Commit 89ae9de7 authored by François Jacquet's avatar François Jacquet

Fix #291 XSS Use URLEscape() for forms action

parent 45ed0248
......@@ -8,6 +8,7 @@ Changes in 6.8
- Fix Sunday is number 7 in EntryTimes.php
- Fix SQL error multiple rows returned by subquery in CreateParents.php
- Fix #291 XSS Use URLEscape() for links href, program wide
- Fix #291 XSS Use URLEscape() for forms action, program wide
- Fix hide remove button for "No Address" in Address.inc.php
- Prompt() make Cancel primary button in Prompts.php
- Fix SQL error foreign keys: Roll again Courses when rolling Marking Periods in Rollover.php
......
......@@ -14,7 +14,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
// Set end date.
$end_date = RequestedDate( 'end', DBDate() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
$header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
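Review bot: URLEscape() is now the only barrier between request-controlled values and the double-quoted action attribute on the new line, so the review should confirm that it encodes at least `"`, `<`, `>` and `&` for the HTML attribute context and that no caller drops its result into a single-quoted attribute; the function's definition is not part of this commit. The reflection of `$_REQUEST['modname']` (and of `$_REQUEST['student_id']`, `$_REQUEST['table']` and `$_REQUEST['list_by_day']` in the later hunks) stays in the URL, which is acceptable for the XSS fix but means the module name is echoed back from the request even though each file knows its own module; where the target is fixed, writing it literally as the DuplicateAttendance hunk does (`Modules.php?modname=Attendance/DuplicateAttendance.php`) removes the untrusted input from the attribute entirely. The same remark applies to every other form-action hunk in this commit.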
......
......@@ -7,7 +7,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
// Set end date.
$end_date = RequestedDate( 'end', DBDate() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
$header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
( ! isset( $_REQUEST['accounting'] )
......
......@@ -143,7 +143,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( ! $_REQUEST['print_statements'] && AllowEdit() )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
$options = array();
}
......
......@@ -136,7 +136,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( AllowEdit() )
{
......
......@@ -138,7 +138,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( AllowEdit() )
{
......
......@@ -156,7 +156,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] )
&& AllowEdit() )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
$options = array();
}
......
......@@ -155,7 +155,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Absences to Selected Students' ) ) );
......
......@@ -99,7 +99,7 @@ if ( isset( $_REQUEST['student_id'] ) && $_REQUEST['student_id'] !== 'new' )
ORDER BY p.SORT_ORDER", $functions );
$columns = array( 'PERIOD_TITLE' => _( 'Period' ), 'COURSE' => _( 'Course' ), 'ATTENDANCE_CODE' => _( 'Attendance Code' ), 'ATTENDANCE_TEACHER_CODE' => _( 'Teacher\'s Entry' ), 'ATTENDANCE_REASON' => _( 'Comments' ) );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] ) . '" method="POST">';
DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
DrawHeader( PrepareDate( $date, '_date' ) );
ListOutput( $schedule_RET, $columns, _( 'Course' ), _( 'Courses' ) );
......@@ -186,7 +186,7 @@ else
$extra['columns_after']['PERIOD_' . $period['PERIOD_ID']] = $period['SHORT_NAME'];
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
if ( $REQ_codes )
......
......@@ -258,7 +258,7 @@ if ( ! $_REQUEST['modfunc'] )
$LO_RET = DBGet( $sql, $functions );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
echo '<br />';
......
......@@ -235,7 +235,7 @@ if ( isset( $_REQUEST['search_modfunc'] )
echo ErrorMessage( $note, 'note' );
echo '<form action="Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Delete' ) ) );
......
......@@ -46,7 +46,7 @@ if ( ! $_REQUEST['modfunc'] )
$extra['WHERE'] .= CustomFields( 'where', 'student', $extra );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] . '" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] ) . '" method="GET">';
$advanced_link = 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=search&list_by_day=' . $_REQUEST['list_by_day'] .
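Review bot: `$advanced_link` on the two lines after the changed form action is built from the same `$_REQUEST['modname']` and `$_REQUEST['list_by_day']` values, and this hunk does not show it passing through URLEscape() when it is output; the statement continues past the hunk, so confirm that the href it lands in is escaped the same way the action attribute now is (the "links href" changelog entry suggests it may already be). If it is not, `'<a href="' . URLEscape( $advanced_link ) . '">'` at the output site is the matching change.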
......
......@@ -37,7 +37,7 @@ if ( empty( $categories_RET ) )
DrawHeader( $cp_title );
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
echo '</form>';
......@@ -126,8 +126,8 @@ if ( $fatal_warning )
DrawHeader( $cp_title );
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader(
PrepareDate(
......@@ -336,8 +336,8 @@ if ( ! empty( $daily_comment ) )
);
}
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( $cp_title, SubmitButton() );
......
......@@ -49,7 +49,7 @@ foreach ( (array) $periods_RET as $id => $period )
$period_select .= "</select>";
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="GET">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . ' - ' . $period_select );
DrawHeader( '', $category_select );
echo '</form>';
......
......@@ -281,9 +281,9 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
'&_ROSARIO_PDF=true" method="POST">';
'&_ROSARIO_PDF=true' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Create Attendance Report for Selected Students' ) );
}
......
......@@ -40,7 +40,7 @@ elseif ( isset( $_POST['email_column'] ) )
if ( empty( $email_column ) )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
//get Student / Address fields
$student_columns = DBGet( "SELECT 's.CUSTOM_' || f.ID AS COLUMN, f.TITLE, c.TITLE AS CATEGORY
......@@ -344,7 +344,7 @@ if ( ! $_REQUEST['modfunc'] && ! empty( $email_column ) )
{
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Create Parent Accounts for Selected Students' ) );
......
......@@ -139,7 +139,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' )
{
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Notify Selected Parents' ) );
$extra['extra_header_left'] = '<table class="width-100p">';
......
......@@ -58,7 +58,7 @@ if ( User( 'PROFILE' ) === 'admin' )
echo ErrorMessage( $error );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
// Preview header.
DrawHeader( RegistrationAdminPreviewHeader(), SubmitButton() );
......@@ -163,7 +163,7 @@ else
echo ErrorMessage( $error );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( RegistrationIntroHeader(), SubmitButton() );
......
......@@ -98,10 +98,10 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' )
{
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
'&_search_all_schools=' . issetVal( $_REQUEST['_search_all_schools'], '' ) .
'&accessfunc=' . $accessfunc . '" method="POST">';
'&accessfunc=' . $accessfunc ) . '" method="POST">';
$extra['header_right'] = SubmitButton( $button_label );
......
......@@ -223,7 +223,7 @@ if ( ! $_REQUEST['modfunc'] )
'DATA_TYPE' => _makeType( '', 'DATA_TYPE' ),
);
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() );
......