
Merge branch '7.0' of git@github.com:Dolibarr/dolibarr.git into develop

Conflicts:
	htdocs/admin/company.php
Laurent Destailleur 7 years ago
parent
commit
d46a8eb8f0

+ 23 - 23
htdocs/admin/company.php

@@ -80,7 +80,7 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity);
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity);
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'aZ09'),'chaine',0,'',$conf->entity);
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity);
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity);
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity);
@@ -156,26 +156,26 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
 		}
 	}
 
-	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity);
-
-	dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'nohtml'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'nohtml'),'chaine',0,'',$conf->entity);
+
+	dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'nohtml'),'chaine',0,'',$conf->entity);
 	dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity);
 
-	dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'alpha'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'int'),'chaine',0,'',$conf->entity);
 
-	dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'aZ09'),'chaine',0,'',$conf->entity);
 
 	// Local taxes
-	dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity);
-	dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'aZ09'),'chaine',0,'',$conf->entity);
+	dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'aZ09'),'chaine',0,'',$conf->entity);
 
 	if($_POST["optionlocaltax1"]=="localtax1on")
 	{
@@ -185,9 +185,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
 		}
 		else
 		{
-			dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity);
+			dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','aZ09'),'chaine',0,'',$conf->entity);
 		}
-		dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1",  GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity);
+		dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1",  GETPOST("clt1",'aZ09'),'chaine',0,'',$conf->entity);
 	}
 	if($_POST["optionlocaltax2"]=="localtax2on")
 	{
@@ -197,9 +197,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha'))
 		}
 		else
 		{
-			dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity);
+			dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','aZ09'),'chaine',0,'',$conf->entity);
 		}
-		dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2",  GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity);
+		dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2",  GETPOST("clt2",'aZ09'),'chaine',0,'',$conf->entity);
 	}
 
 	if ($action != 'updateedit' && ! $error)
@@ -415,7 +415,7 @@ if ($action == 'edit' || $action == 'updateedit')
 
 	// IDs of the company (country-specific)
 	print '<table class="noborder" width="100%">';
-	print '<tr class="liste_titre"><td>'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
+	print '<tr class="liste_titre"><td class="titlefield">'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
 
 	$langs->load("companies");
 
@@ -568,7 +568,7 @@ if ($action == 'edit' || $action == 'updateedit')
 	print '<br>';
 	print '<table class="noborder" width="100%">';
 	print '<tr class="liste_titre">';
-	print '<td class="titlefield">'.$langs->trans("VATManagement").'</td><td>'.$langs->trans("Description").'</td>';
+	print '<td width="140">'.$langs->trans("VATManagement").'</td><td>'.$langs->trans("Description").'</td>';
 	print '<td align="right">&nbsp;</td>';
 	print "</tr>\n";
 
@@ -601,7 +601,7 @@ if ($action == 'edit' || $action == 'updateedit')
 		print '<br>';
 		print '<table class="noborder" width="100%">';
 		print '<tr class="liste_titre">';
-		print '<td>'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).'</td><td>'.$langs->trans("Description").'</td>';
+		print '<td width="140">'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).'</td><td>'.$langs->trans("Description").'</td>';
 		print '<td align="right">&nbsp;</td>';
 		print "</tr>\n";
 
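Review bot: The branch conditions `if($_POST["optionlocaltax1"]=="localtax1on")` and the matching `optionlocaltax2` one in the second hunk still read the raw superglobal, while the value stored two lines earlier now goes through `GETPOST("optionlocaltax1",'aZ09')`; if the filter rewrites the value (for instance to an empty string), the constant written and the branch taken disagree. Read it the same way in both places, e.g. `if (GETPOST("optionlocaltax1",'aZ09') == "localtax1on")`. The `aZ09` check applied to `lt1`/`lt2` and `currency` should be confirmed against its definition (not in this diff): if it does not accept `.`, a decimal local-tax rate would be stored as empty. The enclosing `if ($action == 'update' ...)` block starts and ends outside these hunks.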

+ 7 - 3
htdocs/comm/action/class/api_agendaevents.class.php

@@ -115,13 +115,17 @@ class AgendaEvents extends DolibarrApi
         // If the internal user must only see his customers, force searching by him
         $search_sale = 0;
         if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id;
+		if (empty($conf->societe->enabled)) $search_sale = 0;	// If module thirdparty not enabled, sale representative is something that does not exists
 
         $sql = "SELECT t.id as rowid";
-        if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
+        if (! empty($conf->societe->enabled))
+        	if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
         $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as t";
-        if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
+        if (! empty($conf->societe->enabled))
+        	if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
         $sql.= ' WHERE t.entity IN ('.getEntity('agenda').')';
-        if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc";
+        if (! empty($conf->societe->enabled))
+        	if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc";
         if ($user_ids) $sql.=" AND t.fk_user_action IN (".$user_ids.")";
         if ($socid > 0) $sql.= " AND t.fk_soc = ".$socid;
         // Insert sale filter
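Review bot: The three new `if (! empty($conf->societe->enabled))` guards depend on `$conf` being in scope inside this method, and the hunk does not show a `global $conf;` declaration (the method head is outside the hunk); if it is missing, `$conf` is null, every guard is false, `$search_sale` is reset to 0 on the added line, and the restriction for users who may only see their own customers' events is silently dropped rather than enforced. Please confirm the declaration exists. Stylistically, a brace-less `if` wrapping a second brace-less `if`, repeated three times, is easy to misread; compute it once, `$filterbysale = ! empty($conf->societe->enabled) && ((! DolibarrApiAccess::$user->rights->societe->client->voir && ! $socid) || $search_sale > 0);`, and reuse it for the select, the join and the where. The added line is also tab-indented where the surrounding code uses spaces.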

+ 7 - 2
htdocs/comm/action/list.php

@@ -234,7 +234,7 @@ $sql.= ' a.fk_user_author,a.fk_user_action,';
 $sql.= " a.fk_contact, a.note, a.percent as percent,";
 $sql.= " a.fk_element, a.elementtype,";
 $sql.= " c.code as type_code, c.libelle as type_label,";
-$sql.= " sp.lastname, sp.firstname";
+$sql.= " sp.lastname, sp.firstname, sp.email, sp.phone, sp.address, sp.phone as phone_pro, sp.phone_mobile, sp.phone_perso, sp.fk_pays as country_id";
 // Add fields from extrafields
 foreach ($extrafields->attribute_label as $key => $val) $sql.=($extrafields->attribute_type[$key] != 'separate' ? ",ef.".$key.' as options_'.$key : '');
 $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a";
@@ -602,9 +602,14 @@ if ($resql)
 			print '<td>';
 			if ($obj->fk_contact > 0)
 			{
+				$contactstatic->id=$obj->fk_contact;
+				$contactstatic->email=$obj->email;
 				$contactstatic->lastname=$obj->lastname;
 				$contactstatic->firstname=$obj->firstname;
-				$contactstatic->id=$obj->fk_contact;
+				$contactstatic->phone_pro=$obj->phone_pro;
+				$contactstatic->phone_mobile=$obj->phone_mobile;
+				$contactstatic->phone_perso=$obj->phone_perso;
+				$contactstatic->country_id=$obj->country_id;
 				print $contactstatic->getNomUrl(1,'',28);
 			}
 			else
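Review bot: The SELECT list now fetches `sp.phone` twice (`sp.phone` and `sp.phone as phone_pro`), and the second hunk only reads `$obj->phone_pro`, so the unaliased `sp.phone` column looks unused; dropping it avoids an extra column and the ambiguity about which alias callers should read: `$sql.= " sp.lastname, sp.firstname, sp.email, sp.address, sp.phone as phone_pro, sp.phone_mobile, sp.phone_perso, sp.fk_pays as country_id";`. `sp.address` is likewise selected but not copied onto `$contactstatic` in the visible hunk; it may be consumed elsewhere in the loop, which is outside the hunk. Setting every field on the reused `$contactstatic` per row is correct, since stale values from a previous row would otherwise leak into `getNomUrl()`.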

+ 17 - 9
htdocs/compta/bank/transfer.php

@@ -49,8 +49,8 @@ if ($action == 'add')
 
 	$dateo = dol_mktime(12,0,0,GETPOST('remonth','int'),GETPOST('reday','int'),GETPOST('reyear','int'));
 	$label = GETPOST('label','alpha');
-	$amount= GETPOST('amount');
-	$amountto= GETPOST('amountto');
+	$amount= GETPOST('amount','alpha');
+	$amountto= GETPOST('amountto','alpha');
 
 	if (! $label)
 	{
@@ -125,7 +125,7 @@ if ($action == 'add')
 
 			if (! $error)
 			{
-				$mesgs = $langs->trans("TransferFromToDone",'<a href="bankentries_list.php?id='.$accountfrom->id.'&sortfield=b.datev,b.dateo,b.rowid&sortorder=desc">'.$accountfrom->label."</a>",'<a href="bankentries_list.php?id='.$accountto->id.'">'.$accountto->label."</a>",$amount,$langs->transnoentities("Currency".$conf->currency));
+				$mesgs = $langs->trans("TransferFromToDone", '<a href="bankentries_list.php?id='.$accountfrom->id.'&sortfield=b.datev,b.dateo,b.rowid&sortorder=desc">'.$accountfrom->label."</a>", '<a href="bankentries_list.php?id='.$accountto->id.'">'.$accountto->label."</a>", $amount, $langs->transnoentities("Currency".$conf->currency));
 				setEventMessages($mesgs, null, 'mesgs');
 				$db->commit();
 			}
@@ -153,6 +153,12 @@ llxHeader();
 print '		<script type="text/javascript">
         	$(document).ready(function () {
     	  		$(".selectbankaccount").change(function() {
+						console.log("We change bank account");
+						init_page();
+				});
+
+				function init_page() {
+					console.log("Set fields according to currency");
         			var account1 = $("#selectaccount_from").val();
         			var account2 = $("#selectaccount_to").val();
         			var currencycode1="";
@@ -199,7 +205,9 @@ print '		<script type="text/javascript">
     	        	}).fail(function( data ) {
 						console.error("Error: has returned an empty page. Should be an empty json array.");
 					});
-        		});
+        		}
+
+				init_page();
         	});
     		</script>';
 
@@ -210,12 +218,12 @@ $account_to='';
 $label='';
 $amount='';
 
-if($error)
+if ($error)
 {
 	$account_from =	GETPOST('account_from','int');
 	$account_to	= GETPOST('account_to','int');
 	$label = GETPOST('label','alpha');
-	$amount = GETPOST('amount','int');
+	$amount = GETPOST('amount','alpha');
 }
 
 print load_fiche_titre($langs->trans("MenuBankInternalTransfer"), '', 'title_bank.png');
@@ -246,9 +254,9 @@ print "</td>\n";
 print "<td>";
 $form->select_date((! empty($dateo)?$dateo:''),'','','','','add');
 print "</td>\n";
-print '<td><input name="label" class="flat quatrevingtpercent" type="text" value="'.$label.'"></td>';
-print '<td><input name="amount" class="flat" type="text" size="6" value="'.$amount.'"></td>';
-print '<td style="display:none" class="multicurrency"><input name="amountto" class="flat" type="text" size="6" value="'.$amountto.'"></td>';
+print '<td><input name="label" class="flat quatrevingtpercent" type="text" value="'.dol_escape_htmltag($label).'"></td>';
+print '<td><input name="amount" class="flat" type="text" size="6" value="'.dol_escape_htmltag($amount).'"></td>';
+print '<td style="display:none" class="multicurrency"><input name="amountto" class="flat" type="text" size="6" value="'.dol_escape_htmltag($amountto).'"></td>';
 
 print "</table>";
 
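Review bot: `$amount= GETPOST('amount','alpha');` in the first hunk (and the same read in the error-redisplay hunk) accepts arbitrary text, and that `$amount` is later interpolated into the success message built with `$langs->trans("TransferFromToDone", ...)` next to raw `<a href=...>` markup; whatever converts it to a number before the bank entries are written is outside these hunks, so please confirm a `price2num()` step exists on that path. Normalising at the read site removes the doubt: `$amount = price2num(GETPOST('amount','alpha'));` and the same for `amountto`. The form echo in the last hunk is now wrapped in `dol_escape_htmltag()`, which covers the redisplay case. In the JavaScript hunk, `init_page()` is declared after the `.change()` handler that calls it, which works because function declarations are hoisted within the `ready` callback.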

+ 38 - 38
htdocs/contact/card.php

@@ -176,26 +176,26 @@ if (empty($reshook))
 
         $object->entity			= (GETPOSTISSET('entity')?GETPOST('entity', 'int'):$conf->entity);
         $object->socid			= GETPOST("socid",'int');
-        $object->lastname		= GETPOST("lastname");
-        $object->firstname		= GETPOST("firstname");
-        $object->civility_id		= GETPOST("civility_id",'alpha');
-        $object->poste			= GETPOST("poste");
-        $object->address			= GETPOST("address");
-        $object->zip				= GETPOST("zipcode");
-        $object->town			= GETPOST("town");
+        $object->lastname		= GETPOST("lastname",'alpha');
+        $object->firstname		= GETPOST("firstname",'alpha');
+        $object->civility_id	= GETPOST("civility_id",'alpha');
+        $object->poste			= GETPOST("poste",'alpha');
+        $object->address		= GETPOST("address",'alpha');
+        $object->zip			= GETPOST("zipcode",'alpha');
+        $object->town			= GETPOST("town",'alpha');
         $object->country_id		= GETPOST("country_id",'int');
         $object->state_id		= GETPOST("state_id",'int');
-        $object->skype			= GETPOST("skype");
+        $object->skype			= GETPOST("skype",'alpha');
         $object->email			= GETPOST("email",'alpha');
-        $object->phone_pro		= GETPOST("phone_pro");
-        $object->phone_perso		= GETPOST("phone_perso");
-        $object->phone_mobile	= GETPOST("phone_mobile");
-        $object->fax				= GETPOST("fax");
+        $object->phone_pro		= GETPOST("phone_pro",'alpha');
+        $object->phone_perso	= GETPOST("phone_perso",'alpha');
+        $object->phone_mobile	= GETPOST("phone_mobile",'alpha');
+        $object->fax			= GETPOST("fax",'alpha');
         $object->jabberid		= GETPOST("jabberid",'alpha');
 		$object->no_email		= GETPOST("no_email",'int');
         $object->priv			= GETPOST("priv",'int');
-        $object->note_public		= GETPOST("note_public");
-        $object->note_private	= GETPOST("note_private");
+        $object->note_public	= GETPOST("note_public",'none');
+        $object->note_private	= GETPOST("note_private",'none');
         $object->statut			= 1; //Defult status to Actif
 
         // Note: Correct date should be completed with location to have exact GM time of birth.
@@ -340,33 +340,33 @@ if (empty($reshook))
 
 			$object->oldcopy = clone $object;
 
-            $object->old_lastname	= GETPOST("old_lastname");
-            $object->old_firstname	= GETPOST("old_firstname");
+			$object->old_lastname	= GETPOST("old_lastname",'alpha');
+			$object->old_firstname	= GETPOST("old_firstname",'alpha');
 
             $object->socid			= GETPOST("socid",'int');
-            $object->lastname		= GETPOST("lastname");
-            $object->firstname		= GETPOST("firstname");
-            $object->civility_id		= GETPOST("civility_id",'alpha');
-            $object->poste			= GETPOST("poste");
-
-            $object->address			= GETPOST("address");
-            $object->zip				= GETPOST("zipcode");
-            $object->town			= GETPOST("town");
-            $object->state_id   		= GETPOST("state_id",'int');
+            $object->lastname		= GETPOST("lastname",'alpha');
+            $object->firstname		= GETPOST("firstname",'alpha');
+            $object->civility_id	= GETPOST("civility_id",'alpha');
+            $object->poste			= GETPOST("poste",'alpha');
+
+            $object->address		= GETPOST("address",'alpha');
+            $object->zip			= GETPOST("zipcode",'alpha');
+            $object->town			= GETPOST("town",'alpha');
+            $object->state_id   	= GETPOST("state_id",'int');
             $object->fk_departement	= GETPOST("state_id",'int');	// For backward compatibility
             $object->country_id		= GETPOST("country_id",'int');
 
             $object->email			= GETPOST("email",'alpha');
             $object->skype			= GETPOST("skype",'alpha');
-            $object->phone_pro		= GETPOST("phone_pro");
-            $object->phone_perso		= GETPOST("phone_perso");
-            $object->phone_mobile	= GETPOST("phone_mobile");
-            $object->fax				= GETPOST("fax");
+            $object->phone_pro		= GETPOST("phone_pro",'alpha');
+            $object->phone_perso	= GETPOST("phone_perso",'alpha');
+            $object->phone_mobile	= GETPOST("phone_mobile",'alpha');
+            $object->fax			= GETPOST("fax",'alpha');
             $object->jabberid		= GETPOST("jabberid",'alpha');
 			$object->no_email		= GETPOST("no_email",'int');
             $object->priv			= GETPOST("priv",'int');
-            	$object->note_public		= GETPOST("note_public");
-       		$object->note_private	= GETPOST("note_private");
+            $object->note_public	= GETPOST("note_public",'none');
+       		$object->note_private	= GETPOST("note_private",'none');
 
             // Fill array 'array_options' with data from add form
 			$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -541,9 +541,9 @@ else
 
             // Name
             print '<tr><td class="titlefieldcreate fieldrequired"><label for="lastname">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</label></td>';
-	        print '<td><input name="lastname" id="lastname" type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname")?GETPOST("lastname"):$object->lastname).'" autofocus="autofocus"></td>';
+            print '<td><input name="lastname" id="lastname" type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname",'alpha')?GETPOST("lastname",'alpha'):$object->lastname).'" autofocus="autofocus"></td>';
             print '<td><label for="firstname">'.$langs->trans("Firstname").'</label></td>';
-	        print '<td><input name="firstname" id="firstname"type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname")?GETPOST("firstname"):$object->firstname).'"></td></tr>';
+            print '<td><input name="firstname" id="firstname"type="text" class="maxwidth100onsmartphone" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname",'alpha')?GETPOST("firstname",'alpha'):$object->firstname).'"></td></tr>';
 
             // Company
             if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
@@ -595,8 +595,8 @@ else
             if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip;			// Predefined with third party
             if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town;	// Predefined with third party
             print '<tr><td><label for="zipcode">'.$langs->trans("Zip").'</label> / <label for="town">'.$langs->trans("Town").'</label></td><td colspan="'.$colspan.'" class="maxwidthonsmartphone">';
-            print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).'&nbsp;';
-            print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
+            print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).'&nbsp;';
+            print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
             print '</td></tr>';
 
             // Country
@@ -644,7 +644,7 @@ else
             // EMail
             if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email;	// Predefined with third party
             print '<tr><td><label for="email">'.$langs->trans("Email").'</label></td>';
-	        print '<td><input name="email" id="email" type="text" class="maxwidth100onsmartphone" value="'.(GETPOST("email",'alpha')?GETPOST("email",'alpha'):$object->email).'"></td>';
+	        print '<td><input name="email" id="email" type="text" class="maxwidth100onsmartphone" value="'.dol_escape_htmltag(GETPOST("email",'alpha')?GETPOST("email",'alpha'):$object->email).'"></td>';
             if (! empty($conf->mailing->enabled))
             {
             	print '<td><label for="no_email">'.$langs->trans("No_Email").'</label></td>';
@@ -658,13 +658,13 @@ else
 
             // Instant message and no email
             print '<tr><td><label for="jabberid">'.$langs->trans("IM").'</label></td>';
-	        print '<td colspan="3"><input name="jabberid" id="jabberid" type="text" class="minwidth100" maxlength="80" value="'.(GETPOST("jabberid",'alpha')?GETPOST("jabberid",'alpha'):$object->jabberid).'"></td></tr>';
+            print '<td colspan="3"><input name="jabberid" id="jabberid" type="text" class="minwidth100" maxlength="80" value="'.dol_escape_htmltag(GETPOST("jabberid",'alpha')?GETPOST("jabberid",'alpha'):$object->jabberid).'"></td></tr>';
 
             // Skype
             if (! empty($conf->skype->enabled))
             {
                 print '<tr><td><label for="skype">'.$langs->trans("Skype").'</label></td>';
-	            print '<td colspan="3"><input name="skype" id="skype" type="text" class="minwidth100" maxlength="80" value="'.(GETPOST("skype",'alpha')?GETPOST("skype",'alpha'):$object->skype).'"></td></tr>';
+                print '<td colspan="3"><input name="skype" id="skype" type="text" class="minwidth100" maxlength="80" value="'.dol_escape_htmltag(GETPOST("skype",'alpha')?GETPOST("skype",'alpha'):$object->skype).'"></td></tr>';
             }
 
             // Visibility
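Review bot: `note_public` and `note_private` are read with the `'none'` check in both the create and update hunks, so nothing on this page filters them; that is acceptable for editor HTML only if every place that prints these notes sanitises them on output, which is outside this diff. A one-line comment at the read site would make that contract explicit, e.g. `// 'none': WYSIWYG HTML, must be sanitised wherever it is rendered`. `address` is now read with `'alpha'`; if that filter rejects double quotes (its definition is not in this diff), a legitimate address containing `"` would be stored as empty, so `'nohtml'` may suit free-text fields better, as the company.php hunks in this same commit use. The two `old_lastname`/`old_firstname` lines switched to tab indentation while the surrounding block uses spaces.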

+ 1 - 1
htdocs/core/actions_linkedfiles.inc.php

@@ -27,7 +27,7 @@
 
 
 // Submit file/link
-if (GETPOST('sendit','none') && ! empty($conf->global->MAIN_UPLOAD_DOC))
+if (GETPOST('sendit','alpha') && ! empty($conf->global->MAIN_UPLOAD_DOC))
 {
 	if (! empty($_FILES))
 	{

+ 2 - 2
htdocs/core/lib/functions.lib.php

@@ -545,10 +545,10 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU
 		case 'array':
 			if (! is_array($out) || empty($out)) $out=array();
 			break;
-		case 'nohtml':
+		case 'nohtml':		// Recommended for most scalar parameters
 			$out=dol_string_nohtmltag($out, 0);
 			break;
-		case 'alphanohtml':	// Recommended for search params
+		case 'alphanohtml':	// Recommended for search parameters
 			if (! is_array($out))
 			{
 				$out=trim($out);
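Review bot: The new comment `// Recommended for most scalar parameters` on the `'nohtml'` case can mislead: unlike `'alphanohtml'` directly below, `'nohtml'` does not trim the value (compare `$out=dol_string_nohtmltag($out, 0);` with the `$out=trim($out);` in the next case), so callers comparing the result against `''` still see surrounding whitespace. Either state it, `// Recommended for most scalar parameters (strips tags, does not trim)`, or add the trim so the two recommended cases behave alike. The body of `GETPOST` starts and ends outside the hunk.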

+ 2 - 6
htdocs/expensereport/list.php

@@ -73,7 +73,7 @@ $search_user  = GETPOST('search_user','int');
 $search_amount_ht = GETPOST('search_amount_ht','alpha');
 $search_amount_vat = GETPOST('search_amount_vat','alpha');
 $search_amount_ttc = GETPOST('search_amount_ttc','alpha');
-$search_status = (GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha'));
+$search_status = (GETPOST('search_status','intcomma')!=''?GETPOST('search_status','intcomma'):GETPOST('statut','intcomma'));
 $month_start  = GETPOST("month_start","int");
 $year_start   = GETPOST("year_start","int");
 $month_end    = GETPOST("month_end","int");
@@ -304,11 +304,7 @@ if ($search_amount_ttc != '') $sql.= natural_search('d.total_ttc', $search_amoun
 // User
 if ($search_user != '' && $search_user >= 0) $sql.= " AND u.rowid = '".$db->escape($search_user)."'";
 // Status
-if ($search_status != '' && $search_status >= 0)
-{
-	if (strstr($search_status, ',')) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";
-	else $sql.=" AND d.fk_statut = ".$search_status;
-}
+if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";
 // RESTRICT RIGHTS
 if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
     && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
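Review bot: The collapsed line `$sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";` relies entirely on the `'intcomma'` read in the first hunk for safety, because `$db->escape()` only escapes quote characters and the value is spliced unquoted into the IN list; if a later edit restores `'alpha'` on the read, this line becomes injectable. Make the SQL side self-protecting: `$sql.=" AND d.fk_statut IN (".implode(',', array_map('intval', explode(',', $search_status))).")";`. Also `$search_status >= 0` applied to a comma list such as `"2,4"` is a string-to-int comparison whose outcome changed between PHP 7 and PHP 8; testing `$search_status != ''` and relying on the integer mapping is clearer.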

+ 16 - 6
htdocs/filefunc.inc.php

@@ -151,13 +151,23 @@ if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php s
 // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host
 if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
 {
-    if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])
-    && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER'])))
+	if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']))
     {
-    	//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-    	print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
-        print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
-    	die;
+    	$csrfattack=false;
+    	if (empty($_SERVER['HTTP_REFERER'])) $csrfattack=true;	// An evil browser was used
+    	else
+    	{
+    		$tmpa=parse_url($_SERVER['HTTP_HOST']);
+    		$tmpb=parse_url($_SERVER['HTTP_REFERER']);
+    		if ((empty($tmpa['host'])?$tmpa['path']:$tmpa['host']) != (empty($tmpb['host'])?$tmpb['path']:$tmpb['host'])) $csrfattack=true;
+    	}
+    	if ($csrfattack)
+    	{
+    		//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
+    		print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n";
+        	print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
+    		die;
+    	}
     }
     // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on.
 }
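Review bot: The host comparison `if ((empty($tmpa['host'])?$tmpa['path']:$tmpa['host']) != (empty($tmpb['host'])?$tmpb['path']:$tmpb['host'])) $csrfattack=true;` is case-sensitive while host names are not, so a `Referer` carrying `Example.com` against a `Host` of `example.com` is refused as an attack; lower-case both sides first: `$hosta = strtolower(empty($tmpa['host']) ? $tmpa['path'] : $tmpa['host']);` / `$hostb = strtolower(empty($tmpb['host']) ? $tmpb['path'] : $tmpb['host']);` / `if ($hosta !== $hostb) $csrfattack = true;`. Comparing parsed hosts is a real improvement over the old substring `preg_match`, since a referer that merely contains the host name no longer passes. The comment `// An evil browser was used` on the missing-referer case is inaccurate, as privacy settings, proxies and some redirects strip the header; suggest `// No referer: origin cannot be verified, treat as untrusted`, and note in the block header that this is defence in depth and the token check referenced in the trailing comment remains the reliable control.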

+ 2 - 2
htdocs/holiday/list.php

@@ -85,7 +85,7 @@ if (! $sortorder) $sortorder="DESC";
 
 
 $sall                = trim((GETPOST('search_all', 'alphanohtml')!='')?GETPOST('search_all', 'alphanohtml'):GETPOST('sall', 'alphanohtml'));
-$search_ref          = GETPOST('search_ref','alpha');
+$search_ref          = GETPOST('search_ref','alphanohtml');
 $search_day_create   = GETPOST('search_day_create','int');
 $search_month_create = GETPOST('search_month_create','int');
 $search_year_create  = GETPOST('search_year_create','int');
@@ -185,7 +185,7 @@ $order = $db->order($sortfield,$sortorder).$db->plimit($limit + 1, $offset);
 // Ref
 if(!empty($search_ref))
 {
-    $filter.= " AND cp.rowid = ".$db->escape($search_ref);
+    $filter.= " AND cp.rowid = ".(int) $db->escape($search_ref);
 }
 
 // Start date
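Review bot: In `$filter.= " AND cp.rowid = ".(int) $db->escape($search_ref);` the `(int)` cast already guarantees an integer literal, so the `$db->escape()` call is redundant and suggests escaping is what protects the query; `$filter.= " AND cp.rowid = ".(int) $search_ref;` says what is meant. A non-numeric ref now silently becomes `cp.rowid = 0` and returns nothing rather than failing; if users type reference strings rather than ids into this field, a `ctype_digit($search_ref)` guard around the filter would give a clearer result. The surrounding `if(!empty($search_ref))` is unchanged.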

+ 10 - 7
htdocs/main.inc.php

@@ -73,7 +73,7 @@ if (function_exists('get_magic_quotes_gpc'))	// magic_quotes_* deprecated in PHP
  *
  * @param		string		$val		Value
  * @param		string		$type		1=GET, 0=POST, 2=PHP_SELF
- * @return		int						>0 if there is an injection
+ * @return		int						>0 if there is an injection, 0 if none
  */
 function test_sql_and_script_inject($val, $type)
 {
@@ -101,6 +101,7 @@ function test_sql_and_script_inject($val, $type)
 	// More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
 	$inj += preg_match('/<script/i', $val);
 	$inj += preg_match('/<iframe/i', $val);
+	$inj += preg_match('/<audio/i', $val);
 	$inj += preg_match('/Set\.constructor/i', $val);	// ECMA script 6
 	if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
 	$inj += preg_match('/base[\s]+href/si', $val);
@@ -108,6 +109,7 @@ function test_sql_and_script_inject($val, $type)
 	$inj += preg_match('/onerror\s*=/i', $val);       // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
 	$inj += preg_match('/onfocus\s*=/i', $val);       // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
 	$inj += preg_match('/onload\s*=/i', $val);        // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
+	$inj += preg_match('/onloadstart\s*=/i', $val);   // onload can be set on audio tag <audio onloadstart=alert(1)>
 	$inj += preg_match('/onclick\s*=/i', $val);       // onclick can be set on img text html tag like <img onclick = alert(1)>
 	$inj += preg_match('/onscroll\s*=/i', $val);      // onscroll can be on textarea
 	//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val);   // To lock event handlers onAbort(), ...
@@ -128,17 +130,17 @@ function test_sql_and_script_inject($val, $type)
  *
  * @param		string			$var		Variable name
  * @param		string			$type		1=GET, 0=POST, 2=PHP_SELF
- * @return		boolean||null				true if there is an injection. Stop code if injection found.
+ * @return		boolean|null				true if there is no injection. Stop code if injection found.
  */
 function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 {
 	if (is_array($var))
 	{
-		foreach ($var as $key => $value)
+		foreach ($var as $key => $value)	// Warning, $key may also be used for attacks
 		{
-			if (analyseVarsForSqlAndScriptsInjection($value,$type))
+			if (analyseVarsForSqlAndScriptsInjection($key, $type) && analyseVarsForSqlAndScriptsInjection($value, $type))
 			{
-				$var[$key] = $value;
+				//$var[$key] = $value;	// This is useless
 			}
 			else
 			{
@@ -150,7 +152,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 	}
 	else
 	{
-		return (test_sql_and_script_inject($var,$type) <= 0);
+		return (test_sql_and_script_inject($var, $type) <= 0);
 	}
 }
 
@@ -351,7 +353,8 @@ if (! defined('NOTOKENRENEWAL'))
 	$token = dol_hash(uniqid(mt_rand(),TRUE)); // Generates a hash of a random number
 	$_SESSION['newtoken'] = $token;
 }
-if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))	// Check validity of token, only if option enabled (this option breaks some features sometimes)
+if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
+	|| defined('CSRFCHECK_WITH_TOKEN'))	// Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
 {
 	if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token','alpha')) // Note, offender can still send request by GET
 	{

+ 24 - 37
htdocs/product/card.php

@@ -1248,8 +1248,8 @@ else
     else if ($object->id > 0)
     {
         // Fiche en mode edition
-        	if ($action == 'edit' && $usercancreate)
-        {
+		if ($action == 'edit' && $usercancreate)
+		{
             //WYSIWYG Editor
             require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
 
@@ -1310,11 +1310,15 @@ else
             print '</td></tr>';
 
 			// Batch number managment
-			if ($conf->productbatch->enabled) {
-				print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="3">';
-				$statutarray=array('0' => $langs->trans("ProductStatusNotOnBatch"), '1' => $langs->trans("ProductStatusOnBatch"));
-				print $form->selectarray('status_batch',$statutarray,$object->status_batch);
-				print '</td></tr>';
+			if ($conf->productbatch->enabled) 
+			{
+				if ($object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES))
+				{
+					print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="3">';
+					$statutarray=array('0' => $langs->trans("ProductStatusNotOnBatch"), '1' => $langs->trans("ProductStatusOnBatch"));
+					print $form->selectarray('status_batch',$statutarray,$object->status_batch);
+					print '</td></tr>';
+				}
 			}
 
             // Barcode
@@ -1406,7 +1410,6 @@ else
                 print '<input name="duration_unit" type="radio" value="m"'.($object->duration_unit=='m'?' checked':'').'>'.$langs->trans("Month");
                 print '&nbsp; ';
                 print '<input name="duration_unit" type="radio" value="y"'.($object->duration_unit=='y'?' checked':'').'>'.$langs->trans("Year");
-
                 print '</td></tr>';
             }
             else
@@ -1627,7 +1630,7 @@ else
                 {
                     require_once DOL_DOCUMENT_ROOT.'/core/class/html.formbarcode.class.php';
                     $formbarcode = new FormBarCode($db);
-		}
+				}
                 if ($action == 'editbarcodetype')
                 {
                     $formbarcode->form_barcode_type($_SERVER['PHP_SELF'].'?id='.$object->id,$object->barcode_type,'fk_barcode_type');
@@ -1733,35 +1736,19 @@ else
 			}
 			print '</td></tr>';
 
-            // Status (to sell)
-            /*
-            print '<tr><td>'.$langs->trans("Status").' ('.$langs->trans("Sell").')</td><td colspan="2">';
-            if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
-                print ajax_object_onoff($object, 'status', 'tosell', 'ProductStatusOnSell', 'ProductStatusNotOnSell');
-            } else {
-                print $object->getLibStatut(2,0);
-            }
-            print '</td></tr>';
-
-            // Status (to buy)
-            print '<tr><td>'.$langs->trans("Status").' ('.$langs->trans("Buy").')</td><td colspan="2">';
-            if (! empty($conf->use_javascript_ajax) && $user->rights->produit->creer && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
-                print ajax_object_onoff($object, 'status_buy', 'tobuy', 'ProductStatusOnBuy', 'ProductStatusNotOnBuy');
-            } else {
-                print $object->getLibStatut(2,1);
-            }
-            print '</td></tr>';
-            */
-
             // Batch number management (to batch)
-            if (! empty($conf->productbatch->enabled)) {
-                print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="2">';
-                if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
-                    print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch');
-                } else {
-                    print $object->getLibStatut(0,2);
-                }
-                print '</td></tr>';
+            if (! empty($conf->productbatch->enabled)) 
+            {
+				if ($object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES))
+				{
+            		print '<tr><td>'.$langs->trans("ManageLotSerial").'</td><td colspan="2">';
+            	    if (! empty($conf->use_javascript_ajax) && $usercancreate && ! empty($conf->global->MAIN_DIRECT_STATUS_UPDATE)) {
+            	        print ajax_object_onoff($object, 'status_batch', 'tobatch', 'ProductStatusOnBatch', 'ProductStatusNotOnBatch');
+            	    } else {
+            	        print $object->getLibStatut(0,2);
+            	    }
+            	    print '</td></tr>';
+				}
             }
 
             // Description
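Review bot: The added view-mode batch block mixes a space indent with embedded tabs on the `print` lines inside the new `if ($object->isProduct() || ...)` branch, and both `if (! empty($conf->productbatch->enabled)) ` and the edit-mode `if ($conf->productbatch->enabled) ` line carry trailing whitespace; the edit-mode copy of the same block is tab-indented, so the two copies now differ only in whitespace style. The condition `$object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES)` is duplicated between the edit-mode and view-mode hunks; computing it once near the top, e.g. `$showbatchfield = $object->isProduct() || ! empty($conf->global->STOCK_SUPPORTS_SERVICES);`, would keep the two modes from drifting apart. The edit-mode check also tests `$conf->productbatch->enabled` directly while the view-mode check wraps it in `! empty()`; aligning both on the `! empty()` form avoids a notice when the module object is not set.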

+ 13 - 3
htdocs/projet/card.php

@@ -1047,11 +1047,21 @@ elseif ($object->id > 0)
                         jQuery("#divtocloseproject").hide();
                     }
 
-                    /* Change percent of default percent of new status is higher */
-                    if (parseFloat(jQuery("#opp_percent").val()) != parseFloat(defaultpercent))
+                    /* Change percent with default percent (defaultpercent) if new status (defaultpercent) is higher than current (jQuery("#opp_percent").val()) */
+                    console.log("oldpercent="+oldpercent);
+                    if (oldpercent != \'\' && (parseFloat(defaultpercent) < parseFloat(oldpercent)))
                     {
                         if (jQuery("#opp_percent").val() != \'\' && oldpercent != \'\') jQuery("#oldopppercent").text(\' - '.dol_escape_js($langs->transnoentities("PreviousValue")).': \'+oldpercent+\' %\');
-                        jQuery("#opp_percent").val(defaultpercent);
+                        if (parseFloat(oldpercent) != 100) { jQuery("#opp_percent").val(oldpercent); }
+                        else { jQuery("#opp_percent").val(defaultpercent); }
+                    }
+                    else 
+                    {
+                    	if ((parseFloat(jQuery("#opp_percent").val()) < parseFloat(defaultpercent)));
+                    	{
+                        	if (jQuery("#opp_percent").val() != \'\' && oldpercent != \'\') jQuery("#oldopppercent").text(\' - '.dol_escape_js($langs->transnoentities("PreviousValue")).': \'+oldpercent+\' %\');
+                        	jQuery("#opp_percent").val(defaultpercent);
+                    	}
                     }
             	}
 
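Review bot: The inner condition of the new else branch, `if ((parseFloat(jQuery("#opp_percent").val()) < parseFloat(defaultpercent)));`, ends with a stray semicolon, so the comparison is a no-op and the block that follows runs unconditionally — `#opp_percent` is overwritten with defaultpercent even when the current value is higher, which is the case the else branch was meant to leave alone. Drop the trailing semicolon: `if (parseFloat(jQuery("#opp_percent").val()) < parseFloat(defaultpercent))`. The `console.log("oldpercent="+oldpercent);` added a few lines above looks like leftover debugging output and should be removed before merge. The enclosing JavaScript block, and the PHP string that emits it, start and end outside this hunk.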

+ 9 - 9
htdocs/public/opensurvey/studs.php

@@ -60,18 +60,18 @@ $nbcolonnes = substr_count($object->sujet, ',') + 1;
 $listofvoters=explode(',',$_SESSION["savevoter"]);
 
 // Add comment
-if (GETPOST('ajoutcomment'))
+if (GETPOST('ajoutcomment','alpha'))
 {
 	if (!$canbemodified) accessforbidden();
 
 	$error=0;
 
-	if (! GETPOST('comment'))
+	if (! GETPOST('comment','none'))
 	{
 		$error++;
 		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Comment")), null, 'errors');
 	}
-	if (! GETPOST('commentuser'))
+	if (! GETPOST('commentuser','nohtml'))
 	{
 		$error++;
 		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("User")), null, 'errors');
@@ -79,8 +79,8 @@ if (GETPOST('ajoutcomment'))
 
 	if (! $error)
 	{
-		$comment = GETPOST("comment");
-		$comment_user = GETPOST('commentuser');
+		$comment = GETPOST("comment",'none');
+		$comment_user = GETPOST('commentuser','nohtml');
 
 		$resql = $object->addComment($comment, $comment_user);
 
@@ -94,7 +94,7 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x"))		// bout
 	if (!$canbemodified) accessforbidden();
 
 	//Si le nom est bien entré
-	if (GETPOST('nom'))
+	if (GETPOST('nom','nohtml'))
 	{
 		$nouveauchoix = '';
 		for ($i=0;$i<$nbcolonnes;$i++)
@@ -112,7 +112,7 @@ if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x"))		// bout
 			}
 		}
 
-		$nom=substr(GETPOST("nom"),0,64);
+		$nom=substr(GETPOST("nom",'nohtml'),0,64);
 
 		// Check if vote already exists
 		$sql = 'SELECT id_users, nom as name';
@@ -739,9 +739,9 @@ if ($comments)
 if ($object->allow_comments) {
 	print '<div class="addcomment">' .$langs->trans("AddACommentForPoll") . "<br>\n";
 
-	print '<textarea name="comment" rows="'.ROWS_2.'" class="quatrevingtpercent"></textarea><br>'."\n";
+	print '<textarea name="comment" rows="'.ROWS_2.'" class="quatrevingtpercent">'.dol_escape_htmltag(GETPOST('comment','none')).'</textarea><br>'."\n";
 	print $langs->trans("Name") .': ';
-	print '<input type="text" name="commentuser" maxlength="64" /> &nbsp; '."\n";
+	print '<input type="text" name="commentuser" maxlength="64" value="'.GETPOST('commentuser','nohtml').'"> &nbsp; '."\n";
 	print '<input type="submit" class="button" name="ajoutcomment" value="'.dol_escape_htmltag($langs->trans("AddComment")).'"><br>'."\n";
 	print '</form>'."\n";
 
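Review bot: The prefilled name input, `value="'.GETPOST('commentuser','nohtml').'"`, writes the submitted value into an HTML attribute without attribute escaping, so a double quote in the name terminates the attribute; the `comment` textarea two lines above goes through `dol_escape_htmltag`, and the group-name input in htdocs/user/group/card.php in this same commit uses `dol_escape_htmltag(GETPOST('nom','nohtml'))`. Unless the 'nohtml' filter also encodes quotes (nothing in the hunk shows that), this should be `value="'.dol_escape_htmltag(GETPOST('commentuser','nohtml')).'"`. In the vote hunk, `substr(GETPOST("nom",'nohtml'),0,64)` truncates by bytes and can split a multibyte character; `mb_substr` would be safer, although the truncation itself predates this commit.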

+ 10 - 10
htdocs/user/group/card.php

@@ -112,9 +112,9 @@ if (empty($reshook)) {
 				setEventMessages($langs->trans("NameNotDefined"), null, 'errors');
 				$action="create";       // Go back to create page
 			} else {
-				$object->nom	= trim($_POST["nom"]);	// For backward compatibility
-				$object->name	= trim($_POST["nom"]);
-				$object->note	= trim($_POST["note"]);
+				$object->name	= trim(GETPOST("nom",'nohtml'));
+				$object->nom	= $object->name;	// For backward compatibility
+				$object->note	= trim(GETPOST("note",'none'));
 
 				// Fill array 'array_options' with data from add form
 				$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -195,9 +195,9 @@ if (empty($reshook)) {
 
 			$object->oldcopy = clone $object;
 
-			$object->name	= trim($_POST["group"]);
+			$object->name	= trim(GETPOST("group",'nohtml'));
 			$object->nom	= $object->name;			// For backward compatibility
-			$object->note	= dol_htmlcleanlastbr($_POST["note"]);
+			$object->note	= dol_htmlcleanlastbr(GETPOST("note",'none'));
 
 			// Fill array 'array_options' with data from add form
 			$ret = $extrafields->setOptionalsFromPost($extralabels,$object);
@@ -260,7 +260,7 @@ if ($action == 'create')
 
 	print "<tr>";
 	print '<td class="fieldrequired titlefield">'.$langs->trans("Name").'</td>';
-	print '<td><input type="text" id="nom" name="nom" value="'.GETPOST('nom','alpha').'"></td></tr>';
+	print '<td><input type="text" id="nom" name="nom" value="'.dol_escape_htmltag(GETPOST('nom','nohtml')).'"></td></tr>';
 
 	// Multicompany
 	if (! empty($conf->multicompany->enabled) && is_object($mc))
@@ -343,7 +343,7 @@ else
             if (! empty($conf->mutlicompany->enabled))
             {
     			print '<tr><td class="titlefield">'.$langs->trans("Name").'</td>';
-    			print '<td class="valeur">'.$object->name;
+    			print '<td class="valeur">'.dol_escape_htmltag($object->name);
     			if (empty($object->entity))
     			{
     				print img_picto($langs->trans("GlobalGroup"),'redstar');
@@ -356,7 +356,7 @@ else
 			{
 				$mc->getInfo($object->entity);
 				print "<tr>".'<td class="titlefield">'.$langs->trans("Entity").'</td>';
-				print '<td class="valeur">'.$mc->label;
+				print '<td class="valeur">'.dol_escape_htmltag($mc->label);
 				print "</td></tr>\n";
 			}
 
@@ -490,7 +490,7 @@ else
 	        $genallowed = $user->rights->user->user->creer;
 	        $delallowed = $user->rights->user->user->supprimer;
 
-	        $somethingshown = $formfile->show_documents('usergroup', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang);
+	        $somethingshown = $formfile->showdocuments('usergroup', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang);
 
 	        // Show links to link elements
 	        $linktoelem = $form->showLinkToObjectBlock($object, null, null);
@@ -520,7 +520,7 @@ else
 
             print '<table class="border" width="100%">';
             print '<tr><td class="titlefield fieldrequired">'.$langs->trans("Name").'</td>';
-            print '<td class="valeur"><input size="15" type="text" name="group" value="'.$object->name.'">';
+            print '<td class="valeur"><input class="minwidth300" type="text" name="group" value="'.dol_escape_htmltag($object->name).'">';
             print "</td></tr>\n";
 
             // Multicompany
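Review bot: The `dol_escape_htmltag($object->name)` added in the read-only name cell sits inside a branch guarded by `$conf->mutlicompany->enabled`, which appears to be a misspelling — the create-form hunk in this same file checks `$conf->multicompany->enabled` — so that branch is presumably never entered and the new escaping has no effect there. The typo is pre-existing, but fixing the guard to `if (! empty($conf->multicompany->enabled))` is what makes this change reachable. The rest of the section is consistent: the create form escapes the `nom` input with `dol_escape_htmltag(GETPOST('nom','nohtml'))` and the edit form escapes `$object->name` the same way.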