Merge branch 'develop' of git@github.com:Dolibarr/dolibarr.git into

develop

htdocs/comm/action/index.php

@@ -2001,9 +2001,14 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
 								$nextindextouse++; // Prepare to use next color
 							}
 						}
-						//print '|'.($color).'='.($idusertouse?$idusertouse:0).'='.$colorindex.'<br>';
-						// Define color  // @suppress-next-line PhanPluginPrintfIncompatibleArgumentType
-						$color = sprintf("%02x%02x%02x", $theme_datacolor[$colorindex][0], $theme_datacolor[$colorindex][1], $theme_datacolor[$colorindex][2]);
+						if (isset($theme_datacolor[$colorindex])) {
+							$color = sprintf("%02x%02x%02x", $theme_datacolor[$colorindex][0], $theme_datacolor[$colorindex][1], $theme_datacolor[$colorindex][2]);
+						} elseif (getDolGlobalString('THEME_ELDY_BACKBODY')) {
+							require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
+							$color = colorArrayToHex(explode(',', getDolGlobalString('THEME_ELDY_BACKBODY')));
+						} else {
+							$color = "ffffff";
+						}
 					}
 					$cssclass = $cssclass.' eventday_'.$ymd;
 
@@ -2377,7 +2382,7 @@ function show_day_events($db, $day, $month, $year, $monthshown, $style, &$eventa
 function dol_color_minus($color, $minus, $minusunit = 16)
 {
 	$newcolor = $color;
-	if ($minusunit == 16) {
+	if ($minusunit == 16 && is_array($newcolor)) {
 		$newcolor[0] = dechex(max(min(hexdec($newcolor[0]) - $minus, 15), 0));
 		$newcolor[2] = dechex(max(min(hexdec($newcolor[2]) - $minus, 15), 0));
 		$newcolor[4] = dechex(max(min(hexdec($newcolor[4]) - $minus, 15), 0));

htdocs/compta/bank/class/paymentvarious.class.php

@@ -834,6 +834,7 @@ public function getKanbanView($option = '', $arraydata = null)
 
 		$selected = (empty($arraydata['selected']) ? 0 : $arraydata['selected']);
 		$bankline = ((empty($arraydata['bankline']) || empty($arraydata['bankline']->id)) ? 0 : $arraydata['bankline']);
+		$formatedaccountancycode = (empty($arraydata['formatedaccountancycode']) ? '' : $arraydata['formatedaccountancycode']);
 
 		$return = '<div class="box-flex-item box-flex-grow-zero">';
 		$return .= '<div class="info-box info-box-sm">';
@@ -854,9 +855,14 @@ public function getKanbanView($option = '', $arraydata = null)
 				$return .= ' - <span class="info-box-label">'.$this->type_payment.'</span>';
 			}
 		}
-		if (property_exists($this, 'accountancy_code')) {
+		if (!empty($formatedaccountancycode)) {
+			$return .= '<br><span class="opacitymedium">'.$langs->trans("Account").'</span> : <span class="info-box-label" title="'.$this->accountancy_code.'">';
+			$return .= $formatedaccountancycode;
+			$return .= '</span>';
+		} elseif (property_exists($this, 'accountancy_code')) {
 			$return .= '<br><span class="opacitymedium">'.$langs->trans("Account").'</span> : <span class="info-box-label" title="'.$this->accountancy_code.'">'.$this->accountancy_code.'</span>';
 		}
+
 		if (property_exists($this, 'amount')) {
 			$return .= '<br><span class="opacitymedium">'.$langs->trans("Debit").'</span> : <span class="info-box-label amount">'.price($this->amount).'</span>';
 		}

htdocs/compta/bank/various_payment/list.php

@@ -33,7 +33,9 @@
 require_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/accountancy/class/accountingaccount.class.php';
 require_once DOL_DOCUMENT_ROOT.'/accountancy/class/accountingjournal.class.php';
-require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
+if (isModEnabled('project')) {
+	require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
+}
 
 /**
  * @var Conf $conf
@@ -253,7 +255,7 @@
 if ($arrayfields['bank']['checked']) {
 	$accountstatic = new Account($db);
 }
-if ($arrayfields['project']['checked']) {
+if (isModEnabled('project') && $arrayfields['project']['checked']) {
 	$proj = new Project($db);
 }
 
@@ -548,7 +550,7 @@
 }
 
 // Project
-if ($arrayfields['project']['checked']) {
+if (isModEnabled('project') && $arrayfields['project']['checked']) {
 	print '<td class="liste_titre">';
 	// TODO
 	print '</td>';
@@ -653,7 +655,7 @@
 	print_liste_field_titre($arrayfields['type']['label'], $_SERVER["PHP_SELF"], 'type', '', $param, '', $sortfield, $sortorder, 'center ');
 	$totalarray['nbfield']++;
 }
-if ($arrayfields['project']['checked']) {
+if (isModEnabled('project') && $arrayfields['project']['checked']) {
 	print_liste_field_titre($arrayfields['project']['label'], $_SERVER["PHP_SELF"], 'fk_project', '', $param, '', $sortfield, $sortorder);
 	$totalarray['nbfield']++;
 }
@@ -716,25 +718,23 @@
 	$variousstatic->label = $obj->label;
 	$variousstatic->datep = $obj->datep;
 	$variousstatic->type_payment = $obj->payment_code;
-
+	$variousstatic->accountancy_code = $obj->accountancy_code;
 	$variousstatic->amount = $obj->amount;
 
-	$accountingaccount->fetch(0, $obj->accountancy_code, 1);
-	$variousstatic->accountancy_code = $accountingaccount->getNomUrl(0, 0, 1, $obj->accountingaccount, 1);
-
 	if ($mode == 'kanban') {
 		if ($obj->fk_bank > 0) {
 			$bankline->fetch($obj->fk_bank);
 		} else {
 			$bankline->id = 0;
 		}
+		$accountingaccount->fetch(0, $obj->accountancy_code, 1);
 
 		if ($i == 0) {
 			print '<tr class="trkanban"><td colspan="'.$savnbfield.'">';
 			print '<div class="box-flex-container kanban">';
 		}
 		// Output Kanban
-		print $variousstatic->getKanbanView('', array('selected' => in_array($object->id, $arrayofselected), 'bankline' => $bankline));
+		print $variousstatic->getKanbanView('', array('selected' => in_array($object->id, $arrayofselected), 'bankline' => $bankline, 'formatedaccountancycode' => $accountingaccount->getNomUrl(0, 0, 1, $obj->accountancy_code, 1)));
 		if ($i == ($imaxinloop) - 1) {
 			print '</div>';
 			print '</td></tr>';
@@ -805,7 +805,7 @@
 		}
 
 		// Project
-		if ($arrayfields['project']['checked']) {
+		if (isModEnabled('project') && $arrayfields['project']['checked']) {
 			print '<td class="nowraponall">';
 			if ($obj->fk_project > 0 && is_object($proj)) {
 				$proj->fetch($obj->fk_project);

htdocs/core/class/doleditor.class.php

@@ -205,6 +205,8 @@ public function Create($noprint = 0, $morejs = '', $disallowAnyContent = true, $
 		$found = 0;
 		$out = '';
 
+		$this->content = ($this->content ?? ''); // to avoid htmlspecialchars(): Passing null to parameter #1 ($string) of type string is deprecated
+
 		if (in_array($this->tool, array('textarea', 'ckeditor'))) {
 			$found = 1;
 			//$out.= '<textarea id="'.$this->htmlname.'" name="'.$this->htmlname.'" '.($this->readonly?' disabled':'').' rows="'.$this->rows.'"'.(preg_match('/%/',$this->cols)?' style="margin-top: 5px; width: '.$this->cols.'"':' cols="'.$this->cols.'"').' class="flat">';

htdocs/core/js/lib_head.js.php

@@ -1069,11 +1069,11 @@ function document_preview(file, type, title)
 
 		};
 		img.src = file;
-
 	}
 
+	/* This function is local to document_preview. Variables like file, type, title, object_width and object_height are global inside this function */
 	function show_preview(mode) {
-		/* console.log("mode="+mode+" file="+file+" type="+type+" width="+width+" height="+height); */
+		/* console.log("mode="+mode+" file="+file+" type="+type+" title=title+" width="+width+" height="+height); */
 		var newElem = '<object name="objectpreview" data="'+file+'" type="'+type+'" width="'+object_width+'" height="'+object_height+'" param="noparam"></object>';
 
 		optionsbuttons = {}

htdocs/core/lib/functions.lib.php

@@ -1903,6 +1903,20 @@ function dol_escape_js($stringtoescape, $mode = 0, $noescapebackslashn = 0)
 	return strtr($stringtoescape, $substitjs);
 }
 
+/**
+ *  Returns text escaped by RFC 3986 for inclusion into a clicable link.
+ *  This method can be used on the ...in links like href="javascript:..." because when clicking on such links, the browserfirst decode the strind
+ *  and then interpret content that can be javascript.
+ *  Usage of this escapement should be limited to links href="javascript:...". For common URL, use urlencode instead.
+ *
+ *  @param	string		$stringtoescape		String to escape
+ *  @return string							Escaped string.
+ */
+function dol_escape_uri($stringtoescape)
+{
+	return rawurlencode($stringtoescape);
+}
+
 /**
  *  Returns text escaped for inclusion into javascript code
  *
@@ -11853,12 +11867,13 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param
 	if ($isAllowedForPreview) {
 		$tmpurl = DOL_URL_ROOT.'/document.php?modulepart='.urlencode($modulepart).'&attachment=0&file='.urlencode($relativepath).($param ? '&'.$param : '');
 		$title = $langs->transnoentities("Preview");
-		//$title = '%27-alert(document.domain)-%27';
-		//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");
+		//$title = '%27-alert(document.domain)-%27';							// An example of js injection into a corrupted title string, that should be blocked by the dol_escape_uri().
+		//$tmpurl = 'file='.urlencode("'-alert(document.domain)-'_small.jpg");	// An example of tmpurl that should be blocked by the dol_escape_uri()
 
-		// We need to urlencode the parameter after the dol_escape_js($tmpurl) because  $tmpurl may contain n url with param file=abc%27def if file has a ' inside.
-		// and when we click on href with this javascript string, a urlcode is done by browser, converted the %27 of file param
-		return 'javascript:document_preview(\''.urlencode(dol_escape_js($tmpurl)).'\', \''.urlencode(dol_mimetype($relativepath)).'\', \''.urlencode(dol_escape_js($title)).'\')';
+		// We need to do a dol_escape_uri() on the full string after the javascript: because such parts are the URI and when we click on such links, a RFC3986 decode is done,
+		// by the browser, converting the %27 (like when having param file=abc%27def), or when having a corrupted title), into a ', BEFORE interpreting the content that can be a js code.
+		// Using the dol_escape_uri guarantee that we encode for URI so decode retrieve original expected value.
+		return 'javascript:'.dol_escape_uri('document_preview(\''.dol_escape_js($tmpurl).'\', \''.dol_escape_js(dol_mimetype($relativepath)).'\', \''.dol_escape_js($title).'\')');
 	} else {
 		return '';
 	}