diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 28cd8773d53..4eda43dcca5 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -57,7 +57,7 @@ $type=GETPOST("type"); $search_email=GETPOST("search_email"); $search_categ = GETPOST("search_categ",'int'); $catid = GETPOST("catid",'int'); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss','alpha'); if ($statut < -1) $statut = ''; diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php index 2d6fae37b98..7346c0045f5 100644 --- a/htdocs/comm/mailing/list.php +++ b/htdocs/comm/mailing/list.php @@ -41,8 +41,8 @@ $pagenext = $page + 1; if (! $sortorder) $sortorder="DESC"; if (! $sortfield) $sortfield="m.date_creat"; -$sall=GETPOST("sall","alpha"); -$sref=GETPOST("sref","alpha"); +$sall=GETPOST('sall', 'alphanohtml'); +$sref=GETPOST("sref", "alpha"); $filteremail=GETPOST('filteremail','alpha'); // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 44a2b9356e8..d85448397de 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -77,7 +77,7 @@ $viewstatut=GETPOST('viewstatut'); $optioncss = GETPOST('optioncss','alpha'); $object_statut=GETPOST('propal_statut'); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg")); $day=GETPOST("day","int"); diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 073a20bc391..80601ec9727 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -71,7 +71,7 @@ $search_zip=GETPOST('search_zip','alpha'); $search_state=trim(GETPOST("search_state")); $search_country=GETPOST("search_country",'int'); $search_type_thirdparty=GETPOST("search_type_thirdparty",'int'); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $socid=GETPOST('socid','int'); $search_user=GETPOST('search_user','int'); $search_sale=GETPOST('search_sale','int'); diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php index 009326f1f41..40071a0b21d 100644 --- a/htdocs/commande/orderstoinvoice.php +++ b/htdocs/commande/orderstoinvoice.php @@ -52,7 +52,7 @@ $action = GETPOST('action','alpha'); $confirm = GETPOST('confirm','alpha'); $sref = GETPOST('sref'); $sref_client = GETPOST('sref_client'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $socid = GETPOST('socid','int'); $selected = GETPOST('orders_to_invoice'); $sortfield = GETPOST("sortfield",'alpha'); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 5dbbeb24e5a..cce94646616 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -52,7 +52,7 @@ $langs->load('bills'); $langs->load('companies'); $langs->load('products'); -$sall=trim(GETPOST('sall')); +$sall=trim(GETPOST('sall', 'alphanohtml')); $projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0); $id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int')); // For backward compatibility diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index ae0f8f9398a..b425ea56667 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -42,7 +42,7 @@ $ref = ''; // There is no ref for contacts if ($user->societe_id) $socid=$user->societe_id; $result = restrictedArea($user, 'contact', $contactid,''); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $search_firstlast_only=GETPOST("search_firstlast_only"); $search_lastname=GETPOST("search_lastname"); $search_firstname=GETPOST("search_firstname"); diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index 7436c16fe69..8a22f7ee324 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php @@ -53,7 +53,7 @@ $search_country=GETPOST("search_country",'int'); $search_type_thirdparty=GETPOST("search_type_thirdparty",'int'); $search_contract=GETPOST('search_contract'); $search_ref_supplier=GETPOST('search_ref_supplier','alpha'); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $search_status=GETPOST('search_status'); $socid=GETPOST('socid'); $search_user=GETPOST('search_user','int'); diff --git a/htdocs/don/list.php b/htdocs/don/list.php index d925573b859..1b490b34085 100644 --- a/htdocs/don/list.php +++ b/htdocs/don/list.php @@ -43,7 +43,7 @@ if (! $sortorder) $sortorder="DESC"; if (! $sortfield) $sortfield="d.datedon"; $statut=isset($_GET["statut"])?$_GET["statut"]:"-1"; -$search_all=GETPOST('sall','alpha'); +$search_all=GETPOST('sall', 'alphanohtml'); $search_ref=GETPOST('search_ref','alpha'); $search_company=GETPOST('search_company','alpha'); $search_name=GETPOST('search_name','alpha'); diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php index 65d7fd5223e..68f3add0229 100644 --- a/htdocs/expedition/list.php +++ b/htdocs/expedition/list.php @@ -50,7 +50,7 @@ $search_zip=GETPOST('search_zip','alpha'); $search_state=trim(GETPOST("search_state")); $search_country=GETPOST("search_country",'int'); $search_type_thirdparty=GETPOST("search_type_thirdparty",'int'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss','alpha'); $limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit; diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index 13b95311dee..58541330c83 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -63,7 +63,7 @@ if (!$sortorder) $sortorder="DESC"; if (!$sortfield) $sortfield="d.date_debut"; -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $search_ref = GETPOST('search_ref'); $search_user = GETPOST('search_user','int'); $search_amount_ht = GETPOST('search_amount_ht','alpha'); diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php index 563c57f5ad7..9ef7d22ad10 100644 --- a/htdocs/fichinter/list.php +++ b/htdocs/fichinter/list.php @@ -62,7 +62,7 @@ $search_ref=GETPOST('search_ref')?GETPOST('search_ref','alpha'):GETPOST('search_ $search_company=GETPOST('search_company','alpha'); $search_desc=GETPOST('search_desc','alpha'); $search_status=GETPOST('search_status'); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss','alpha'); // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index 427f428d652..59a3bd3a809 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -164,14 +164,17 @@ if (empty($multicompany_force_entity)) $multicompany_force_entity=0; // To force // This test check if referrer ($_SERVER['HTTP_REFERER']) is same web site than Dolibarr ($_SERVER['HTTP_HOST']) // when we post forms (we allow GET to allow direct link to access a particular page). // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host -if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) - && ! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) - && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))) +if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) { - //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; - print "Access refused by CSRF protection in main.inc.php.\n"; - print "If you access your server behind a proxy using url rewriting, you might add the line \$dolibarr_nocsrfcheck=1 into your conf.php file.\n"; - die; + if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) + && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))) + { + //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; + print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; + print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; + die; + } + // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on. } if (empty($dolibarr_main_db_host)) { diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index 49de2dac7a3..42773058471 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -54,6 +54,8 @@ $orderday=GETPOST("orderday","int"); $deliveryyear=GETPOST("deliveryyear","int"); $deliverymonth=GETPOST("deliverymonth","int"); $deliveryday=GETPOST("deliveryday","int"); + +$sall=GETPOST('search_all', 'alphanohtml'); $search_product_category=GETPOST('search_product_category','int'); $search_ref=GETPOST('search_ref'); $search_refsupp=GETPOST('search_refsupp'); @@ -69,7 +71,6 @@ $search_ht=GETPOST('search_ht'); $search_ttc=GETPOST('search_ttc'); $search_status=(GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); // alpha and not intbecause it can be '6,7' $optioncss = GETPOST('optioncss','alpha'); -$sall=GETPOST('search_all'); $socid = GETPOST('socid','int'); $search_sale=GETPOST('search_sale','int'); $search_total_ht=GETPOST('search_total_ht','alpha'); diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php index f804a1d9ab7..32f1a5538b5 100644 --- a/htdocs/fourn/commande/orderstoinvoice.php +++ b/htdocs/fourn/commande/orderstoinvoice.php @@ -53,7 +53,7 @@ $action = GETPOST('action', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); $sref = GETPOST('sref'); $sref_client = GETPOST('sref_client'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $socid = GETPOST('socid', 'int'); $selected = GETPOST('orders_to_invoice'); $sortfield = GETPOST("sortfield", 'alpha'); diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php index 3afb97c5fb1..396d5ffd8a5 100644 --- a/htdocs/fourn/facture/list.php +++ b/htdocs/fourn/facture/list.php @@ -88,7 +88,7 @@ $toselect = GETPOST('toselect', 'array'); $option = GETPOST('option'); if ($option == 'late') $filter = 'paye:0'; -$search_all = GETPOST('sall'); +$search_all = GETPOST('sall', 'alphanohtml'); $search_label = GETPOST("search_label","alpha"); $search_company = GETPOST("search_company","alpha"); $search_amount_no_tax = GETPOST("search_amount_no_tax","alpha"); diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 131dcc3651b..1ab8fbd785f 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -55,7 +55,7 @@ $pagenext = $page + 1; $id = GETPOST('id','int'); -$sall = GETPOST('sall'); +$sall = GETPOST('sall', 'alphanohtml'); $search_ref = GETPOST('search_ref'); $month_create = GETPOST('month_create'); $year_create = GETPOST('year_create'); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index dd45222fa42..9d97770e48a 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -298,16 +298,24 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V // Creation of a token against CSRF vulnerabilities if (! defined('NOTOKENRENEWAL')) { - $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number // roulement des jetons car cree a chaque appel if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; + + // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken'] + $token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number $_SESSION['newtoken'] = $token; } if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) // Check validity of token, only if option enabled (this option breaks some features sometimes) { - if ($_SERVER['REQUEST_METHOD'] === 'POST') + if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token')) // Note, offender can still send request by GET { - if (GETPOST('token') != $_SESSION['token']) + print "Access refused by CSRF protection in main.inc.php. Token not provided.\n"; + print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; + die; + } + if ($_SERVER['REQUEST_METHOD'] === 'POST') // This test must be after loading $_SESSION['token']. + { + if (GETPOST('token', 'alpha') != $_SESSION['token']) { dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action').", _POST['token']=".GETPOST('token').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING); //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers. diff --git a/htdocs/product/canvas/product/actions_card_product.class.php b/htdocs/product/canvas/product/actions_card_product.class.php index 06803e8239d..8db1ae21469 100644 --- a/htdocs/product/canvas/product/actions_card_product.class.php +++ b/htdocs/product/canvas/product/actions_card_product.class.php @@ -326,7 +326,7 @@ class ActionsCardProduct $this->list_datas = array(); // Clean parameters - $sall=trim(GETPOST("sall")); + $sall=trim(GETPOST('sall', 'alphanohtml')); foreach($this->field_list as $field) { diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 9efdca6a4d0..1aec109474e 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -49,7 +49,7 @@ $action = GETPOST('action'); $sref=GETPOST("sref"); $sbarcode=GETPOST("sbarcode"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $type=GETPOST("type","int"); $search_sale = GETPOST("search_sale"); $search_categ = GETPOST("search_categ",'int'); diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php index 13bc0fef186..e3e9af6a61a 100644 --- a/htdocs/product/reassort.php +++ b/htdocs/product/reassort.php @@ -42,7 +42,7 @@ $result=restrictedArea($user,'produit|service'); $action=GETPOST('action','alpha'); $sref=GETPOST("sref"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $type=GETPOST("type","int"); $sbarcode=GETPOST("sbarcode"); $catid=GETPOST('catid','int'); diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 01285f09417..40b96c24db1 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -44,7 +44,7 @@ $result=restrictedArea($user,'produit|service'); $action=GETPOST('action','alpha'); $sref=GETPOST("sref"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $type=GETPOST("type","int"); $sbarcode=GETPOST("sbarcode",'alpha'); $search_warehouse=GETPOST('search_warehouse','alpha'); diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php index 0bfd9048352..ed1b91b4ad5 100644 --- a/htdocs/product/stock/list.php +++ b/htdocs/product/stock/list.php @@ -32,9 +32,9 @@ $langs->load("stocks"); // Security check $result=restrictedArea($user,'stock'); +$sall=GETPOST('sall', 'alphanohtml'); $search_ref=GETPOST("sref","alpha")?GETPOST("sref","alpha"):GETPOST("search_ref","alpha"); $search_label=GETPOST("snom","alpha")?GETPOST("snom","alpha"):GETPOST("search_label","alpha"); -$sall=GETPOST("sall","alpha"); $search_status=GETPOST("search_status","int"); $limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit; diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index 437361b5cf5..26c6ab1dfd1 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -48,7 +48,7 @@ $result=restrictedArea($user,'produit|service'); $action = GETPOST('action','alpha'); $sref = GETPOST('sref', 'alpha'); $snom = GETPOST('snom', 'alpha'); -$sall = GETPOST('sall', 'alpha'); +$sall = GETPOST('sall', 'alphanohtml'); $type = GETPOST('type','int'); $tobuy = GETPOST('tobuy', 'int'); $salert = GETPOST('salert', 'alpha'); diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php index 4986d7c524d..5b1fda0371f 100644 --- a/htdocs/product/stock/replenishorders.php +++ b/htdocs/product/stock/replenishorders.php @@ -39,11 +39,11 @@ $langs->load("orders"); if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit|service'); +$sall = GETPOST('search_all', 'alphanohtml'); $sref = GETPOST('search_ref', 'alpha'); $snom = GETPOST('search_nom', 'alpha'); $suser = GETPOST('search_user', 'alpha'); $sttc = GETPOST('search_ttc', 'alpha'); -$sall = GETPOST('search_all', 'alpha'); $sdate = GETPOST('search_date', 'alpha'); $page = GETPOST('page', 'int'); $sproduct = GETPOST('sproduct', 'int'); diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php index be56636ee57..b13dd0bd27e 100644 --- a/htdocs/product/stock/valo.php +++ b/htdocs/product/stock/valo.php @@ -33,7 +33,7 @@ $result=restrictedArea($user,'stock'); $sref=GETPOST("sref"); $snom=GETPOST("snom"); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $sortfield = GETPOST("sortfield"); $sortorder = GETPOST("sortorder"); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index dadc199d146..51f260cac6f 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -62,13 +62,12 @@ $offset = $limit * $page ; $pageprev = $page - 1; $pagenext = $page + 1; -$search_all=GETPOST("search_all"); +$search_all=GETPOST('search_all', 'alphanohtml'); $search_categ=GETPOST("search_categ",'alpha'); $search_ref=GETPOST("search_ref"); $search_label=GETPOST("search_label"); $search_societe=GETPOST("search_societe"); $search_year=GETPOST("search_year"); -$search_all=GETPOST("search_all"); $search_status=GETPOST("search_status",'int'); $search_opp_status=GETPOST("search_opp_status",'alpha'); $search_opp_percent=GETPOST("search_opp_percent",'alpha'); diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 74f9b122f14..30a89109115 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php @@ -36,7 +36,7 @@ $langs->load('companies'); $id=GETPOST('id','int'); -$search_all=GETPOST('search_all'); +$search_all=GETPOST('search_all', 'alphanohtml'); $search_project=GETPOST('search_project'); if (! isset($_GET['search_projectstatus']) && ! isset($_POST['search_projectstatus'])) { diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 393d3a1fad4..0a79921d153 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -48,7 +48,7 @@ $socid = GETPOST('socid','int'); if ($user->societe_id) $socid=$user->societe_id; $result = restrictedArea($user,'societe',$socid,''); -$search_all=trim(GETPOST("sall")); +$search_all=trim(GETPOST('sall', 'alphanohtml')); $search_nom=trim(GETPOST("search_nom")); $search_nom_only=trim(GETPOST("search_nom_only")); $search_barcode=trim(GETPOST("sbarcode")); diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index caf79597e53..7a841a13b19 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -66,7 +66,7 @@ $search_author=GETPOST('search_author','alpha'); $search_status=GETPOST('viewstatut','alpha')?GETPOST('viewstatut','alpha'):GETPOST('search_status','int'); $object_statut=$db->escape(GETPOST('supplier_proposal_statut')); -$sall=GETPOST("sall"); +$sall=GETPOST('sall', 'alphanohtml'); $mesg=(GETPOST("msg") ? GETPOST("msg") : GETPOST("mesg")); $year=GETPOST("year"); $month=GETPOST("month"); diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php index 94c12147f1a..12e51a79d0f 100644 --- a/htdocs/user/group/index.php +++ b/htdocs/user/group/index.php @@ -34,7 +34,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS)) $langs->load("users"); -$sall=GETPOST('sall'); +$sall=GETPOST('sall', 'alphanohtml'); $search_group=GETPOST('search_group'); $optioncss = GETPOST('optioncss','alpha'); diff --git a/htdocs/user/hierarchy.php b/htdocs/user/hierarchy.php index bb558bd56b3..2bba66d464e 100644 --- a/htdocs/user/hierarchy.php +++ b/htdocs/user/hierarchy.php @@ -39,7 +39,7 @@ $socid=0; if ($user->societe_id > 0) $socid = $user->societe_id; -$sall=GETPOST('sall','alpha'); +$sall=GETPOST('sall', 'alphanohtml'); $search_user=GETPOST('search_user','alpha'); $userstatic=new User($db); diff --git a/htdocs/user/index.php b/htdocs/user/index.php index 623e2df3434..9e7c78f9799 100644 --- a/htdocs/user/index.php +++ b/htdocs/user/index.php @@ -110,7 +110,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab } // Init search fields -$sall=GETPOST('sall','alpha'); +$sall=GETPOST('sall', 'alphanohtml'); $search_user=GETPOST('search_user','alpha'); $search_login=GETPOST('search_login','alpha'); $search_lastname=GETPOST('search_lastname','alpha');