From fa2cfb97b16aa950ccf08c947989fd88f3022609 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 26 Feb 2024 15:02:39 +0100
Subject: [PATCH] Fix bad parameter for GETPOST
---
 htdocs/admin/mails.php | 4 ++--
 htdocs/admin/mails_emailing.php | 4 ++--
 htdocs/admin/mails_ticket.php | 8 ++++----
 htdocs/admin/menus/edit.php | 2 +-
 htdocs/comm/propal/stats/index.php | 4 ++--
 htdocs/commande/stats/index.php | 4 ++--
 htdocs/compta/facture/card.php | 4 ++--
 htdocs/compta/facture/stats/index.php | 4 ++--
 htdocs/core/actions_massactions.inc.php | 2 +-
 htdocs/core/modules/commande/doc/pdf_einstein.modules.php | 2 +-
 htdocs/modulebuilder/admin/setup.php | 2 +-
 htdocs/mrp/mo_card.php | 2 +-
 htdocs/projet/tasks/time.php | 2 +-
 htdocs/reception/card.php | 2 +-
 htdocs/webportal/class/controller.class.php | 6 +++---
 .../webportal/controllers/document.controller.class.php | 2 ++
 16 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php
index 443e5eb2e8f..cdda45c2a90 100644
--- a/htdocs/admin/mails.php
+++ b/htdocs/admin/mails.php
@@ -99,10 +99,10 @@ if ($action == 'update' && !$cancel) {
 dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW", GETPOST("MAIN_MAIL_SMTPS_PW", 'none'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET("MAIN_MAIL_SMTPS_AUTH_TYPE")) {
- dolibarr_set_const($db, "MAIN_MAIL_SMTPS_AUTH_TYPE", GETPOST("MAIN_MAIL_SMTPS_AUTH_TYPE", 'chaine'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_MAIL_SMTPS_AUTH_TYPE", GETPOST("MAIN_MAIL_SMTPS_AUTH_TYPE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET("MAIN_MAIL_SMTPS_OAUTH_SERVICE")) {
- dolibarr_set_const($db, "MAIN_MAIL_SMTPS_OAUTH_SERVICE", GETPOST("MAIN_MAIL_SMTPS_OAUTH_SERVICE", 'chaine'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_MAIL_SMTPS_OAUTH_SERVICE", GETPOST("MAIN_MAIL_SMTPS_OAUTH_SERVICE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS", GETPOST("MAIN_MAIL_EMAIL_TLS", 'int'), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS", GETPOST("MAIN_MAIL_EMAIL_STARTTLS", 'int'), 'chaine', 0, '', $conf->entity);
diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php
index bf619d5f554..059a99a7a1b 100644
--- a/htdocs/admin/mails_emailing.php
+++ b/htdocs/admin/mails_emailing.php
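Review bot: The new `'alphanohtml'` filter on the two `+` lines still accepts any non-HTML string for MAIN_MAIL_SMTPS_AUTH_TYPE and MAIN_MAIL_SMTPS_OAUTH_SERVICE, and the value is then persisted via dolibarr_set_const. If the form presents these as a fixed set of choices (not visible here), checking the submitted value against that set before saving — e.g. `if (!in_array($val, $allowedValues, true)) { setEventMessages($langs->trans("ErrorBadParameters"), null, 'errors'); }` (variable names constructed) — turns a typo or a tampered request into an error instead of a stored, later-consumed setting. The same point applies to the _EMAILING and _TICKET variants in the next two hunks (mails_emailing.php, mails_ticket.php). In those two files the unchanged TLS/STARTTLS lines also call GETPOST without a check type while mails.php passes 'int'; aligning them is a cheap consistency win. The enclosing update block starts before this hunk.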
@@ -88,10 +88,10 @@ if ($action == 'update' && !$cancel) {
 dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW_EMAILING", GETPOST("MAIN_MAIL_SMTPS_PW_EMAILING", 'none'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET("MAIN_MAIL_SMTPS_AUTH_TYPE_EMAILING")) {
- dolibarr_set_const($db, "MAIN_MAIL_SMTPS_AUTH_TYPE_EMAILING", GETPOST("MAIN_MAIL_SMTPS_AUTH_TYPE_EMAILING", 'chaine'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_MAIL_SMTPS_AUTH_TYPE_EMAILING", GETPOST("MAIN_MAIL_SMTPS_AUTH_TYPE_EMAILING", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET("MAIN_MAIL_SMTPS_OAUTH_SERVICE_EMAILING")) {
- dolibarr_set_const($db, "MAIN_MAIL_SMTPS_OAUTH_SERVICE_EMAILING", GETPOST("MAIN_MAIL_SMTPS_OAUTH_SERVICE_EMAILING", 'chaine'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_MAIL_SMTPS_OAUTH_SERVICE_EMAILING", GETPOST("MAIN_MAIL_SMTPS_OAUTH_SERVICE_EMAILING", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_TLS_EMAILING"), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_STARTTLS_EMAILING"), 'chaine', 0, '', $conf->entity);
diff --git a/htdocs/admin/mails_ticket.php b/htdocs/admin/mails_ticket.php
index fbb5edddfc3..dd9f63c3ef6 100644
--- a/htdocs/admin/mails_ticket.php
+++ b/htdocs/admin/mails_ticket.php
@@ -86,10 +86,10 @@ if ($action == 'update' && !$cancel) {
 dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW_TICKET", GETPOST("MAIN_MAIL_SMTPS_PW_TICKET", 'none'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET("MAIN_MAIL_SMTPS_AUTH_TYPE_TICKET")) {
- dolibarr_set_const($db, "MAIN_MAIL_SMTPS_AUTH_TYPE_TICKET", GETPOST("MAIN_MAIL_SMTPS_AUTH_TYPE_TICKET", 'chaine'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_MAIL_SMTPS_AUTH_TYPE_TICKET", GETPOST("MAIN_MAIL_SMTPS_AUTH_TYPE_TICKET", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 if (GETPOSTISSET("MAIN_MAIL_SMTPS_OAUTH_SERVICE_TICKET")) {
- dolibarr_set_const($db, "MAIN_MAIL_SMTPS_OAUTH_SERVICE_TICKET", GETPOST("MAIN_MAIL_SMTPS_OAUTH_SERVICE_TICKET", 'chaine'), 'chaine', 0, '', $conf->entity);
+ dolibarr_set_const($db, "MAIN_MAIL_SMTPS_OAUTH_SERVICE_TICKET", GETPOST("MAIN_MAIL_SMTPS_OAUTH_SERVICE_TICKET", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 }
 dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS_TICKET", GETPOST("MAIN_MAIL_EMAIL_TLS_TICKET"), 'chaine', 0, '', $conf->entity);
 dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS_TICKET", GETPOST("MAIN_MAIL_EMAIL_STARTTLS_TICKET"), 'chaine', 0, '', $conf->entity);
@@ -672,8 +672,8 @@ if ($action == 'edit') {
 // Cree l'objet formulaire mail
 include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php';
 $formmail = new FormMail($db);
- $formmail->fromname = (GETPOSTISSET('fromname') ? GETPOST('fromname', 'restricthtml') : $conf->global->MAIN_MAIL_EMAIL_FROM);
- $formmail->frommail = (GETPOSTISSET('frommail') ? GETPOST('frommail', 'restricthtml') : $conf->global->MAIN_MAIL_EMAIL_FROM);
+ $formmail->fromname = (GETPOSTISSET('fromname') ? GETPOST('fromname', 'restricthtml') : getDolGlobalString('MAIN_MAIL_EMAIL_FROM'));
+ $formmail->frommail = (GETPOSTISSET('frommail') ? GETPOST('frommail', 'restricthtml') : getDolGlobalString('MAIN_MAIL_EMAIL_FROM'));
 $formmail->trackid = (($action == 'testhtml') ? "testhtml" : "test");
 $formmail->fromid = $user->id;
 $formmail->fromalsorobot = 1;
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index 95de2e96b99..3b680f93a7b 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -362,7 +362,7 @@ if ($action == 'create') {
 // Picto
 print ''.$langs->trans('Image').'';
- print ''.$langs->trans('Example').': fa-global';
+ print ''.$langs->trans('Example').': fa-global';
 // URL
 print ''.$langs->trans('URL').'';
diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php
index 4e0a4071ae0..3603f89af2a 100644
--- a/htdocs/comm/propal/stats/index.php
+++ b/htdocs/comm/propal/stats/index.php
@@ -41,8 +41,8 @@ $HEIGHT = DolGraph::getDefaultGraphSizeForStats('height');
 $mode = GETPOSTISSET("mode") ? GETPOST("mode", 'aZ09') : 'customer';
 $object_status = GETPOST('object_status', 'intcomma');
-$typent_id = GETPOST('typent_id', 'int');
-$categ_id = GETPOST('categ_id', 'categ_id');
+$typent_id = GETPOSTINT('typent_id');
+$categ_id = GETPOSTINT('categ_id');
 $userid = GETPOST('userid', 'int');
 $socid = GETPOST('socid', 'int');
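Review bot: In the propal/stats hunk the two new GETPOSTINT lines are immediately followed by `$userid = GETPOST('userid', 'int');` and `$socid = GETPOST('socid', 'int');`, which keep the older form this commit is moving away from; changing them to `$userid = GETPOSTINT('userid');` and `$socid = GETPOSTINT('socid');` in the same hunk would leave the parameter-reading block uniform. The same pattern recurs in the commande/stats and compta/facture/stats hunks below. The removed `'categ_id'` second argument appears to be the "bad parameter" the commit title refers to, since it is not a filter name; a short comment is not needed, but the fix is more than cosmetic and worth a line in the description.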
diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php
index f7da50833e1..1a06944f272 100644
--- a/htdocs/commande/stats/index.php
+++ b/htdocs/commande/stats/index.php
@@ -62,8 +62,8 @@ if ($mode == 'supplier') {
 }
-$typent_id = GETPOST('typent_id', 'int');
-$categ_id = GETPOST('categ_id', 'categ_id');
+$typent_id = GETPOSTINT('typent_id');
+$categ_id = GETPOSTINT('categ_id');
 $userid = GETPOST('userid', 'int');
 $socid = GETPOST('socid', 'int');
diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php
index 091af287d69..f1ae8948052 100644
--- a/htdocs/compta/facture/card.php
+++ b/htdocs/compta/facture/card.php
@@ -442,13 +442,13 @@ if (empty($reshook)) {
 }
 } elseif ($action == 'setretainedwarranty' && $user->hasRight('facture', 'creer')) {
 $object->fetch($id);
- $result = $object->setRetainedWarranty(GETPOST('retained_warranty', 'float'));
+ $result = $object->setRetainedWarranty(GETPOSTFLOAT('retained_warranty'));
 if ($result < 0) {
 dol_print_error($db, $object->error);
 }
 } elseif ($action == 'setretainedwarrantydatelimit' && $user->hasRight('facture', 'creer')) {
 $object->fetch($id);
- $result = $object->setRetainedWarrantyDateLimit(GETPOST('retained_warranty_date_limit', 'float'));
+ $result = $object->setRetainedWarrantyDateLimit(GETPOSTFLOAT('retained_warranty_date_limit'));
 if ($result < 0) {
 dol_print_error($db, $object->error);
 }
diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php
index 4ae358d682d..f98216140f9 100644
--- a/htdocs/compta/facture/stats/index.php
+++ b/htdocs/compta/facture/stats/index.php
@@ -52,8 +52,8 @@ if ($mode == 'supplier' && !$user->hasRight('fournisseur', 'facture', 'lire')) {
 }
 $object_status = GETPOST('object_status', 'intcomma');
-$typent_id = GETPOST('typent_id', 'int');
-$categ_id = GETPOST('categ_id', 'categ_id');
+$typent_id = GETPOSTINT('typent_id');
+$categ_id = GETPOSTINT('categ_id');
 $userid = GETPOST('userid', 'int');
 $socid = GETPOST('socid', 'int');
diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php
index e1762456dce..551c7b7c069 100644
--- a/htdocs/core/actions_massactions.inc.php
+++ b/htdocs/core/actions_massactions.inc.php
@@ -1684,7 +1684,7 @@ if (!$error && ($massaction == 'increaseholiday' || ($action == 'increaseholiday
 $objecttmp = new $objectclass($db);
 $nbok = 0;
 $typeholiday = GETPOST('typeholiday', 'alpha');
- $nbdaysholidays = GETPOST('nbdaysholidays', 'double');
+ $nbdaysholidays = GETPOSTFLOAT('nbdaysholidays'); // May be 1.5
 if ($nbdaysholidays <= 0) {
 setEventMessages($langs->trans("WrongAmount"), "", 'errors');
diff --git a/htdocs/core/modules/commande/doc/pdf_einstein.modules.php b/htdocs/core/modules/commande/doc/pdf_einstein.modules.php
index 957a57c9f39..a810b92a8d3 100644
--- a/htdocs/core/modules/commande/doc/pdf_einstein.modules.php
+++ b/htdocs/core/modules/commande/doc/pdf_einstein.modules.php
@@ -217,7 +217,7 @@ class pdf_einstein extends ModelePDFCommandes
 // Possibility to use suffix for proforma
 $suffix = '';
 if (getDolGlobalString('PROFORMA_PDF_WITH_SUFFIX')) {
- $suffix = (GETPOST('model', 2)=='proforma') ? $conf->global->PROFORMA_PDF_WITH_SUFFIX : '';
+ $suffix = (GETPOST('model') == 'proforma') ? $conf->global->PROFORMA_PDF_WITH_SUFFIX : '';
 $suffix = dol_sanitizeFileName($suffix);
 }
diff --git a/htdocs/modulebuilder/admin/setup.php b/htdocs/modulebuilder/admin/setup.php
index 02513e697be..3b189f9908a 100644
--- a/htdocs/modulebuilder/admin/setup.php
+++ b/htdocs/modulebuilder/admin/setup.php
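Review bot: In the pdf_einstein hunk the rewritten `+` line still compares with loose `==` and reads the constant through `$conf->global->PROFORMA_PDF_WITH_SUFFIX`, while the `if` two lines above already reads the same constant with getDolGlobalString; `$suffix = (GETPOST('model') === 'proforma') ? getDolGlobalString('PROFORMA_PDF_WITH_SUFFIX') : '';` keeps both consistent and avoids PHP's loose string comparison rules. Dropping the numeric check type means `model` now falls through to GETPOST's default filter; since the value is only compared against a literal and the result goes through dol_sanitizeFileName this is safe, but `GETPOST('model', 'aZ09')` would document the expected shape. The enclosing method starts and ends outside the hunk.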
@@ -45,7 +45,7 @@ if ($action == "update") {
 $res4 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_EDITOR_NAME', GETPOST('MODULEBUILDER_SPECIFIC_EDITOR_NAME', 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 $res5 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_EDITOR_URL', GETPOST('MODULEBUILDER_SPECIFIC_EDITOR_URL', 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 $res6 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_FAMILY', GETPOST('MODULEBUILDER_SPECIFIC_FAMILY', 'alphanohtml'), 'chaine', 0, '', $conf->entity);
- $res7 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_AUTHOR', GETPOST('MODULEBUILDER_SPECIFIC_AUTHOR', 'html'), 'chaine', 0, '', $conf->entity);
+ $res7 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_AUTHOR', GETPOST('MODULEBUILDER_SPECIFIC_AUTHOR', 'restricthtml'), 'chaine', 0, '', $conf->entity);
 $res8 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_VERSION', GETPOST('MODULEBUILDER_SPECIFIC_VERSION', 'alphanohtml'), 'chaine', 0, '', $conf->entity);
 if ($res1 < 0 || $res2 < 0 || $res3 < 0 || $res4 < 0 || $res5 < 0 || $res6 < 0 || $res7 < 0 || $res8 < 0) {
 setEventMessages('ErrorFailedToSaveDate', null, 'errors');
diff --git a/htdocs/mrp/mo_card.php b/htdocs/mrp/mo_card.php
index 39ae023c7c3..5f6a90f964e 100644
--- a/htdocs/mrp/mo_card.php
+++ b/htdocs/mrp/mo_card.php
@@ -203,7 +203,7 @@ if (empty($reshook)) {
 }
 $error = 0;
- $deleteChilds = GETPOST('deletechilds', 'boolean');
+ $deleteChilds = GETPOST('deletechilds', 'aZ');
 // Start the database transaction
 $db->begin();
diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php
index e050fc44c1d..bc970a38fd5 100644
--- a/htdocs/projet/tasks/time.php
+++ b/htdocs/projet/tasks/time.php
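Review bot: MODULEBUILDER_SPECIFIC_AUTHOR on the `+` line is the only one of the constants saved in this block that keeps an HTML-accepting filter; every sibling (`$res4`..`$res8`) uses 'alphanohtml', and an author name rarely needs markup. Unless the value is deliberately rendered as HTML somewhere (not visible here), `GETPOST('MODULEBUILDER_SPECIFIC_AUTHOR', 'alphanohtml')` removes one place where stored markup could later reach generated module files or the settings page. If HTML is intentional, a one-line comment such as `// author may contain a mailto link, so restricted HTML is allowed` would stop the next reviewer from "fixing" it. The enclosing update block starts before the hunk.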
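Review bot: In the mo_card.php hunk, `GETPOST('deletechilds', 'aZ')` applies a letters-only filter to what the variable name suggests is a checkbox flag; as far as I recall that filter discards a value containing digits, so a form that submits `1` would yield an empty string and the later truthiness check on `$deleteChilds` (outside the hunk) would silently become false. The removed 'boolean' name was not a valid filter either, so this may already have been the behaviour, but it is worth confirming what the form actually sends and choosing `$deleteChilds = GETPOSTINT('deletechilds');` for a 0/1 flag, or 'aZ09' if both numeric and textual values are possible. The enclosing action block starts before the hunk.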
@@ -425,7 +425,7 @@ if ($action == 'confirm_generateinvoice') {
 $db->begin();
 $idprod = GETPOST('productid', 'int');
- $generateinvoicemode = GETPOST('generateinvoicemode', 'string');
+ $generateinvoicemode = GETPOST('generateinvoicemode', 'alphanohtml');
 $invoiceToUse = GETPOST('invoiceid', 'int');
 $prodDurationHoursBase = 1.0;
diff --git a/htdocs/reception/card.php b/htdocs/reception/card.php
index 73d31b376b8..79a9fe082ad 100644
--- a/htdocs/reception/card.php
+++ b/htdocs/reception/card.php
@@ -414,7 +414,7 @@ if (empty($reshook)) {
 $sellbydate = str_replace('/', '-', $sellby);
 if (getDolGlobalString('STOCK_CALCULATE_ON_RECEPTION') || getDolGlobalString('STOCK_CALCULATE_ON_RECEPTION_CLOSE')) {
- $ret = $object->addline($entrepot_id, GETPOST($idl, 'int'), GETPOST($qty, 'int'), $array_options[$i], GETPOST($comment, 'alpha'), strtotime($eatbydate), strtotime($sellbydate), GETPOST($batch, 'alpha'), price2num(GETPOST($cost_price, 'double'), 'MU'));
+ $ret = $object->addline($entrepot_id, GETPOST($idl, 'int'), GETPOST($qty, 'int'), $array_options[$i], GETPOST($comment, 'alpha'), strtotime($eatbydate), strtotime($sellbydate), GETPOST($batch, 'alpha'), GETPOSTFLOAT($cost_price, 'MU'));
 } else {
 $ret = $object->addline($entrepot_id, GETPOST($idl, 'int'), GETPOST($qty, 'int'), $array_options[$i], GETPOST($comment, 'alpha'), strtotime($eatbydate), strtotime($sellbydate), GETPOST($batch, 'alpha'));
 }
diff --git a/htdocs/webportal/class/controller.class.php b/htdocs/webportal/class/controller.class.php
index 6c2c0aed3b3..0904b664847 100644
--- a/htdocs/webportal/class/controller.class.php
+++ b/htdocs/webportal/class/controller.class.php
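Review bot: In the reception/card.php hunk the rewritten `addline` call and the one in the else branch differ only in the trailing cost argument, so the eight shared arguments are duplicated and a future fix to one branch must be mirrored in the other. Building the argument list once and appending the cost only when stock is valued on reception removes that duplication; whether omitting the last argument matches its default is something to confirm against addline's signature, which is outside the hunk, but the existing else branch already relies on it. The `GETPOST($idl, 'int')` / `GETPOST($qty, 'int')` reads also keep the form the commit replaces elsewhere with GETPOSTINT. The enclosing loop starts and ends outside the hunk.
```php
$lineArgs = [$entrepot_id, GETPOST($idl, 'int'), GETPOST($qty, 'int'), $array_options[$i], GETPOST($comment, 'alpha'), strtotime($eatbydate), strtotime($sellbydate), GETPOST($batch, 'alpha')];
if (getDolGlobalString('STOCK_CALCULATE_ON_RECEPTION') || getDolGlobalString('STOCK_CALCULATE_ON_RECEPTION_CLOSE')) {
    // Cost price is only meaningful when stock is valued at reception
    $lineArgs[] = GETPOSTFLOAT($cost_price, 'MU');
}
$ret = $object->addline(...$lineArgs);
```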
@@ -164,11 +164,11 @@ class Controller
 }
 /**
- * Load a template
+ * Load a template .tpl file
- * @param string $templateName Template name
+ * @param string $templateName Template file name (without the .tpl.php)
 * @param mixed $vars Data to transmit to template
- * @return bool True if template found, else false
+ * @return bool True if template found, else false
 */
 public function loadTemplate($templateName, $vars = false)
 {
diff --git a/htdocs/webportal/controllers/document.controller.class.php b/htdocs/webportal/controllers/document.controller.class.php
index 92cc37e9ad7..9f5cd408867 100644
--- a/htdocs/webportal/controllers/document.controller.class.php
+++ b/htdocs/webportal/controllers/document.controller.class.php
@@ -95,9 +95,11 @@ class DocumentController extends Controller
 // Security check
 if (empty($modulepart)) {
 httponly_accessforbidden('Bad link. Bad value for parameter modulepart', 400);
+ exit;
 }
 if (empty($original_file)) {
 httponly_accessforbidden('Bad link. Missing identification to find file (original_file)', 400);
+ exit;
 }
 // get original file
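Review bot: The two added `exit;` lines in the document controller only change behaviour if httponly_accessforbidden can return; if that helper already terminates the request (its name suggests so, but its body is not visible here) they are dead but harmless and mainly let static analysis see that `$modulepart` and `$original_file` are non-empty in the code that follows. Either way the guarantee belongs on the helper itself: a `never` return type (or `@return never` in its docblock) makes the guard contract explicit and lets these local `exit;` lines go. A short comment such as `// defensive: never serve a file when the security check fails` above the first `exit;` would record the intent. The method continues outside the hunk.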