Fix #291 XSS Use URLEscape() for forms action

CHANGES.md

@@ -8,6 +8,7 @@ Changes in 6.8
 - Fix Sunday is number 7 in EntryTimes.php
 - Fix SQL error multiple rows returned by subquery in CreateParents.php
 - Fix #291 XSS Use URLEscape() for links href, program wide
+- Fix #291 XSS Use URLEscape() for forms action, program wide
 - Fix hide remove button for "No Address" in Address.inc.php
 - Prompt() make Cancel primary button in Prompts.php
 - Fix SQL error foreign keys: Roll again Courses when rolling Marking Periods in Rollover.php

modules/Accounting/DailyTotals.php

@@ -14,7 +14,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
 // Set end date.
 $end_date = RequestedDate( 'end', DBDate() );
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
 
 
 $header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .

modules/Accounting/DailyTransactions.php

@@ -7,7 +7,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
 // Set end date.
 $end_date = RequestedDate( 'end', DBDate() );
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
 
 $header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
 ( ! isset( $_REQUEST['accounting'] )

modules/Accounting/Expenses.php

@@ -143,7 +143,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	if ( ! $_REQUEST['print_statements'] && AllowEdit() )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 		DrawHeader( '', SubmitButton() );
 		$options = array();
 	}

modules/Accounting/Incomes.php

@@ -136,7 +136,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	if ( empty( $_REQUEST['print_statements'] ) )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 
 		if ( AllowEdit() )
 		{

modules/Accounting/Salaries.php

@@ -138,7 +138,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
 
 	if ( empty( $_REQUEST['print_statements'] ) )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 
 		if ( AllowEdit() )
 		{

modules/Accounting/StaffPayments.php

@@ -156,7 +156,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
 	if ( empty( $_REQUEST['print_statements'] )
 		&& AllowEdit() )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 		DrawHeader( '', SubmitButton() );
 		$options = array();
 	}

modules/Attendance/AddAbsences.php

@@ -155,7 +155,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 
 		DrawHeader( '', SubmitButton( _( 'Add Absences to Selected Students' ) ) );
 

modules/Attendance/Administration_fast.old.php

@@ -99,7 +99,7 @@ if ( isset( $_REQUEST['student_id'] ) && $_REQUEST['student_id'] !== 'new' )
 	ORDER BY p.SORT_ORDER", $functions );
 
 	$columns = array( 'PERIOD_TITLE' => _( 'Period' ), 'COURSE' => _( 'Course' ), 'ATTENDANCE_CODE' => _( 'Attendance Code' ), 'ATTENDANCE_TEACHER_CODE' => _( 'Teacher\'s Entry' ), 'ATTENDANCE_REASON' => _( 'Comments' ) );
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id']  ) . '" method="POST">';
 	DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
 	DrawHeader( PrepareDate( $date, '_date' ) );
 	ListOutput( $schedule_RET, $columns, _( 'Course' ), _( 'Courses' ) );
@@ -186,7 +186,7 @@ else
 		$extra['columns_after']['PERIOD_' . $period['PERIOD_ID']] = $period['SHORT_NAME'];
 	}
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 	DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
 
 	if ( $REQ_codes )

modules/Attendance/AttendanceCodes.php

@@ -258,7 +258,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	$LO_RET = DBGet( $sql, $functions );
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table']  ) . '" method="POST">';
 	DrawHeader( '', SubmitButton() );
 	echo '<br />';
 

modules/Attendance/DuplicateAttendance.php

@@ -235,7 +235,7 @@ if ( isset( $_REQUEST['search_modfunc'] )
 
 		echo ErrorMessage( $note, 'note' );
 
-		echo '<form action="Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true' ) . '" method="POST">';
 
 		DrawHeader( '', SubmitButton( _( 'Delete' ) ) );
 

modules/Attendance/Percent.php

@@ -46,7 +46,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	$extra['WHERE'] .= CustomFields( 'where', 'student', $extra );
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] . '" method="GET">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day']  ) . '" method="GET">';
 
 	$advanced_link = 'Modules.php?modname=' . $_REQUEST['modname'] .
 		'&modfunc=search&list_by_day=' . $_REQUEST['list_by_day'] .

modules/Attendance/TakeAttendance.php

@@ -37,7 +37,7 @@ if ( empty(  $categories_RET  ) )
 		DrawHeader( $cp_title );
 	}
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table']  ) . '" method="POST">';
 	DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
 	echo '</form>';
 
@@ -126,8 +126,8 @@ if ( $fatal_warning )
 		DrawHeader( $cp_title );
 	}
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
-		'&table=' . $_REQUEST['table'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
+		'&table=' . $_REQUEST['table']  ) . '" method="POST">';
 
 	DrawHeader(
 		PrepareDate(
@@ -336,8 +336,8 @@ if ( ! empty( $daily_comment ) )
 	);
 }
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
-	'&table=' . $_REQUEST['table'] . '" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
+	'&table=' . $_REQUEST['table']  ) . '" method="POST">';
 
 DrawHeader( $cp_title, SubmitButton() );
 

modules/Attendance/TeacherCompletion.php

@@ -49,7 +49,7 @@ foreach ( (array) $periods_RET as $id => $period )
 
 $period_select .= "</select>";
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="GET">';
 DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . ' - ' . $period_select );
 DrawHeader( '', $category_select );
 echo '</form>';

modules/Custom/AttendanceSummary.php

@@ -281,9 +281,9 @@ if ( ! $_REQUEST['modfunc'] )
 
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
 			'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
-			'&_ROSARIO_PDF=true" method="POST">';
+			'&_ROSARIO_PDF=true' ) . '" method="POST">';
 
 		$extra['header_right'] = SubmitButton( _( 'Create Attendance Report for Selected Students' ) );
 	}

modules/Custom/CreateParents.php

@@ -40,7 +40,7 @@ elseif ( isset( $_POST['email_column'] ) )
 
 if ( empty( $email_column ) )
 {
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 
 	//get Student / Address fields
 	$student_columns = DBGet( "SELECT 's.CUSTOM_' || f.ID AS COLUMN, f.TITLE, c.TITLE AS CATEGORY
@@ -344,7 +344,7 @@ if ( ! $_REQUEST['modfunc'] && ! empty( $email_column ) )
 {
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 
 		$extra['header_right'] = SubmitButton( _( 'Create Parent Accounts for Selected Students' ) );
 

modules/Custom/NotifyParents.php

@@ -139,7 +139,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' )
 {
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 		$extra['header_right'] = SubmitButton( _( 'Notify Selected Parents' ) );
 
 		$extra['extra_header_left'] = '<table class="width-100p">';

modules/Custom/Registration.php

@@ -58,7 +58,7 @@ if ( User( 'PROFILE' ) === 'admin' )
 
 		echo ErrorMessage( $error );
 
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 
 		// Preview header.
 		DrawHeader( RegistrationAdminPreviewHeader(), SubmitButton() );
@@ -163,7 +163,7 @@ else
 
 		echo ErrorMessage( $error );
 
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 
 		DrawHeader( RegistrationIntroHeader(), SubmitButton() );
 

modules/Custom/RemoveAccess.php

@@ -98,10 +98,10 @@ if ( ! $_REQUEST['modfunc'] )
 
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
 			'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
 			'&_search_all_schools=' . issetVal( $_REQUEST['_search_all_schools'], '' ) .
-			'&accessfunc=' . $accessfunc . '" method="POST">';
+			'&accessfunc=' . $accessfunc  ) . '" method="POST">';
 
 		$extra['header_right'] = SubmitButton( $button_label );
 

modules/Discipline/DisciplineForm.php

@@ -223,7 +223,7 @@ if ( ! $_REQUEST['modfunc'] )
 		'DATA_TYPE' => _makeType( '', 'DATA_TYPE' ),
 	);
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 
 	DrawHeader( '', SubmitButton() );
 

modules/Discipline/MakeReferral.php

@@ -145,8 +145,8 @@ if ( ! $_REQUEST['modfunc'] )
 		//FJ teachers need AllowEdit (to edit the input fields)
 		$_ROSARIO['allow_edit'] = true;
 
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
-			'&modfunc=save&include_inactive=' . $_REQUEST['include_inactive'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
+			'&modfunc=save&include_inactive=' . $_REQUEST['include_inactive']  ) . '" method="POST">';
 
 		DrawHeader( '', SubmitButton( _( 'Add Referral for Selected Students' ) ) );
 

modules/Discipline/Referrals.php

@@ -172,7 +172,7 @@ if ( ! $_REQUEST['modfunc']
 	{
 		$RET = $RET[1];
 
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&referral_id=' . $_REQUEST['referral_id'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&referral_id=' . $_REQUEST['referral_id']  ) . '" method="POST">';
 
 		DrawHeader( '', SubmitButton() );
 

modules/Eligibility/Activities.php

@@ -106,7 +106,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	$link['remove']['variables'] = array( 'id' => 'ID' );
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
 
 	DrawHeader( '', SubmitButton() );
 

modules/Eligibility/AddActivity.php

@@ -54,7 +54,7 @@ echo ErrorMessage( $error );
 
 if ( $_REQUEST['search_modfunc'] === 'list' )
 {
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 	DrawHeader( '', SubmitButton( _( 'Add Activity to Selected Students' ) ) );
 	echo '<br />';
 

modules/Eligibility/EnterEligibility.php

@@ -198,7 +198,7 @@ $stu_RET = GetStuList( $extra );
 
 DrawHeader( ProgramTitle() );
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 
 if ( $today > $END_DAY
 	| $today < $START_DAY

modules/Eligibility/EntryTimes.php

@@ -85,7 +85,7 @@ else
 }
 
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 
 PopTable( 'header', _( 'Allow Eligibility Posting' ) );
 

modules/Eligibility/Student.php

@@ -142,9 +142,9 @@ if ( UserStudentID()
 		'END_DATE' => ' ',
 	);
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] .
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
 		'&modfunc=add&start_date=' . issetVal( $_REQUEST['start_date'], '' ) .
-		'" method="POST">';
+		'' ) . '" method="POST">';
 
 	$columns = array(
 		'TITLE' => _( 'Activity' ),

modules/Eligibility/TeacherCompletion.php

@@ -52,7 +52,7 @@ foreach ( (array) $periods_RET as $period )
 
 $period_select .= '</select>';
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="GET">';
 
 $begin_year = DBGetOne( "SELECT min(date_part('epoch',SCHOOL_DATE)) AS SCHOOL_DATE
 	FROM ATTENDANCE_CALENDAR

modules/Food_Service/AssignSchool.php

@@ -63,7 +63,7 @@ $staff_RET = DBGet( "SELECT fst.TRANSACTION_ID,fst.STAFF_ID,fst.SYEAR,
 //echo '<pre>'; var_dump($students_RET); echo '</pre>';
 //echo '<pre>'; var_dump($users_RET); echo '</pre>';
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
 DrawHeader( '', SubmitButton() );
 $columns = array( 'TRANSACTION_ID' => _( 'ID' ), 'ACCOUNT_ID' => _( 'Account ID' ), 'SYEAR' => _( 'School Year' ), 'FULL_NAME' => _( 'Student' ), 'STUDENTS' => _( 'Students' ), 'SCHOOL_ID' => _( 'School' ) );
 ListOutput( $students_RET, $columns, 'Student Transaction w/o School', 'Student Transactions w/o School', false, array(), array( 'save' => false, 'search' => false ) );

modules/Food_Service/DailyMenus.php

@@ -301,8 +301,8 @@ else
 
 	$LO_columns = array( 'ID' => _( 'ID' ), 'SCHOOL_DATE' => _( 'Date' ), 'DESCRIPTION' => _( 'Description' ) );
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] .
-		'&month=' . $_REQUEST['month'] . '&year=' . $_REQUEST['year'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] .
+		'&month=' . $_REQUEST['month'] . '&year=' . $_REQUEST['year']  ) . '" method="POST">';
 
 	DrawHeader(
 		PrepareDate(

modules/Food_Service/MenuItems.php

@@ -387,7 +387,7 @@ if ( ! $_REQUEST['modfunc'] )
 	$LO_ret = DBGet( $sql, $functions );
 	//echo '<pre>'; var_dump($LO_ret); echo '</pre>';
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id']  ) . '" method="POST">';
 	DrawHeader( '', SubmitButton() );
 	echo '<br />';
 

modules/Food_Service/Menus.php

@@ -257,7 +257,7 @@ if ( ! $_REQUEST['modfunc'] )
 
 	$LO_ret = DBGet( $sql, $functions );
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&tab_id=' . $_REQUEST['tab_id']  ) . '" method="POST">';
 	DrawHeader( '', SubmitButton() );
 	echo '<br />';
 

modules/Food_Service/Students/Accounts.php

@@ -138,7 +138,7 @@ if ( UserStudentID() && ! $_REQUEST['modfunc'] )
 		AND SYEAR='" . UserSyear() . "'
 		AND (START_DATE<=CURRENT_DATE AND (END_DATE IS NULL OR CURRENT_DATE<=END_DATE)))" ) );
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
 
 	DrawHeader(
 		CheckBoxOnclick(

modules/Food_Service/Students/Reminders.php

@@ -191,7 +191,7 @@ if ( ! $_REQUEST['modfunc'] )
 {
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true' ) . '" method="POST">';
 		//DrawHeader('',SubmitButton('Create Reminders for Selected Students'));
 		//FJ add translation
 		$extra['header_right'] = SubmitButton( _( 'Create Reminders for Selected Students' ) );

modules/Food_Service/Students/ServeMenus.php

@@ -114,7 +114,7 @@ if ( UserStudentID() && ! $_REQUEST['modfunc'] )
 
 	$student = $student[1];
 
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=submit&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=submit&menu_id=' . $_REQUEST['menu_id']  ) . '" method="POST">';
 
 	DrawHeader(
 		'',
@@ -235,7 +235,7 @@ if ( UserStudentID() && ! $_REQUEST['modfunc'] )
 		);
 
 		echo '<br />';
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id']  ) . '" method="POST">';
 
 		ListOutput( $LO_ret, $columns, 'Item', 'Items', $link, array(), $extra );
 

modules/Food_Service/Students/Transactions.php

@@ -89,7 +89,7 @@ if ( UserStudentID()
 	$student = $student[1];
 
 	//$PHP_tmp_SELF = PreparePHP_SELF();
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
 
 	DrawHeader( '', ResetButton( _( 'Cancel' ) ) . SubmitButton() );
 

modules/Food_Service/TakeMenuCounts.php

@@ -56,7 +56,7 @@ $calendar_RET = DBGet( "SELECT MINUTES FROM ATTENDANCE_CALENDAR WHERE CALENDAR_I
 
 if ( ! $calendar_RET[1]['MINUTES'] )
 {
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id']  ) . '" method="POST">';
 	DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
 	echo '</form>';
 	ErrorMessage( array( _( 'The selected date is not a school day!' ) ), 'fatal' );
@@ -64,7 +64,7 @@ if ( ! $calendar_RET[1]['MINUTES'] )
 
 if ( GetCurrentMP( $course_RET[1]['MP'], $date ) != $course_RET[1]['MARKING_PERIOD_ID'] )
 {
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id']  ) . '" method="POST">';
 	DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
 	echo '</form>';
 	ErrorMessage( array( _( 'This period does not meet in the marking period of the selected date.' ) ), 'fatal' );
@@ -90,7 +90,7 @@ switch ( $day )
 
 if ( mb_strpos( $days, $day ) === false )
 {
-	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] . '" method="POST">';
+	echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table']  ) . '" method="POST">';
 	DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
 	echo '</form>';
 	ErrorMessage( array( _( 'This period does not meet on the selected date.' ) ), 'fatal' );
@@ -156,7 +156,7 @@ if ( $completed[1]['COMPLETED'] )
 	$note[] = button( 'check' ) . _( 'You have taken lunch counts today for this period.' );
 }
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . $date_note, SubmitButton() );
 
 echo ErrorMessage( $note, 'note' );

modules/Food_Service/TeacherCompletion.php

@@ -145,11 +145,11 @@ if ( empty( $_REQUEST['period'] ) )
 	}
 }
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname']  ) . '" method="POST">';
 DrawHeader( PrepareDate( $date, '_date' ) . ' : ' . $period_select . ' : <input type=submit value=' . _( 'Go' ) . '>' );
 echo '</form>';
 
-echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id'] . '" method="POST">';
+echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=add&menu_id=' . $_REQUEST['menu_id']  ) . '" method="POST">';
 
 if ( count( (array) $menus_RET ) > 1 )
 {

modules/Food_Service/Users/Accounts.php

@@ -152,7 +152,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
 
 	if ( $staff['ACCOUNT_ID'] )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
 
 		DrawHeader(
 			'',
@@ -165,7 +165,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
 	}
 	else
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=create" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=create' ) . '" method="POST">';
 		DrawHeader( '', SubmitButton( _( 'Create Account' ) ) );
 	}
 

modules/Food_Service/Users/Reminders.php

@@ -101,7 +101,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' )
 {
 	if ( $_REQUEST['search_modfunc'] === 'list' )
 	{
-		echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true" method="POST">';
+		echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save&_ROSARIO_PDF=true' ) . '" method="POST">';
 		DrawHeader( '', SubmitButton( _( 'Create Reminders for Selected Users' ) ) );
 	}
 

modules/Food_Service/Users/ServeMenus.php

@@ -69,7 +69,7 @@ if ( UserStaffID()
 
 	$staff = $staff[1];