
Clean code

Laurent Destailleur 2 years ago
parent
commit
8d7e53a98c

+ 5 - 4
htdocs/adherents/canvas/actions_adherentcard_common.class.php

@@ -216,7 +216,7 @@ abstract class ActionsAdherentCardCommon
 
 			$this->tpl['visibility'] = $this->object->getmorphylib($this->object->morphy);
 
-			$this->tpl['note'] = nl2br($this->object->note);
+			$this->tpl['note'] = $this->object->note_private;
 		}
 
 		if ($action == 'create_user') {
@@ -251,7 +251,8 @@ abstract class ActionsAdherentCardCommon
 		$this->object->old_name = GETPOST("old_name");
 		$this->object->old_firstname = GETPOST("old_firstname");
 
-		$this->object->fk_soc = GETPOST("fk_soc");
+		$this->object->fk_soc = GETPOST("fk_soc", 'int');
+		$this->object->socid = GETPOST("fk_soc", 'int');
 		$this->object->lastname			= GETPOST("lastname");
 		$this->object->firstname		= GETPOST("firstname");
 		$this->object->civility_id = GETPOST("civility_id");
@@ -262,8 +263,8 @@ abstract class ActionsAdherentCardCommon
 		$this->object->state_id = GETPOST("state_id", 'int');
 		$this->object->phone_perso = GETPOST("phone_perso");
 		$this->object->phone_mobile = GETPOST("phone_mobile");
-		$this->object->email			= GETPOST("email", 'alphawithlgt');
-		$this->object->note				= GETPOST("note", 'restricthtml');
+		$this->object->email = GETPOST("email", 'alphawithlgt');
+		$this->object->note_private = GETPOST("note", 'restricthtml');
 		$this->object->canvas = GETPOST("canvas");
 
 		// We set country_id, and country_code label of the chosen country
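Review bot: `$this->tpl['note'] = $this->object->note_private;` now hands the stored note to the template with no encoding at all, where the old line at least ran nl2br() on it; the template that prints `$this->tpl['note']` is not part of this commit, so either it must be verified to apply the `dol_string_onlythesehtmltags(dol_htmlentitiesbr(...))` pattern this commit uses on the card pages, or the assignment should do it here: `$this->tpl['note'] = dol_string_onlythesehtmltags(dol_htmlentitiesbr($this->object->note_private));`. The same raw assignment appears in contact/canvas/actions_contactcard_common.class.php and product/canvas/product/actions_card_product.class.php. The enclosing method starts and ends outside these hunks.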

+ 1 - 1
htdocs/adherents/card.php

@@ -316,7 +316,7 @@ if (empty($reshook)) {
 			$object->birth = $birthdate;
 			$object->default_lang = GETPOST('default_lang', 'alpha');
 			$object->typeid = GETPOST("typeid", 'int');
-			//$object->note = trim(GETPOST("comment","alpha"));
+			//$object->note = trim(GETPOST("comment", "restricthtml"));
 			$object->morphy = GETPOST("morphy", 'alpha');
 
 			if (GETPOST('deletephoto', 'alpha')) {

+ 2 - 2
htdocs/adherents/subscription/card.php

@@ -228,7 +228,7 @@ if ($user->hasRight('adherent', 'cotisation', 'creer') && $action == 'edit') {
 
 	// Label
 	print '<tr><td>'.$langs->trans("Label").'</td><td class="valeur" colspan="2">';
-	print '<input type="text" class="flat" size="60" name="note" value="'.$object->note.'"></td></tr>';
+	print '<input type="text" class="flat" size="60" name="note" value="'.$object->note_private.'"></td></tr>';
 
 	// Bank line
 	if (isModEnabled("banque") && (!empty($conf->global->ADHERENT_BANK_USE) || $object->fk_bank)) {
@@ -324,7 +324,7 @@ if ($rowid && $action != 'edit') {
 	print '<tr><td>'.$langs->trans("Amount").'</td><td class="valeur"><span class="amount">'.price($object->amount).'</span></td></tr>';
 
 	// Label
-	print '<tr><td>'.$langs->trans("Label").'</td><td class="valeur">'.$object->note.'</td></tr>';
+	print '<tr><td>'.$langs->trans("Label").'</td><td class="valeur sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private)).'</td></tr>';
 
 	// Bank line
 	if (isModEnabled("banque") && (!empty($conf->global->ADHERENT_BANK_USE) || $object->fk_bank)) {
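Review bot: On the new Label input line, `$object->note_private` is concatenated straight into the `value="..."` attribute without escaping, so a note containing a double quote terminates the attribute; the docblock this commit adds to dol_escape_htmltag() says that function is precisely for values of HTML input fields, so the line should read `print '<input type="text" class="flat" size="60" name="note" value="'.dol_escape_htmltag($object->note_private).'"></td></tr>';`. The second hunk already sanitizes the read-only display, so only the edit form is affected.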

+ 4 - 2
htdocs/adherents/type.php

@@ -537,10 +537,12 @@ if ($rowid > 0) {
 		print '</td></tr>';
 
 		print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td>';
-		print nl2br($object->note)."</td></tr>";
+		print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
+		print "</td></tr>";
 
 		print '<tr><td class="tdtop">'.$langs->trans("WelcomeEMail").'</td><td>';
-		print nl2br($object->mail_valid)."</td></tr>";
+		print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->mail_valid));
+		print "</td></tr>";
 
 		// Other attributes
 		include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_view.tpl.php';
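Review bot: The Description and WelcomeEMail cells now print sanitized HTML, but the `<td>` opened on the unchanged line above each of them carries no class, whereas every other note cell this commit touches (adherents/subscription, comm/action, the payment cards) gets `sensiblehtmlcontent`; for consistency the opening cell should be `print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td class="sensiblehtmlcontent">';` and likewise for WelcomeEMail. Both hunks sit inside the `if ($rowid > 0)` block whose start and end are outside the hunk.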

+ 1 - 1
htdocs/comm/action/card.php

@@ -2415,7 +2415,7 @@ if ($id > 0) {
 		}
 
 		// Description
-		print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td class="wordbreak">';
+		print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td class="wordbreak sensiblehtmlcontent">';
 		print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
 		print '</td></tr>';
 

+ 7 - 13
htdocs/compta/payment_sc/card.php

@@ -55,7 +55,7 @@ if ($id > 0) {
 	}
 }
 
-$result = restrictedArea($user, 'payment_sc', $id, '');
+$result = restrictedArea($user, 'payment_sc', $object, '');
 
 
 /*
@@ -130,26 +130,20 @@ print '<div class="underbanner clearboth"></div>';
 
 print '<table class="border centpercent">';
 
-// Ref
-/*print '<tr><td class="titlefield">'.$langs->trans('Ref').'</td>';
-print '<td colspan="3">';
-print $form->showrefnav($object,'id','',1,'rowid','id');
-print '</td></tr>';*/
-
 // Date
-print '<tr><td>'.$langs->trans('Date').'</td><td colspan="3">'.dol_print_date($object->datep, 'day').'</td></tr>';
+print '<tr><td>'.$langs->trans('Date').'</td><td>'.dol_print_date($object->datep, 'day').'</td></tr>';
 
 // Mode
-print '<tr><td>'.$langs->trans('Mode').'</td><td colspan="3">'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
+print '<tr><td>'.$langs->trans('Mode').'</td><td>'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
 
 // Numero
-print '<tr><td>'.$langs->trans('Numero').'</td><td colspan="3">'.$object->num_payment.'</td></tr>';
+print '<tr><td>'.$langs->trans('Numero').'</td><td>'.dol_escape_htmltag($object->num_payment).'</td></tr>';
 
 // Amount
-print '<tr><td>'.$langs->trans('Amount').'</td><td colspan="3">'.price($object->amount, 0, $langs, 1, -1, -1, $conf->currency).'</td></tr>';
+print '<tr><td>'.$langs->trans('Amount').'</td><td>'.price($object->amount, 0, $langs, 1, -1, -1, $conf->currency).'</td></tr>';
 
 // Note
-print '<tr><td>'.$langs->trans('Note').'</td><td colspan="3">'.nl2br($object->note).'</td></tr>';
+print '<tr><td>'.$langs->trans('Note').'</td><td class="wordbreak sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_private)).'</td></tr>';
 
 // Bank account
 if (isModEnabled("banque")) {
@@ -159,7 +153,7 @@ if (isModEnabled("banque")) {
 
 		print '<tr>';
 		print '<td>'.$langs->trans('BankTransactionLine').'</td>';
-		print '<td colspan="3">';
+		print '<td>';
 		print $bankline->getNomUrl(1, 0, 'showall');
 		print '</td>';
 		print '</tr>';
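Review bot: The restrictedArea() call now passes `$object`, and checkUserAccessToObject() in this commit reads `$object->fk_charge` from it, so the check is only meaningful if the fetch inside the `if ($id > 0)` block above succeeded; if that block does not already abort on a failed fetch, fk_charge is unset, $objectid is not > 0 and the entity/link check is skipped, so an explicit `accessforbidden()` when the fetch returns <= 0 is worth adding. Separately, the Note row uses `dol_string_onlythesehtmltags(dol_htmlcleanlastbr(...))` while the docblocks this commit adds to functions.lib.php prescribe dol_htmlentitiesbr() inside dol_string_onlythesehtmltags() for notes (as expensereport/payment/card.php and adherents/type.php do); dol_htmlcleanlastbr() presumably only trims trailing line breaks and does not entity-encode, so a plain-text note containing `<`, `&` or line breaks renders differently here than on those pages. The same mix appears in compta/payment_vat/card.php, don/payment/card.php, public/members/public_card.php and salaries/payment_salary/card.php.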

+ 6 - 13
htdocs/compta/payment_vat/card.php

@@ -125,7 +125,6 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->tax->char
 llxHeader();
 
 $tva = new TVA($db);
-
 $form = new Form($db);
 
 $h = 0;
@@ -173,26 +172,20 @@ print '<div class="underbanner clearboth"></div>';
 
 print '<table class="border centpercent">';
 
-// Ref
-/*print '<tr><td class="titlefield">'.$langs->trans('Ref').'</td>';
-print '<td colspan="3">';
-print $form->showrefnav($object,'id','',1,'rowid','id');
-print '</td></tr>';*/
-
 // Date
-print '<tr><td>'.$langs->trans('Date').'</td><td colspan="3">'.dol_print_date($object->datep, 'day').'</td></tr>';
+print '<tr><td>'.$langs->trans('Date').'</td><td>'.dol_print_date($object->datep, 'day').'</td></tr>';
 
 // Mode
-print '<tr><td>'.$langs->trans('Mode').'</td><td colspan="3">'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
+print '<tr><td>'.$langs->trans('Mode').'</td><td>'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
 
 // Numero
-print '<tr><td>'.$langs->trans('Numero').'</td><td colspan="3">'.$object->num_paiement.'</td></tr>';
+print '<tr><td>'.$langs->trans('Numero').'</td><td>'.dol_escape_htmltag($object->num_payment).'</td></tr>';
 
 // Montant
-print '<tr><td>'.$langs->trans('Amount').'</td><td colspan="3">'.price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
+print '<tr><td>'.$langs->trans('Amount').'</td><td>'.price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
 
 // Note
-print '<tr><td>'.$langs->trans('Note').'</td><td colspan="3">'.nl2br($object->note).'</td></tr>';
+print '<tr><td>'.$langs->trans('Note').'</td><td class="wordbreak sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_private)).'</td></tr>';
 
 // Bank account
 if (isModEnabled("banque")) {
@@ -202,7 +195,7 @@ if (isModEnabled("banque")) {
 
 		print '<tr>';
 		print '<td>'.$langs->trans('BankTransactionLine').'</td>';
-		print '<td colspan="3">';
+		print '<td>';
 		print $bankline->getNomUrl(1, 0, 'showall');
 		print '</td>';
 		print '</tr>';

+ 3 - 3
htdocs/compta/tva/class/paymentvat.class.php

@@ -265,7 +265,6 @@ class PaymentVAT extends CommonObject
 	 */
 	public function fetch($id)
 	{
-		global $langs;
 		$sql = "SELECT";
 		$sql .= " t.rowid,";
 		$sql .= " t.fk_tva,";
@@ -275,7 +274,7 @@ class PaymentVAT extends CommonObject
 		$sql .= " t.amount,";
 		$sql .= " t.fk_typepaiement,";
 		$sql .= " t.num_paiement as num_payment,";
-		$sql .= " t.note,";
+		$sql .= " t.note as note_private,";
 		$sql .= " t.fk_bank,";
 		$sql .= " t.fk_user_creat,";
 		$sql .= " t.fk_user_modif,";
@@ -303,7 +302,8 @@ class PaymentVAT extends CommonObject
 				$this->fk_typepaiement = $obj->fk_typepaiement;
 				$this->num_paiement = $obj->num_payment;
 				$this->num_payment = $obj->num_payment;
-				$this->note = $obj->note;
+				$this->note = $obj->note_private;
+				$this->note_private = $obj->note_private;
 				$this->fk_bank = $obj->fk_bank;
 				$this->fk_user_creat = $obj->fk_user_creat;
 				$this->fk_user_modif = $obj->fk_user_modif;
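Review bot: fetch() keeps writing `$this->note` next to the new `$this->note_private` without saying why, so a later cleanup is likely to drop one of them; a short comment on the kept line would settle it: `$this->note = $obj->note_private; // kept for callers still reading ->note; note_private is the canonical field`. Removing `global $langs` is only safe if nothing in the rest of fetch() (outside these hunks) uses $langs, which the hunk does not show.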

+ 1 - 1
htdocs/contact/canvas/actions_contactcard_common.class.php

@@ -253,7 +253,7 @@ abstract class ActionsContactCardCommon
 
 			$this->tpl['visibility'] = $this->object->LibPubPriv($this->object->priv);
 
-			$this->tpl['note'] = nl2br($this->object->note);
+			$this->tpl['note'] = $this->object->note_private;
 		}
 
 		if ($action == 'create_user') {

+ 22 - 8
htdocs/core/lib/functions.lib.php

@@ -1582,6 +1582,7 @@ function dol_escape_json($stringtoescape)
 
 /**
  *  Returns text escaped for inclusion in HTML alt or title or value tags, or into values of HTML input fields.
+ *  When we output string on pages, we use dol_string_onlythesehtmltags(dol_htmlentitiesbr()) for notes, and use dol_escape_htmltag() for simple labels.
  *
  *  @param      string		$stringtoescape			String to escape
  *  @param		int			$keepb					1=Keep b tags, 0=remove them completely
@@ -7099,21 +7100,29 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
  *  @param	int		$cleanalsojavascript	Remove also occurence of 'javascript:'.
  *  @param	int		$allowiframe			Allow iframe tags.
  *  @param	array	$allowed_tags			List of allowed tags to replace the default list
+ *  @param	int		$allowlink				Allow link tags.
  *	@return string	    					String cleaned
  *
  * 	@see	dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
  */
-function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0, $allowed_tags = array())
+function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, $removeclassattribute = 1, $cleanalsojavascript = 0, $allowiframe = 0, $allowed_tags = array(), $allowlink = 0)
 {
 	if (empty($allowed_tags)) {
 		$allowed_tags = array(
-			"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
+			"html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li",
 			"ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6"
 		);
 	}
 	$allowed_tags[] = "comment";		// this tags is added to manage comment <!--...--> that are replaced into <comment>...</comment>
 	if ($allowiframe) {
-		$allowed_tags[] = "iframe";
+		if (!in_array('iframe', $allowed_tags)) {
+			$allowed_tags[] = "iframe";
+		}
+	}
+	if ($allowlink) {
+		if (!in_array('link', $allowed_tags)) {
+			$allowed_tags[] = "link";
+		}
 	}
 
 	$allowed_tags_string = join("><", $allowed_tags);
@@ -7304,7 +7313,8 @@ function dolGetFirstLineOfText($text, $nboflines = 1, $charset = 'UTF-8')
 
 /**
  * Replace CRLF in string with a HTML BR tag.
- * WARNING: The content after operation contains some HTML tags (the <br>) so be sure to also have encode the special chars of stringtoencode into HTML before.
+ * WARNING: The content after operation contains some HTML tags (the <br>) so be sure to also have
+ *          encoded the special chars of stringtoencode into HTML before with dol_htmlentitiesbr().
  *
  * @param	string	$stringtoencode		String to encode
  * @param	int     $nl2brmode			0=Adding br before \n, 1=Replacing \n by br
@@ -7331,7 +7341,7 @@ function dol_nl2br($stringtoencode, $nl2brmode = 0, $forxml = false)
  *
  * @param	string	$stringtoencode				String to encode
  * @param	int     $nouseofiframesandbox		Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing
- * @param	string	$check						'restricthtmlnolink' or  'restricthtml' or 'restricthtmlallowunvalid'
+ * @param	string	$check						'restricthtmlnolink' or 'restricthtml' or 'restricthtmlallowunvalid'
  * @return	string								HTML sanitized
  */
 function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = 'restricthtml')
@@ -7402,9 +7412,12 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
 			$out = preg_replace('/&apos;/i', "&#39;", $out);
 		} while ($oldstringtoclean != $out);
 
-		// Check the limit of external links in a Rich text content. We count '<img' and 'url('
+		// Check the limit of external links that are automatically executed in a Rich text content. We count:
+		// '<img' to avoid <img src="http...">
+		// 'url(' to avoid inline style like background: url(http...
+		// '<link' to avoid <link href="http...">
 		$reg = array();
-		preg_match_all('/(<img|url\()/i', $out, $reg);
+		preg_match_all('/(<img|url\(|<link)/i', $out, $reg);
 		$nbextlink = count($reg[0]);
 		if ($nbextlink > getDolGlobalInt("MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT", 1000)) {
 			$out = 'TooManyLinksIntoHTMLString';
@@ -7430,13 +7443,14 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = '
  *              - MultiCell -> param must not be encoded into HTML.
  *              Because writeHTMLCell convert also \n into <br>, if function
  *              is used to build PDF, nl2brmode must be 1.
+ *  When we output string on pages, we use dol_string_onlythesehtmltags(dol_htmlentitiesbr()) for notes, and use dol_escape_htmltag() for simple labels.
  *
  *	@param	string	$stringtoencode		String to encode
  *	@param	int		$nl2brmode			0=Adding br before \n, 1=Replacing \n by br (for use with FPDF writeHTMLCell function for example)
  *  @param  string	$pagecodefrom       Pagecode stringtoencode is encoded
  *  @param	int		$removelasteolbr	1=Remove last br or lasts \n (default), 0=Do nothing
  *  @return	string						String encoded
- *  @see dolGetFirstLineOfText()
+ *  @see dol_escape_htmltag(), dolGetFirstLineOfText()
  */
 function dol_htmlentitiesbr($stringtoencode, $nl2brmode = 0, $pagecodefrom = 'UTF-8', $removelasteolbr = 1)
 {
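Review bot: The docblock for the new `$allowlink` parameter says only "Allow link tags." and does not mention that `link` was removed from the default list in the same function, which is a behaviour change for every existing caller of dol_string_onlythesehtmltags(); suggest `@param int $allowlink 1=Also allow <link> tags (no longer in the default list; reserve for trusted admin content such as EXTERNALSITE_URL)`. The two new `in_array('iframe', $allowed_tags)` / `in_array('link', $allowed_tags)` checks should pass `true` as the third argument so the comparison is strict. The `<link` addition to the preg_match_all() in dol_htmlwithnojs() has no counterpart in test/phpunit/SecurityTest.php, which only exercises the new parameter of dol_string_onlythesehtmltags().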

+ 4 - 3
htdocs/core/lib/security.lib.php

@@ -847,14 +847,15 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 			$feature = 'agenda';
 			$dbtablename = 'actioncomm';
 		}
-
 		if ($feature == 'payment_sc') {
 			$feature = "chargesociales";
+			$objectid = $object->fk_charge;
 		}
+
 		$checkonentitydone = 0;
 
 		// Array to define rules of checks to do
-		$check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment','chargesociales'); // Test on entity only (Objects with no link to company)
+		$check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment', 'chargesociales'); // Test on entity only (Objects with no link to company)
 		$checksoc = array('societe'); // Test for object Societe
 		$checkother = array('agenda', 'contact', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
 		$checkproject = array('projet', 'project'); // Test for project object
@@ -1002,7 +1003,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 
 			$checkonentitydone = 1;
 		}
-		//var_dump($checkonentitydone);
+		//var_dump($sql);
 
 		if (!$checkonentitydone && !in_array($feature, $nocheck) && $objectid > 0) {		// By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
 			// If external user: Check permission for external users
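Review bot: The new `$objectid = $object->fk_charge;` assumes `$object` is an object, but the signature (`$object = 0`) still lets callers pass 0 or an id; reading a property of an int yields null (with a warning on PHP 8), so $objectid becomes empty and the later `$objectid > 0` branch is skipped for that feature. Guard it with `if (is_object($object) && !empty($object->fk_charge)) { $objectid = $object->fk_charge; }` and decide explicitly what a payment_sc call without a loaded object should do, since the hunk does not show how $objectid is initialised. The `//var_dump($sql);` line is a debugging leftover that could be dropped rather than updated.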

+ 1 - 1
htdocs/datapolicy/class/actions_datapolicy.class.php

@@ -116,7 +116,7 @@ class ActionsDatapolicy
 				$object->state_id = '';
 				$object->socialnetworks = '';
 				$object->country_id = '';
-				$object->note_private = $object->note_private.'<br>'.$langs->trans('ANONYMISER_AT', dol_print_date(time()));
+				$object->note_private = dol_concatdesc($object->note_private, $langs->trans('ANONYMISER_AT', dol_print_date(dol_now())));
 
 				if ($object->update($object->id, $user, 0)) {
 					// On supprime les contacts associé

+ 3 - 3
htdocs/delivery/card.php

@@ -442,7 +442,7 @@ if ($action == 'create') {
 			// Incoterms
 			if (isModEnabled('incoterm')) {
 				print '<tr><td>';
-				print '<table width="100%" class="nobordernopadding"><tr><td>';
+				print '<table class="centpercent nobordernopadding"><tr><td>';
 				print $langs->trans('IncotermLabel');
 				print '<td><td class="right">';
 				if ($user->rights->expedition->delivery->creer) {
@@ -465,13 +465,13 @@ if ($action == 'create') {
 			// Note Public
 			print '<tr><td>'.$langs->trans("NotePublic").'</td>';
 			print '<td colspan="3">';
-			print nl2br($object->note_public);
+			print dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_public));
 			print "</td></tr>";
 
 			// Note Private
 			print '<tr><td>'.$langs->trans("NotePrivate").'</td>';
 			print '<td colspan="3">';
-			print nl2br($object->note_private);
+			print dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_private));
 			print "</td></tr>";
 			*/
 

+ 2 - 2
htdocs/don/payment/card.php

@@ -116,13 +116,13 @@ print '<tr><td class="titlefield">'.$langs->trans('Date').'</td><td>'.dol_print_
 print '<tr><td>'.$langs->trans('Mode').'</td><td>'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
 
 // Number
-print '<tr><td>'.$langs->trans('Numero').'</td><td>'.$object->num_payment.'</td></tr>';
+print '<tr><td>'.$langs->trans('Numero').'</td><td>'.dol_escape_htmltag($object->num_payment).'</td></tr>';
 
 // Amount
 print '<tr><td>'.$langs->trans('Amount').'</td><td>'.price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
 
 // Note public
-print '<tr><td>'.$langs->trans('Note').'</td><td>'.nl2br($object->note_public).'</td></tr>';
+print '<tr><td>'.$langs->trans('Note').'</td><td class="valeur sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_public)).'</td></tr>';
 
 // Bank account
 if (isModEnabled("banque")) {

+ 2 - 1
htdocs/expedition/card.php

@@ -224,7 +224,8 @@ if (empty($reshook)) {
 
 		$db->begin();
 
-		$object->note = GETPOST('note', 'alpha');
+		$object->note = GETPOST('note', 'restricthtml');
+		$object->note_private = GETPOST('note', 'restricthtml');
 		$object->origin = $origin;
 		$object->origin_id = $origin_id;
 		$object->fk_project = GETPOST('projectid', 'int');

+ 0 - 4
htdocs/expedition/shipment.php

@@ -378,10 +378,6 @@ if ($id > 0 || !empty($ref)) {
 			}
 		}
 		print '</td>';
-		// Note on several rows
-		//print '<td rowspan="'.$nbrow.'" valign="top">'.$langs->trans('NotePublic').' :<br>';
-		//print nl2br($object->note_public);
-		//print '</td>';
 		print '</tr>';
 
 		// Delivery delay

+ 5 - 5
htdocs/expensereport/payment/card.php

@@ -105,19 +105,19 @@ print '<div class="underbanner clearboth"></div>';
 print '<table class="border centpercent">'."\n";
 
 // Date payment
-print '<tr><td class="titlefield">'.$langs->trans('Date').'</td><td colspan="3">'.dol_print_date($object->datep, 'day').'</td></tr>';
+print '<tr><td class="titlefield">'.$langs->trans('Date').'</td><td>'.dol_print_date($object->datep, 'day').'</td></tr>';
 
 // Mode
-print '<tr><td>'.$langs->trans('PaymentMode').'</td><td colspan="3">'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
+print '<tr><td>'.$langs->trans('PaymentMode').'</td><td>'.$langs->trans("PaymentType".$object->type_code).'</td></tr>';
 
 // Number
-print '<tr><td>'.$langs->trans('Numero').'</td><td colspan="3">'.$object->num_payment.'</td></tr>';
+print '<tr><td>'.$langs->trans('Numero').'</td><td>'.dol_escape_htmltag($object->num_payment).'</td></tr>';
 
 // Amount
-print '<tr><td>'.$langs->trans('Amount').'</td><td colspan="3">'.price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
+print '<tr><td>'.$langs->trans('Amount').'</td><td>'.price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency).'</td></tr>';
 
 // Note public
-print '<tr><td class="tdtop">'.$langs->trans('Note').'</td><td colspan="3">'.nl2br($object->note_public).'</td></tr>';
+print '<tr><td class="tdtop">'.$langs->trans('Note').'</td><td class="valeur sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_public)).'</td></tr>';
 
 $disable_delete = 0;
 // Bank account

+ 2 - 2
htdocs/externalsite/admin/index.php

@@ -59,7 +59,7 @@ if ($action == 'update') {
 
 	// exturl can be an url or a HTML string
 	$exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
-	$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
+	$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1, array(), 1);
 	$exturl = dol_string_onlythesehtmlattributes($exturl);
 
 	$i += dolibarr_set_const($db, 'EXTERNALSITE_LABEL', trim($label), 'chaine', 0, '', $conf->entity);
@@ -112,7 +112,7 @@ print '<td class="fieldrequired">'.$langs->trans("ExternalSiteURL")."</td>";
 print '<td><textarea class="flat minwidth500" name="EXTERNALSITE_URL">';
 
 $exturl = GETPOST('EXTERNALSITE_URL', 'restricthtml');
-$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1);
+$exturl = dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1, array(), 1);
 $exturl = dol_string_onlythesehtmlattributes($exturl);
 
 print (GETPOSTISSET('EXTERNALSITE_URL') ? $exturl : (empty($conf->global->EXTERNALSITE_URL) ? '' : $conf->global->EXTERNALSITE_URL));
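Review bot: `dol_string_onlythesehtmltags($exturl, 1, 1, 0, 1, array(), 1)` is now seven positional scalars whose meaning cannot be read at the call site, and what they enable (iframe and link tags) is exactly what the rest of this commit removes from the default list; a comment on both lines would make the trust decision explicit: `// Allow iframe and link tags here: admin-only setting, attributes filtered again by dol_string_onlythesehtmlattributes()`. Both call sites duplicate the same three-line cleaning sequence; a small local helper would keep them in sync.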

+ 2 - 2
htdocs/fourn/paiement/card.php

@@ -256,9 +256,9 @@ if ($result > 0) {
 	}
 
 	// Note
-	print '<tr><td>'.$form->editfieldkey("Comments", 'note', $object->note, $object, ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer)).'</td>';
+	print '<tr><td>'.$form->editfieldkey("Comments", 'note', $object->note_private, $object, ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer)).'</td>';
 	print '<td>';
-	print $form->editfieldval("Note", 'note', $object->note, $object, ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer), 'textarea');
+	print $form->editfieldval("Note", 'note', $object->note_private, $object, ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer), 'textarea');
 	print '</td></tr>';
 
 	print '</table>';
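Review bot: editfieldkey()/editfieldval() are still called with the field name `'note'` but now display `$object->note_private`, so the form shows note_private while the save action for field 'note' (outside this hunk) presumably still writes `$object->note`; verify that the set action and update() persist note_private, otherwise an edit appears to be lost after reload. If the field name is meant to follow the value, both should move together, e.g. `$form->editfieldkey("Comments", 'note_private', $object->note_private, ...)` with the matching action name.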

+ 2 - 2
htdocs/product/canvas/product/actions_card_product.class.php

@@ -111,7 +111,7 @@ class ActionsCardProduct
 		$this->tpl['status'] = $this->object->getLibStatut(2);
 
 		// Note
-		$this->tpl['note'] = nl2br($this->object->note_private);
+		$this->tpl['note'] = $this->object->note_private;
 
 		if ($action == 'create') {
 			// Price
@@ -168,7 +168,7 @@ class ActionsCardProduct
 			$this->tpl['status_buy'] = $form->selectarray('statut_buy', $statutarray, $this->object->status_buy);
 
 			$this->tpl['description'] = $this->object->description;
-			$this->tpl['note'] = $this->object->note;
+			$this->tpl['note'] = $this->object->note_private;
 
 			// Finished
 			$statutarray = array('1' => $langs->trans("Finished"), '0' => $langs->trans("RowMaterial"));

+ 9 - 9
htdocs/product/canvas/product/tpl/card_view.tpl.php

@@ -49,12 +49,12 @@ dol_banner_tab($object, 'ref', $linkback, $shownav, 'ref');
 
 <tr>
 <td width="15%"><?php echo $langs->trans("Ref"); ?></td>
-<td colspan="2"><?php echo $object->ref; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->ref); ?></td>
 </tr>
 
 <tr>
 <td><?php echo $langs->trans("Label") ?></td>
-<td><?php echo $object->label; ?></td>
+<td><?php echo dol_escape_htmltag($object->label); ?></td>
 
 <?php if ($object->photos) { ?>
 <td valign="middle" align="center" width="30%" rowspan="<?php echo $object->nblines; ?>">
@@ -66,37 +66,37 @@ dol_banner_tab($object, 'ref', $linkback, $shownav, 'ref');
 
 <tr>
 <td class="tdtop"><?php echo $langs->trans("Description"); ?></td>
-<td colspan="2"><?php echo $object->description; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->description); ?></td>
 </tr>
 
 <tr>
 <td><?php echo $langs->trans("Nature"); ?></td>
-<td colspan="2"><?php echo $object->finished; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->finished); ?></td>
 </tr>
 
 <tr>
 <td><?php echo $langs->trans("Weight"); ?></td>
-<td colspan="2"><?php echo $object->weight; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->weight); ?></td>
 </tr>
 
 <tr>
 <td><?php echo $langs->trans("Length"); ?></td>
-<td colspan="2"><?php echo $object->length; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->length); ?></td>
 </tr>
 
 <tr>
 <td><?php echo $langs->trans("Surface"); ?></td>
-<td colspan="2"><?php echo $object->surface; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->surface); ?></td>
 </tr>
 
 <tr>
 <td><?php echo $langs->trans("Volume"); ?></td>
-<td colspan="2"><?php echo $object->volume; ?></td>
+<td colspan="2"><?php echo dol_escape_htmltag($object->volume); ?></td>
 </tr>
 
 <tr>
 <td class="tdtop"><?php echo $langs->trans("Note"); ?></td>
-<td colspan="2"><?php echo $object->note; ?></td>
+<td colspan="2" class="valeur sensiblehtmlcontent"><?php echo dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note)); ?></td>
 </tr>
 
 </table>
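Review bot: The Note row still reads `$object->note` while actions_card_product.class.php in this commit switches its template data to `$object->note_private`, so if the product class has stopped populating ->note this cell renders empty; the line should read `<td colspan="2" class="valeur sensiblehtmlcontent"><?php echo dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private)); ?></td>`, and the same applies to product/canvas/service/tpl/card_view.tpl.php. The Description row is wrapped in dol_escape_htmltag(); if description can hold HTML from the editor, that prints the tags literally and the note pattern would be the better fit — worth confirming against how description is captured.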

+ 1 - 1
htdocs/product/canvas/service/actions_card_service.class.php

@@ -151,7 +151,7 @@ class ActionsCardService
 		$this->tpl['label'] = $this->object->label;
 		$this->tpl['id'] = $this->object->id;
 		$this->tpl['type'] = $this->object->type;
-		$this->tpl['note'] = $this->object->note;
+		$this->tpl['note'] = $this->object->note_private;
 		$this->tpl['seuil_stock_alerte'] = $this->object->seuil_stock_alerte;
 
 		// Duration

+ 1 - 1
htdocs/product/canvas/service/tpl/card_view.tpl.php

@@ -76,7 +76,7 @@ dol_banner_tab($object, 'ref', $linkback, $shownav, 'ref');
 
 <tr>
 <td class="tdtop"><?php echo $langs->trans("Note"); ?></td>
-<td colspan="2"><?php echo $object->note; ?></td>
+<td colspan="2" class="valeur sensiblehtmlcontent"><?php echo dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note)); ?></td>
 </tr>
 
 </table>

+ 1 - 1
htdocs/public/members/public_card.php

@@ -126,7 +126,7 @@ if ($id > 0) {
 		//    print "<tr><td>$value</td><td>".$object->array_options["options_$key"]."&nbsp;</td></tr>\n";
 		//  }
 
-		print '<tr><td class="tdtop">'.$langs->trans("Comments").'</td><td>'.nl2br($object->note_public).'</td></tr>';
+		print '<tr><td class="tdtop">'.$langs->trans("Comments").'</td><td class="valeur sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_public)).'</td></tr>';
 
 		print '</table>';
 	}

+ 1 - 1
htdocs/salaries/payment_salary/card.php

@@ -165,7 +165,7 @@ print '<tr><td>'.$langs->trans('Numero').'</td><td>'.dol_escape_htmltag($object-
 print '<tr><td>'.$langs->trans('Amount').'</td><td>'.price($object->amount, 0, $langs, 1, -1, -1, $conf->currency).'</td></tr>';
 
 // Note
-print '<tr><td>'.$langs->trans('Note').'</td><td>'.dol_nl2br($object->note_private).'</td></tr>';
+print '<tr><td>'.$langs->trans('Note').'</td><td class="valeur sensiblehtmlcontent">'.dol_string_onlythesehtmltags(dol_htmlcleanlastbr($object->note_private)).'</td></tr>';
 
 // Bank account
 if (isModEnabled("banque")) {

+ 0 - 7
htdocs/zapier/class/api_zapier.class.php

@@ -354,13 +354,6 @@ class Zapier extends DolibarrApi
 		// phpcs:disable
 		$object = parent::_cleanObjectDatas($object);
 
-		/*unset($object->note);
-        unset($object->address);
-        unset($object->barcode_type);
-        unset($object->barcode_type_code);
-        unset($object->barcode_type_label);
-        unset($object->barcode_type_coder);*/
-
 		return $object;
 	}
 

+ 8 - 0
test/phpunit/SecurityTest.php

@@ -691,6 +691,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 		$decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1);
 		$this->assertEquals('<a href="aaa">bbbڴ', $decodedstring, 'Function did not sanitize correclty with test 3');
 
+		$stringtotest = 'text <link href="aaa"> text';
+		$decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1, 0, array(), 0);
+		$this->assertEquals('text  text', $decodedstring, 'Function did not sanitize correclty with test 4a');
+
+		$stringtotest = 'text <link href="aaa"> text';
+		$decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1, 0, array(), 1);
+		$this->assertEquals('text <link href="aaa"> text', $decodedstring, 'Function did not sanitize correclty with test 4b');
+
 		return 0;
 	}