Home Explore Help
Sign In
iProspective
/
dolibarr
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix #yogosha4525

Laurent Destailleur 4 years ago
parent
72d5850a5f
commit
d75e1e5771
5 changed files with 7 additions and 7 deletions
Split View Show Diff Stats
  1. 1 1
      htdocs/core/boxes/box_task.php
  2. 1 1
      htdocs/core/class/html.formmargin.class.php
  3. 1 1
      htdocs/core/website.inc.php
  4. 1 1
      htdocs/main.inc.php
  5. 3 3
      htdocs/takepos/index.php

+ 1 - 1
htdocs/core/boxes/box_task.php
View File 

@@ -94,7 +94,7 @@ class box_task extends ModeleBoxes
 
         if (in_array(GETPOST($cookie_name), array('all', 'im_project_contact', 'im_task_contact'))) {
 
             $filterValue = GETPOST($cookie_name);
 
         } elseif (!empty($_COOKIE[$cookie_name])) {
 
-            $filterValue = $_COOKIE[$cookie_name];
 
+            $filterValue = preg_replace('/[^a-z_]/', '', $_COOKIE[$cookie_name]);	// Clean cookie from evil data
 
         }
 
 
         if ($filterValue == 'im_task_contact') {

+ 1 - 1
htdocs/core/class/html.formmargin.class.php
View File 

@@ -204,7 +204,7 @@ class FormMargin
 
 		if (!empty($conf->global->MARGIN_ADD_SHOWHIDE_BUTTON))	// TODO Warning this feature rely on an external js file that may be removed. Using native js function document.cookie should be better
 
 		{
 
 			print $langs->trans('ShowMarginInfos').' : ';
 
-	        $hidemargininfos = $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW'];
 
+	        $hidemargininfos = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']);	// Clean cookie
 
 	    	print '<span id="showMarginInfos" class="linkobject '.(!empty($hidemargininfos) ? '' : 'hideobject').'">'.img_picto($langs->trans("Disabled"), 'switch_off').'</span>';
 
 	    	print '<span id="hideMarginInfos" class="linkobject '.(!empty($hidemargininfos) ? 'hideobject' : '').'">'.img_picto($langs->trans("Enabled"), 'switch_on').'</span>';

+ 1 - 1
htdocs/core/website.inc.php
View File 

@@ -68,7 +68,7 @@ if ($pageid > 0)
 
 {
 
 	$websitepage->fetch($pageid);
 
 
-	$weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : $_COOKIE['weblangs-shortcode']));
 
+	$weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode'])));
 
 	$pagelangs->setDefaultLang($websitepage->lang ? $websitepage->lang : $weblangs->shortlang);
 
 
 	if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status)))

+ 1 - 1
htdocs/main.inc.php
View File 

@@ -521,7 +521,7 @@ if (!defined('NOLOGIN'))
 
 
 		$allowedmethodtopostusername = 2;
 
 		if (defined('MAIN_AUTHENTICATION_POST_METHOD')) $allowedmethodtopostusername = constant('MAIN_AUTHENTICATION_POST_METHOD');
 
-		$usertotest = (!empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : GETPOST("username", "alpha", $allowedmethodtopostusername));
 
+		$usertotest = (!empty($_COOKIE['login_dolibarr']) ? preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['login_dolibarr']) : GETPOST("username", "alpha", $allowedmethodtopostusername));
 
 		$passwordtotest = GETPOST('password', 'none', $allowedmethodtopostusername);
 
 		$entitytotest = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));

+ 3 - 3
htdocs/takepos/index.php
View File 

@@ -48,7 +48,7 @@ $setterminal = GETPOST('setterminal', 'int');
 
 if ($_SESSION["takeposterminal"] == "")
 
 {
 
 	if ($conf->global->TAKEPOS_NUM_TERMINALS == "1") $_SESSION["takeposterminal"] = 1; // Use terminal 1 if there is only 1 terminal
 
-	elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = $_COOKIE["takeposterminal"]; // Restore takeposterminal from previous session
 
+	elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE["takeposterminal"]); // Restore takeposterminal from previous session
 
 }
 
 
 if ($setterminal > 0)
 
@@ -544,7 +544,7 @@ function Search2(keyCodeForEnter) {
 
 				if ($('#search').val() == data[0]['barcode'] && 'thirdparty' == data[0]['object']) {
 
 					console.log("There is only 1 answer with barcode matching the search, so we change the thirdparty "+data[0]['rowid']);
 
 					ChangeThirdparty(data[0]['rowid']);
 
-				} 
+				}
 
 				else if ($('#search').val() == data[0]['barcode'] && 'product' == data[0]['object']) {
 
 					console.log("There is only 1 answer with barcode matching the search, so we add the product in basket");
 
 					ClickProduct(0);
 
@@ -562,7 +562,7 @@ function Search2(keyCodeForEnter) {
 
 			}
 
 		});
 
 	}
 
-	
+
 
 }
 
 
 function Edit(number) {