
FIX #yogosha11755

Laurent Destailleur 2 years ago
parent
commit
f0090ef928

+ 4 - 0
htdocs/public/emailing/mailing-unsubscribe.php

@@ -157,6 +157,10 @@ if (!empty($tag) && ($unsuscrib == '1')) {
 
 	header("Content-type: text/html; charset=".$conf->file->character_set_client);
 
+	// Security options
+	header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
+	header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+
 	print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';
 	print "\n";
 	print "<html>\n";
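Review bot: The comment on the new X-Frame-Options line, `// Frames allowed only if on same domain (stop some XSS attacks)`, misnames the threat: restricting who may frame the page mitigates clickjacking, not cross-site scripting, and the same comment is repeated in test_arrays.php, test_badges.php, test_csrf.php, test_exec.php and test_sessionlock.php. I would change it to `// Frames allowed only from the same origin (mitigates clickjacking)`. X-Frame-Options is still honoured by current browsers but is superseded by the CSP `frame-ancestors` directive, so a `Content-Security-Policy: frame-ancestors 'self'` header sent alongside it would cover clients that only apply CSP; whether main.inc.php already emits one for this public page is not visible here. The headers are sent only inside the `if (!empty($tag) && ($unsuscrib == '1'))` branch named in the hunk header, and that block starts before the hunk, so any other response path of this script presumably still goes out without them — worth confirming.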

+ 2 - 10
htdocs/public/members/public_card.php

@@ -147,16 +147,8 @@ $db->close();
  */
 function llxHeaderVierge($title, $head = "")
 {
-	global $user, $conf, $langs;
-
-	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-	print "<html>\n";
-	print "<head>\n";
-	print "<title>".$title."</title>\n";
-	if ($head) {
-		print $head."\n";
-	}
-	print "</head>\n";
+	top_htmlhead($head, $title);
+
 	print '<body class="public_body">'."\n";
 }
 
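Review bot: `llxHeaderVierge` now hands `$title` to `top_htmlhead` instead of printing it raw inside `<title>` as the removed lines did; since `top_htmlhead` is defined outside this diff, it is worth confirming that it HTML-escapes the title, otherwise the previous unescaped interpolation has only been relocated. The function's docblock closes at the `*/` on the first context line, so it starts before the hunk; it should state whether `$title` and `$head` are expected as plain text or as already-built HTML, e.g. `@param string $title Page title, plain text` and `@param string $head Extra HTML inserted into <head> as-is`. Dropping `global $user, $conf, $langs;` is correct, as the remaining body no longer references any of them. The identical rewrite of `llxHeaderVierge` in public_list.php (its first hunk) has the same open question.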

+ 9 - 17
htdocs/public/members/public_list.php

@@ -65,16 +65,8 @@ $langs->loadLangs(array("main", "members", "companies", "other"));
  */
 function llxHeaderVierge($title, $head = "")
 {
-	global $user, $conf, $langs;
-
-	header("Content-type: text/html; charset=".$conf->file->character_set_client);
-	print "<html>\n";
-	print "<head>\n";
-	print "<title>".$title."</title>\n";
-	if ($head) {
-		print $head."\n";
-	}
-	print "</head>\n";
+	top_htmlhead($head, $title);
+
 	print '<body class="public_body">'."\n";
 }
 
@@ -151,13 +143,13 @@ if ($result) {
 	print '<table class="public_border centpercent">';
 
 	print '<tr class="public_liste_titre">';
-	print '<td><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=firstname">'.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).'</a></td>';
-	print '<td><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=societe">'.$langs->trans("Company").'</a></td>'."\n";
+	print '<th class="left"><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=firstname">'.dolGetFirstLastname($langs->trans("Firstname"), $langs->trans("Lastname")).'</a></th>';
+	print '<th class="left"><a href="'.$_SERVER["PHP_SELF"].'?page='.$page.'&sortorder=ASC&sortfield=societe">'.$langs->trans("Company").'</a></th>'."\n";
 	//print_liste_field_titre("DateOfBirth", $_SERVER["PHP_SELF"],"birth",'',$param,$sortfield,$sortorder); // est-ce nécessaire ??
-	print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'public_');
-	print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'public_');
-	print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'public_');
-	print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'public_');
+	print_liste_field_titre("EMail", $_SERVER["PHP_SELF"], "email", '', $param, '', $sortfield, $sortorder, 'left public_');
+	print_liste_field_titre("Zip", $_SERVER["PHP_SELF"], "zip", "", $param, '', $sortfield, $sortorder, 'left public_');
+	print_liste_field_titre("Town", $_SERVER["PHP_SELF"], "town", "", $param, '', $sortfield, $sortorder, 'left public_');
+	print_liste_field_titre("Photo", $_SERVER["PHP_SELF"], "", "", $param, '', $sortfield, $sortorder, 'center public_');
 	print "</tr>\n";
 
 	while ($i < $num && $i < $conf->liste_limit) {
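Review bot: The rewritten `<th>` lines still build the column-header `href` from `$_SERVER["PHP_SELF"]` and `$page` with no attribute escaping; PHP_SELF can carry client-supplied path info, so unless main.inc.php normalises it before this point (not visible here) the value should go through an HTML-attribute escape, and `$page` should be cast to int at the same time, e.g. `'<th class="left"><a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?page='.((int) $page).'&amp;sortorder=ASC&amp;sortfield=firstname">'`. Writing the `&` separators as `&amp;` also keeps the attribute valid HTML. The `print_liste_field_titre` calls below receive the same `$_SERVER["PHP_SELF"]`, so whatever that helper does with its URL argument decides whether those links are covered too — worth checking rather than assuming.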
@@ -170,7 +162,7 @@ if ($result) {
 		print '<td>'.$objp->zip.'</td>'."\n";
 		print '<td>'.$objp->town.'</td>'."\n";
 		if (isset($objp->photo) && $objp->photo != '') {
-			print '<td>';
+			print '<td class="center">';
 			print $form->showphoto('memberphoto', $objp, 64);
 			print '</td>'."\n";
 		} else {

+ 4 - 0
htdocs/public/test/test_arrays.php

@@ -44,6 +44,10 @@ $usedolheader = 1; // 1 = Test inside a dolibarr page, 0 = Use hard coded header
 
 if (empty($usedolheader)) {
 	header("Content-type: text/html; charset=UTF8");
+
+	// Security options
+	header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
+	header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
 	?>
 	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 	<html>

+ 10 - 0
htdocs/public/test/test_badges.php

@@ -12,6 +12,16 @@ if ($dolibarr_main_prod) {
 	accessforbidden('Access forbidden when $dolibarr_main_prod is set to 1');
 }
 
+/*
+ * View
+ */
+
+header("Content-type: text/html; charset=UTF8");
+
+// Security options
+header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
+header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+
 ?>
 <!doctype html>
 <html lang="en">
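Review bot: The new `header("Content-type: text/html; charset=UTF8")` line uses `UTF8`, which is not the IANA-registered charset name; browsers accept it as a label alias, but other HTTP clients and validators may not, so `header("Content-Type: text/html; charset=UTF-8");` is the safer spelling. The same new line appears in test_csrf.php, test_exec.php and test_sessionlock.php (test_arrays.php already had it as a context line). Placing the headers after the `$dolibarr_main_prod` guard and before the `?>` that starts the HTML is correct, since `header()` must run before any output is sent.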

+ 0 - 0
htdocs/public/test/buttons.php → htdocs/public/test/test_buttons.php


+ 5 - 0
htdocs/public/test/test_csrf.php

@@ -34,6 +34,11 @@ if ($dolibarr_main_prod) {
  * View
  */
 
+header("Content-type: text/html; charset=UTF8");
+
+// Security options
+header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
+header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
 ?>
 
 This is a form to test if a CSRF exists into a Dolibarr page.<br>

+ 6 - 11
htdocs/public/test/test_exec.php

@@ -41,17 +41,6 @@ if (!defined("NOSESSION")) {
 	define("NOSESSION", '1');
 }
 
-print "*** SHOW SESSION STATUS<br>\n";
-print "Legend:<br>\n";
-print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."<br>\n";
-print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."<br>\n";
-print 'PHP_SESSION_ACTIVE='.PHP_SESSION_ACTIVE."<br>\n";
-print '<br>';
-
-print 'session_status='.session_status().' (before main.inc.php)<br>';
-
-print '<br><br>'."\n";
-
 require '../../main.inc.php';
 
 // Security
@@ -64,6 +53,12 @@ if ($dolibarr_main_prod) {
  * View
  */
 
+header("Content-type: text/html; charset=UTF8");
+
+// Security options
+header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
+header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+
 print "*** TEST READ OF /tmp/test.txt FILE<br>\n";
 
 $out='';

+ 11 - 0
htdocs/public/test/test_sessionlock.php

@@ -41,6 +41,17 @@ if (!defined("NOSESSION")) {
 	define("NOSESSION", '1');
 }
 
+
+// Special
+// We add header and output some content before the include of main.inc.php !!
+// Because we need to So we can make
+header("Content-type: text/html; charset=UTF8");
+
+// Security options
+header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
+header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+
+
 print "Legend:<br>\n";
 print 'PHP_SESSION_DISABLED='.PHP_SESSION_DISABLED."<br>\n";
 print 'PHP_SESSION_NONE='.PHP_SESSION_NONE."<br>\n";
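Review bot: The new comment ending in `// Because we need to So we can make` is an unfinished sentence, so the reason for the unusual ordering is lost on the reader. From the surrounding lines, the intent seems to be that headers and some body output are sent on purpose before main.inc.php is included (the include itself lies below this hunk), which is also why Content-Type and the security headers must be emitted here rather than left to the framework; I would replace the three comment lines with `// Special: headers and some output are sent on purpose BEFORE main.inc.php is included, so the page can show the session state before and after that include.` followed by `// Because output has already started, main.inc.php can no longer send headers, so Content-Type and the security headers are set here.` — confirm the first sentence matches the intent. The added blank lines at the top of the block and the two in a row before `print "Legend:` are a small style nit.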