From 925eec265d6671264be84833e0639e3b48017a65 Mon Sep 17 00:00:00 2001
From: Laurent Giovannoni <laurent.giovannoni@maarch.org>
Date: Fri, 26 Jun 2015 10:57:41 +0000
Subject: [PATCH] FEAT #2481 echo

---
 maarch_entreprise/trunk/actions/index_mlb.php | 12 +--
 .../trunk/actions/validate_mail.php           | 14 +--
 .../trunk/definition_mail_categories.php      |  1 -
 .../trunk/documents_list_copies.php           |  3 +-
 .../trunk/documents_list_with_attachments.php |  2 +-
 .../trunk/getIframeTemplateContent.php        |  7 --
 maarch_entreprise/trunk/index.php             |  5 +-
 .../indexing_searching/change_doctype.php     | 40 ++++----
 maarch_entreprise/trunk/loadContactsList.php  | 22 +++--
 maarch_entreprise/trunk/loadNoteList.php      |  6 +-
 maarch_entreprise/trunk/loadRepList.php       | 16 ++--
 maarch_entreprise/trunk/log.php               |  2 +-
 maarch_entreprise/trunk/login.php             |  6 +-
 maarch_entreprise/trunk/merged_js.php         |  1 -
 .../trunk/param_index_statuses.php            | 17 +---
 .../trunk/param_mlb_doctypes.php              |  1 -
 maarch_entreprise/trunk/quicklaunch.php       |  3 +-
 maarch_entreprise/trunk/reopen.php            | 14 ---
 maarch_entreprise/trunk/security_bitmask.php  |  7 --
 .../trunk/select_attachedAddress.php          | 93 ++++++++++---------
 maarch_entreprise/trunk/sso_connect.php       |  2 +-
 maarch_entreprise/trunk/standard_connect.php  | 53 ++++++++---
 maarch_entreprise/trunk/static.php            |  5 -
 maarch_entreprise/trunk/user_info.php         |  5 +-
 .../trunk/users_autocomplete_list.php         |  4 +-
 maarch_entreprise/trunk/verif_pass.php        | 92 +++++++++---------
 .../trunk/view_technical_infos.php            | 41 ++------
 27 files changed, 211 insertions(+), 263 deletions(-)

diff --git a/maarch_entreprise/trunk/actions/index_mlb.php b/maarch_entreprise/trunk/actions/index_mlb.php
index 0529df7b93d..8b380d11c97 100644
--- a/maarch_entreprise/trunk/actions/index_mlb.php
+++ b/maarch_entreprise/trunk/actions/index_mlb.php
@@ -337,7 +337,7 @@ function get_form_txt($values, $pathManageAction,  $actionId, $table, $module, $
     $frmStr .= '<option value="">' . _CHOOSE_CATEGORY . '</option>';
     foreach (array_keys($_SESSION['coll_categories']['letterbox_coll']) as $catId) {
         if ($catId <> 'default_category') {
-            $frmStr .= '<option value="' . $catId . '"';
+            $frmStr .= '<option value="' . functions::xssafe($catId) . '"';
             if ($_SESSION['coll_categories']['letterbox_coll']['default_category'] == $catId
                 || (isset($_SESSION['indexing']['category_id'])
                     && $_SESSION['indexing']['category_id'] == $catId)
@@ -345,7 +345,7 @@ function get_form_txt($values, $pathManageAction,  $actionId, $table, $module, $
                 $frmStr .= 'selected="selected"';
             }
 
-            $frmStr .= '>' . $_SESSION['coll_categories']['letterbox_coll'][$catId] . '</option>';
+            $frmStr .= '>' . functions::xssafe($_SESSION['coll_categories']['letterbox_coll'][$catId]) . '</option>';
         }
     }
     $frmStr .= '</select></td>';
@@ -419,11 +419,11 @@ if ($_SESSION['features']['show_types_tree'] == 'true') {
             . '\');">';
     $frmStr .= '<option value="">' . _CHOOSE_PRIORITY . '</option>';
     for ($i = 0; $i < count($_SESSION['mail_priorities']); $i ++) {
-        $frmStr .= '<option value="' . $i . '" ';
+        $frmStr .= '<option value="' . functions::xssafe($i) . '" ';
         if ($_SESSION['default_mail_priority'] == $i) {
             $frmStr .= 'selected="selected"';
         }
-        $frmStr .= '>' . $_SESSION['mail_priorities'][$i] . '</option>';
+        $frmStr .= '>' . functions::xssafe($_SESSION['mail_priorities'][$i]) . '</option>';
     }
     $frmStr .= '</select></td>';
     $frmStr .= '<td><span class="red_asterisk" id="priority_mandatory" '
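Review bot: `functions::xssafe($i)` on the `value` attribute line escapes an integer loop counter, which can never contain markup, so the call adds nothing and blurs the signal that an escape marks externally sourced data. `'<option value="' . $i . '" '` (or `(int) $i` if you want the intent explicit) reads clearer; the escape of `$_SESSION['mail_priorities'][$i]` on the label line is the one that matters. The enclosing get_form_txt starts before this hunk.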
@@ -632,11 +632,11 @@ if ($_SESSION['features']['show_types_tree'] == 'true') {
             . '\');affiche_reference();">';
     $frmStr .= '<option value="">' . _CHOOSE_NATURE . '</option>';
     foreach (array_keys($_SESSION['mail_natures']) as $nature) {
-        $frmStr .= '<option value="' . $nature . '" with_reference = "'.$_SESSION['mail_natures_attribute'][$nature].'"';
+        $frmStr .= '<option value="' . functions::xssafe($nature) . '" with_reference = "'.$_SESSION['mail_natures_attribute'][$nature].'"';
         if ($_SESSION['default_mail_nature'] == $nature) {
             $frmStr .= 'selected="selected"';
         }
-        $frmStr .= '>' . $_SESSION['mail_natures'][$nature] . '</option>';
+        $frmStr .= '>' . functions::xssafe($_SESSION['mail_natures'][$nature]) . '</option>';
     }
     $frmStr .= '</select></td>';
     $frmStr .= '<td><span class="red_asterisk" id="nature_id_mandatory" '
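Review bot: The `with_reference` attribute on the first changed line is still filled from `$_SESSION['mail_natures_attribute'][$nature]` without escaping, while the `value` attribute and the option label beside it now go through `functions::xssafe`; the same session-sourced data deserves the same treatment: `' with_reference="' . functions::xssafe($_SESSION['mail_natures_attribute'][$nature]) . '"'`. Every new call in this hunk lands inside a double-quoted HTML attribute, so the fix only holds if `functions::xssafe` encodes `"` (htmlspecialchars with ENT_QUOTES or equivalent); its implementation is not part of this patch, so that is worth confirming. get_form_txt starts before this hunk.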
diff --git a/maarch_entreprise/trunk/actions/validate_mail.php b/maarch_entreprise/trunk/actions/validate_mail.php
index 0776d118502..e1e83187b3b 100644
--- a/maarch_entreprise/trunk/actions/validate_mail.php
+++ b/maarch_entreprise/trunk/actions/validate_mail.php
@@ -345,7 +345,7 @@ function get_form_txt($values, $path_manage_action,  $id_action, $table, $module
                                 $frm_str .='<option value="">'._CHOOSE_CATEGORY.'</option>';
                             foreach (array_keys($_SESSION['coll_categories']['letterbox_coll']) as $cat_id) {
                                 if ($cat_id <> 'default_category') {
-                                    $frm_str .='<option value="'.$cat_id.'"';
+                                    $frm_str .='<option value="'.functions::xssafe($cat_id).'"';
                                     if (
                                         (isset($data['category_id']['value']) && $data['category_id']['value'] == $cat_id)
                                         || $_SESSION['coll_categories']['letterbox_coll']['default_category'] == $cat_id
@@ -353,7 +353,7 @@ function get_form_txt($values, $path_manage_action,  $id_action, $table, $module
                                     ) {
                                         $frm_str .='selected="selected"';
                                     }
-                                    $frm_str .='>'.$_SESSION['coll_categories']['letterbox_coll'][$cat_id].'</option>';
+                                    $frm_str .='>'.functions::xssafe($_SESSION['coll_categories']['letterbox_coll'][$cat_id]).'</option>';
                                 }
                             }
                         $frm_str.='</select></td>';
@@ -420,14 +420,14 @@ function get_form_txt($values, $path_manage_action,  $id_action, $table, $module
                             $frm_str .='<option value="">'._CHOOSE_PRIORITY.'</option>';
                                 for($i=0; $i<count($_SESSION['mail_priorities']);$i++)
                                 {
-                                    $frm_str .='<option value="'.$i.'" ';
+                                    $frm_str .='<option value="'.functions::xssafe($i).'" ';
                                     if(isset($data['type_id'])&& $data['priority'] == $i)
                                     {
                                         $frm_str .='selected="selected"';
                                     }else if($data['priority']=='' && $_SESSION['default_mail_priority']==$i){
 					$frm_str .='selected="selected"';
 				}
-                                    $frm_str .='>'.$_SESSION['mail_priorities'][$i].'</option>';
+                                    $frm_str .='>'.functions::xssafe($_SESSION['mail_priorities'][$i]).'</option>';
                                 }
                             $frm_str .='</select></td>';
                             $frm_str .= '<td><span class="red_asterisk" id="priority_mandatory" style="display:inline;"><i class="fa fa-star"></i></span>&nbsp;</td>';
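Review bot: The selection test on the context line, `isset($data['type_id']) && $data['priority'] == $i`, is a loose comparison, so an empty `$data['priority']` compares equal to `0` on the PHP versions this code targets and marks priority 0 selected before the `else if` default branch runs; with a non-zero default priority two options end up `selected`. `isset($data['type_id']) && $data['priority'] !== '' && (int) $data['priority'] === $i` makes the first branch fire only for an explicit value. Separately, `functions::xssafe($i)` on the integer counter is a no-op and can be dropped. get_form_txt starts before this hunk.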
@@ -657,13 +657,13 @@ function get_form_txt($values, $path_manage_action,  $id_action, $table, $module
                             $frm_str .='<option value="">'. _CHOOSE_NATURE.'</option>';
                             foreach(array_keys($_SESSION['mail_natures']) as $nature)
                             {
-                                $frm_str .='<option value="'.$nature.'"  with_reference = "'.$_SESSION['mail_natures_attribute'][$nature].'"';
+                                $frm_str .='<option value="'.functions::xssafe($nature).'"  with_reference = "'.$_SESSION['mail_natures_attribute'][$nature].'"';
                                 if(isset($data['nature_id']) && $data['nature_id'] == $nature) {
                                     $frm_str .='selected="selected"';
                                 } else if ($data['nature_id'] == "" && $_SESSION['default_mail_nature'] == $nature) {
                                     $frm_str .='selected="selected"';
                                 }
-                                $frm_str .='>'.$_SESSION['mail_natures'][$nature].'</option>';
+                                $frm_str .='>'.functions::xssafe($_SESSION['mail_natures'][$nature]).'</option>';
                             }
                         $frm_str .= '</select></td>';
                         $frm_str .= '<td><span class="red_asterisk" id="nature_mandatory" style="display:inline;vertical-align:text-top"><i class="fa fa-star"></i></span></td>';
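Review bot: The `with_reference` attribute on the first changed line is still built from `$_SESSION['mail_natures_attribute'][$nature]` raw, while `value` and the label on the neighbouring lines are now escaped; apply `functions::xssafe()` there too, as `' with_reference = "' . functions::xssafe($_SESSION['mail_natures_attribute'][$nature]) . '"'`. The sibling change in index_mlb.php in this patch misses the same attribute. get_form_txt starts before this hunk.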
@@ -864,7 +864,7 @@ function get_form_txt($values, $path_manage_action,  $id_action, $table, $module
             $frm_str .='<td><label for="chrono_number" class="form_title" >'._CHRONO_NUMBER.'</label></td>';
             $frm_str .='<td>&nbsp;</td>';
             $frm_str .='<td class="indexing_field"><input type="text" name="chrono_number" value="' 
-                . $chrono_number . '" id="chrono_number" onchange="clear_error(\'frm_error_'.$id_action.'\');"/></td>';
+                . functions::xssafe($chrono_number) . '" id="chrono_number" onchange="clear_error(\'frm_error_'.$id_action.'\');"/></td>';
             $frm_str .='<td><span class="red_asterisk" id="chrono_number_mandatory" style="display:inline;"><i class="fa fa-star"></i></span>&nbsp;</td>';
         $frm_str .= '</tr>';
         
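Review bot: `$id_action` is concatenated into the `onclick` JavaScript string on the changed line (`clear_error('frm_error_…')`) with no escaping, while `$chrono_number` a few characters earlier now gets `functions::xssafe`. HTML escaping would not be the right tool for that slot anyway: the browser entity-decodes the attribute before the JS parser sees it, so an encoded quote in `$id_action` still terminates the string. Where `$id_action` originates is outside this hunk (it is a parameter of get_form_txt); if action ids are numeric, `(int) $id_action` closes it, otherwise restrict it to `[A-Za-z0-9_]` before use. get_form_txt starts before this hunk.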
diff --git a/maarch_entreprise/trunk/definition_mail_categories.php b/maarch_entreprise/trunk/definition_mail_categories.php
index 24aaf988bb0..947e7dc31bd 100644
--- a/maarch_entreprise/trunk/definition_mail_categories.php
+++ b/maarch_entreprise/trunk/definition_mail_categories.php
@@ -880,7 +880,6 @@ function get_general_data($coll_id, $res_id, $mode, $params = array ()) {
     }
     // Folder
     if (isset ($_ENV['categories'][$cat_id]['other_cases']['folder']) && count($_ENV['categories'][$cat_id]['other_cases']['folder']) > 0 && (!isset ($params['show_folder']) || $params['show_folder'] == true)) {
-        //echo 'folder';
         $fields .= 'folders_system_id,';
 
 
diff --git a/maarch_entreprise/trunk/documents_list_copies.php b/maarch_entreprise/trunk/documents_list_copies.php
index 98660f58a16..19e8d80eb5f 100644
--- a/maarch_entreprise/trunk/documents_list_copies.php
+++ b/maarch_entreprise/trunk/documents_list_copies.php
@@ -204,7 +204,6 @@ for ($i=0;$i<count($tab);$i++)
                    $query .= "OR ";
                     $query .= "user_id = '" . $_SESSION['user']['UserId'] . "' ";
                   $query .= ") ";
-                  //echo $query . '<br />';
                 $db->query($query);
                 $tab[$i][$j]['hasNotes'] = $db->fetch_object();             
                 $tab[$i][$j]['res_multi_contacts'] = $_SESSION['mlb_search_current_res_id'];
@@ -560,4 +559,4 @@ $content .= "<script>$$('#container')[0].setAttribute('style', 'width: 90%; min-
                     // "$$('table#extended_list')[0].setAttribute('style', 'width: 100%; min-width: 900px; margin: 0;');".
             "</script>";
 
-echo "{'status' : " . $status . ", 'content' : '" . addslashes($debug.$content) . "', 'error' : '" . addslashes($error) . "'}";
+echo "{'status' : " . $status . ", 'content' : '" . addslashes($debug.$content) . "', 'error' : '" . addslashes(functions::xssafe($error)) . "'}";
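Review bot: The response on the changed line is a hand-built JavaScript object literal, and `addslashes()` does not escape CR, LF or U+2028, so any of those in `$error` or `$content` produces an unterminated string on the client; `$status` is also emitted unquoted. `echo json_encode(['status' => $status, 'content' => $debug . $content, 'error' => $error]);` yields a literal that is valid both as JSON and as a JavaScript expression, so it should keep working if the client `eval`s the body. Whether `$error` should be HTML-escaped at all depends on how the client inserts it (innerHTML versus a text node); in the text-node case `addslashes(functions::xssafe(...))` now double-encodes `&`, `<` and quotes.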
diff --git a/maarch_entreprise/trunk/documents_list_with_attachments.php b/maarch_entreprise/trunk/documents_list_with_attachments.php
index f117a69e7ad..03a62073d83 100644
--- a/maarch_entreprise/trunk/documents_list_with_attachments.php
+++ b/maarch_entreprise/trunk/documents_list_with_attachments.php
@@ -544,4 +544,4 @@ $content .= "<script>$$('#container')[0].setAttribute('style', 'width: 90%; min-
                     // "$$('table#extended_list')[0].setAttribute('style', 'width: 100%; min-width: 900px; margin: 0;');".
             "</script>";
 
-echo "{'status' : " . $status . ", 'content' : '" . addslashes($debug.$content) . "', 'error' : '" . addslashes($error) . "'}";
+echo "{'status' : " . $status . ", 'content' : '" . addslashes($debug.$content) . "', 'error' : '" . addslashes(functions::xssafe($error)) . "'}";
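Review bot: Same construction as documents_list_copies.php in this patch: the changed line emits a hand-built JS object literal where `addslashes()` leaves CR/LF/U+2028 unescaped and `$status` is unquoted, so a newline in `$error` or `$content` breaks the client-side parse. `echo json_encode(['status' => $status, 'content' => $debug . $content, 'error' => $error]);` is the robust form, and whether `functions::xssafe` belongs on `$error` depends on whether the client inserts it as HTML or as text.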
diff --git a/maarch_entreprise/trunk/getIframeTemplateContent.php b/maarch_entreprise/trunk/getIframeTemplateContent.php
index 482b512adb4..f2da93b4b89 100644
--- a/maarch_entreprise/trunk/getIframeTemplateContent.php
+++ b/maarch_entreprise/trunk/getIframeTemplateContent.php
@@ -43,13 +43,6 @@ $requestTemplateContent = trim(str_replace(
     $requestTemplateContent
 ));
 
-
-/*echo $sessionTemplateContent;
-echo "
-";
-echo $requestTemplateContent;
-exit;*/
-
 if ($sessionTemplateContent == $requestTemplateContent) {
     $_SESSION['template_content'] = '';
     echo "{status : '1, responseText : same content ! '}";
diff --git a/maarch_entreprise/trunk/index.php b/maarch_entreprise/trunk/index.php
index 1f3e9adb56e..26398412a81 100644
--- a/maarch_entreprise/trunk/index.php
+++ b/maarch_entreprise/trunk/index.php
@@ -101,7 +101,6 @@ if (isset($_SESSION['user']['UserId']) && isset($_GET['page'])
 // CV 31 oct 2014 : clean request
 //var_dump($_REQUEST);
 foreach ($_REQUEST as $name => $value) {
-    //echo $value . PHP_EOL;
     //if (is_string($value) && strpos($value, "<") !== false) {
         //$value = preg_replace('/(<\/?script[^>]*>|<\w+[\s\n\r]*on[^>]*>|<\?php|<\?[\s|\n|\r])/i', "", $value);
         $value = functions::xssafe($value);
@@ -171,7 +170,7 @@ if (file_exists($path)) {
                 ?>
                 <div class="error" id="main_error_popup" onclick="this.hide();">
                     <?php
-                    echo $_SESSION['error'];
+                    echo functions::xssafe($_SESSION['error']);
                     ?>
                 </div>
                 <?php
@@ -181,7 +180,7 @@ if (file_exists($path)) {
                 ?>
                 <div class="info" id="main_info" onclick="this.hide();">
                     <?php
-                    echo $_SESSION['info'];
+                    echo functions::xssafe($_SESSION['info']);
                     ?>
                 </div>
                 <?php
diff --git a/maarch_entreprise/trunk/indexing_searching/change_doctype.php b/maarch_entreprise/trunk/indexing_searching/change_doctype.php
index de3a991c4ef..46bdad62d60 100644
--- a/maarch_entreprise/trunk/indexing_searching/change_doctype.php
+++ b/maarch_entreprise/trunk/indexing_searching/change_doctype.php
@@ -39,13 +39,13 @@ $type = new types();
 
 if (!isset($_REQUEST['type_id']) || empty($_REQUEST['type_id'])) {
     $_SESSION['error'] = _DOCTYPE.' '._IS_EMPTY;
-    echo "{status : 1, error_txt : '".addslashes($_SESSION['error'])."'}";
+    echo "{status : 1, error_txt : '".addslashes(functions::xssafe($_SESSION['error']))."'}";
     exit();
 }
 
 if (!isset($_REQUEST['id_action']) || empty($_REQUEST['id_action'])) {
     $_SESSION['error'] = _ACTION_ID.' '._IS_EMPTY;
-    echo "{status : 1, error_txt : '".addslashes($_SESSION['error'])."'}";
+    echo "{status : 1, error_txt : '".addslashes(functions::xssafe($_SESSION['error']))."'}";
     exit();
 }
 $id_action = $_REQUEST['id_action'];
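Review bot: The `type_id` guard at the top of the hunk only tests for emptiness, yet the same `$_REQUEST['type_id']` is concatenated straight into the SQL query later in this file (visible in the next hunk), so this check is the natural place to validate its shape: if doctype ids are numeric, `$typeId = (int) $_REQUEST['type_id']; if ($typeId <= 0) { ... }` and use `$typeId` in the query, otherwise bind it as a parameter if the db wrapper supports that (not visible here). The same applies to `$id_action` on the last context line, which later lands inside `onclick` handlers in this file. The changed lines also emit hand-built JS literals via `addslashes()`, which leaves newlines unescaped; `json_encode(['status' => 1, 'error_txt' => $_SESSION['error']])` is safer. Note that `empty()` also rejects a literal `'0'` id.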
@@ -93,13 +93,6 @@ if ($core->service_is_enabled('param_mlb_doctypes')) {
         . $_REQUEST['type_id']
     );
     //$db->show();
-/*
-    if ($db->nb_result() == 0) {
-        $_SESSION['error'] = _NO_DOCTYPE_IN_DB;
-        echo "{status : 2, error_txt : '".addslashes($_SESSION['error'])."'}";
-        exit();
-    }
-*/
 
     $res = $db->fetch_object();
     $delay = $res->process_delay;
@@ -155,52 +148,51 @@ if(count($indexes) > 0)
     
     $opt_indexes .= '<table width="100%" align="center" border="0">';
     foreach (array_keys($indexes) as $key) {
-        //echo $key.' ';
         $mandatory = false;
         if (in_array($key, $mandatory_indexes)) {
             $mandatory = true;
         }
             $opt_indexes .= '<tr >';
-            $opt_indexes.='<td><label for="' . $key . '" class="form_title" >' 
+            $opt_indexes.='<td><label for="' . functions::xssafe($key) . '" class="form_title" >' 
                 . $indexes[$key]['label'].'</label></td>';
             $opt_indexes .='<td>&nbsp;</td>';
             $opt_indexes .='<td class="indexing_field">';
             if ($indexes[$key]['type_field'] == 'input') {
                 if ($indexes[$key]['type'] == 'date') {
-                    $opt_indexes .='<input name="' . $key . '" type="text" id="' 
+                    $opt_indexes .='<input name="' . functions::xssafe($key) . '" type="text" id="' 
                         . $key . '" value="';
                     if (isset($values_fields->$key)) {
                         $opt_indexes .= $db->format_date_db(
-                            $values_fields->$key, true
+                            functions::xssafe($values_fields->$key), true
                         );
                     } elseif ($indexes[$key]['default_value'] <> false) {
                         $opt_indexes .= $db->format_date_db(
-                            $indexes[$key]['default_value'], true
+                            functions::xssafe($indexes[$key]['default_value']), true
                         );
                     }
                     $opt_indexes .= '" onclick="clear_error(\'frm_error_' 
                         . $id_action . '\');showCalender(this);"/>';
                 } else {
-                    $opt_indexes .= '<input name="'.$key.'" type="text" id="' 
+                    $opt_indexes .= '<input name="'.functions::xssafe($key).'" type="text" id="' 
                         . $key . '" value="';
                     if (isset($values_fields->$key)) {
                         $opt_indexes .= $db->show_string(
-                            $values_fields->$key, true
+                            functions::xssafe($values_fields->$key), true
                         );
                     } else if ($indexes[$key]['default_value'] <> false) {
                         $opt_indexes .= $db->show_string(
-                            $indexes[$key]['default_value'], true
+                            functions::xssafe($indexes[$key]['default_value']), true
                         );
                     }
                     $opt_indexes .= '" onclick="clear_error(\'frm_error_' 
                         . $id_action . '\');" />';
                 }
             } else {
-                $opt_indexes .= '<select name="'.$key.'" id="'.$key.'" >';
+                $opt_indexes .= '<select name="'.functions::xssafe($key).'" id="'.functions::xssafe($key).'" >';
                     $opt_indexes .= '<option value="">'._CHOOSE.'...</option>';
                     for ($i=0; $i<count($indexes[$key]['values']);$i++) {
                         $opt_indexes .= '<option value="' 
-                            . $indexes[$key]['values'][$i]['id'] . '"';
+                            . functions::xssafe($indexes[$key]['values'][$i]['id']) . '"';
                         if ($indexes[$key]['values'][$i]['id'] 
                             == $values_fields->$key) {
                             $opt_indexes .= 'selected="selected"';
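Review bot: `$id_action`, which this file reads from `$_REQUEST['id_action']` after only an emptiness check, is concatenated into the `onclick` JavaScript strings (`clear_error('frm_error_…')`) on two context lines in this hunk with no escaping, and `functions::xssafe` would not help there: the attribute is entity-decoded before the JS parser runs, so an encoded quote still terminates the string. If action ids are numeric, `$id_action = (int) $_REQUEST['id_action'];` at the top of the file closes it; otherwise whitelist `[A-Za-z0-9_]`. Within the new lines the coverage is uneven: `name` is escaped but `id="' . $key . '"` on the two input lines is not, `$indexes[$key]['label']` on the label line is not, and `functions::xssafe()` is applied to the input of `format_date_db`/`show_string` rather than their output, so anything those helpers add (their code is not visible here) reaches the page unescaped. The enclosing `if (count($indexes) > 0)` block starts before this hunk.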
@@ -211,7 +203,7 @@ if(count($indexes) > 0)
                         ) {
                             $opt_indexes .= 'selected="selected"';
                         }
-                        $opt_indexes .= ' >' . $indexes[$key]['values'][$i]['label'] 
+                        $opt_indexes .= ' >' . functions::xssafe($indexes[$key]['values'][$i]['label']) 
                             . '</option>';
                     }
                 $opt_indexes .= '</select>';
@@ -250,14 +242,14 @@ $core->execute_app_services(
 for ($i=0;$i< count($_SESSION['indexing_services']);$i++) {
     $services .= "{ script : '" . $_SESSION['indexing_services'][$i]['script'] 
         . "', function_to_execute : '" 
-        . $_SESSION['indexing_services'][$i]['function_to_execute'] 
+        . functions::xssafe($_SESSION['indexing_services'][$i]['function_to_execute'])
         . "', arguments : '[";
     for ($j=0;$j<count($_SESSION['indexing_services'][$i]['arguments']);$j++) {
         $services .= " { id : \'" 
-            . $_SESSION['indexing_services'][$i]['arguments'][$j]['id'] 
+            . functions::xssafe($_SESSION['indexing_services'][$i]['arguments'][$j]['id'])
             . "\', value : \'" 
             . addslashes(
-                $_SESSION['indexing_services'][$i]['arguments'][$j]['value']
+                functions::xssafe($_SESSION['indexing_services'][$i]['arguments'][$j]['value'])
             )
             . "\' }, ";
     }
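Review bot: The `script` member on the first context line of the hunk is still emitted raw while `function_to_execute`, `id` and `value` now go through `functions::xssafe`; whatever the source of these session entries, the same rule should cover all four. More fundamentally this is a JavaScript string literal nested inside another JavaScript string (`arguments : '[ … ]'`), and HTML entity encoding is not an escaper for that context — only the `addslashes()` on `value` addresses quoting, and it misses newlines. Building `$services` as a PHP array and emitting it once with `json_encode()` would cover every member uniformly; whether the client can accept a real array for `arguments` instead of a string has to be checked outside this hunk. The outer `for` loop continues after the hunk.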
@@ -284,7 +276,7 @@ if (isset($delay) && $delay > 0) {
         $date = $alert_engine->date_max_treatment($delay, false);
     }
     $process_date = $db->dateformat($date, '-');
-    echo "{status : 0, process_date : '" . trim($process_date) 
+    echo "{status : 0, process_date : '" . trim(functions::xssafe($process_date)) 
         . "', opt_indexes : '" . addslashes($opt_indexes) . "', services : " 
         . $services . "}";
     exit();
diff --git a/maarch_entreprise/trunk/loadContactsList.php b/maarch_entreprise/trunk/loadContactsList.php
index d840efe7101..1ea276c554c 100644
--- a/maarch_entreprise/trunk/loadContactsList.php
+++ b/maarch_entreprise/trunk/loadContactsList.php
@@ -31,25 +31,30 @@ if (isset($_REQUEST['res_id'])) {
                                     $return .= '(contact) ';
 
                                     if ($res->is_corporate_person == 'Y') {
-                                        $return .= $res->society . ' ' ;
+                                        $return .= functions::xssafe($res->society) . ' ' ;
                                         if (!empty ($res->society_short)) {
-                                            $return .= '('.$res->society_short.') ';
+                                            $return .= '('.functions::xssafe($res->society_short).') ';
                                         }
                                     } else {
-                                        $return .= $res->contact_lastname . ' ' . $res->contact_firstname . ' ';
+                                        $return .= functions::xssafe($res->contact_lastname) 
+                                            . ' ' . functions::xssafe($res->contact_firstname) . ' ';
                                         if (!empty ($res->society)) {
-                                            $return .= '(' .$res->society . ') ';
+                                            $return .= '(' . functions::xssafe($res->society) . ') ';
                                         }                        
                                     }
                                     if ($res->is_private == 'Y') {
                                         $return .= '('._CONFIDENTIAL_ADDRESS.')';
                                     } else {
-                                        $return .= "- " . $res->contact_purpose_label." : ";
+                                        $return .= "- " . functions::xssafe($res->contact_purpose_label)." : ";
                                         if (!empty($res->lastname) || !empty($res->firstname)) {
-                                            $return .= $res->lastname . ' ' . $res->firstname;
+                                            $return .= functions::xssafe($res->lastname) 
+                                                . ' ' . functions::xssafe($res->firstname);
                                         }
                                         if (!empty($res->address_num) || !empty($res->address_street) || !empty($res->address_town) || !empty($res->address_postal_code)) {
-                                            $return .= ', '.$res->address_num .' ' . $res->address_street .' ' . $res->address_postal_code .' ' . strtoupper($res->address_town);
+                                            $return .= ', ' . functions::xssafe($res->address_num) . ' ' 
+                                                . functions::xssafe($res->address_street) . ' ' 
+                                                . functions::xssafe($res->address_postal_code) . ' ' 
+                                                . functions::xssafe(strtoupper($res->address_town));
                                         }         
                                     }
           
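Review bot: `strtoupper()` on the last changed line is byte-wise, so accented letters in town names stored as UTF-8 are left lowercase (or mangled under a single-byte encoding); `functions::xssafe(mb_strtoupper($res->address_town, 'UTF-8'))` handles them, assuming the database returns UTF-8, which is not visible here. The order — uppercase first, then escape — is right, and escaping each field separately rather than the concatenation keeps the literal separators out of the encoder. The enclosing `if (isset($_REQUEST['res_id']))` block starts before this hunk.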
@@ -75,7 +80,8 @@ if (isset($_REQUEST['res_id'])) {
                         $return .= '<td style="background: transparent; border: 0px dashed rgb(200, 200, 200);">';
                             
                                 $return .= '<div style="text-align: left; background-color: rgb(230, 230, 230); padding: 3px; margin-left: 20px; margin-top: -6px;">';
-                                    $return .= ' (utilisateur) ' . $res->firstname . ' ' . $res->lastname;
+                                    $return .= ' (utilisateur) ' 
+                                        . functions::xssafe($res->firstname) . ' ' . functions::xssafe($res->lastname);
                                                 
                                 $return .= '</div>';
                                 //$return .= '<br />';
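Review bot: The rewritten line keeps the hard-coded French label `' (utilisateur) '`, while the confidential-address case earlier in this file uses a translation constant (`_CONFIDENTIAL_ADDRESS`); since the line is being touched, moving the label to a constant defined in the language files alongside the existing ones keeps the module translatable. The `'(contact) '` prefix earlier in the file has the same issue. The enclosing block starts before this hunk.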
diff --git a/maarch_entreprise/trunk/loadNoteList.php b/maarch_entreprise/trunk/loadNoteList.php
index c70462939cc..2577d4fd286 100644
--- a/maarch_entreprise/trunk/loadNoteList.php
+++ b/maarch_entreprise/trunk/loadNoteList.php
@@ -104,13 +104,13 @@ if (isset($_REQUEST['identifier'])) {
                             // $return .= '<blockquote style="padding: 1px;">';
                                 $return .= '<div style="text-align: right; background-color: rgb(230, 230, 230); padding: 2px;">';
                                     $return .= ucfirst(_BY) . ' : ';
-                                    $return .= $firstname . ' ' . $lastname;
+                                    $return .= functions::xssafe($firstname) . ' ' . functions::xssafe($lastname);
                                     $return .= ', ';
-                                    $return .= $Core_Tools->format_date_db($return_db->date_note);
+                                    $return .= functions::xssafe($Core_Tools->format_date_db($return_db->date_note));
                                 $return .= '</div>';
                                 // $return .= '<br />';
                                 $return .= '<div style="padding-top:2px;padding-bottom:2px;">';
-                                    $note_text = str_replace(array("\r", "\n"), array("<br />", "<br />"), $return_db->note_text);
+                                    $note_text = str_replace(array("\r", "\n"), array("<br />", "<br />"), functions::xssafe($return_db->note_text));
                                     $return .= str_replace('<br /><br />', '<br />', $note_text);
                                 $return .= '</div>';
                             // $return .= '</blockquote>';
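Review bot: On the changed `$note_text` line a CRLF sequence becomes two `<br />` tags, which the following `str_replace('<br /><br />', '<br />', …)` then collapses — but that same collapse also removes any genuine blank line the author typed. Replacing the line ending as a unit makes the second pass unnecessary: `$note_text = str_replace(["\r\n", "\r", "\n"], '<br />', functions::xssafe($return_db->note_text));` (keep the collapse only if flattening blank lines is deliberate). Escaping before inserting the markup, as the new line does, is the correct order. The enclosing `if (isset($_REQUEST['identifier']))` block starts before this hunk.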
diff --git a/maarch_entreprise/trunk/loadRepList.php b/maarch_entreprise/trunk/loadRepList.php
index 469507f81a1..a44bbfa1f37 100644
--- a/maarch_entreprise/trunk/loadRepList.php
+++ b/maarch_entreprise/trunk/loadRepList.php
@@ -53,7 +53,7 @@ if (isset($_REQUEST['res_id_master'])) {
                     $return .= '<tr style="border: 1px solid;" style="background-color: #FFF;">';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
-                            $return .= $return_db->identifier;
+                            $return .= functions::xssafe($return_db->identifier);
                         $return .= '</td>';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
@@ -62,13 +62,13 @@ if (isset($_REQUEST['res_id_master'])) {
                             $query = "SELECT label_status FROM status WHERE id ='".$return_db->status."'";
                             $db2->query($query);
                             while ($status_db = $db2->fetch_object()) {
-                                $return .= $status_db->label_status;
+                                $return .= functions::xssafe($status_db->label_status);
                             }
                         $return .= '</td>';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
                             $attachment_types_valeur = $return_db->attachment_type;
-                            $return .= $_SESSION['attachment_types'][$attachment_types_valeur];
+                            $return .= functions::xssafe($_SESSION['attachment_types'][$attachment_types_valeur]);
                         $return .= '</td>';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
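Review bot: The status lookup on the context line inside this hunk, `"SELECT label_status FROM status WHERE id ='" . $return_db->status . "'"`, interpolates a value read from the database into a new query with no escaping or binding; it is second-order data today, but if status identifiers are ever entered through the UI this becomes an injection path, and a bound parameter (or the wrapper's escaping helper, if `$db2` has one — not visible here) is the fix. On the new lines, `$_SESSION['attachment_types'][$attachment_types_valeur]` raises an undefined-index notice when an attachment type is missing from the session map; `functions::xssafe(isset($_SESSION['attachment_types'][$attachment_types_valeur]) ? $_SESSION['attachment_types'][$attachment_types_valeur] : '')` guards it. The enclosing loop starts before this hunk.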
@@ -89,16 +89,17 @@ if (isset($_REQUEST['res_id_master'])) {
                                 case '12': $date_m_txt = _DECEMBER; break;
                                 default: $date_m_txt = $date_m;
                             }
-                            $return .= $date_d.' '.$date_m_txt.' '.$date_Y;
+                            $return .= functions::xssafe($date_d.' '.$date_m_txt.' '.$date_Y);
                         $return .= '</td>';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
-                            $return .= $return_db->title;
+                            $return .= functions::xssafe($return_db->title);
                         $return .= '</td>';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
                             $current_user = $users->get_user($return_db->typist);
-                            $return .= $current_user['firstname'] . ' ' . $current_user['lastname'];
+                            $return .= functions::xssafe($current_user['firstname']) 
+                                . ' ' . functions::xssafe($current_user['lastname']);
                         $return .= '</td>';
                         $return .= '<td>';
                             $return .= '&nbsp;&nbsp;';
@@ -109,7 +110,8 @@ if (isset($_REQUEST['res_id_master'])) {
                             } else {
                                 $id = $return_db->res_id_version;
                             }
-                              $return .= 'index.php?display=true&module=attachments&page=view_attachment&id='.$id.'&res_id_master='.$_REQUEST['res_id_master'];
+                              $return .= 'index.php?display=true&module=attachments&page=view_attachment&id='.$id.'&res_id_master='
+                                . functions::xssafe($_REQUEST['res_id_master']);
                             $return .= '" ';
                             $return .= 'target="_blank" ';
                             $return .= '>';
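Review bot: `$_REQUEST['res_id_master']` on the changed line is placed in a URL query string, and `functions::xssafe` only covers the HTML-attribute layer: an `&` or `#` in the value still injects or truncates query parameters, and `$id` on the same line is not escaped at all. Both are identifiers, so if they are numeric (their use as `res_id` keys suggests so, but it is not shown here) `'&id=' . (int) $id . '&res_id_master=' . (int) $_REQUEST['res_id_master']` is the cleanest fix; otherwise `rawurlencode()` each value and HTML-escape the assembled href. The enclosing loop starts before this hunk.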
diff --git a/maarch_entreprise/trunk/log.php b/maarch_entreprise/trunk/log.php
index 87d270245a5..c5af884c6ba 100644
--- a/maarch_entreprise/trunk/log.php
+++ b/maarch_entreprise/trunk/log.php
@@ -119,7 +119,7 @@ if (! empty($_SESSION['error'])) {
         try {
             $ad = new LDAP($domain, $login_admin, $pass, $ssl);
         } catch(Exception $conFailure) {
-            echo $conFailure->getMessage();
+            echo functions::xssafe($conFailure->getMessage());
             exit;
         }
         
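Review bot: Escaping the exception text fixes the HTML injection but the message is still shown to an unauthenticated visitor of the login page, and depending on what the `LDAP` class throws it can carry the directory host, the admin bind DN or the raw `ldap_*` error string. Log the message server-side and echo a fixed string instead, e.g. `error_log('LDAP connect failed: ' . $conFailure->getMessage()); echo _LDAP_CONNECTION_FAILED; exit;` using whatever language constant this page already has for connection errors. The surrounding `try` sits inside a block that starts before this hunk.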
diff --git a/maarch_entreprise/trunk/login.php b/maarch_entreprise/trunk/login.php
index 2cf076ff5cf..018d9957271 100644
--- a/maarch_entreprise/trunk/login.php
+++ b/maarch_entreprise/trunk/login.php
@@ -127,7 +127,7 @@ if (isset($_SESSION['error'])) {
         ?>static.php?filename=default_maarch.gif" alt="Maarch" /></p>
         <div align="center">
             <h3>
-                <?php echo$_SESSION['config']['applicationname'] ?>
+                <?php functions::xecho($_SESSION['config']['applicationname']); ?>
             </h3>
         </div>
         <?php
@@ -135,7 +135,7 @@ if (isset($_SESSION['error'])) {
                 ?>
                 <div class="error" id="main_error_popup" onclick="this.hide();">
                     <?php
-                    echo $_SESSION['error'];
+                    functions::xecho($_SESSION['error']);
                     ?>
                 </div>
                 <?php
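Review bot: Switching this to `functions::xecho()` will render any markup that a writer of `$_SESSION['error']` intended as HTML as literal text — verif_pass.php in this same patch stores `_WRONG_SECOND_PSW.".<br />"` (its hunk below), and I cannot tell from here which page displays that value. Check the writers of `$_SESSION['error']` / `$_SESSION['info']` and either strip the `<br />` at the source or keep the message plain text by construction, so the escape here is the only thing deciding what reaches the browser. A comment on the echo such as `// error text is escaped on output: writers must store plain text, not markup` would make the contract explicit.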
@@ -145,7 +145,7 @@ if (isset($_SESSION['error'])) {
                 ?>
                 <div class="info" id="main_info" onclick="this.hide();">
                     <?php
-                    echo $_SESSION['info'];
+                    functions::xecho($_SESSION['info']);
                     ?>
                 </div>
                 <?php
diff --git a/maarch_entreprise/trunk/merged_js.php b/maarch_entreprise/trunk/merged_js.php
index 7db18f316ab..19a8ebac1c7 100644
--- a/maarch_entreprise/trunk/merged_js.php
+++ b/maarch_entreprise/trunk/merged_js.php
@@ -34,4 +34,3 @@ include_once('../../core/init.php');
         }
     }
   ob_end_flush();
-?>
diff --git a/maarch_entreprise/trunk/param_index_statuses.php b/maarch_entreprise/trunk/param_index_statuses.php
index ec24a50b96b..932502f75c5 100644
--- a/maarch_entreprise/trunk/param_index_statuses.php
+++ b/maarch_entreprise/trunk/param_index_statuses.php
@@ -9,7 +9,7 @@ if($_SESSION['service_tag'] == 'group_basket')
     $current_groupbasket = $_SESSION['m_admin']['basket']['groups'][$_SESSION['m_admin']['basket']['ind_group']];
     $current_compteur = $_SESSION['m_admin']['compteur'];
     // This param is only for the actions with the keyword : indexing
-    if( trim($_SESSION['m_admin']['basket']['all_actions'][$current_compteur]['KEYWORD']) == 'indexing') // Indexing case
+    if(trim($_SESSION['m_admin']['basket']['all_actions'][$current_compteur]['KEYWORD']) == 'indexing') // Indexing case
     {
         $_SESSION['m_admin']['show_where_clause'] = false;
         $is_default_action = false;
@@ -53,7 +53,7 @@ if($_SESSION['service_tag'] == 'group_basket')
                     if($state_status == false)
                     {
                         ?>
-                        <option value="<?php functions::xecho($_SESSION['m_admin']['statuses'][$cpt]['id']);?>"><?php echo $_SESSION['m_admin']['statuses'][$cpt]['label'];?></option>
+                        <option value="<?php functions::xecho($_SESSION['m_admin']['statuses'][$cpt]['id']);?>"><?php functions::xecho($_SESSION['m_admin']['statuses'][$cpt]['label']); ?></option>
                     <?php
                     }
                 }
@@ -100,7 +100,7 @@ if($_SESSION['service_tag'] == 'group_basket')
                     if($state_status == true)
                     {
                     ?>
-                        <option value="<?php functions::xecho($_SESSION['m_admin']['statuses'][$cpt]['id']);?>" selected="selected" ><?php echo $_SESSION['m_admin']['statuses'][$cpt]['label'];?></option>
+                        <option value="<?php functions::xecho($_SESSION['m_admin']['statuses'][$cpt]['id']);?>" selected="selected" ><?php functions::xecho($_SESSION['m_admin']['statuses'][$cpt]['label']);?></option>
                     <?php
                     }
                 }
@@ -119,11 +119,6 @@ elseif($_SESSION['service_tag'] == 'manage_groupbasket')
 {
     $db = new dbquery();
     $db->connect();
-    /*
-    echo 'before<br>';
-    echo 'param status';
-    $db->show_array($_SESSION['m_admin']['basket']['groups']);
-    */
     $groupe = $_REQUEST['group'];
     if(isset($_REQUEST['old_group']) && !empty($_REQUEST['old_group']))
     {
@@ -176,12 +171,6 @@ elseif($_SESSION['service_tag'] == 'manage_groupbasket')
         }
     }
     $_SESSION['m_admin']['load_groupbasket'] = false;
-    /*
-    echo 'after<br>';
-    echo 'param status';
-    $ent->show_array($_SESSION['m_admin']['basket']['groups']);
-    exit;
-    */
 }
 elseif($_SESSION['service_tag'] == 'load_basket_session')
 {
diff --git a/maarch_entreprise/trunk/param_mlb_doctypes.php b/maarch_entreprise/trunk/param_mlb_doctypes.php
index 2480b998c41..4e75e389bee 100644
--- a/maarch_entreprise/trunk/param_mlb_doctypes.php
+++ b/maarch_entreprise/trunk/param_mlb_doctypes.php
@@ -89,4 +89,3 @@ elseif($_SESSION['service_tag'] == "doctype_delete")
     $db->connect();
     $db->query("delete from ".$_SESSION['tablename']['mlb_doctype_ext']." where type_id = ".$_SESSION['m_admin']['doctypes']['TYPE_ID']."");
 }
-?>
diff --git a/maarch_entreprise/trunk/quicklaunch.php b/maarch_entreprise/trunk/quicklaunch.php
index 674b1a1ae69..486e1d460e7 100644
--- a/maarch_entreprise/trunk/quicklaunch.php
+++ b/maarch_entreprise/trunk/quicklaunch.php
@@ -52,7 +52,8 @@ $core_tools->test_service('quicklaunch', "apps");
                             <?php
                             foreach ($_SESSION['user']['security'] as $key => $value) {
                                 if ($key == 'letterbox_coll' || $key == 'business_coll' || $key == 'rm_coll' || $key == 'res_coll') {
-                                    echo '<option id="' . $key . '" value="' . $key . '">' . $value['DOC']['label_coll'] .'</option>';
+                                    echo '<option id="' . functions::xssafe($key) . '" value="' . functions::xssafe($key) . '">' 
+                                        . functions::xssafe($value['DOC']['label_coll']) .'</option>';
                                 }
                             }
                             ?>
diff --git a/maarch_entreprise/trunk/reopen.php b/maarch_entreprise/trunk/reopen.php
index f78cf1d9ce2..16e658acb54 100644
--- a/maarch_entreprise/trunk/reopen.php
+++ b/maarch_entreprise/trunk/reopen.php
@@ -26,21 +26,7 @@ if(!isset($_SESSION['config']['app_id']) || empty($_SESSION['config']['app_id'])
 {
     $_SESSION['config']['app_id'] = $path_tmp[count($path_tmp) -2];
 }
-/*
-if(isset($_SESSION['config']['corepath']))
-{
-    require_once("core".DIRECTORY_SEPARATOR."class".DIRECTORY_SEPARATOR."class_functions.php");
-}
-else
-{
-    require_once("..".DIRECTORY_SEPARATOR."..".DIRECTORY_SEPARATOR."core".DIRECTORY_SEPARATOR."class".DIRECTORY_SEPARATOR."class_functions.php");
 
-}*/
-//require_once("core".DIRECTORY_SEPARATOR."class".DIRECTORY_SEPARATOR."class_db.php");
-//require_once("core".DIRECTORY_SEPARATOR."class".DIRECTORY_SEPARATOR."class_core_tools.php");
-//require_once('apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR."class".DIRECTORY_SEPARATOR."class_business_app_tools.php");
-//$core_tools = new core_tools();
-//$business_app_tools = new business_app_tools();
 $func = new functions();
 $cookie = explode("&", $_COOKIE['maarch']);
 $user = explode("=",$cookie[0]);
diff --git a/maarch_entreprise/trunk/security_bitmask.php b/maarch_entreprise/trunk/security_bitmask.php
index 0f0161b16e2..f8fb76bf0d9 100644
--- a/maarch_entreprise/trunk/security_bitmask.php
+++ b/maarch_entreprise/trunk/security_bitmask.php
@@ -103,13 +103,6 @@ if ($core->is_module_loaded('moreq')) {
         	'LABEL' => _DELETE_RECORD_LABEL,
         )
     );
-/*    array_push(
-        $_ENV['security_bitmask'],
-        array(
-        	'ID' => VIEW_LOG,
-        	'LABEL' => _VIEW_LOG_LABEL,
-        )
-    );*/
 }
 
 function getTaskLabel($taskId, $tasksArray)
diff --git a/maarch_entreprise/trunk/select_attachedAddress.php b/maarch_entreprise/trunk/select_attachedAddress.php
index 591daa702eb..a6b2fc587aa 100644
--- a/maarch_entreprise/trunk/select_attachedAddress.php
+++ b/maarch_entreprise/trunk/select_attachedAddress.php
@@ -7,53 +7,56 @@
 * @author <dev@maarch.org>
 */
 
-    $contactAddresses = array();
-    $db = new dbquery();
-    $db->connect();
-
-	require_once("apps".DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR."class".DIRECTORY_SEPARATOR."class_contacts_v2.php");
-	$contact = new contacts_v2();
-	$core_tools = new core_tools('');
-	$core_tools->test_user();
-
-	$query = "SELECT ca.id, ca.lastname as ca_lastname, ca.firstname, ca.contact_purpose_id, cp.label 
-				FROM ".$_SESSION['tablename']['contact_addresses']." ca
-				LEFT JOIN contact_purposes cp on ca.contact_purpose_id = cp.id	
-				WHERE ca.contact_id = ".$_POST['contact_id'];
-
-	$query .= " order by ca_lastname";
-	$db->query($query);
-	  // $db->show();
-
-	$listArray = array();
-	while($line = $db->fetch_object())
-	{
-		$contactAddress = $contact->get_label_contact($line->contact_purpose_id, $_SESSION['tablename']['contact_purposes']);
-		
-		if ($line->ca_lastname <> "" || $line->firstname) {
-			$contactAddress .= " :";
-			if ($line->ca_lastname <> "") {
-				$contactAddress .= " " . $line->ca_lastname;
-			}
-			if ($line->firstname <> "") {
-				$contactAddress .= " " . $line->firstname;
-			}
+$contactAddresses = array();
+$db = new dbquery();
+$db->connect();
+
+require_once("apps".DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR
+	."class".DIRECTORY_SEPARATOR."class_contacts_v2.php");
+$contact = new contacts_v2();
+$core_tools = new core_tools('');
+$core_tools->test_user();
+
+$query = "SELECT ca.id, ca.lastname as ca_lastname, ca.firstname, ca.contact_purpose_id, cp.label 
+			FROM ".$_SESSION['tablename']['contact_addresses']." ca
+			LEFT JOIN contact_purposes cp on ca.contact_purpose_id = cp.id	
+			WHERE ca.contact_id = ".$_POST['contact_id'];
+
+$query .= " order by ca_lastname";
+$db->query($query);
+  // $db->show();
+
+$listArray = array();
+while($line = $db->fetch_object())
+{
+	$contactAddress = $contact->get_label_contact(
+		$line->contact_purpose_id, $_SESSION['tablename']['contact_purposes']
+	);
+	
+	if ($line->ca_lastname <> "" || $line->firstname) {
+		$contactAddress .= " :";
+		if ($line->ca_lastname <> "") {
+			$contactAddress .= " " . functions::xssafe($line->ca_lastname);
+		}
+		if ($line->firstname <> "") {
+			$contactAddress .= " " . functions::xssafe($line->firstname);
 		}
-		array_push($contactAddresses,array('contact_id' => $line->id,'name' => $contactAddress ));
 	}
+	array_push($contactAddresses,array('contact_id' => $line->id,'name' => $contactAddress ));
+}
 
-    $frmStr .= '<select name="selectContactAddress_'.$_POST['select'].'" id="selectContactAddress_'.$_POST['select'].'" > ';
-	
-    $countsContactAddress = count($contactAddresses);
-	$frmStr .= '<option value="">Sélectionner une adresse</option>';  
-    for ($cptsContacts = 0;$cptsContacts< $countsContactAddress;$cptsContacts++) {
-	
-            $frmStr .= '<option value="'.$contactAddresses[$cptsContacts]['contact_id'].'">'
-		.  $db->show_string($contactAddresses[$cptsContacts]['name'])
-		
+$frmStr .= '<select name="selectContactAddress_'.functions::xssafe($_POST['select'])
+	.'" id="selectContactAddress_'.functions::xssafe($_POST['select']).'" > ';
+
+$countsContactAddress = count($contactAddresses);
+$frmStr .= '<option value="">Sélectionner une adresse</option>';  
+for ($cptsContacts = 0;$cptsContacts< $countsContactAddress;$cptsContacts++) {
+
+    $frmStr .= '<option value="'.functions::xssafe($contactAddresses[$cptsContacts]['contact_id']).'">'
+		.  functions::xssafe($db->show_string($contactAddresses[$cptsContacts]['name']))
 		. '</option>';
-    }
-    $frmStr .= '</select></td>';
-    
-	echo $frmStr;
+}
+$frmStr .= '</select></td>';
+
+echo $frmStr;
 	
\ No newline at end of file
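Review bot: `$_POST['contact_id']` is still concatenated raw into the `WHERE ca.contact_id = ` clause on the new side; this patch escapes the HTML output of the same request but leaves the SQL injection in place. Since the column is an id, cast it before building the query, `WHERE ca.contact_id = " . (int) $_POST['contact_id'];`, or use the parameterised form of `dbquery` if it has one. Separately, `name` is built from already-escaped `ca_lastname`/`firstname` and then passed through `functions::xssafe($db->show_string(...))` again in the option loop, so an `&` in a contact name will arrive as `&amp;amp;`; escape once, at the output site.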
diff --git a/maarch_entreprise/trunk/sso_connect.php b/maarch_entreprise/trunk/sso_connect.php
index 1bc9fc80d52..9e9eeb7133b 100755
--- a/maarch_entreprise/trunk/sso_connect.php
+++ b/maarch_entreprise/trunk/sso_connect.php
@@ -25,7 +25,7 @@ require_once
 $core = new core_tools();
 
 if (isset($_SESSION['error'])) {
-    echo $_SESSION['error'];
+    echo functions::xssafe($_SESSION['error']);
     $_SESSION['error'] = '';
     exit;
 }
diff --git a/maarch_entreprise/trunk/standard_connect.php b/maarch_entreprise/trunk/standard_connect.php
index efab4816723..30bb62d9e3d 100755
--- a/maarch_entreprise/trunk/standard_connect.php
+++ b/maarch_entreprise/trunk/standard_connect.php
@@ -3,15 +3,20 @@ if (isset($_REQUEST['askRACode']) && $_REQUEST['askRACode'] == 'true') {
     echo '<div>';
         echo '<p>';
             echo '&nbsp;&nbsp;&nbsp;&nbsp;<br /><br /><br /><br /><br /><br />';
-            echo _ASK_RA_CODE_1 . $_SESSION['user']['Mail'] . '<br />';
+            echo _ASK_RA_CODE_1 . functions::xssafe($_SESSION['user']['Mail']) . '<br />';
             echo '<br />';
             echo _ASK_RA_CODE_2 . '<br />';
             echo '<br />';
 
-                echo '<input onclick="window.location.href=\'' .  $_SESSION['config']['businessappurl'].'index.php?display=true&confirmAskRACode=true&page=login' . '\'" type="button" class="button" name="submit" value="'._SEND.'" />';
+            echo '<input onclick="window.location.href=\'' 
+                .  $_SESSION['config']['businessappurl']
+                .'index.php?display=true&confirmAskRACode=true&page=login' 
+                . '\'" type="button" class="button" name="submit" value="'._SEND.'" />';
             echo '&nbsp;&nbsp;';
 
-                echo '<input onclick="window.location.href=\'' . $_SESSION['config']['businessappurl'].'index.php?display=true&page=login' . '\'" type="button" class="button" name="submit" value="'._CANCEL.'" />';
+            echo '<input onclick="window.location.href=\'' 
+                . $_SESSION['config']['businessappurl'].'index.php?display=true&page=login' 
+                . '\'" type="button" class="button" name="submit" value="'._CANCEL.'" />';
             
         echo '</p>';
     echo '</div>';
@@ -30,11 +35,18 @@ elseif(isset($_REQUEST['confirmAskRACode']) && $_REQUEST['confirmAskRACode'] ==
     //calcul de la date d'expiration
     
     $pathToIPFilter = '';
-    if(file_exists($_SESSION['config']['corepath'].'custom'.DIRECTORY_SEPARATOR.$_SESSION['custom_override_id'].DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml')){
-        $pathToIPFilter = $_SESSION['config']['corepath'].'custom'.DIRECTORY_SEPARATOR.$_SESSION['custom_override_id'].DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml';
+    if(file_exists($_SESSION['config']['corepath'].'custom'.DIRECTORY_SEPARATOR
+            .$_SESSION['custom_override_id'].DIRECTORY_SEPARATOR.'apps'
+            .DIRECTORY_SEPARATOR.$_SESSION['config']['app_id']
+            .DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml')){
+        $pathToIPFilter = $_SESSION['config']['corepath']
+            .'custom'.DIRECTORY_SEPARATOR.$_SESSION['custom_override_id']
+            .DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR
+            .$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml';
     } 
     else {
-        $pathToIPFilter = 'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml';
+        $pathToIPFilter = 'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id']
+        .DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml';
     }
     $ipArray = array();
     $ipArray = functions::object2array(simplexml_load_file($pathToIPFilter));
@@ -44,10 +56,13 @@ elseif(isset($_REQUEST['confirmAskRACode']) && $_REQUEST['confirmAskRACode'] ==
     
     $db = new dbquery();
     $db->connect();
-    $db->query("UPDATE users set ra_code = '".md5($raCodeGenerated)."' WHERE user_id = '".$_SESSION['user']['UserId']."'", false, true);
-    $db->query("UPDATE users set ra_expiration_date = '".$expiration_date."' WHERE user_id = '".$_SESSION['user']['UserId']."'", false, true);
+    $db->query("UPDATE users set ra_code = '".md5($raCodeGenerated)
+        ."' WHERE user_id = '".$_SESSION['user']['UserId']."'", false, true);
+    $db->query("UPDATE users set ra_expiration_date = '"
+        .$expiration_date."' WHERE user_id = '".$_SESSION['user']['UserId']."'", false, true);
     
-    $mailDest = $db->query("SELECT mail FROM users WHERE user_id = '".$_SESSION['user']['UserId']."' ;", false, true);
+    $mailDest = $db->query("SELECT mail FROM users WHERE user_id = '"
+        .$_SESSION['user']['UserId']."' ;", false, true);
     
     $mailToSend = '<html>';
         $mailToSend .= '<body>';
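Review bot: The one-time access code is persisted as an unsalted `md5()` of `$raCodeGenerated` (generated above this hunk, so its length and alphabet are not visible here); if the code is short, anyone who reads the `users` table can recover it offline before `ra_expiration_date` passes. Store it with `password_hash($raCodeGenerated, PASSWORD_DEFAULT)` and check it with `password_verify()` in the login path, or at least an HMAC keyed with a server secret. Writing `ra_code` and `ra_expiration_date` in two separate `UPDATE`s also means a failure between them leaves a fresh code with a stale expiry; a single `UPDATE users SET ra_code = ..., ra_expiration_date = ... WHERE user_id = ...` keeps them consistent.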
@@ -63,7 +78,10 @@ elseif(isset($_REQUEST['confirmAskRACode']) && $_REQUEST['confirmAskRACode'] ==
     $mailToSend .= '</html>';
     
     //if (!mail($_SESSION['user']['Mail'], 'Votre code de connexion Maarch', $mailToSend)) {
-    if (!mail($_SESSION['user']['Mail'], _CONFIRM_ASK_RA_CODE_6, $mailToSend, "From: info@maarch.org\nReply-To: info@maarch.org \nContent-Type: text/html; charset=\"iso-8859-1\"\n")) {
+    if (!mail(
+        $_SESSION['user']['Mail'], _CONFIRM_ASK_RA_CODE_6, $mailToSend, 
+        "From: info@maarch.org\nReply-To: info@maarch.org \nContent-Type: text/html; charset=\"iso-8859-1\"\n")
+    ) {
         echo 'mail not send';
     }
     
@@ -92,7 +110,7 @@ echo '<form id="formlogin" method="post" action="'
                     $_SESSION['error'] = '';
                     $ipNotAllowed = true;
                     $ra_code = true;
-                    $userId = $_SESSION['user']['UserId'];
+                    $userId = functions::xssafe($_SESSION['user']['UserId']);
                     echo '<div>';
                         echo '<br /><br /><br /><br /><br /><br />';
                         echo _TRYING_TO_CONNECT_FROM_NOT_ALLOWED_IP;
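Review bot: `$userId` is now HTML-escaped at assignment on this branch, but the parallel branch further down keeps the raw value and the output site (`value="'.functions::xssafe($userId)`, later hunk) escapes it again, so a user id containing `&` or `'` is double-encoded on this path only. Keep the escaping at the point of output and store the raw value here: `$userId = $_SESSION['user']['UserId'];`. The enclosing `if` chain starts before this hunk.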
@@ -106,13 +124,17 @@ echo '<form id="formlogin" method="post" action="'
                     $ra_code = false;
                     $userId = $_SESSION['user']['UserId'];
                     echo '<div>';
-                        echo _CAN_T_CONNECT_WITH_THIS_IP;//echo 'Vous ne pouvez pas vous connecter depuis un emplacement non répertorié.<br />';
+                        echo _CAN_T_CONNECT_WITH_THIS_IP;
+                        //echo 'Vous ne pouvez pas vous connecter depuis un emplacement non répertorié.<br />';
                     echo '</div>';
                 }
                 if ($ipNotAllowed && $ra_code) {
                     if (!isset($_SESSION['withRA_CODE'])) {
                         echo '<br /><p class="buttons">';
-                                echo '<input onclick="window.location.href=\'' . $_SESSION['config']['businessappurl'].'index.php?display=true&askRACode=true&page=login' . '\'" type="button" class="button" name="submit" value="';
+                                echo '<input onclick="window.location.href=\'' 
+                                . $_SESSION['config']['businessappurl']
+                                .'index.php?display=true&askRACode=true&page=login' 
+                                . '\'" type="button" class="button" name="submit" value="';
                                 echo _ASK_AN_RA_CODE;
                                 echo '" />';
                             echo '&nbsp;&nbsp;';
@@ -123,7 +145,8 @@ echo '<form id="formlogin" method="post" action="'
                 }
                 echo '<p>';
                     echo '<br/><label for="login">'._ID.'</label>';
-                    echo '<input name="login" id="login" value="'.$userId.'" type="text"  />';
+                    echo '<input name="login" id="login" value="'.functions::xssafe($userId)
+                        .'" type="text"  />';
                 echo '</p>';
                 echo '<p>';
                     echo '<label for="pass">'._PASSWORD.'</label>';
@@ -142,7 +165,7 @@ echo '<form id="formlogin" method="post" action="'
             echo '<div class="error">';
             if(isset($_SESSION['error']))
             {
-                echo $_SESSION['error'];
+                echo functions::xssafe($_SESSION['error']);
             }
             $_SESSION['error'] = '';
             echo '</div>';
diff --git a/maarch_entreprise/trunk/static.php b/maarch_entreprise/trunk/static.php
index 298c3459a5f..bf28b0e9779 100644
--- a/maarch_entreprise/trunk/static.php
+++ b/maarch_entreprise/trunk/static.php
@@ -90,9 +90,6 @@ if(isset($_GET['filename']) && !empty($_GET['filename']))
         }
     }
 
-    //echo get_include_path();
-    //echo '<br/>';
-    //echo $path;
     if(!empty($mime_type) && !empty($path))
     {
 
@@ -112,5 +109,3 @@ if(isset($_GET['filename']) && !empty($_GET['filename']))
 }
 
 exit();
-
-?>
diff --git a/maarch_entreprise/trunk/user_info.php b/maarch_entreprise/trunk/user_info.php
index fdc3a920af2..57db2698153 100644
--- a/maarch_entreprise/trunk/user_info.php
+++ b/maarch_entreprise/trunk/user_info.php
@@ -82,11 +82,11 @@ else
                     ?><option value=""><?php
                     if($entities[$i]['PRIMARY'] == 'Y')
                     {
-                        echo '<b>'.$entities[$i]['LABEL'].'</b>';
+                        echo '<b>'.functions::xssafe($entities[$i]['LABEL']).'</b>';
                     }
                     else
                     {
-                        echo $entities[$i]['LABEL'];
+                        echo functions::xssafe($entities[$i]['LABEL']);
                     }
                     ?></option><?php
                 }?>
@@ -106,4 +106,3 @@ else
     <?php
 }
 $core_tools->load_js();
-?>
diff --git a/maarch_entreprise/trunk/users_autocomplete_list.php b/maarch_entreprise/trunk/users_autocomplete_list.php
index ee16bc9dc52..0dcdbae4afa 100644
--- a/maarch_entreprise/trunk/users_autocomplete_list.php
+++ b/maarch_entreprise/trunk/users_autocomplete_list.php
@@ -36,7 +36,9 @@ $res = $req->select($select, $where, $other, $_SESSION['config']['databasetype']
 echo "<ul>\n";
 for($i=0; $i< min(count($res), 10)  ;$i++)
 {
-	echo "<li>".$req->show_string($res[$i][0]['value']).', '.$req->show_string($res[$i][1]['value']).' ('.$res[$i][2]['value'].")</li>\n";
+	echo "<li>".functions::xssafe($req->show_string($res[$i][0]['value']))
+		.', ' . functions::xssafe($req->show_string($res[$i][1]['value']))
+		.' (' . functions::xssafe($res[$i][2]['value']).")</li>\n";
 }
 if(count($res) == 11)
 {
diff --git a/maarch_entreprise/trunk/verif_pass.php b/maarch_entreprise/trunk/verif_pass.php
index 16ee12d8f9c..95f2bb07f79 100644
--- a/maarch_entreprise/trunk/verif_pass.php
+++ b/maarch_entreprise/trunk/verif_pass.php
@@ -13,59 +13,57 @@
 
 $core_tools = new core_tools();
 $core_tools->load_lang();
-	$func = new functions();
+$func = new functions();
 
-	$_SESSION['error'] ="";
-	$_SESSION['user']['pass'] =  $func->wash($_REQUEST['pass1'], "no", _THE_PSW);
+$_SESSION['error'] ="";
+$_SESSION['user']['pass'] =  $func->wash($_REQUEST['pass1'], "no", _THE_PSW);
 
-	$pass2 = $func->wash($_REQUEST['pass2'], "no", _THE_PSW_VALIDATION);
+$pass2 = $func->wash($_REQUEST['pass2'], "no", _THE_PSW_VALIDATION);
 
-	if($_SESSION['user']['pass'] <> $pass2)
-	{
-		$_SESSION['error'] = _WRONG_SECOND_PSW.".<br />";
-	}
-	else
-	{
-		$_SESSION['user']['pass'] = md5($pass2);
-	}
+if($_SESSION['user']['pass'] <> $pass2)
+{
+	$_SESSION['error'] = _WRONG_SECOND_PSW.".<br />";
+}
+else
+{
+	$_SESSION['user']['pass'] = md5($pass2);
+}
 
-	$_SESSION['user']['FirstName'] = $func->wash($_REQUEST['FirstName'], "no", _THE_LASTNAME);
-	$_SESSION['user']['LastName'] = $func->wash($_REQUEST['LastName'], "no", _THE_FIRSTNAME);
+$_SESSION['user']['FirstName'] = $func->wash($_REQUEST['FirstName'], "no", _THE_LASTNAME);
+$_SESSION['user']['LastName'] = $func->wash($_REQUEST['LastName'], "no", _THE_FIRSTNAME);
 
-	if(isset($_REQUEST['Department']) && !empty($_REQUEST['Department']))
-	{
-		$_SESSION['user']['department']  = $func->wash($_REQUEST['Department'], "no", _THE_DEPARTMENT);
-	}
+if(isset($_REQUEST['Department']) && !empty($_REQUEST['Department']))
+{
+	$_SESSION['user']['department']  = $func->wash($_REQUEST['Department'], "no", _THE_DEPARTMENT);
+}
 
-	if(isset($_REQUEST['Phone']) && !empty($_REQUEST['Phone']))
-	{
-		$_SESSION['user']['Phone']  = $_REQUEST['Phone'];
-	}
-	$_SESSION['user']['Mail']  = '';
-	$tmp=$func->wash($_REQUEST['Mail'], "mail", _MAIL);
-	if($tmp <> false)
-	{
-		$_SESSION['user']['Mail'] = $tmp;
-	}
-	if(!empty($_SESSION['error']))
-	{
-		header("location: ".$_SESSION['config']['businessappurl']."index.php?display=true&page=change_pass");
-		exit();
-	}
-	else
-	{
-		$db = new dbquery();
-		$db->connect();
+if(isset($_REQUEST['Phone']) && !empty($_REQUEST['Phone']))
+{
+	$_SESSION['user']['Phone']  = $_REQUEST['Phone'];
+}
+$_SESSION['user']['Mail']  = '';
+$tmp=$func->wash($_REQUEST['Mail'], "mail", _MAIL);
+if($tmp <> false)
+{
+	$_SESSION['user']['Mail'] = $tmp;
+}
+if(!empty($_SESSION['error']))
+{
+	header("location: ".$_SESSION['config']['businessappurl']."index.php?display=true&page=change_pass");
+	exit();
+}
+else
+{
+	$db = new dbquery();
+	$db->connect();
 
-		$tmp_fn = $db->protect_string_db($_SESSION['user']['FirstName']);
-		$tmp_ln = $db->protect_string_db($_SESSION['user']['LastName']);
-		$tmp_dep = $db->protect_string_db($_SESSION['user']['department']);
+	$tmp_fn = $db->protect_string_db($_SESSION['user']['FirstName']);
+	$tmp_ln = $db->protect_string_db($_SESSION['user']['LastName']);
+	$tmp_dep = $db->protect_string_db($_SESSION['user']['department']);
 
-		$db->query("update ".$_SESSION['tablename']['users']." set password = '".$_SESSION['user']['pass']."' ,firstname = '".$tmp_fn."', lastname = '".$tmp_ln."', phone = '".$_SESSION['user']['Phone']."', mail = '".$_SESSION['user']['Mail']."' , department = '".$tmp_dep."' , change_password = 'N' where user_id = '".$_SESSION['user']['UserId']."'");
-		//$db->show();
-		header("location: ".$_SESSION['config']['businessappurl']."index.php");
-		exit();
+	$db->query("update ".$_SESSION['tablename']['users']." set password = '".$_SESSION['user']['pass']."' ,firstname = '".$tmp_fn."', lastname = '".$tmp_ln."', phone = '".$_SESSION['user']['Phone']."', mail = '".$_SESSION['user']['Mail']."' , department = '".$tmp_dep."' , change_password = 'N' where user_id = '".$_SESSION['user']['UserId']."'");
+	//$db->show();
+	header("location: ".$_SESSION['config']['businessappurl']."index.php");
+	exit();
 
-	}
-
-?>
+}
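Review bot: `$_SESSION['user']['Phone']` is copied straight from `$_REQUEST['Phone']` and spliced unescaped into the `UPDATE` statement at the bottom of the hunk, while the neighbouring fields go through `protect_string_db()`; this is an SQL injection reachable by any logged-in user on the password-change form. The clear-text password is also parked in `$_SESSION['user']['pass']` before the comparison and stays there on the mismatch path, and the stored digest is an unsalted `md5()`; moving to `password_hash()`/`password_verify()` requires touching the login check, which is outside this patch, so I only flag it here. Minimal change below: compare a local, write only the digest to the session, and escape the phone like the other fields.

```php
$pass1 = $func->wash($_REQUEST['pass1'], "no", _THE_PSW);
$pass2 = $func->wash($_REQUEST['pass2'], "no", _THE_PSW_VALIDATION);
if($pass1 <> $pass2)
{
	$_SESSION['error'] = _WRONG_SECOND_PSW.".<br />";
}
else
{
	// only the digest is kept in the session; md5 stays until the login path is migrated to password_hash()
	$_SESSION['user']['pass'] = md5($pass2);
}
// … unchanged: FirstName / LastName / Department / Phone / Mail assignments, error redirect …
	$tmp_fn = $db->protect_string_db($_SESSION['user']['FirstName']);
	$tmp_ln = $db->protect_string_db($_SESSION['user']['LastName']);
	$tmp_dep = $db->protect_string_db($_SESSION['user']['department']);
	$tmp_phone = $db->protect_string_db($_SESSION['user']['Phone']);

	$db->query("update ".$_SESSION['tablename']['users']." set password = '".$_SESSION['user']['pass']."' ,firstname = '".$tmp_fn."', lastname = '".$tmp_ln."', phone = '".$tmp_phone."', mail = '".$_SESSION['user']['Mail']."' , department = '".$tmp_dep."' , change_password = 'N' where user_id = '".$_SESSION['user']['UserId']."'");
```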
diff --git a/maarch_entreprise/trunk/view_technical_infos.php b/maarch_entreprise/trunk/view_technical_infos.php
index 86bb46c71b2..8c2f060b11f 100644
--- a/maarch_entreprise/trunk/view_technical_infos.php
+++ b/maarch_entreprise/trunk/view_technical_infos.php
@@ -163,32 +163,6 @@ if ($coreTools->test_service('view_technical_infos', 'apps', false)) {
                 <td align="left"><?php echo _WORK_BATCH;?> :</td>
                 <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($workBatch);?>" title="<?php functions::xecho($workBatch);?>" alt="<?php functions::xecho($workBatch);?>" /></td>
             </tr>
-            <!--
-            <tr>
-                <th align="left"><?php echo _PAGECOUNT;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($pageCount);?>"  /></td>
-                <th align="left"><?php echo _ISPAPER;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($isPaper);?>" /></td>
-            </tr>
-                <tr class="col">
-                <th align="left"><?php echo _SCANUSER;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($scanUser);?>"  /></td>
-                <th align="left"><?php echo _SCANDATE;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($scanDate);?>" /></td>
-            </tr>
-            <tr>
-                <th align="left"><?php echo _SCANWKSATION;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($scanWkstation);?>" /></td>
-                <th align="left"><?php echo _SCANLOCATION;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($scanLocation);?>" /></td>
-            </tr>
-            <tr class="col">
-                <th align="left"><?php echo _SCANBATCH;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($scanBatch);?>"  /></td>
-                <th align="right"><?php echo _SOURCE;?> :</th>
-                <td><input type="text" class="readonly" readonly="readonly" value="<?php functions::xecho($source);?>" /></td>
-            </tr>
-            -->
         </table>
         <br>
         <?php 
@@ -225,17 +199,14 @@ if ($coreTools->test_service('view_technical_infos', 'apps', false)) {
         </h2>
         <br/>
         <?php
-        /*echo '<pre>';
-        print_r($adr);
-        echo '</pre>';*/
         $docserversControler = new docservers_controler();
         if ($isMultiDs == 'Y') {
             for ($cptAdr = 0;$cptAdr < count($adr[0]);$cptAdr++) {
                 $docserver = $docserversControler->get(
                     $adr[0][$cptAdr]['docserver_id']
                 );
-                echo '<h4>' . $adr[0][$cptAdr]['docserver_id'] 
-                    . ' (' . $docserver->device_label . ')</h4>';
+                echo '<h4>' . $functions::xssafe(adr[0][$cptAdr]['docserver_id'])
+                    . ' (' . functions::xssafe($docserver->device_label) . ')</h4>';
                 ?>
                 <table cellpadding="2" cellspacing="2" border="0" class="block forms details" width="100%">
                     <tr>
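Review bot: The new `echo '<h4>' . $functions::xssafe(adr[0][$cptAdr]['docserver_id'])` line is broken: `$functions` is an undefined variable used as a class name, and `adr[0]` is a bare constant lookup instead of `$adr[0]`, so this page will error out (or at best print garbage) whenever `$isMultiDs == 'Y'`. It should read `echo '<h4>' . functions::xssafe($adr[0][$cptAdr]['docserver_id'])`, matching the single-docserver branch later in this file. The enclosing `if ($coreTools->test_service(...))` block starts before this hunk.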
@@ -243,7 +214,7 @@ if ($coreTools->test_service('view_technical_infos', 'apps', false)) {
                             &nbsp;
                         </th>
                         <td align="left" width="200px"><?php echo _PATH_TEMPLATE;?> :</td>
-                        <td><input type="text" class="readonly" readonly="readonly" value="<?php echo str_replace('#', '/', $adr[0][$cptAdr]['path']);?>"/></td>
+                        <td><input type="text" class="readonly" readonly="readonly" value="<?php echo str_replace('#', '/', functions::xssafe($adr[0][$cptAdr]['path']));?>"/></td>
                         <th align="left" class="picto">
                             &nbsp;
                         </th>
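Review bot: Here the path is escaped first and then `str_replace('#', '/', …)` is applied, whereas the equivalent line in the single-docserver branch of this same patch applies `functions::xssafe()` to the result of `str_replace`. Neither `#` nor `/` is touched by HTML escaping, so the output is the same today, but the escape should be the last thing done before emitting into the attribute so the ordering does not depend on that; use `value="<?php functions::xecho(str_replace('#', '/', $adr[0][$cptAdr]['path']));?>"` for consistency with the other branch.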
@@ -279,8 +250,8 @@ if ($coreTools->test_service('view_technical_infos', 'apps', false)) {
             }
         } else {
             $docserver = $docserversControler->get($docserverId);
-           echo '<h4>' . $docserverId 
-                    . ' (' . $docserver->device_label . ')</h4>';
+           echo '<h4>' . functions::xssafe($docserverId) 
+                    . ' (' . functions::xssafe($docserver->device_label) . ')</h4>';
             ?>
             <table cellpadding="2" cellspacing="2" border="0" class="block forms details" width="100%">
                 <tr>
@@ -288,7 +259,7 @@ if ($coreTools->test_service('view_technical_infos', 'apps', false)) {
                         &nbsp;
                     </th>
                     <td align="left" width="200px"><?php echo _PATH_TEMPLATE;?> :</td>
-                    <td><input type="text" class="readonly" readonly="readonly" value="<?php echo str_replace('#', '/', $path);?>"/></td>
+                    <td><input type="text" class="readonly" readonly="readonly" value="<?php echo functions::xssafe(str_replace('#', '/', $path));?>"/></td>
                     <th align="left" class="picto">
                         &nbsp;
                     </th>
-- 
GitLab