Commit 89ae9de7 authored by François Jacquet

Fix #291 XSS Use URLEscape() for forms action

parent 45ed0248
......@@ -8,6 +8,7 @@ Changes in 6.8
- Fix Sunday is number 7 in EntryTimes.php
- Fix SQL error multiple rows returned by subquery in CreateParents.php
- Fix #291 XSS Use URLEscape() for links href, program wide
- Fix #291 XSS Use URLEscape() for forms action, program wide
- Fix hide remove button for "No Address" in Address.inc.php
- Prompt() make Cancel primary button in Prompts.php
- Fix SQL error foreign keys: Roll again Courses when rolling Marking Periods in Rollover.php
......
......@@ -14,7 +14,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
// Set end date.
$end_date = RequestedDate( 'end', DBDate() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
$header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
......
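Review bot: Whether this closes the attribute-injection vector depends on `URLEscape()` encoding `"` (and `&`, `<`, `>`) for the double-quoted `action` attribute, which cannot be checked from this hunk and is not stated at the call site; a comment such as `// Escape for HTML attribute context: modname comes from the request.` above the echo would record that contract for the identical rewrites in every other section of this commit. Separately, with `method="GET"` browsers replace the query string of `action` with the submitted fields, so `modname` and `accounting` only survive the submit if hidden inputs carry them — presumably they do further down, outside the hunk, but it is worth confirming.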
......@@ -7,7 +7,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
// Set end date.
$end_date = RequestedDate( 'end', DBDate() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
$header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
( ! isset( $_REQUEST['accounting'] )
......
......@@ -143,7 +143,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( ! $_REQUEST['print_statements'] && AllowEdit() )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
$options = array();
}
......
......@@ -136,7 +136,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( AllowEdit() )
{
......
......@@ -138,7 +138,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( AllowEdit() )
{
......
......@@ -156,7 +156,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] )
&& AllowEdit() )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
$options = array();
}
......
......@@ -155,7 +155,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Absences to Selected Students' ) ) );
......
......@@ -99,7 +99,7 @@ if ( isset( $_REQUEST['student_id'] ) && $_REQUEST['student_id'] !== 'new' )
ORDER BY p.SORT_ORDER", $functions );
$columns = array( 'PERIOD_TITLE' => _( 'Period' ), 'COURSE' => _( 'Course' ), 'ATTENDANCE_CODE' => _( 'Attendance Code' ), 'ATTENDANCE_TEACHER_CODE' => _( 'Teacher\'s Entry' ), 'ATTENDANCE_REASON' => _( 'Comments' ) );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] ) . '" method="POST">';
DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
DrawHeader( PrepareDate( $date, '_date' ) );
ListOutput( $schedule_RET, $columns, _( 'Course' ), _( 'Courses' ) );
......@@ -186,7 +186,7 @@ else
$extra['columns_after']['PERIOD_' . $period['PERIOD_ID']] = $period['SHORT_NAME'];
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
if ( $REQ_codes )
......
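Review bot: `$_REQUEST['student_id']` reaches the `action` verbatim in the first hunk, and the only check visible is the `!== 'new'` guard in the hunk header; escaping now covers the attribute context, but since the value is presumably an integer identifier, normalising it once (e.g. `$student_id = (int) $_REQUEST['student_id'];` after the guard) and using that in both the query above the hunk and the form action would remove the need to reason about every sink separately. The query that ends on the hunk's first line starts outside the view, so where `student_id` enters it cannot be checked here.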
......@@ -258,7 +258,7 @@ if ( ! $_REQUEST['modfunc'] )
$LO_RET = DBGet( $sql, $functions );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
echo '<br />';
......
......@@ -235,7 +235,7 @@ if ( isset( $_REQUEST['search_modfunc'] )
echo ErrorMessage( $note, 'note' );
echo '<form action="Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Delete' ) ) );
......
......@@ -46,7 +46,7 @@ if ( ! $_REQUEST['modfunc'] )
$extra['WHERE'] .= CustomFields( 'where', 'student', $extra );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] . '" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] ) . '" method="GET">';
$advanced_link = 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=search&list_by_day=' . $_REQUEST['list_by_day'] .
......
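Review bot: The `$advanced_link` string begun on the last two lines of the hunk concatenates `$_REQUEST['modname']` and `$_REQUEST['list_by_day']` exactly as the `action` above it does, but no `URLEscape()` call is visible around it; its construction and its output point lie outside the hunk, so if it is echoed into an `href` without passing through `URLEscape()` the same reflected sink remains one line below the fix. A check of where `$advanced_link` is printed would settle it.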
......@@ -37,7 +37,7 @@ if ( empty( $categories_RET ) )
DrawHeader( $cp_title );
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
echo '</form>';
......@@ -126,8 +126,8 @@ if ( $fatal_warning )
DrawHeader( $cp_title );
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader(
PrepareDate(
......@@ -336,8 +336,8 @@ if ( ! empty( $daily_comment ) )
);
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( $cp_title, SubmitButton() );
......
......@@ -49,7 +49,7 @@ foreach ( (array) $periods_RET as $id => $period )
$period_select .= "</select>";
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="GET">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . ' - ' . $period_select );
DrawHeader( '', $category_select );
echo '</form>';
......
......@@ -281,9 +281,9 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
'&_ROSARIO_PDF=true" method="POST">';
'&_ROSARIO_PDF=true' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Create Attendance Report for Selected Students' ) );
}
......
......@@ -40,7 +40,7 @@ elseif ( isset( $_POST['email_column'] ) )
if ( empty( $email_column ) )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
//get Student / Address fields
$student_columns = DBGet( "SELECT 's.CUSTOM_' || f.ID AS COLUMN, f.TITLE, c.TITLE AS CATEGORY
......@@ -344,7 +344,7 @@ if ( ! $_REQUEST['modfunc'] && ! empty( $email_column ) )
{
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Create Parent Accounts for Selected Students' ) );
......
......@@ -139,7 +139,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' )
{
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Notify Selected Parents' ) );
$extra['extra_header_left'] = '<table class="width-100p">';
......
......@@ -58,7 +58,7 @@ if ( User( 'PROFILE' ) === 'admin' )
echo ErrorMessage( $error );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
// Preview header.
DrawHeader( RegistrationAdminPreviewHeader(), SubmitButton() );
......@@ -163,7 +163,7 @@ else
echo ErrorMessage( $error );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( RegistrationIntroHeader(), SubmitButton() );
......
......@@ -98,10 +98,10 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
'&_search_all_schools=' . issetVal( $_REQUEST['_search_all_schools'], '' ) .
'&accessfunc=' . $accessfunc . '" method="POST">';
'&accessfunc=' . $accessfunc ) . '" method="POST">';
$extra['header_right'] = SubmitButton( $button_label );
......
......@@ -223,7 +223,7 @@ if ( ! $_REQUEST['modfunc'] )
'DATA_TYPE' => _makeType( '', 'DATA_TYPE' ),
);
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
......
......@@ -145,8 +145,8 @@ if ( ! $_REQUEST['modfunc'] )
//FJ teachers need AllowEdit (to edit the input fields)
$_ROSARIO['allow_edit'] = true;
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . $_REQUEST['include_inactive'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . $_REQUEST['include_inactive'] ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Referral for Selected Students' ) ) );
......
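Review bot: `$_REQUEST['include_inactive']` is read directly on the last changed line, whereas the equivalent forms elsewhere in this commit use `issetVal( $_REQUEST['include_inactive'], '' )`; when the parameter is absent this reads an undefined index (a PHP notice, with the same empty `include_inactive=` emitted either way). For consistency: `'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) ) . '" method="POST">';`.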
......@@ -172,7 +172,7 @@ if ( ! $_REQUEST['modfunc']
{
$RET = $RET[1];
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&referral_id=' . $_REQUEST['referral_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&referral_id=' . $_REQUEST['referral_id'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
......
......@@ -106,7 +106,7 @@ if ( ! $_REQUEST['modfunc'] )
$link['remove']['variables'] = array( 'id' => 'ID' );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
......
......@@ -54,7 +54,7 @@ echo ErrorMessage( $error );
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Activity to Selected Students' ) ) );
echo '<br />';
......
......@@ -198,7 +198,7 @@ $stu_RET = GetStuList( $extra );
DrawHeader( ProgramTitle() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( $today > $END_DAY
| $today < $START_DAY
......
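Review bot: The condition under the form, `$today > $END_DAY | $today < $START_DAY`, uses the bitwise `|` where a logical `||` is meant; on two booleans the result is still truthy or falsy as intended, but both operands are always evaluated and the intent is obscured, so `if ( $today > $END_DAY || $today < $START_DAY` reads as the author meant. This is unchanged context rather than part of the fix, and the condition continues outside the hunk.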
......@@ -85,7 +85,7 @@ else
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
PopTable( 'header', _( 'Allow Eligibility Posting' ) );
......
......@@ -142,9 +142,9 @@ if ( UserStudentID()
'END_DATE' => '&nbsp;',
);
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=add&start_date=' . issetVal( $_REQUEST['start_date'], '' ) .
'" method="POST">';
'' ) . '" method="POST">';
$columns = array(
'TITLE' => _( 'Activity' ),
......
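Review bot: The mechanical rewrite left a dangling `''` before the closing parenthesis on the last changed line (`'' ) . '" method="POST">'`), the remnant of the former `'" method="POST">'` tail; it is harmless but reads like a typo. The two changed lines can be collapsed to `'&modfunc=add&start_date=' . issetVal( $_REQUEST['start_date'], '' ) ) . '" method="POST">';`.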
......@@ -52,7 +52,7 @@ foreach ( (array) $periods_RET as $period )
$period_select .= '</select>';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="GET">';
$begin_year = DBGetOne( "SELECT min(date_part('epoch',SCHOOL_DATE)) AS SCHOOL_DATE
FROM ATTENDANCE_CALENDAR
......
......@@ -63,7 +63,7 @@ $staff_RET = DBGet( "SELECT fst.TRANSACTION_ID,fst.STAFF_ID,fst.SYEAR,
//echo '<pre>'; var_dump($students_RET); echo '</pre>';
//echo '<pre>'; var_dump($users_RET); echo '</pre>';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
$columns = array( 'TRANSACTION_ID' => _( 'ID' ), 'ACCOUNT_ID' => _( 'Account ID' ), 'SYEAR' => _( 'School Year' ), 'FULL_NAME' => _( 'Student' ), 'STUDENTS' => _( 'Students' ), 'SCHOOL_ID' => _( 'School' ) );
ListOutput( $students_RET, $columns, 'Student Transaction w/o School', 'Student Transactions w/o School', false, array(), array( 'save' => false, 'search' => false ) );
......
......@@ -301,8 +301,8 @@ else
$LO_columns = array( 'ID' => _( 'ID' ), 'SCHOOL_DATE' => _( 'Date' ), 'DESCRIPTION' => _( 'Description' ) );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] .
'&month=' . $_REQUEST['month'] . '&year=' . $_REQUEST['year'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] .
'&month=' . $_REQUEST['month'] . '&year=' . $_REQUEST['year'] ) . '" method="POST">';
DrawHeader(
PrepareDate(
......
......@@ -387,7 +387,7 @@ if ( ! $_REQUEST['modfunc'] )
$LO_ret = DBGet( $sql, $functions );
//echo '<pre>'; var_dump($LO_ret); echo '</pre>';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
echo '<br />';
......
......@@ -257,7 +257,7 @@ if ( ! $_REQUEST['modfunc'] )
$LO_ret = DBGet( $sql, $functions );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
echo '<br />';
......
......@@ -138,7 +138,7 @@ if ( UserStudentID() && ! $_REQUEST['modfunc'] )
AND SYEAR='" . UserSyear() . "'
AND (START_DATE<=CURRENT_DATE AND (END_DATE IS NULL OR CURRENT_DATE<=END_DATE)))" ) );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
DrawHeader(
CheckBoxOnclick(
......
......@@ -191,7 +191,7 @@ if ( ! $_REQUEST['modfunc'] )
{
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true' ) . '" method="POST">';
//DrawHeader('',SubmitButton('Create Reminders for Selected Students'));
//FJ add translation
$extra['header_right'] = SubmitButton( _( 'Create Reminders for Selected Students' ) );
......
......@@ -114,7 +114,7 @@ if ( UserStudentID() && ! $_REQUEST['modfunc'] )
$student = $student[1];
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=submit&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=submit&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';
DrawHeader(
'',
......@@ -235,7 +235,7 @@ if ( UserStudentID() && ! $_REQUEST['modfunc'] )
);
echo '<br />';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';
ListOutput( $LO_ret, $columns, 'Item', 'Items', $link, array(), $extra );
......
......@@ -89,7 +89,7 @@ if ( UserStudentID()
$student = $student[1];
//$PHP_tmp_SELF = PreparePHP_SELF();
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( '', ResetButton( _( 'Cancel' ) ) . SubmitButton() );
......
......@@ -56,7 +56,7 @@ $calendar_RET = DBGet( "SELECT MINUTES FROM ATTENDANCE_CALENDAR WHERE CALENDAR_I
if ( ! $calendar_RET[1]['MINUTES'] )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
echo '</form>';
ErrorMessage( array( _( 'The selected date is not a school day!' ) ), 'fatal' );
......@@ -64,7 +64,7 @@ if ( ! $calendar_RET[1]['MINUTES'] )
if ( GetCurrentMP( $course_RET[1]['MP'], $date ) != $course_RET[1]['MARKING_PERIOD_ID'] )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
echo '</form>';
ErrorMessage( array( _( 'This period does not meet in the marking period of the selected date.' ) ), 'fatal' );
......@@ -90,7 +90,7 @@ switch ( $day )
if ( mb_strpos( $days, $day ) === false )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
echo '</form>';
ErrorMessage( array( _( 'This period does not meet on the selected date.' ) ), 'fatal' );
......@@ -156,7 +156,7 @@ if ( $completed[1]['COMPLETED'] )
$note[] = button( 'check' ) . _( 'You have taken lunch counts today for this period.' );
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . $date_note, SubmitButton() );
echo ErrorMessage( $note, 'note' );
......
......@@ -145,11 +145,11 @@ if ( empty( $_REQUEST['period'] ) )
}
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date' ) . ' : ' . $period_select . ' : <input type=submit value=' . _( 'Go' ) . '>' );
echo '</form>';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';
if ( count( (array) $menus_RET ) > 1 )
{
......
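Review bot: The header line right after the first form, `'<input type=submit value=' . _( 'Go' ) . '>'`, emits an unquoted attribute value built from a translated string, so a translation of "Go" containing a space, quote or `>` breaks the markup or ends the attribute early. Other sections of this commit use `SubmitButton( _( '…' ) )` for the same purpose, so `SubmitButton( _( 'Go' ) )` in place of the hand-written input would keep the value quoted and consistent. This is unchanged context rather than part of the fix.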
......@@ -152,7 +152,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( $staff['ACCOUNT_ID'] )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
DrawHeader(
'',
......@@ -165,7 +165,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
}
else
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=create" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=create' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Create Account' ) ) );
}
......
......@@ -101,7 +101,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' )
{
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Create Reminders for Selected Users' ) ) );
}
......
......@@ -69,7 +69,7 @@ if ( UserStaffID()
$staff = $staff[1];
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=submit&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=submit&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';
DrawHeader(
'',
......@@ -172,7 +172,7 @@ if ( UserStaffID()
echo '<br />';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] ) . '" method="POST">';