diff --git a/client/post.php b/client/post.php
index 6c939ddf..caad4e6c 100644
--- a/client/post.php
+++ b/client/post.php
@@ -12,6 +12,8 @@ require_once 'functions.php';
if (isset($_POST['add_ticket'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
$subject = sanitizeInput($_POST['subject']);
$details = mysqli_real_escape_string($mysqli, ($_POST['details']));
$category = intval($_POST['category']);
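Review bot: The added line reads `$_POST['csrf_token']` directly, so a request that omits the field triggers an "Undefined array key" warning (and a TypeError if validateCSRFToken declares a `string` parameter — its signature is not in this diff) before the token is even compared; `validateCSRFToken($_POST['csrf_token'] ?? '');` sends a missing token down the same rejection path as a wrong one. The same pattern is repeated in every other hunk of this file (add_ticket_comment, approve_ticket_task, add_ticket_feedback, resolve_ticket, reopen_ticket, close_ticket, edit_profile, add_contact, edit_contact, add_payment_by_provider, create_stripe_customer, create_stripe_checkout, stripe_save_card, delete_saved_payment, set_recurring_payment, client_add_document, client_upload_document). As a point of style, the reopen_ticket hunk carries an extra blank line above the call that none of the others have. Each `if (isset(...))` body continues past its hunk.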
@@ -82,6 +84,8 @@ if (isset($_POST['add_ticket'])) {
if (isset($_POST['add_ticket_comment'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
$ticket_id = intval($_POST['ticket_id']);
$comment = mysqli_real_escape_string($mysqli, $_POST['comment']);
@@ -187,6 +191,8 @@ if (isset($_POST['add_ticket_comment'])) {
if (isset($_GET['approve_ticket_task'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
$task_id = intval($_GET['approve_ticket_task']);
$approval_id = intval($_GET['approval_id']);
$url_key = sanitizeInput($_GET['approval_url_key']);
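Review bot: The approve_ticket_task handler takes its token from `$_GET['csrf_token']`, as do resolve_ticket, reopen_ticket, close_ticket, add_payment_by_provider, create_stripe_checkout, stripe_save_card and delete_saved_payment, so the token travels in the URL and is retained in browser history, server and proxy access logs and outgoing Referer headers, which weakens the protection this commit introduces. These are all state-changing actions; the more robust fix is to submit them as POST forms with the token in the body, or at least to document in a comment why they are kept on GET. The create_stripe_checkout hunk's own comment says it is called from autopay_setup_stripe.js, so that script presumably has to be updated to send the token too — that change is not in this diff. The handler bodies continue past their hunks.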
@@ -224,6 +230,8 @@ if (isset($_GET['approve_ticket_task'])) {
if (isset($_POST['add_ticket_feedback'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
$ticket_id = intval($_POST['ticket_id']);
$feedback = sanitizeInput($_POST['add_ticket_feedback']);
@@ -254,6 +262,8 @@ if (isset($_POST['add_ticket_feedback'])) {
if (isset($_GET['resolve_ticket'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
$ticket_id = intval($_GET['resolve_ticket']);
// Get ticket details for logging
@@ -286,6 +296,9 @@ if (isset($_GET['resolve_ticket'])) {
}
if (isset($_GET['reopen_ticket'])) {
+
+ validateCSRFToken($_GET['csrf_token']);
+
$ticket_id = intval($_GET['reopen_ticket']);
// Get ticket details for logging
@@ -319,6 +332,8 @@ if (isset($_GET['reopen_ticket'])) {
if (isset($_GET['close_ticket'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
$ticket_id = intval($_GET['close_ticket']);
// Get ticket details for logging
@@ -363,6 +378,8 @@ if (isset($_GET['logout'])) {
if (isset($_POST['edit_profile'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
$new_password = $_POST['new_password'];
if (!empty($new_password)) {
@@ -379,14 +396,16 @@ if (isset($_POST['edit_profile'])) {
if (isset($_POST['add_contact'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
if ($session_contact_primary == 0 && !$session_contact_is_technical_contact) {
redirect("post.php?logout");
}
$contact_name = sanitizeInput($_POST['contact_name']);
$contact_email = sanitizeInput($_POST['contact_email']);
- $contact_technical = intval($_POST['contact_technical']);
- $contact_billing = intval($_POST['contact_billing']);
+ $contact_technical = intval($_POST['contact_technical'] ?? 0);
+ $contact_billing = intval($_POST['contact_billing'] ?? 0);
$contact_auth_method = sanitizeInput($_POST['contact_auth_method']);
// Check the email isn't already in use
@@ -426,6 +445,8 @@ if (isset($_POST['add_contact'])) {
if (isset($_POST['edit_contact'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
if ($session_contact_primary == 0 && !$session_contact_is_technical_contact) {
redirect("post.php?logout");
}
@@ -433,8 +454,8 @@ if (isset($_POST['edit_contact'])) {
$contact_id = intval($_POST['contact_id']);
$contact_name = sanitizeInput($_POST['contact_name']);
$contact_email = sanitizeInput($_POST['contact_email']);
- $contact_technical = intval($_POST['contact_technical']);
- $contact_billing = intval($_POST['contact_billing']);
+ $contact_technical = intval($_POST['contact_technical'] ?? 0);
+ $contact_billing = intval($_POST['contact_billing'] ?? 0);
$contact_auth_method = sanitizeInput($_POST['contact_auth_method']);
// Get the existing contact_user_id - we look it up ourselves so the user can't just overwrite random users
@@ -476,6 +497,8 @@ if (isset($_POST['edit_contact'])) {
if (isset($_GET['add_payment_by_provider'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
$invoice_id = intval($_GET['invoice_id']);
$saved_payment_id = intval($_GET['add_payment_by_provider']);
@@ -672,6 +695,8 @@ if (isset($_GET['add_payment_by_provider'])) {
if (isset($_POST['create_stripe_customer'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
if ($session_contact_primary == 0 && !$session_contact_is_billing_contact) {
redirect("post.php?logout");
}
@@ -758,6 +783,8 @@ if (isset($_POST['create_stripe_customer'])) {
if (isset($_GET['create_stripe_checkout'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
// This page is called by autopay_setup_stripe.js, returns a Checkout Session client_secret
if ($session_contact_primary == 0 && !$session_contact_is_billing_contact) {
@@ -828,6 +855,8 @@ if (isset($_GET['create_stripe_checkout'])) {
if (isset($_GET['stripe_save_card'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
if ($session_contact_primary == 0 && !$session_contact_is_billing_contact) {
redirect("post.php?logout");
}
@@ -957,6 +986,8 @@ if (isset($_GET['stripe_save_card'])) {
if (isset($_GET['delete_saved_payment'])) {
+ validateCSRFToken($_GET['csrf_token']);
+
if ($session_contact_primary == 0 && !$session_contact_is_billing_contact) {
redirect("post.php?logout");
}
@@ -1059,6 +1090,8 @@ if (isset($_GET['delete_saved_payment'])) {
if (isset($_POST['set_recurring_payment'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
$recurring_invoice_id = intval($_POST['recurring_invoice_id']);
$saved_payment_id = intval($_POST['saved_payment_id']);
@@ -1111,6 +1144,8 @@ if (isset($_POST['set_recurring_payment'])) {
if (isset($_POST['client_add_document'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
// Permission check - only primary or technical contacts can create documents
if ($session_contact_primary == 0 && !$session_contact_is_technical_contact) {
redirect("post.php?logout");
@@ -1155,6 +1190,8 @@ if (isset($_POST['client_add_document'])) {
if (isset($_POST['client_upload_document'])) {
+ validateCSRFToken($_POST['csrf_token']);
+
// Permission check - only primary or technical contacts can upload documents
if ($session_contact_primary == 0 && !$session_contact_is_technical_contact) {
redirect("post.php?logout");
diff --git a/client/profile.php b/client/profile.php
index fae47819..11a3e1e9 100644
--- a/client/profile.php
+++ b/client/profile.php
@@ -31,6 +31,7 @@ require_once 'includes/inc_all.php';