Fix XSS in expenses and trips export CSV modal Thanks @tdragon

2026-03-03 20:34:51 +00:00 · 2023-05-09 12:11:42 -04:00
parent 09ff8b710b
commit cb0366b9f7
2 changed files with 4 additions and 4 deletions
--- a/expense_export_modal.php
+++ b/expense_export_modal.php
@@ -18,7 +18,7 @@
                            <div class="input-group-prepend">
                                <span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
                            </div>
-                            <input type="date" class="form-control" name="date_from" max="2999-12-31" value="<?php echo $dtf; ?>">
+                            <input type="date" class="form-control" name="date_from" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
                        </div>
                    </div>
@@ -28,7 +28,7 @@
                            <div class="input-group-prepend">
                                <span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
                            </div>
-                            <input type="date" class="form-control" name="date_to" max="2999-12-31" value="<?php echo $dtt; ?>">
+                            <input type="date" class="form-control" name="date_to" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
                        </div>
                    </div>
--- a/trip_export_modal.php
+++ b/trip_export_modal.php
@@ -18,7 +18,7 @@
                            <div class="input-group-prepend">
                                <span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
                            </div>
-                            <input type="date" class="form-control" name="date_from" max="2999-12-31" value="<?php echo $dtf; ?>">
+                            <input type="date" class="form-control" name="date_from" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
                        </div>
                    </div>
@@ -28,7 +28,7 @@
                            <div class="input-group-prepend">
                                <span class="input-group-text"><i class="fa fa-fw fa-calendar"></i></span>
                            </div>
-                            <input type="date" class="form-control" name="date_to" max="2999-12-31" value="<?php echo $dtt; ?>">
+                            <input type="date" class="form-control" name="date_to" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
                        </div>
                    </div>