Payments"), 1, $user->hasRight('don', 'lire')); $newmenu->add("/don/stats/index.php", $langs->trans("Statistics"), 1, $user->hasRight('don', 'lire')); 
@@ -2000,12 +2000,12 @@ function get_left_menu_accountancy($mainmenu, &$newmenu, $usemenuhider = 1, $lef // Assets if (isModEnabled('asset')) { - $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuAssets"), 0, $user->hasRight('asset', 'read'), '', $mainmenu, 'asset', 100, '', '', '', img_picto('', 'payment', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/asset/card.php?leftmenu=asset&action=create", $langs->trans("MenuNewAsset"), 1, $user->hasRight('asset', 'write')); - $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuListAssets"), 1, $user->hasRight('asset', 'read')); + $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuAssets"), 0, $user->hasRight('asset', 'read'), '', $mainmenu, 'asset', 100, '', '', '', img_picto('', 'payment', 'class="paddingright pictofixedwidth"')); + $newmenu->add("/asset/card.php?leftmenu=asset&action=create", $langs->trans("MenuNewAsset"), 1, $user->hasRight('asset', 'write')); + $newmenu->add("/asset/list.php?leftmenu=asset&mainmenu=accountancy", $langs->trans("MenuListAssets"), 1, $user->hasRight('asset', 'read')); $newmenu->add("/asset/model/list.php?leftmenu=asset_model", $langs->trans("MenuAssetModels"), 1, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'read')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'read')), '', $mainmenu, 'asset_model'); if ($usemenuhider || empty($leftmenu) || preg_match('/asset_model/', $leftmenu)) { - $newmenu->add("/asset/model/card.php?leftmenu=asset_model&action=create", $langs->trans("MenuNewAssetModel"), 2, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'write')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'write'))); + $newmenu->add("/asset/model/card.php?leftmenu=asset_model&action=create", 
$langs->trans("MenuNewAssetModel"), 2, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'write')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'write'))); $newmenu->add("/asset/model/list.php?leftmenu=asset_model", $langs->trans("MenuListAssetModels"), 2, (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'read')) || (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && $user->hasRight('asset', 'model_advance', 'read'))); } } @@ -2113,8 +2113,8 @@ function get_left_menu_products($mainmenu, &$newmenu, $usemenuhider = 1, $leftme // Products if (isModEnabled('product')) { $newmenu->add("/product/index.php?leftmenu=product", $langs->trans("Products"), 0, $user->hasRight('product', 'read'), '', $mainmenu, 'product', 0, '', '', '', img_picto('', 'product', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/product/card.php?leftmenu=product&action=create&type=0", $langs->trans("NewProduct"), 1, $user->hasRight('product', 'creer')); - $newmenu->add("/product/list.php?leftmenu=product&type=0", $langs->trans("List"), 1, $user->hasRight('product', 'read')); + $newmenu->add("/product/card.php?leftmenu=product&action=create&type=0", $langs->trans("NewProduct"), 1, $user->hasRight('product', 'creer')); + $newmenu->add("/product/list.php?leftmenu=product&type=0", $langs->trans("List"), 1, $user->hasRight('product', 'read')); if (isModEnabled('stock')) { $newmenu->add("/product/reassort.php?type=0", $langs->trans("MenuStocks"), 1, $user->hasRight('product', 'read') && $user->hasRight('stock', 'lire')); } 
@@ -2141,8 +2141,8 @@ function get_left_menu_products($mainmenu, &$newmenu, $usemenuhider = 1, $leftme // Services if (isModEnabled('service')) { $newmenu->add("/product/index.php?leftmenu=service", $langs->trans("Services"), 0, $user->hasRight('service', 'read'), '', $mainmenu, 'service', 0, '', '', '', img_picto('', 'service', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/product/card.php?leftmenu=service&action=create&type=1", $langs->trans("NewService"), 1, $user->hasRight('service', 'creer')); - $newmenu->add("/product/list.php?leftmenu=service&type=1", $langs->trans("List"), 1, $user->hasRight('service', 'read')); + $newmenu->add("/product/card.php?leftmenu=service&action=create&type=1", $langs->trans("NewService"), 1, $user->hasRight('service', 'creer')); + $newmenu->add("/product/list.php?leftmenu=service&type=1", $langs->trans("List"), 1, $user->hasRight('service', 'read')); if (isModEnabled('stock') && getDolGlobalString('STOCK_SUPPORTS_SERVICES')) { $newmenu->add("/product/reassort.php?type=1", $langs->trans("MenuStocks"), 1, $user->hasRight('service', 'read') && $user->hasRight('stock', 'lire')); @@ -2259,7 +2259,7 @@ function get_left_menu_mrp($mainmenu, &$newmenu, $usemenuhider = 1, $leftmenu = $langs->load("mrp"); $newmenu->add("", $langs->trans("MenuBOM"), 0, $user->hasRight('bom', 'read'), '', $mainmenu, 'bom', 0, '', '', '', img_picto('', 'bom', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/bom/bom_card.php?leftmenu=bom&action=create", $langs->trans("NewBOM"), 1, $user->hasRight('bom', 'write'), '', $mainmenu, 'bom'); + $newmenu->add("/bom/bom_card.php?leftmenu=bom&action=create", $langs->trans("NewBOM"), 1, $user->hasRight('bom', 'write'), '', $mainmenu, 'bom'); $newmenu->add("/bom/bom_list.php?leftmenu=bom", $langs->trans("List"), 1, $user->hasRight('bom', 'read'), '', $mainmenu, 'bom'); } 
@@ -2267,7 +2267,7 @@ function get_left_menu_mrp($mainmenu, &$newmenu, $usemenuhider = 1, $leftmenu = $langs->load("mrp"); $newmenu->add("", $langs->trans("MenuMRP"), 0, $user->hasRight('mrp', 'read'), '', $mainmenu, 'mrp', 0, '', '', '', img_picto('', 'mrp', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/mrp/mo_card.php?leftmenu=mo&action=create", $langs->trans("NewMO"), 1, $user->hasRight('mrp', 'write'), '', $mainmenu, ''); + $newmenu->add("/mrp/mo_card.php?leftmenu=mo&action=create", $langs->trans("NewMO"), 1, $user->hasRight('mrp', 'write'), '', $mainmenu, ''); $newmenu->add("/mrp/mo_list.php?leftmenu=mo", $langs->trans("List"), 1, $user->hasRight('mrp', 'read'), '', $mainmenu, ''); } } @@ -2485,7 +2485,7 @@ function get_left_menu_tools($mainmenu, &$newmenu, $usemenuhider = 1, $leftmenu $titlenew .= ' | '.$langs->trans("NewSMSing"); } $newmenu->add("/comm/mailing/index.php?leftmenu=mailing", $titleindex, 0, $user->hasRight('mailing', 'lire'), '', $mainmenu, 'mailing', 0, '', '', '', img_picto('', 'email', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/comm/mailing/card.php?leftmenu=mailing&action=create", $titlenew, 1, $user->hasRight('mailing', 'creer')); + $newmenu->add("/comm/mailing/card.php?leftmenu=mailing&action=create", $titlenew, 1, $user->hasRight('mailing', 'creer')); $newmenu->add("/comm/mailing/list.php?leftmenu=mailing", $titlelist, 1, $user->hasRight('mailing', 'lire')); } 
@@ -2525,16 +2525,16 @@ function get_left_menu_members($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen // Load translation files required by the page $langs->loadLangs(array("members", "compta")); - $newmenu->add("/adherents/index.php?leftmenu=members&mainmenu=members", $langs->trans("Members"), 0, $user->hasRight('adherent', 'read'), '', $mainmenu, 'members', 0, '', '', '', img_picto('', 'member', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/adherents/card.php?leftmenu=members&action=create", $langs->trans("NewMember"), 1, $user->hasRight('adherent', 'write')); + $newmenu->add("/adherents/index.php?leftmenu=members&mainmenu=members", $langs->trans("Members"), 0, $user->hasRight('adherent', 'read'), '', $mainmenu, 'members', 0, '', '', '', img_picto('', 'member', 'class="paddingright pictofixedwidth"')); + $newmenu->add("/adherents/card.php?leftmenu=members&action=create", $langs->trans("NewMember"), 1, $user->hasRight('adherent', 'write')); $newmenu->add("/adherents/list.php?leftmenu=members", $langs->trans("List"), 1, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=-1", $langs->trans("MenuMembersToValidate"), 2, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1", $langs->trans("MenuMembersValidated"), 2, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=waitingsubscription", $langs->trans("WaitingSubscription"), 3, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=uptodate", $langs->trans("UpToDate"), 3, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=outofdate", $langs->trans("OutOfDate"), 3, $user->hasRight('adherent', 'read')); - $newmenu->add("/adherents/list.php?leftmenu=members&statut=0", $langs->trans("MenuMembersResiliated"), 2, $user->hasRight('adherent', 'read')); 
- $newmenu->add("/adherents/list.php?leftmenu=members&statut=-2", $langs->trans("MenuMembersExcluded"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=-1", $langs->trans("MenuMembersToValidate"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1", $langs->trans("MenuMembersValidated"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=waitingsubscription", $langs->trans("WaitingSubscription"), 3, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=uptodate", $langs->trans("UpToDate"), 3, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=1&filter=outofdate", $langs->trans("OutOfDate"), 3, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=0", $langs->trans("MenuMembersResiliated"), 2, $user->hasRight('adherent', 'read')); + $newmenu->add("/adherents/list.php?leftmenu=members&statut=-2", $langs->trans("MenuMembersExcluded"), 2, $user->hasRight('adherent', 'read')); $newmenu->add("/adherents/stats/index.php?leftmenu=members", $langs->trans("MenuMembersStats"), 1, $user->hasRight('adherent', 'read')); $newmenu->add("/adherents/cartes/carte.php?leftmenu=export", $langs->trans("MembersCards"), 1, $user->hasRight('adherent', 'export')); 
@@ -2554,7 +2554,7 @@ function get_left_menu_members($mainmenu, &$newmenu, $usemenuhider = 1, $leftmen // Type $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members", $langs->trans("MembersTypes"), 0, $user->hasRight('adherent', 'configurer'), '', $mainmenu, 'setup', 0, '', '', '', img_picto('', 'members', 'class="paddingright pictofixedwidth"')); - $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members&action=create", $langs->trans("New"), 1, $user->hasRight('adherent', 'configurer')); + $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members&action=create", $langs->trans("New"), 1, $user->hasRight('adherent', 'configurer')); $newmenu->add("/adherents/type.php?leftmenu=setup&mainmenu=members", $langs->trans("List"), 1, $user->hasRight('adherent', 'configurer')); } } diff --git a/htdocs/core/modules/modAgenda.class.php b/htdocs/core/modules/modAgenda.class.php index bc0d440bad8..0cbbbb0dd8b 100644 --- a/htdocs/core/modules/modAgenda.class.php +++ b/htdocs/core/modules/modAgenda.class.php @@ -249,7 +249,7 @@ class modAgenda extends DolibarrModules 'type' => 'left', 'titre' => 'NewAction', 'mainmenu' => 'agenda', - 'url' => '/comm/action/card.php?mainmenu=agenda&leftmenu=agenda&action=create', + 'url' => '/comm/action/card.php?mainmenu=agenda&leftmenu=agenda&action=create', 'langs' => 'commercial', 'position' => 101, 'perms' => '($user->hasRight("agenda", "myactions", "create") || $user->hasRight("agenda", "allactions", "create"))', diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index 56d300c9b8f..e0cd273c028 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -2848,7 +2848,7 @@ if ($action != 'create' && $action != 'edit' && $action != 'editline') { if ($remaintopay == 0) { print '
'.$langs->trans('DoPayment').'
'; } else { - print ''; + print ''; } } diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index 1d330322f87..39d971bba99 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -4094,7 +4094,7 @@ if ($action == 'create') { // Create payment if ($object->type != FactureFournisseur::TYPE_CREDIT_NOTE && $object->status == FactureFournisseur::STATUS_VALIDATED && $object->paid == 0) { - print ''.$langs->trans('DoPayment').''; // must use facid because id is for payment id not invoice + print ''.$langs->trans('DoPayment').''; // must use facid because id is for payment id not invoice } // Reverse back money or convert to reduction @@ -4104,7 +4104,7 @@ if ($action == 'create') { if ($resteapayer == 0) { print ''.$langs->trans('DoPaymentBack').''; } else { - print ''.$langs->trans('DoPaymentBack').''; + print ''.$langs->trans('DoPaymentBack').''; } } @@ -4154,7 +4154,7 @@ if ($action == 'create') { // Create a credit note if (($object->type == FactureFournisseur::TYPE_STANDARD || $object->type == FactureFournisseur::TYPE_DEPOSIT) && $object->status > 0 && $usercancreate) { if (!$objectidnext) { - print ''.$langs->trans("CreateCreditNote").''; + print ''.$langs->trans("CreateCreditNote").''; } } diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index cacc2c3e002..774e274a426 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php 
@@ -1206,7 +1206,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard' if ($showcardpaymentmode && $object->client) { $morehtmlright = ''; if (getDolGlobalString('STRIPE_ALLOW_LOCAL_CARD')) { - $morehtmlright .= dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?socid='.$object->id.'&action=createcard'); + $morehtmlright .= dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?socid='.$object->id.'&action=createcard'); } print load_fiche_titre($langs->trans('CreditCard'), $morehtmlright, 'fa-credit-card'); //($stripeacc ? ' (Stripe connection with StripeConnect account '.$stripeacc.')' : ' (Stripe connection with keys from Stripe module setup)') @@ -1557,7 +1557,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard' // List of bank accounts if ($permissiontoaddupdatepaymentinformation) { - $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"] . '?socid=' . $object->id . '&action=create'); + $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"] . '?socid=' . $object->id . '&action=create'); } print load_fiche_titre($langs->trans("BankAccounts"), $morehtmlright, 'bank'); diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php index 2b31b7097f0..c098ac3c762 100644 --- a/htdocs/user/bank.php +++ b/htdocs/user/bank.php 
@@ -836,7 +836,7 @@ if ($action != 'edit' && $action != 'create') { // If not bank account yet, $ac $morehtmlright = ''; if ($account->id == 0) { if ($permissiontoaddbankaccount) { - $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?id='.$object->id.'&action=create'); + $morehtmlright = dolGetButtonTitle($langs->trans('Add'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?id='.$object->id.'&action=create'); } else { $morehtmlright = dolGetButtonTitle($langs->trans('Add'), $langs->trans('NotEnoughPermissions'), 'fa fa-plus-circle', '', '', -2); } diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 28c2bcf6f90..bfb49309025 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php 
@@ -828,6 +828,24 @@ class SecurityTest extends CommonClassTest $this->assertEquals($stringfixed, $result, 'Error in dolPrintHTMLForAttribute test 2'); // Expected '' because should failed because login 'auto' does not exists + // dolPrintHTMLForAttributeUrl - With dolPrintHTMLForAttributeUrl(), the param should already be and HTML URL encoded + + $stringtotest = "aa & & a=%10"; + $stringfixed = "aa & & a=%10"; + // $result = dol_escape_htmltag(dol_string_onlythesehtmltags($s, 1, 1, 1, 0, array()), 0, 0, '', $escapeonlyhtmltags, 1); + $result = dolPrintHTMLForAttributeUrl($stringtotest); + print __METHOD__." result=".$result."\n"; + $this->assertEquals($stringfixed, $result, 'Error in dolPrintHTMLForAttributeUrl test 1'); // Expected '' because should failed because login 'auto' does not exists + + // For a string that is already HTML (contains HTML tags) with special tags but badly formatted + $stringtotest = "aa & & a=%10"; + $stringfixed = "aa & & a=%10"; + // $result = dol_escape_htmltag(dol_string_onlythesehtmltags($s, 1, 1, 1, 0, array()), 0, 0, '', $escapeonlyhtmltags, 1); + $result = dolPrintHTMLForAttributeUrl($stringtotest); + print __METHOD__." result=".$result."\n"; + $this->assertEquals($stringfixed, $result, 'Error in dolPrintHTMLForAttributeUrl test 2'); // Expected '' because should failed because login 'auto' does not exists + + // dolPrintHTML /* diff --git a/test/phpunit/test.php b/test/phpunit/test.php index 6e8f0c8565a..bd471275f1f 100755 --- a/test/phpunit/test.php +++ b/test/phpunit/test.php 
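Review bot: The comments on the two new assertions are carried over from the dolPrintHTMLForAttribute cases above and no longer describe what is tested: `// Expected '' because should failed because login 'auto' does not exists` has nothing to do with URL attribute encoding, and `// For a string that is already HTML (contains HTML tags) with special tags but badly formatted` precedes a string that, as rendered, contains no tags. `$stringtotest` and `$stringfixed` also appear identical in both cases here, so either entity escaping was lost in this rendering or the second case duplicates the first; a comment per case stating the intended difference, e.g. `// Case 1: input already HTML/URL encoded, expected back unchanged` and `// Case 2: <how this input differs from case 1 and what must be encoded>`, would make the intent checkable. The two commented-out `// $result = dol_escape_htmltag(...)` lines are dead code and should be dropped, and `should already be and HTML URL encoded` in the header comment reads `an`. The test method starts before this hunk.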
@@ -12,18 +12,30 @@ include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $langs->setDefaultLang('fr'); $langs->loadLangs(array('main', 'companies')); -var_dump($langs->tab_translate["Preview"]); +$s = 'aa & & a=%10'; +print $s."\n"; +//print dol_htmlentitiesbr($s)."\n"; +//print dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1); +print dolPrintHTMLForAttributeUrl('aa & & a=%10'); +print "\n"; +$s = 'aa & & a=%10'; +print $s."\n"; +//print dol_htmlentitiesbr($s)."\n"; +//print dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1); +print dolPrintHTMLForAttributeUrl('aa & & a=%10'); +print "\n"; + print $langs->tr("Preview"); print "\n"; print $langs->trans("Preview"); print "\n"; -print ">>> dol_escape_htmltag(eée < > bbbold ç) - should not happen\n"; -print dol_escape_htmltag("eée < > bbbold ç", 1); +print ">>> dol_escape_htmltag(< > bbbold ç &) - should not happen\n"; +print dol_escape_htmltag("< > bbbold ç &", 1); print "\n"; -print ">>> dol_escape_htmltag(eée < > bbbold ç)\n"; -print dol_escape_htmltag("eée < > bbbold ç", 1); +print ">>> dol_escape_htmltag(< > bbbold ç &)\n"; +print dol_escape_htmltag("< > bbbold ç &", 1); print "\n"; print '>>> dol_escape_htmltag(<script>alert("azerty")</script>)'."\n"; print dol_escape_htmltag('<script>alert("azerty")</script>', 1); 
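Review bot: In the two new debug blocks `$s` is assigned and echoed, but the value under test is then passed as a second hand-copied literal (`print dolPrintHTMLForAttributeUrl('aa & & a=%10');`), so if the two ever drift apart the printed label no longer matches what was actually escaped; `print dolPrintHTMLForAttributeUrl($s);` removes the duplication. The same label-versus-call drift applies to the reworded `dol_escape_htmltag` pairs here and to the dolPrintHtml / dolPrintHTMLForAttribute pairs in the `@@ -32` and `@@ -45` hunks, where the label `dolPrintHtmlForattribute(< > bbbold ç & )` does not even match the call `dolPrintHTMLForAttribute("< > bbbold ç &")`. As rendered here the "should not happen" variant and its regular counterpart receive byte-identical input, which suggests entity encoding was lost in this view rather than in the script — worth confirming on the raw file. The `//print dol_htmlentitiesbr(...)` and `//print dol_escape_htmltag(...)` lines are commented-out code and should not be committed.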
@@ -32,11 +44,11 @@ print "\n"; print "\n"; // dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 1, 1, array())), 1, 1, 'common', 0, 1); -print ">>> dolPrintHtml(eée < > bbbold ç) - should not happen\n"; -print dolPrintHtml("eée < > bbbold ç"); +print ">>> dolPrintHtml(< > bbbold ç &) - should not happen\n"; +print dolPrintHtml("< > bbbold ç &"); print "\n"; -print ">>> dolPrintHtml(eée < > bbbold ç)\n"; -print dolPrintHtml("eée < > bbbold ç"); +print ">>> dolPrintHtml(< > bbbold ç &)\n"; +print dolPrintHtml("< > bbbold ç &"); print "\n"; print '>>> dolPrintHtml(<script>alert("azerty")</script>)'."\n"; print dolPrintHtml('<script>alert("azerty")</script>'); @@ -45,11 +57,11 @@ print "\n"; print "\n"; // dol_escape_htmltag(dol_string_onlythesehtmltags(dol_htmlentitiesbr($s), 1, 0, 0, 0, array('br', 'b', 'font', 'hr', 'span')), 1, -1, '', 0, 1); -print ">>> dolPrintHtmlForattribute(eée < > bbbold ç)\n"; -print dolPrintHTMLForAttribute("eée < > bbbold ç"); +print ">>> dolPrintHtmlForattribute(< > bbbold ç & )\n"; +print dolPrintHTMLForAttribute("< > bbbold ç &"); print "\n"; -print ">>> dolPrintHTMLForAttribute(eée < > bbbold ç)\n"; -print dolPrintHTMLForAttribute("eée < > bbbold ç"); +print ">>> dolPrintHTMLForAttribute(< > bbbold ç &)\n"; +print dolPrintHTMLForAttribute("< > bbbold ç &"); print "\n"; print '>>> dolPrintHtmlForattribute(<script>alert("azerty")</script>)'."\n"; print dolPrintHTMLForAttribute('<script>alert("azerty")</script>'); From d5a36eee1547440c39c5455d24e544fce1626d64 Mon Sep 17 00:00:00 2001 From: "Laurent Destailleur (aka Eldy)" Date: Thu, 9 Jan 2025 13:58:06 +0100 Subject: [PATCH 32/33] Add OVER on list of reserved words --- htdocs/core/actions_extrafields.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/core/actions_extrafields.inc.php b/htdocs/core/actions_extrafields.inc.php index f1a7eca0c50..3c52491d4cb 100644 --- a/htdocs/core/actions_extrafields.inc.php 
+++ b/htdocs/core/actions_extrafields.inc.php 
@@ -61,13 +61,14 @@ if ($type == 'select') { $extrasize = ''; } +// List of reserved words for databases $listofreservedwords = array( 'ADD', 'ALL', 'ALTER', 'ANALYZE', 'AND', 'AS', 'ASENSITIVE', 'BEFORE', 'BETWEEN', 'BINARY', 'BLOB', 'BOTH', 'CALL', 'CASCADE', 'CASE', 'CHANGE', 'CHAR', 'CHARACTER', 'CHECK', 'COLLATE', 'COLUMN', 'CONDITION', 'CONSTRAINT', 'CONTINUE', 'CONVERT', 'CREATE', 'CROSS', 'CURRENT_DATE', 'CURRENT_TIME', 'CURRENT_TIMESTAMP', 'CURRENT_USER', 'CURSOR', 'DATABASE', 'DATABASES', 'DAY_HOUR', 'DAY_MICROSECOND', 'DAY_MINUTE', 'DAY_SECOND', 'DECIMAL', 'DECLARE', 'DEFAULT', 'DELAYED', 'DELETE', 'DESC', 'DESCRIBE', 'DETERMINISTIC', 'DISTINCT', 'DISTINCTROW', 'DOUBLE', 'DROP', 'DUAL', 'EACH', 'ELSE', 'ELSEIF', 'ENCLOSED', 'ESCAPED', 'EXISTS', 'EXPLAIN', 'FALSE', 'FETCH', 'FLOAT', 'FLOAT4', 'FLOAT8', 'FORCE', 'FOREIGN', 'FULLTEXT', 'GRANT', 'GROUP', 'HAVING', 'HIGH_PRIORITY', 'HOUR_MICROSECOND', 'HOUR_MINUTE', 'HOUR_SECOND', 'IGNORE', 'IGNORE_SERVER_IDS', 'INDEX', 'INFILE', 'INNER', 'INOUT', 'INSENSITIVE', 'INSERT', 'INT', 'INTEGER', 'INTERVAL', 'INTO', 'ITERATE', 'KEYS', 'KEYWORD', 'LEADING', 'LEAVE', 'LEFT', 'LIKE', 'LIMIT', 'LINES', 'LOCALTIME', 'LOCALTIMESTAMP', 'LONGBLOB', 'LONGTEXT', 'MASTER_SSL_VERIFY_SERVER_CERT', 'MATCH', 'MEDIUMBLOB', 'MEDIUMINT', 'MEDIUMTEXT', 'MIDDLEINT', 'MINUTE_MICROSECOND', 'MINUTE_SECOND', 'MODIFIES', 'NATURAL', 'NOT', 'NO_WRITE_TO_BINLOG', 'NUMERIC', - 'OFFSET', 'ON', 'OPTION', 'OPTIONALLY', 'OUTER', 'OUTFILE', + 'OFFSET', 'ON', 'OPTION', 'OPTIONALLY', 'OUTER', 'OUTFILE', 'OVER', 'PARTITION', 'POSITION', 'PRECISION', 'PRIMARY', 'PROCEDURE', 'PURGE', 'RANGE', 'READS', 'READ_WRITE', 'REAL', 'REFERENCES', 'REGEXP', 'RELEASE', 'RENAME', 'REPEAT', 'REQUIRE', 'RESTRICT', 'RETURN', 'REVOKE', 'RIGHT', 'RLIKE', 'SCHEMAS', 'SECOND_MICROSECOND', 'SENSITIVE', 'SEPARATOR', 'SIGNAL', 'SMALLINT', 'SPATIAL', 'SPECIFIC', 'SQLEXCEPTION', 'SQLSTATE', 'SQLWARNING', 'SQL_BIG_RESULT', 'SQL_CALC_FOUND_ROWS', 'SQL_SMALL_RESULT', 'SSL', 
'STARTING', 'STRAIGHT_JOIN', 'TABLE', 'TERMINATED', 'TINYBLOB', 'TINYINT', 'TINYTEXT', 'TRAILING', 'TRIGGER', 'UNDO', 'UNIQUE', 'UNSIGNED', 'UPDATE', 'USAGE', 'USING', 'UTC_DATE', 'UTC_TIME', 'UTC_TIMESTAMP', 'VALUES', 'VARBINARY', 'VARCHAR', 'VARYING',
From 4527a0eb31a9b3ee4e62d993f2b3f2ca2ea59ff3 Mon Sep 17 00:00:00 2001
From: "Laurent Destailleur (aka Eldy)"
Date: Thu, 9 Jan 2025 22:15:24 +0100
Subject: [PATCH 33/33] Debug v21
---
 htdocs/public/payment/newpayment.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php
index 02dcc1ce6af..fcff7afc7d6 100644
--- a/htdocs/public/payment/newpayment.php
+++ b/htdocs/public/payment/newpayment.php
@@ -230,15 +230,13 @@ $urlwithroot = DOL_MAIN_URL_ROOT; // This is to use same domain name than curren
 $urlok = $urlwithroot.'/public/payment/paymentok.php?';
 $urlko = $urlwithroot.'/public/payment/paymentko.php?';
-/*
-if ($ws) {
+if ($ws && !defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) { // So defined('USEEXTERNALSERVER') should be set but is not always
 include_once DOL_DOCUMENT_ROOT.'/website/class/website.class.php';
 $tmpwebsite = new WebSite($db);
 $tmpwebsite->fetch(0, $ws);
 $urlok = $tmpwebsite->virtualhost.'/public/payment/paymentok.php?';
 $urlko = $tmpwebsite->virtualhost.'/public/payment/paymentko.php?';
 }
-*/
 // Complete urls for post treatment
 $ref = $REF = GETPOST('ref', 'alpha');
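Review bot: The new `// List of reserved words for databases` comment does not say which engine or version the list was taken from, and adding `OVER` on its own suggests the list is being patched one collision at a time; `OVER` became reserved in MySQL 8.0.2 together with the other window-function keywords (`WINDOW`, `RANK`, `DENSE_RANK`, `ROW_NUMBER`, `LAG`, `LEAD`, `NTILE`, `GROUPS`), and `RECURSIVE` and `LATERAL` followed in later 8.0 releases, none of which appear in the visible part of the array. A comment naming the source, `// SQL reserved words an extrafield code must not collide with (taken from the MySQL 8.0 reserved-word list); re-sync when a newer database version is supported`, makes the next gap easier to spot. A word blocklist is inherently incomplete across engines, so if the extrafield code is interpolated into SQL elsewhere, quoting the generated identifier at that point is the durable protection and this list is best treated as an early usability check. The array continues past the end of the hunk.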
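Review bot: The re-enabled block overrides `$urlok`/`$urlko` without checking that `$tmpwebsite->fetch(0, $ws)` found a website, so an unknown `$ws` leaves `virtualhost` empty and the return URLs handed to the payment provider degrade to `'/public/payment/paymentok.php?'`, a path with no host, which silently breaks the post-payment redirect; where `$ws` comes from is not visible in the hunk, so whether it is request-derived cannot be confirmed here. Guard the override with `if ($tmpwebsite->fetch(0, $ws) > 0 && !empty($tmpwebsite->virtualhost)) {` around the two assignments, assuming fetch() follows the usual >0-on-success convention. The condition `!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')` paired with `// So defined('USEEXTERNALSERVER') should be set but is not always` is hard to follow; stating the intent directly, `// Rewrite the return URLs only when the page is served from the external website host, not from the Dolibarr server or the website editor`, would help the next reader.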