Add sme more htmlemtities for consistency

2023-03-05 20:06:42 -05:00 · 2023-03-05 20:06:42 -05:00 · a711bed38c
parent 9a3266190c
commit a711bed38c
10 changed files with 12 additions and 14 deletions
--- a/check_login.php
+++ b/check_login.php
@ -30,7 +30,7 @@ $session_user_id = $_SESSION['user_id'];

 $sql = mysqli_query($mysqli, "SELECT * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND users.user_id = $session_user_id");
 $row = mysqli_fetch_array($sql);
-$session_name = mysqli_real_escape_string($mysqli, $row['user_name']);
+$session_name = sanitizeInput($row['user_name']);
 $session_email = $row['user_email'];
 $session_avatar = $row['user_avatar'];
 $session_token = $row['user_token'];
--- a/clients.php
+++ b/clients.php
@ -148,7 +148,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));

                            $client_tag_id_array[] = $client_tag_id;
                            if (empty($client_tag_color)) {
-                                $client_tag_name_display_array[] = "<small class='text-secondary'>$client_tag_name</small> ";
+                                $client_tag_name_display_array[] = "<small class='text-secondary'><i class='fa fa-fw fa-$client_tag_icon'></i>$client_tag_name</small> ";
                            } else {
                                $client_tag_name_display_array[] = "<span class='badge bg-$client_tag_color'><i class='fa fa-fw fa-$client_tag_icon'></i> $client_tag_name</span> ";
                            }
--- a/get_settings.php
+++ b/get_settings.php
@ -58,7 +58,7 @@ $config_ticket_next_number = intval($row['config_ticket_next_number']);
 $config_ticket_from_name = $row['config_ticket_from_name'];
 $config_ticket_from_email = $row['config_ticket_from_email'];
 $config_ticket_email_parse = intval($row['config_ticket_email_parse']);
-$config_ticket_client_general_notifications = $row['config_ticket_client_general_notifications'];
+$config_ticket_client_general_notifications = intval($row['config_ticket_client_general_notifications']);

 // Alerts
 $config_enable_cron = intval($row['config_enable_cron']);
--- a/guest_header.php
+++ b/guest_header.php
@ -20,7 +20,7 @@ $browser = sanitizeInput(getWebBrowser($ua));
    <meta http-equiv="x-ua-compatible" content="ie=edge">
    <meta name="robots" content="noindex">

-    <title><?php echo $config_app_name; ?></title>
+    <title><?php echo htmlentities($config_app_name); ?></title>

    <!-- Font Awesome Icons -->
    <link rel="stylesheet" href="plugins/fontawesome-free/css/all.min.css">
--- a/guest_view_invoice.php
+++ b/guest_view_invoice.php
@ -73,8 +73,6 @@ if (!empty($company_logo)) {
 $company_locale = htmlentities($row['company_locale']);
 $config_invoice_footer = htmlentities($row['config_invoice_footer']);
 $config_stripe_enable = intval($row['config_stripe_enable']);
-$config_stripe_publishable = $row['config_stripe_publishable'];
-$config_stripe_secret = $row['config_stripe_secret'];

 //Set Currency Format
 $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY);
--- a/guest_view_item.php
+++ b/guest_view_item.php
@ -7,7 +7,7 @@ header('Pragma: no-cache');
 require_once("guest_header.php"); ?>

    <br>
-    <h1> <?php echo $config_app_name ?> Guest sharing </h1>
+    <h1> <?php echo htmlentities($config_app_name); ?> Guest sharing </h1>
    <hr>

 <?php
--- a/header.php
+++ b/header.php
@ -15,7 +15,7 @@ header("X-Frame-Options: DENY");
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="robots" content="noindex">

-  <title><?php echo "$session_company_name | $config_app_name"; ?></title>
+  <title><?php echo htmlentities($session_company_name); ?> | <?php echo htmlentities($config_app_name); ?></title>

  <!-- Font Awesome Icons -->
  <link rel="stylesheet" href="plugins/fontawesome-free/css/all.min.css">
--- a/portal/portal_header.php
+++ b/portal/portal_header.php
@ -12,7 +12,7 @@ header("X-Frame-Options: DENY");
 <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <title><?php echo $config_app_name; ?> | Client Portal - Tickets</title>
+    <title><?php echo htmlentities($config_app_name); ?> | Client Portal - Tickets</title>

    <!-- Tell the browser to be responsive to screen width -->
    <meta name="viewport" content="width=device-width, initial-scale=1">
@ -32,7 +32,7 @@ header("X-Frame-Options: DENY");

 <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
    <div class="container">
-        <a class="navbar-brand" href="index.php"><?php echo $config_app_name ?></a>
+        <a class="navbar-brand" href="index.php"><?php echo htmlentities($config_app_name); ?></a>
        <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
            <span class="navbar-toggler-icon"></span>
        </button>
@ -55,7 +55,7 @@ header("X-Frame-Options: DENY");
            <ul class="nav navbar-nav pull-right">
                <li class="nav-item dropdown">
                    <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-toggle="dropdown">
-                        <?php echo $session_contact_name ?>
+                        <?php echo htmlentities($session_contact_name); ?>
                    </a>
                    <div class="dropdown-menu" aria-labelledby="navbarDropdown">
                        <a class="dropdown-item" href="profile.php">Profile</a>
--- a/settings_api.php
+++ b/settings_api.php
@ -31,7 +31,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
        <div class="card-body">
            <form autocomplete="off">
                <div class="input-group">
-                    <input type="search" class="form-control col-md-4" name="q" value="<?php if (isset($q)) { echo strip_tags(htmlentities($q)); } ?>" placeholder="Search keys">
+                    <input type="search" class="form-control col-md-4" name="q" value="<?php if (isset($q)) { echo stripslashes(htmlentities($q)); } ?>" placeholder="Search keys">
                    <div class="input-group-append">
                        <button class="btn btn-primary"><i class="fa fa-search"></i></button>
                    </div>
--- a/user_profile.php
+++ b/user_profile.php
@ -21,13 +21,13 @@ $sql_recent_logs = mysqli_query($mysqli, "SELECT * FROM logs

                <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
-                    <input type="hidden" name="existing_file_name" value="<?php echo $session_avatar; ?>">
+                    <input type="hidden" name="existing_file_name" value="<?php echo htmlentities($session_avatar); ?>">

                    <center class="mb-3 px-5">
                        <?php if (empty($session_avatar)) { ?>
                            <i class="fas fa-user-circle fa-8x text-secondary"></i>
                        <?php } else { ?>
-                            <img alt="User avatar" src="<?php echo "uploads/users/$session_user_id/$session_avatar"; ?>" class="img-fluid">
+                            <img alt="User avatar" src="<?php echo "uploads/users/$session_user_id/" . htmlentities($session_avatar); ?>" class="img-fluid">
                        <?php } ?>
                        <h4 class="text-secondary mt-2"><?php echo htmlentities($session_user_role_display); ?></h4>
                    </center>