Commit 89ae9de7 authored by François Jacquet's avatar François Jacquet

Fix #291 XSS Use URLEscape() for forms action

parent 45ed0248
...@@ -8,6 +8,7 @@ Changes in 6.8 ...@@ -8,6 +8,7 @@ Changes in 6.8
- Fix Sunday is number 7 in EntryTimes.php - Fix Sunday is number 7 in EntryTimes.php
- Fix SQL error multiple rows returned by subquery in CreateParents.php - Fix SQL error multiple rows returned by subquery in CreateParents.php
- Fix #291 XSS Use URLEscape() for links href, program wide - Fix #291 XSS Use URLEscape() for links href, program wide
- Fix #291 XSS Use URLEscape() for forms action, program wide
- Fix hide remove button for "No Address" in Address.inc.php - Fix hide remove button for "No Address" in Address.inc.php
- Prompt() make Cancel primary button in Prompts.php - Prompt() make Cancel primary button in Prompts.php
- Fix SQL error foreign keys: Roll again Courses when rolling Marking Periods in Rollover.php - Fix SQL error foreign keys: Roll again Courses when rolling Marking Periods in Rollover.php
......
...@@ -14,7 +14,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' ); ...@@ -14,7 +14,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
// Set end date. // Set end date.
$end_date = RequestedDate( 'end', DBDate() ); $end_date = RequestedDate( 'end', DBDate() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
$header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' . $header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
......
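Review bot: The escaped action still carries `modname` and `accounting` in its query string, but this form is `method="GET"`, and on submit the browser replaces the action's query with the form's own fields, so those parameters only reach Modules.php if hidden inputs repeat them (the `accounting` checkbox on the next line covers that one; nothing in the hunk re-emits `modname`). If the module does not add a hidden `modname` input further down, the escaping is correct but the parameter is dropped anyway; the robust form is `action="' . URLEscape( 'Modules.php' ) . '"` plus `<input type="hidden" name="modname" value="' . htmlspecialchars( $_REQUEST['modname'], ENT_QUOTES ) . '">`. The same question applies to the other GET forms in this commit: the identical second accounting file, the `list_by_day=` form and the two period-select forms.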
...@@ -7,7 +7,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' ); ...@@ -7,7 +7,7 @@ $start_date = RequestedDate( 'start', date( 'Y-m' ) . '-01' );
// Set end date. // Set end date.
$end_date = RequestedDate( 'end', DBDate() ); $end_date = RequestedDate( 'end', DBDate() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=" method="GET">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&accounting=' ) . '" method="GET">';
$header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' . $header_checkboxes = '<label><input type="checkbox" value="true" name="accounting" id="accounting" ' .
( ! isset( $_REQUEST['accounting'] ) ( ! isset( $_REQUEST['accounting'] )
......
...@@ -143,7 +143,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -143,7 +143,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( ! $_REQUEST['print_statements'] && AllowEdit() ) if ( ! $_REQUEST['print_statements'] && AllowEdit() )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
$options = array(); $options = array();
} }
......
...@@ -136,7 +136,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -136,7 +136,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) ) if ( empty( $_REQUEST['print_statements'] ) )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( AllowEdit() ) if ( AllowEdit() )
{ {
......
...@@ -138,7 +138,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] ) ...@@ -138,7 +138,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) ) if ( empty( $_REQUEST['print_statements'] ) )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( AllowEdit() ) if ( AllowEdit() )
{ {
......
...@@ -156,7 +156,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] ) ...@@ -156,7 +156,7 @@ if ( UserStaffID() && ! $_REQUEST['modfunc'] )
if ( empty( $_REQUEST['print_statements'] ) if ( empty( $_REQUEST['print_statements'] )
&& AllowEdit() ) && AllowEdit() )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
$options = array(); $options = array();
} }
......
...@@ -155,7 +155,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -155,7 +155,7 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' ) if ( $_REQUEST['search_modfunc'] === 'list' )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Absences to Selected Students' ) ) ); DrawHeader( '', SubmitButton( _( 'Add Absences to Selected Students' ) ) );
......
...@@ -99,7 +99,7 @@ if ( isset( $_REQUEST['student_id'] ) && $_REQUEST['student_id'] !== 'new' ) ...@@ -99,7 +99,7 @@ if ( isset( $_REQUEST['student_id'] ) && $_REQUEST['student_id'] !== 'new' )
ORDER BY p.SORT_ORDER", $functions ); ORDER BY p.SORT_ORDER", $functions );
$columns = array( 'PERIOD_TITLE' => _( 'Period' ), 'COURSE' => _( 'Course' ), 'ATTENDANCE_CODE' => _( 'Attendance Code' ), 'ATTENDANCE_TEACHER_CODE' => _( 'Teacher\'s Entry' ), 'ATTENDANCE_REASON' => _( 'Comments' ) ); $columns = array( 'PERIOD_TITLE' => _( 'Period' ), 'COURSE' => _( 'Course' ), 'ATTENDANCE_CODE' => _( 'Attendance Code' ), 'ATTENDANCE_TEACHER_CODE' => _( 'Teacher\'s Entry' ), 'ATTENDANCE_REASON' => _( 'Comments' ) );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=student&student_id=' . $_REQUEST['student_id'] ) . '" method="POST">';
DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' ); DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
DrawHeader( PrepareDate( $date, '_date' ) ); DrawHeader( PrepareDate( $date, '_date' ) );
ListOutput( $schedule_RET, $columns, _( 'Course' ), _( 'Courses' ) ); ListOutput( $schedule_RET, $columns, _( 'Course' ), _( 'Courses' ) );
...@@ -186,7 +186,7 @@ else ...@@ -186,7 +186,7 @@ else
$extra['columns_after']['PERIOD_' . $period['PERIOD_ID']] = $period['SHORT_NAME']; $extra['columns_after']['PERIOD_' . $period['PERIOD_ID']] = $period['SHORT_NAME'];
} }
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' ); DrawHeader( ProgramTitle(), '<input type="submit" value="' . _( 'Update' ) . '" />' );
if ( $REQ_codes ) if ( $REQ_codes )
......
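Review bot: URLEscape() only makes the attribute safe as HTML (judging by the commit title; its body is not visible here), so the `$_REQUEST['student_id']` spliced into the new action is still not URL-encoded: a value containing `&` or `=` alters the query parameters Modules.php receives instead of being carried as data. Encode each interpolated value before the whole string goes through URLEscape(), `'&modfunc=student&student_id=' . rawurlencode( $_REQUEST['student_id'] )`, or for numeric ids cast with `(int)`. The same applies to every other hunk that splices a request value besides `modname`: the `table=` forms, the `list_by_day=` form, the `include_inactive=` forms, the `referral_id=` form and the `menu_id`/`month`/`year` form at the end of the page. Since the `'<form action="' . URLEscape( 'Modules.php?modname=' ... ) . '" method=...'` pattern is repeated in every file touched here, one helper built on `http_build_query()` would centralise both the encoding and the escaping.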
...@@ -258,7 +258,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -258,7 +258,7 @@ if ( ! $_REQUEST['modfunc'] )
$LO_RET = DBGet( $sql, $functions ); $LO_RET = DBGet( $sql, $functions );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
echo '<br />'; echo '<br />';
......
...@@ -235,7 +235,7 @@ if ( isset( $_REQUEST['search_modfunc'] ) ...@@ -235,7 +235,7 @@ if ( isset( $_REQUEST['search_modfunc'] )
echo ErrorMessage( $note, 'note' ); echo ErrorMessage( $note, 'note' );
echo '<form action="Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=Attendance/DuplicateAttendance.php&modfunc=&search_modfunc=list&next_modname=Attendance/DuplicateAttendance.php&delete=true' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Delete' ) ) ); DrawHeader( '', SubmitButton( _( 'Delete' ) ) );
......
...@@ -46,7 +46,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -46,7 +46,7 @@ if ( ! $_REQUEST['modfunc'] )
$extra['WHERE'] .= CustomFields( 'where', 'student', $extra ); $extra['WHERE'] .= CustomFields( 'where', 'student', $extra );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] . '" method="GET">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&list_by_day=' . $_REQUEST['list_by_day'] ) . '" method="GET">';
$advanced_link = 'Modules.php?modname=' . $_REQUEST['modname'] . $advanced_link = 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=search&list_by_day=' . $_REQUEST['list_by_day'] . '&modfunc=search&list_by_day=' . $_REQUEST['list_by_day'] .
......
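Review bot: `$advanced_link` on the two lines after the form tag is assembled from the same `$_REQUEST['modname']` and `$_REQUEST['list_by_day']` values but is not passed through URLEscape() in this hunk, and the place where it is echoed is outside the hunk. It is worth confirming that the earlier "links href" change already escapes it at the output point; if not, `URLEscape( $advanced_link )` there keeps it consistent with the form action just above.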
...@@ -37,7 +37,7 @@ if ( empty( $categories_RET ) ) ...@@ -37,7 +37,7 @@ if ( empty( $categories_RET ) )
DrawHeader( $cp_title ); DrawHeader( $cp_title );
} }
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) ); DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) );
echo '</form>'; echo '</form>';
...@@ -126,8 +126,8 @@ if ( $fatal_warning ) ...@@ -126,8 +126,8 @@ if ( $fatal_warning )
DrawHeader( $cp_title ); DrawHeader( $cp_title );
} }
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] . '" method="POST">'; '&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( DrawHeader(
PrepareDate( PrepareDate(
...@@ -336,8 +336,8 @@ if ( ! empty( $daily_comment ) ) ...@@ -336,8 +336,8 @@ if ( ! empty( $daily_comment ) )
); );
} }
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&table=' . $_REQUEST['table'] . '" method="POST">'; '&table=' . $_REQUEST['table'] ) . '" method="POST">';
DrawHeader( $cp_title, SubmitButton() ); DrawHeader( $cp_title, SubmitButton() );
......
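Review bot: The same action URL is built three times in this file (the `&table=` form in the first hunk and the two identical multi-line forms in the next two); a point of style, but the escaped string could be computed once, `$form_action = URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&table=' . $_REQUEST['table'] );`, and reused, so a later change to the escaping cannot be applied to one copy and missed in another. The enclosing if/else blocks begin outside these hunks.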
...@@ -49,7 +49,7 @@ foreach ( (array) $periods_RET as $id => $period ) ...@@ -49,7 +49,7 @@ foreach ( (array) $periods_RET as $id => $period )
$period_select .= "</select>"; $period_select .= "</select>";
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="GET">';
DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . ' - ' . $period_select ); DrawHeader( PrepareDate( $date, '_date', false, array( 'submit' => true ) ) . ' - ' . $period_select );
DrawHeader( '', $category_select ); DrawHeader( '', $category_select );
echo '</form>'; echo '</form>';
......
...@@ -281,9 +281,9 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -281,9 +281,9 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' ) if ( $_REQUEST['search_modfunc'] === 'list' )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) . '&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
'&_ROSARIO_PDF=true" method="POST">'; '&_ROSARIO_PDF=true' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Create Attendance Report for Selected Students' ) ); $extra['header_right'] = SubmitButton( _( 'Create Attendance Report for Selected Students' ) );
} }
......
...@@ -40,7 +40,7 @@ elseif ( isset( $_POST['email_column'] ) ) ...@@ -40,7 +40,7 @@ elseif ( isset( $_POST['email_column'] ) )
if ( empty( $email_column ) ) if ( empty( $email_column ) )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
//get Student / Address fields //get Student / Address fields
$student_columns = DBGet( "SELECT 's.CUSTOM_' || f.ID AS COLUMN, f.TITLE, c.TITLE AS CATEGORY $student_columns = DBGet( "SELECT 's.CUSTOM_' || f.ID AS COLUMN, f.TITLE, c.TITLE AS CATEGORY
...@@ -344,7 +344,7 @@ if ( ! $_REQUEST['modfunc'] && ! empty( $email_column ) ) ...@@ -344,7 +344,7 @@ if ( ! $_REQUEST['modfunc'] && ! empty( $email_column ) )
{ {
if ( $_REQUEST['search_modfunc'] === 'list' ) if ( $_REQUEST['search_modfunc'] === 'list' )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Create Parent Accounts for Selected Students' ) ); $extra['header_right'] = SubmitButton( _( 'Create Parent Accounts for Selected Students' ) );
......
...@@ -139,7 +139,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' ) ...@@ -139,7 +139,7 @@ if ( ! $_REQUEST['modfunc'] || $_REQUEST['search_modfunc'] === 'list' )
{ {
if ( $_REQUEST['search_modfunc'] === 'list' ) if ( $_REQUEST['search_modfunc'] === 'list' )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
$extra['header_right'] = SubmitButton( _( 'Notify Selected Parents' ) ); $extra['header_right'] = SubmitButton( _( 'Notify Selected Parents' ) );
$extra['extra_header_left'] = '<table class="width-100p">'; $extra['extra_header_left'] = '<table class="width-100p">';
......
...@@ -58,7 +58,7 @@ if ( User( 'PROFILE' ) === 'admin' ) ...@@ -58,7 +58,7 @@ if ( User( 'PROFILE' ) === 'admin' )
echo ErrorMessage( $error ); echo ErrorMessage( $error );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
// Preview header. // Preview header.
DrawHeader( RegistrationAdminPreviewHeader(), SubmitButton() ); DrawHeader( RegistrationAdminPreviewHeader(), SubmitButton() );
...@@ -163,7 +163,7 @@ else ...@@ -163,7 +163,7 @@ else
echo ErrorMessage( $error ); echo ErrorMessage( $error );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( RegistrationIntroHeader(), SubmitButton() ); DrawHeader( RegistrationIntroHeader(), SubmitButton() );
......
...@@ -98,10 +98,10 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -98,10 +98,10 @@ if ( ! $_REQUEST['modfunc'] )
if ( $_REQUEST['search_modfunc'] === 'list' ) if ( $_REQUEST['search_modfunc'] === 'list' )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) . '&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) .
'&_search_all_schools=' . issetVal( $_REQUEST['_search_all_schools'], '' ) . '&_search_all_schools=' . issetVal( $_REQUEST['_search_all_schools'], '' ) .
'&accessfunc=' . $accessfunc . '" method="POST">'; '&accessfunc=' . $accessfunc ) . '" method="POST">';
$extra['header_right'] = SubmitButton( $button_label ); $extra['header_right'] = SubmitButton( $button_label );
......
...@@ -223,7 +223,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -223,7 +223,7 @@ if ( ! $_REQUEST['modfunc'] )
'DATA_TYPE' => _makeType( '', 'DATA_TYPE' ), 'DATA_TYPE' => _makeType( '', 'DATA_TYPE' ),
); );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
......
...@@ -145,8 +145,8 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -145,8 +145,8 @@ if ( ! $_REQUEST['modfunc'] )
//FJ teachers need AllowEdit (to edit the input fields) //FJ teachers need AllowEdit (to edit the input fields)
$_ROSARIO['allow_edit'] = true; $_ROSARIO['allow_edit'] = true;
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=save&include_inactive=' . $_REQUEST['include_inactive'] . '" method="POST">'; '&modfunc=save&include_inactive=' . $_REQUEST['include_inactive'] ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Referral for Selected Students' ) ) ); DrawHeader( '', SubmitButton( _( 'Add Referral for Selected Students' ) ) );
......
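Review bot: `$_REQUEST['include_inactive']` is read directly in the new action, while the otherwise identical forms in the other modules of this commit wrap it in `issetVal( $_REQUEST['include_inactive'], '' )`, so this one raises an undefined-index notice when the key is absent. Change the second line to `'&modfunc=save&include_inactive=' . issetVal( $_REQUEST['include_inactive'], '' ) ) . '" method="POST">';`. The enclosing block starts outside the hunk.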
...@@ -172,7 +172,7 @@ if ( ! $_REQUEST['modfunc'] ...@@ -172,7 +172,7 @@ if ( ! $_REQUEST['modfunc']
{ {
$RET = $RET[1]; $RET = $RET[1];
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&referral_id=' . $_REQUEST['referral_id'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&referral_id=' . $_REQUEST['referral_id'] ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
......
...@@ -106,7 +106,7 @@ if ( ! $_REQUEST['modfunc'] ) ...@@ -106,7 +106,7 @@ if ( ! $_REQUEST['modfunc'] )
$link['remove']['variables'] = array( 'id' => 'ID' ); $link['remove']['variables'] = array( 'id' => 'ID' );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
......
...@@ -54,7 +54,7 @@ echo ErrorMessage( $error ); ...@@ -54,7 +54,7 @@ echo ErrorMessage( $error );
if ( $_REQUEST['search_modfunc'] === 'list' ) if ( $_REQUEST['search_modfunc'] === 'list' )
{ {
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=save' ) . '" method="POST">';
DrawHeader( '', SubmitButton( _( 'Add Activity to Selected Students' ) ) ); DrawHeader( '', SubmitButton( _( 'Add Activity to Selected Students' ) ) );
echo '<br />'; echo '<br />';
......
...@@ -198,7 +198,7 @@ $stu_RET = GetStuList( $extra ); ...@@ -198,7 +198,7 @@ $stu_RET = GetStuList( $extra );
DrawHeader( ProgramTitle() ); DrawHeader( ProgramTitle() );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
if ( $today > $END_DAY if ( $today > $END_DAY
| $today < $START_DAY | $today < $START_DAY
......
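Review bot: The condition right after the new form tag, `if ( $today > $END_DAY | $today < $START_DAY`, uses the bitwise `|` rather than the logical `||`; because the comparisons bind tighter than `|` the result happens to be correct, but the intent is a logical or and the right operand is evaluated unconditionally. This is pre-existing rather than introduced here, but it sits next to the change and the condition continues past the hunk; `if ( $today > $END_DAY || $today < $START_DAY` is what is meant.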
...@@ -85,7 +85,7 @@ else ...@@ -85,7 +85,7 @@ else
} }
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="POST">';
PopTable( 'header', _( 'Allow Eligibility Posting' ) ); PopTable( 'header', _( 'Allow Eligibility Posting' ) );
......
...@@ -142,9 +142,9 @@ if ( UserStudentID() ...@@ -142,9 +142,9 @@ if ( UserStudentID()
'END_DATE' => '&nbsp;', 'END_DATE' => '&nbsp;',
); );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] .
'&modfunc=add&start_date=' . issetVal( $_REQUEST['start_date'], '' ) . '&modfunc=add&start_date=' . issetVal( $_REQUEST['start_date'], '' ) .
'" method="POST">'; '' ) . '" method="POST">';
$columns = array( $columns = array(
'TITLE' => _( 'Activity' ), 'TITLE' => _( 'Activity' ),
......
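Review bot: The closing of the new action leaves a dead operand: `'' ) . '" method="POST">'` concatenates an empty string before closing the URLEscape() call. It is harmless, but the two lines read more clearly as `'&modfunc=add&start_date=' . issetVal( $_REQUEST['start_date'], '' ) ) .` followed by `'" method="POST">';`. The `$columns` array that follows runs past the hunk.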
...@@ -52,7 +52,7 @@ foreach ( (array) $periods_RET as $period ) ...@@ -52,7 +52,7 @@ foreach ( (array) $periods_RET as $period )
$period_select .= '</select>'; $period_select .= '</select>';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '" method="GET">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] ) . '" method="GET">';
$begin_year = DBGetOne( "SELECT min(date_part('epoch',SCHOOL_DATE)) AS SCHOOL_DATE $begin_year = DBGetOne( "SELECT min(date_part('epoch',SCHOOL_DATE)) AS SCHOOL_DATE
FROM ATTENDANCE_CALENDAR FROM ATTENDANCE_CALENDAR
......
...@@ -63,7 +63,7 @@ $staff_RET = DBGet( "SELECT fst.TRANSACTION_ID,fst.STAFF_ID,fst.SYEAR, ...@@ -63,7 +63,7 @@ $staff_RET = DBGet( "SELECT fst.TRANSACTION_ID,fst.STAFF_ID,fst.SYEAR,
//echo '<pre>'; var_dump($students_RET); echo '</pre>'; //echo '<pre>'; var_dump($students_RET); echo '</pre>';
//echo '<pre>'; var_dump($users_RET); echo '</pre>'; //echo '<pre>'; var_dump($users_RET); echo '</pre>';
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update" method="POST">'; echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&modfunc=update' ) . '" method="POST">';
DrawHeader( '', SubmitButton() ); DrawHeader( '', SubmitButton() );
$columns = array( 'TRANSACTION_ID' => _( 'ID' ), 'ACCOUNT_ID' => _( 'Account ID' ), 'SYEAR' => _( 'School Year' ), 'FULL_NAME' => _( 'Student' ), 'STUDENTS' => _( 'Students' ), 'SCHOOL_ID' => _( 'School' ) ); $columns = array( 'TRANSACTION_ID' => _( 'ID' ), 'ACCOUNT_ID' => _( 'Account ID' ), 'SYEAR' => _( 'School Year' ), 'FULL_NAME' => _( 'Student' ), 'STUDENTS' => _( 'Students' ), 'SCHOOL_ID' => _( 'School' ) );
ListOutput( $students_RET, $columns, 'Student Transaction w/o School', 'Student Transactions w/o School', false, array(), array( 'save' => false, 'search' => false ) ); ListOutput( $students_RET, $columns, 'Student Transaction w/o School', 'Student Transactions w/o School', false, array(), array( 'save' => false, 'search' => false ) );
......
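Review bot: The two commented-out `var_dump()` lines directly above the new form tag are dead debugging code and should be deleted rather than kept as comments; uncommenting them by accident would dump raw database rows into the page. A point of style on the surrounding lines rather than on the change itself; the query that feeds `$staff_RET` starts outside the hunk.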
...@@ -301,8 +301,8 @@ else ...@@ -301,8 +301,8 @@ else
$LO_columns = array( 'ID' => _( 'ID' ), 'SCHOOL_DATE' => _( 'Date' ), 'DESCRIPTION' => _( 'Description' ) ); $LO_columns = array( 'ID' => _( 'ID' ), 'SCHOOL_DATE' => _( 'Date' ), 'DESCRIPTION' => _( 'Description' ) );
echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] . echo '<form action="' . URLEscape( 'Modules.php?modname=' . $_REQUEST['modname'] . '&menu_id=' . $_REQUEST['menu_id'] .
'&month=' . $_REQUEST['month'] . '&year=' . $_REQUEST['year'] . '" method="POST">'; '&month=' . $_REQUEST['month'] . '&year=' . $_REQUEST['year'] ) . '" method="POST">';