
Clean htmlentities

Laurent Destailleur 2 years ago
parent
commit
16c087e04c

+ 1 - 1
htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php

@@ -206,7 +206,7 @@ class PrestaShopWebservice
 	 */
 	public function printDebug($title, $content)
 	{
-		echo '<div style="display:table;background:#CCC;font-size:8pt;padding:7px"><h6 style="font-size:9pt;margin:0">'.$title.'</h6><pre>'.htmlentities($content).'</pre></div>';
+		echo '<div style="display:table;background:#CCC;font-size:8pt;padding:7px"><h6 style="font-size:9pt;margin:0">'.dol_escape_htmltag($title).'</h6><pre>'.dol_escape_htmltag($content).'</pre></div>';
 	}
 
 	/**
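Review bot: The `<pre>` block on the new line will lose its line structure if dol_escape_htmltag behaves here as it does elsewhere in Dolibarr, where it rewrites CR/LF into the literal two-character sequences `\r`/`\n` unless its keep-newlines argument (`$keepn`, if this version still names it that) is set, so multi-line debug payloads collapse onto one line; passing a truthy `$keepn` keeps the line breaks while still encoding the content, which is worth confirming against this version's signature. The change also gives the vendored PrestaShopWebservice class a hard dependency on a Dolibarr global function, which is fine inside the application but should be recorded next to the vendored file so a later refresh from upstream does not silently drop the escaping. Escaping `$title`, which the old line did not, is the right call.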

+ 2 - 2
htdocs/admin/security_file.php

@@ -128,7 +128,7 @@ if (isset($max)) {
 }
 print '</td>';
 print '<td class="nowrap">';
-print '<input class="flat" name="MAIN_UPLOAD_DOC" type="text" size="6" value="'.htmlentities($conf->global->MAIN_UPLOAD_DOC).'"> '.$langs->trans("Kb");
+print '<input class="flat" name="MAIN_UPLOAD_DOC" type="text" size="6" value="'.dol_escape_htmltag($conf->global->MAIN_UPLOAD_DOC).'"> '.$langs->trans("Kb");
 print '</td>';
 print '</tr>';
 
@@ -138,7 +138,7 @@ print '<td>'.$langs->trans("UMask").'</td><td class="right">';
 print $form->textwithpicto('', $langs->trans("UMaskExplanation"));
 print '</td>';
 print '<td class="nowrap">';
-print '<input class="flat" name="MAIN_UMASK" type="text" size="6" value="'.htmlentities($conf->global->MAIN_UMASK).'">';
+print '<input class="flat" name="MAIN_UMASK" type="text" size="6" value="'.dol_escape_htmltag($conf->global->MAIN_UMASK).'">';
 print '</td>';
 print '</tr>';
 

+ 2 - 2
htdocs/admin/security_other.php

@@ -165,7 +165,7 @@ if (ini_get("session.gc_probability") == 0) {
 }
 print '</td>';
 print '<td class="nowrap">';
-print '<input class="flat" name="MAIN_SESSION_TIMEOUT" type="text" size="6" value="'.htmlentities($conf->global->MAIN_SESSION_TIMEOUT).'"> '.strtolower($langs->trans("Seconds"));
+print '<input class="flat" name="MAIN_SESSION_TIMEOUT" type="text" size="6" value="'.dol_escape_htmltag($conf->global->MAIN_SESSION_TIMEOUT).'"> '.strtolower($langs->trans("Seconds"));
 print '</td>';
 print '</tr>';
 
@@ -177,7 +177,7 @@ print '<tr class="oddeven">';
 print '<td>'.$langs->trans("MAIN_APPLICATION_TITLE").'</td><td class="right">';
 print '</td>';
 print '<td class="nowrap">';
-print '<input class="flat" name="MAIN_APPLICATION_TITLE" type="text" size="20" value="'.htmlentities($conf->global->MAIN_APPLICATION_TITLE).'"> ';
+print '<input class="flat" name="MAIN_APPLICATION_TITLE" type="text" size="20" value="'.dol_escape_htmltag($conf->global->MAIN_APPLICATION_TITLE).'"> ';
 print '</td>';
 print '</tr>';
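Review bot: MAIN_APPLICATION_TITLE is free text that this form round-trips, and dol_escape_htmltag, unlike the htmlentities call it replaces, normally also drops `<b>`/`</b>` and rewrites newlines unless told to keep them, so a stored title containing either would be altered silently when the admin re-saves the page; if the helper still has those defaults in this version, pass its keep arguments or use a plain attribute escaper such as `htmlspecialchars($conf->global->MAIN_APPLICATION_TITLE, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for the `value=""` attribute. The numeric MAIN_SESSION_TIMEOUT field in the first hunk is not affected by this.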
 

+ 0 - 1
htdocs/core/lib/functions.lib.php

@@ -8201,7 +8201,6 @@ function get_htmloutput_mesg($mesgstring = '', $mesgarray = '', $style = 'ok', $
 			}
 		}
 		if ($mesgstring) {
-			$langs->load("errors");
 			$ret++;
 			$out .= $langs->trans($mesgstring);
 		}
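Review bot: Dropping `$langs->load("errors");` is unrelated to the htmlentities clean-up and nothing in the hunk explains it; if the load was hoisted earlier in get_htmloutput_mesg (the function starts before this hunk), a line in the commit message would help, otherwise `$langs->trans($mesgstring)` two lines below may return the raw key when the caller never loaded that language file. A comment above `if ($mesgstring) {` such as `// "errors" translations are expected to be loaded by the caller` would make the contract explicit.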

+ 1 - 1
htdocs/holiday/card.php

@@ -923,7 +923,7 @@ if ((empty($id) && empty($ref)) || $action == 'create' || $action == 'add') {
 					$errors[] = $langs->trans('ErrorEndDateCP');
 					break;
 				case 'SQL_Create':
-					$errors[] = $langs->trans('ErrorSQLCreateCP').' <b>'.htmlentities($_GET['msg']).'</b>';
+					$errors[] = $langs->trans('ErrorSQLCreateCP');
 					break;
 				case 'CantCreate':
 					$errors[] = $langs->trans('CantCreateCP');
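Review bot: The `SQL_Create` branch no longer reflects `$_GET['msg']` into the page, which is the right default since a raw request parameter was being echoed as markup; the code that appends `msg=` to the redirect is outside this hunk, so check it is not still building a parameter nobody reads. If the database error text is wanted for diagnosis, record it server-side with dol_syslog rather than in the user-facing message.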

+ 1 - 1
htdocs/main.inc.php

@@ -210,7 +210,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 			} else {
 				// Get remote IP: PS: We do not use getRemoteIP(), function is not yet loaded and we need a value that can't be spoofed
 				$ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
-				$errormessage = 'Access refused to '.$ip.' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type).' paramkey='.htmlentities($key).' paramvalue='.htmlentities($value).' page='.htmlentities($_SERVER["REQUEST_URI"]);
+				$errormessage = 'Access refused to '.htmlentities($ip, ENT_COMPAT, 'UTF-8').' by SQL or Script injection protection in main.inc.php - GETPOST type='.htmlentities($type, ENT_COMPAT, 'UTF-8').' paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8').' paramvalue='.htmlentities($value, ENT_COMPAT, 'UTF-8').' page='.htmlentities($_SERVER["REQUEST_URI"], ENT_COMPAT, 'UTF-8');
 				print $errormessage;
 				// Add entry into error log
 				if (function_exists('error_log')) {
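Review bot: `$errormessage` is HTML-encoded on the new line and then appears to be reused by the log write that starts at `if (function_exists('error_log'))`, so log entries would carry `&quot;`/`&lt;` sequences, while htmlentities leaves CR and LF untouched, so a parameter value containing a newline can still split one log entry into two; build a plain-text message for the log with control characters collapsed (e.g. `preg_replace('/[\r\n]+/', ' ', $plainmessage)`) and apply htmlentities only to the copy that is printed. Using `ENT_QUOTES | ENT_SUBSTITUTE` instead of `ENT_COMPAT` would also escape single quotes and stop an invalid UTF-8 byte in REQUEST_URI or a parameter from turning the whole printed message into an empty string. The error_log body is outside the hunk, so whether it reuses the same variable is inferred.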

+ 1 - 1
htdocs/opensurvey/results.php

@@ -471,7 +471,7 @@ print '<tr><td>';
 $adresseadmin = $object->mail_admin;
 print $langs->trans("Title").'</td><td>';
 if ($action == 'edit') {
-	print '<input type="text" name="nouveautitre" size="40" value="'.dol_escape_htmltag(dol_htmlentities($object->title)).'">';
+	print '<input type="text" name="nouveautitre" size="40" value="'.dol_escape_htmltag($object->title).'">';
 } else {
 	print dol_htmlentities($object->title);
 }
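Review bot: The edit branch now escapes the title with dol_escape_htmltag while the `else` branch two lines below still prints it through dol_htmlentities, so the same value is rendered by two helpers with different rules; as used elsewhere in Dolibarr, dol_escape_htmltag also strips `<b>` tags and rewrites newlines by default, so a title containing either would display one way and be silently changed on edit-and-save. Using the same escaper in both branches, or passing the keep arguments in the input case, avoids the drift. Removing the nested dol_htmlentities call looks right, presumably because it double-encoded the value.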

+ 1 - 1
htdocs/public/error-401.php

@@ -21,7 +21,7 @@
 	Sorry. You are not allowed to access this resource.
 
 	<br>
-	<?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.' : ''; ?>
+	<?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"], ENT_COMPAT, 'UTF-8').'.' : ''; ?>
 
 	<hr>
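Review bot: `htmlentities($_SERVER["HTTP_REFERER"], ENT_COMPAT, 'UTF-8')` returns an empty string when the header holds an invalid UTF-8 sequence, so the page would print `You come from .`; `htmlentities($_SERVER["HTTP_REFERER"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` substitutes the bad bytes instead and also escapes single quotes. The identical line in htdocs/public/error-404.php has the same issue.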
 

+ 1 - 1
htdocs/public/error-404.php

@@ -21,7 +21,7 @@
 	You requested a website or a page that does not exists.
 
 	<br>
-	<?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.' : ''; ?>
+	<?php print isset($_SERVER["HTTP_REFERER"]) ? 'You come from '.htmlentities($_SERVER["HTTP_REFERER"], ENT_COMPAT, 'UTF-8').'.' : ''; ?>
 
 	<hr>
 

+ 2 - 1
htdocs/societe/consumption.php

@@ -361,7 +361,8 @@ if (!empty($sql_select)) {
 		$sql .= " AND ".$doc_number." LIKE '%".$db->escape($sref)."%'";
 	}
 	if ($sprod_fulldescr) {
-		$sql .= " AND (d.description LIKE '%".$db->escape($sprod_fulldescr)."%' OR d.description LIKE '%".$db->escape(dol_htmlentities($sprod_fulldescr))."%'";
+		// We test both case description is correctly saved of was save after dol_escape_htmltag().
+		$sql .= " AND (d.description LIKE '%".$db->escape($sprod_fulldescr)."%' OR d.description LIKE '%".$db->escape(dol_escape_htmltag($sprod_fulldescr))."%'";
 		if (GETPOST('type_element') != 'fichinter') {
 			$sql .= " OR p.ref LIKE '%".$db->escape($sprod_fulldescr)."%'";
 		}
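Review bot: `$sprod_fulldescr` is interpolated into a `LIKE '%...%'` pattern through `$db->escape()`, which neutralises quotes but not the `%` and `_` wildcards, so a search term containing them matches more rows than the user typed; if this DoliDB version provides `escapeforlike()`, wrap the term with it inside the `escape()` call on both sides of the `OR`. The new comment reads awkwardly and could be `// Test both cases: description saved as-is, or saved after dol_escape_htmltag().`. The enclosing `if (!empty($sql_select))` block starts before this hunk and the origin of `$sprod_fulldescr` is not visible, so that it is request input is inferred.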