
Fix escape error message

Laurent Destailleur 3 years ago
parent
commit
10ddd621ca

+ 1 - 1
htdocs/core/lib/security2.lib.php

@@ -111,7 +111,7 @@ function checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $auth
 					// Load translation files required by the page
 					$langs->loadLangs(array('other', 'main', 'errors'));
 
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorFailedToLoadLoginFileForMode", $mode);
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorFailedToLoadLoginFileForMode", $mode);
 				}
 			}
 		}
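Review bot: The message stored at line 18 is now kept without HTML entity conversion, so it is only safe if every place that prints `$_SESSION["dol_loginmesg"]` escapes it on output; in this commit only login.tpl.php does, and any other reader of that session key (another template, a JSON or API response) would need the same treatment. A one-line comment at the assignment would record that contract for the next maintainer, e.g. `// Stored raw (no entity conversion); login.tpl.php escapes it with dol_escape_htmltag() on output`. The same remark applies to the assignments in functions_dolibarr.php, functions_empty.php, functions_http.php, functions_ldap.php, functions_openid.php, main.inc.php and passwordforgotten.php. checkLoginPassEntity begins before the hunk and continues after it.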

+ 4 - 4
htdocs/core/login/functions_dolibarr.php

@@ -76,13 +76,13 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes
 				if ($obj->datestartvalidity && $db->jdate($obj->datestartvalidity) > $now) {
 					// Load translation files required by the page
 					$langs->loadLangs(array('main', 'errors'));
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 					return '--bad-login-validity--';
 				}
 				if ($obj->dateendvalidity && $db->jdate($obj->dateendvalidity) < dol_get_first_hour($now)) {
 					// Load translation files required by the page
 					$langs->loadLangs(array('main', 'errors'));
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 					return '--bad-login-validity--';
 				}
 
@@ -129,7 +129,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes
 					// Load translation files required by the page
 					$langs->loadLangs(array('main', 'errors'));
 
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorBadLoginPassword");
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");
 				}
 
 				// We must check entity
@@ -153,7 +153,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes
 				// Load translation files required by the page
 				$langs->loadLangs(array('main', 'errors'));
 
-				$_SESSION["dol_loginmesg"] = $langs->trans("ErrorBadLoginPassword");
+				$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");
 			}
 		} else {
 			dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentication KO db error for '".$usertotest."' error=".$db->lasterror(), LOG_ERR);

+ 1 - 1
htdocs/core/login/functions_empty.php

@@ -38,7 +38,7 @@ function check_user_password_empty($usertotest, $passwordtotest, $entitytotest)
 	dol_syslog("functions_empty::check_user_password_empty usertotest=".$usertotest);
 
 	$login = '';
-	$_SESSION["dol_loginmesg"] = $langs->trans("FailedToLogin");
+	$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("FailedToLogin");
 
 	return $login;
 }

+ 2 - 2
htdocs/core/login/functions_http.php

@@ -50,13 +50,13 @@ function check_user_password_http($usertotest, $passwordtotest, $entitytotest)
 		if ($tmpuser->datestartvalidity && $db->jdate($tmpuser->datestartvalidity) >= $now) {
 			// Load translation files required by the page
 			$langs->loadLangs(array('main', 'errors'));
-			$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+			$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 			return '--bad-login-validity--';
 		}
 		if ($tmpuser->dateendvalidity && $db->jdate($tmpuser->dateendvalidity) <= dol_get_first_hour($now)) {
 			// Load translation files required by the page
 			$langs->loadLangs(array('main', 'errors'));
-			$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+			$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 			return '--bad-login-validity--';
 		}
 	}

+ 6 - 6
htdocs/core/login/functions_ldap.php

@@ -59,7 +59,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
 		// Load translation files required by the page
 		$langs->loadLangs(array('main', 'other'));
 
-		$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->trans("TryAnotherConnectionMode");
+		$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLDAPFunctionsAreDisabledOnThisPHP").' '.$langs->transnoentitiesnoconv("TryAnotherConnectionMode");
 		return;
 	}
 
@@ -123,7 +123,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
 					$ldap->close();
 					sleep(1);
 					$langs->load('ldap');
-					$_SESSION["dol_loginmesg"] = $langs->trans("YouMustChangePassNextLogon", $usertotest, $ldap->domainFQDN);
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("YouMustChangePassNextLogon", $usertotest, $ldap->domainFQDN);
 					return '';
 				}
 			} else {
@@ -169,14 +169,14 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
 					$ldap->close();
 					// Load translation files required by the page
 					$langs->loadLangs(array('main', 'errors'));
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 					return '--bad-login-validity--';
 				}
 				if ($tmpuser->dateendvalidity && $db->jdate($tmpuser->dateendvalidity) <= dol_get_first_hour($now)) {
 					$ldap->close();
 					// Load translation files required by the page
 					$langs->loadLangs(array('main', 'errors'));
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 					return '--bad-login-validity--';
 				}
 
@@ -247,7 +247,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
 				// Load translation files required by the page
 				$langs->loadLangs(array('main', 'other'));
 
-				$_SESSION["dol_loginmesg"] = $langs->trans("ErrorBadLoginPassword");
+				$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");
 			}
 		} else {
 			/* Login failed. Return false, together with the error code and text from
@@ -268,7 +268,7 @@ function check_user_password_ldap($usertotest, $passwordtotest, $entitytotest)
 
 			// Load translation files required by the page
 			$langs->loadLangs(array('main', 'other', 'errors'));
-			$_SESSION["dol_loginmesg"] = ($ldap->error ? $ldap->error : $langs->trans("ErrorBadLoginPassword"));
+			$_SESSION["dol_loginmesg"] = ($ldap->error ? $ldap->error : $langs->transnoentitiesnoconv("ErrorBadLoginPassword"));
 		}
 
 		$ldap->close();
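Review bot: Line 146 still assigns the raw LDAP error text to the login message in preference to the generic translation, so the string shown on the unauthenticated login page varies with the server's reason for rejecting the bind; that detail belongs in the log rather than on the page. A safer form is `dol_syslog("functions_ldap::check_user_password_ldap ".$ldap->error, LOG_WARNING);` followed by `$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");`, assuming the administrator does not rely on seeing `$ldap->error` on screen. If it must stay, the ternary reads better as `$ldap->error ?: $langs->transnoentitiesnoconv("ErrorBadLoginPassword")`. check_user_password_ldap extends beyond every hunk shown here.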

+ 7 - 7
htdocs/core/login/functions_openid.php

@@ -45,11 +45,11 @@ function check_user_password_openid($usertotest, $passwordtotest, $entitytotest)
 	// Get identity from user and redirect browser to OpenID Server
 	if (GETPOSTISSET('username')) {
 		$openid = new SimpleOpenID();
-		$openid->SetIdentity($_POST['username']);
+		$openid->SetIdentity(GETPOST('username'));
 		$protocol = ($conf->file->main_force_https ? 'https://' : 'http://');
 		$openid->SetTrustRoot($protocol.$_SERVER["HTTP_HOST"]);
 		$openid->SetRequiredFields(array('email', 'fullname'));
-		$_SESSION['dol_entity'] = $_POST["entity"];
+		$_SESSION['dol_entity'] = GETPOST("entity", 'int');
 		//$openid->SetOptionalFields(array('dob','gender','postcode','country','language','timezone'));
 		if ($openid->sendDiscoveryRequestToGetXRDS()) {
 			$openid->SetApprovedURL($protocol.$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]); // Send Response from OpenID server to this script
@@ -62,15 +62,15 @@ function check_user_password_openid($usertotest, $passwordtotest, $entitytotest)
 	} elseif ($_GET['openid_mode'] == 'id_res') {
 		// Perform HTTP Request to OpenID server to validate key
 		$openid = new SimpleOpenID();
-		$openid->SetIdentity($_GET['openid_identity']);
+		$openid->SetIdentity(GETPOST('openid_identity'));
 		$openid_validation_result = $openid->ValidateWithServer();
 		if ($openid_validation_result === true) {
 			// OK HERE KEY IS VALID
 
 			$sql = "SELECT login, entity, datestartvalidity, dateendvalidity";
 			$sql .= " FROM ".MAIN_DB_PREFIX."user";
-			$sql .= " WHERE openid = '".$db->escape($_GET['openid_identity'])."'";
-			$sql .= " AND entity IN (0,".($_SESSION["dol_entity"] ? $_SESSION["dol_entity"] : 1).")";
+			$sql .= " WHERE openid = '".$db->escape(GETPOST('openid_identity'))."'";
+			$sql .= " AND entity IN (0,".($_SESSION["dol_entity"] ? ((int) $_SESSION["dol_entity"]) : 1).")";
 
 			dol_syslog("functions_openid::check_user_password_openid", LOG_DEBUG);
 			$resql = $db->query($sql);
@@ -81,13 +81,13 @@ function check_user_password_openid($usertotest, $passwordtotest, $entitytotest)
 					if ($obj->datestartvalidity && $db->jdate($obj->datestartvalidity) > $now) {
 						// Load translation files required by the page
 						$langs->loadLangs(array('main', 'errors'));
-						$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+						$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 						return '--bad-login-validity--';
 					}
 					if ($obj->dateendvalidity && $db->jdate($obj->dateendvalidity) < dol_get_first_hour($now)) {
 						// Load translation files required by the page
 						$langs->loadLangs(array('main', 'errors'));
-						$_SESSION["dol_loginmesg"] = $langs->trans("ErrorLoginDateValidity");
+						$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
 						return '--bad-login-validity--';
 					}
 
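Review bot: Line 169 leaves `$_GET['openid_mode'] == 'id_res'` reading the superglobal directly with a loose comparison while the neighbouring reads were moved to GETPOST(); on the return redirect that is the branch condition itself, so it should follow the same path: `} elseif (GETPOST('openid_mode') === 'id_res') {`. GETPOST('openid_identity') at lines 173 and 182 is called without a check argument, so whatever default filtering GETPOST applies (not visible here) now runs over a URL-shaped identity before it is sent back to the provider and matched against the stored `openid` column; worth confirming that the default leaves such values intact, or passing an explicit check type. check_user_password_openid starts before the first hunk and continues after the last.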

+ 1 - 1
htdocs/core/tpl/login.tpl.php

@@ -332,7 +332,7 @@ if (isset($conf->file->main_authentication) && preg_match('/openid/', $conf->fil
 if (!empty($_SESSION['dol_loginmesg'])) {
 	?>
 	<div class="center login_main_message"><div class="error">
-	<?php echo $_SESSION['dol_loginmesg']; ?>
+	<?php echo dol_escape_htmltag($_SESSION['dol_loginmesg']); ?>
 	</div></div>
 	<?php
 }
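Review bot: Escaping at line 212 on output now pairs with transnoentitiesnoconv() at every writer touched by this commit, but a writer left on `$langs->trans()` would have its entity-encoded text escaped a second time and the user would see literal `&eacute;`-style sequences; a grep for remaining `$_SESSION['dol_loginmesg'] = $langs->trans(` assignments outside this diff is the check the commit does not show. A comment above the echo would make the contract visible to template editors, e.g. `<?php // dol_loginmesg is stored unescaped (transnoentitiesnoconv); escape here, never at the writer ?>`. The surrounding template block starts before the hunk.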

+ 4 - 4
htdocs/main.inc.php

@@ -651,7 +651,7 @@ if (!defined('NOLOGIN')) {
 				// Load translation files required by page
 				$langs->loadLangs(array('main', 'errors'));
 
-				$_SESSION["dol_loginmesg"] = $langs->trans("ErrorBadValueForCode");
+				$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadValueForCode");
 				$test = false;
 
 				// Call trigger for the "security events" log
@@ -745,7 +745,7 @@ if (!defined('NOLOGIN')) {
 				// Bad password. No authmode has found a good password.
 				// We set a generic message if not defined inside function checkLoginPassEntity or subfunctions
 				if (empty($_SESSION["dol_loginmesg"])) {
-					$_SESSION["dol_loginmesg"] = $langs->trans("ErrorBadLoginPassword");
+					$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorBadLoginPassword");
 				}
 
 				// Call trigger for the "security events" log
@@ -798,7 +798,7 @@ if (!defined('NOLOGIN')) {
 				// Load translation files required by page
 				$langs->loadLangs(array('main', 'errors'));
 
-				$_SESSION["dol_loginmesg"] = $langs->trans("ErrorCantLoadUserFromDolibarrDatabase", $login);
+				$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorCantLoadUserFromDolibarrDatabase", $login);
 
 				$user->trigger_mesg = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login;
 			}
@@ -862,7 +862,7 @@ if (!defined('NOLOGIN')) {
 				// Load translation files required by page
 				$langs->loadLangs(array('main', 'errors'));
 
-				$_SESSION["dol_loginmesg"] = $langs->trans("ErrorCantLoadUserFromDolibarrDatabase", $login);
+				$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorCantLoadUserFromDolibarrDatabase", $login);
 
 				$user->trigger_mesg = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login;
 			}

+ 1 - 1
htdocs/user/passwordforgotten.php

@@ -97,7 +97,7 @@ if (empty($reshook)) {
 			if ($edituser->pass_temp && dol_verifyHash($edituser->pass_temp.'-'.$edituser->id.'-'.$dolibarr_main_instance_unique_id, $passworduidhash)) {
 				// Clear session
 				unset($_SESSION['dol_login']);
-				$_SESSION['dol_loginmesg'] = $langs->trans('NewPasswordValidated'); // Save message for the session page
+				$_SESSION['dol_loginmesg'] = $langs->transnoentitiesnoconv('NewPasswordValidated'); // Save message for the session page
 
 				$newpassword = $edituser->setPassword($user, $edituser->pass_temp, 0);
 				dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");