Commit

20/2/18 Exson: sanitize scripts name in footer.inc and forbidden the use of InputSerialItemsSequential.php without login.
ExsonQu-xun authored and timschofield committed Feb 27, 2018
1 parent e012d63 commit bc05bb0
Showing 3 changed files with 6 additions and 2 deletions.
2 changes: 1 addition & 1 deletion doc/Change.log
@@ -1,5 +1,5 @@
webERP Change Log

20/2/18 Exson: sanitize scripts name in footer.inc and forbidden the use of InputSerialItemsSequential.php without login.
19/2/18 PaulT: Stocks.php: Fix navigation bar handling to avoid stockid loss and also disable navigation submit when at the first (or last) item. Change also adds a closing table tag, removes an extra double quote from two attributes, and a minor message layout improvement.
17/2/18 PaulT: PO_SelectOSPurchOrder.php: Derived from Tim's code: add default current dates. (there may not yet be any purchorders records) / PaulT: do not show the order list table when there are no records to show. (avoids a table heading output without any associated row data)
17/2/18 Tim (PaulT commit): MiscFunctions.js: Set the calendar click and change handlers to reference the localStorage DateFormat instead of the element's "alt" attribute value. (Know that this update requires the localStorage change applied with commit 7973)
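Review bot: The new 20/2/18 entry refers to footer.inc, but the file this commit changes is includes/footer.php; the entry should name the file actually touched so the log can be matched to the diff. Since this is a security fix, it would also help to say what was sanitized (the ScriptName value written into the hidden form field) and that the fix is output escaping.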
4 changes: 4 additions & 0 deletions includes/InputSerialItemsSequential.php
Expand Up @@ -11,6 +11,10 @@
*/

//we start with a batch or serial no header and need to display something for verification...
if (!isset($_SESSION['DatabaseName'])){
die;
}

global $tableheader;

if (isset($_GET['LineNo'])){
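Review bot: The new guard at the top of the file tests only isset($_SESSION['DatabaseName']), which shows that a session key exists, not that the request comes from an authenticated user with rights to this function. If DatabaseName can be placed in the session before login completes, the include is still reachable; checking the value the login routine sets on success, or reusing the access check the calling pages rely on, would match the stated intent of forbidding use without login. A bare die; also returns an empty body with a success status, so consider sending a 403 (or redirecting to the login page) before exiting, and move the guard above the "we start with a batch or serial no header" comment, which now describes the guard rather than the code it was written for.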
2 changes: 1 addition & 1 deletion includes/footer.php
Expand Up @@ -38,7 +38,7 @@
echo '<div>
<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />
<input type="hidden" name="ScriptName" value="' . $ScriptName . '" />
<input type="hidden" name="ScriptName" value="' . htmlspecialchars($ScriptName,ENT_QUOTES,'UTF-8') . '" />
<input type="hidden" name="Title" value="' . $Title . '" />
' . $ShowAdd . $ShowDel . '
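Review bot: Only ScriptName is escaped here; on the very next line Title is still concatenated raw into a double-quoted value attribute (value="' . $Title . '"), and FormID on the line above is written the same way. If $Title can carry user-influenced text, it has the same attribute-injection exposure this change closes for $ScriptName, so apply htmlspecialchars($Title, ENT_QUOTES, 'UTF-8') as well. The form action already calls htmlspecialchars($_SERVER['PHP_SELF']) but without ENT_QUOTES and a charset; using the same three-argument form throughout the block keeps the escaping consistent.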