Use validCardinal on Id's cuz we don't trust the db or Object

ZoneMinder · Jan 25, 2024 · b5757a2 · b5757a2
1 parent 559d6ed
commit b5757a2
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/web/ajax/modals/group.php b/web/ajax/modals/group.php
@@ -48,7 +48,7 @@ function parentGrpSelect($newGroup) {
   $options = array(''=>'None');
 
   foreach ( dbFetchAll($sql, null, $kids) as $option ) {
-    $options[$option['Id']] = str_repeat('&nbsp;&nbsp;', $Groups[$option['Id']]->depth()) . $option['Name'];
+    $options[validCardinal($option['Id'])] = str_repeat('&nbsp;&nbsp;', $Groups[$option['Id']]->depth()).$option['Name'];
   }
 
   return htmlSelect('newGroup[ParentId]', $options, $newGroup->ParentId(), array('data-on-change'=>'configModalBtns'));
@@ -61,7 +61,7 @@ function monitorList($newGroup) {
   $monitorIds = $newGroup->MonitorIds();
   foreach ( $monitors as $monitor ) {
     if ( visibleMonitor($monitor['Id']) ) {
-      $result .= '<option value="' .$monitor['Id']. '"' .( in_array( $monitor['Id'], $monitorIds ) ? ' selected="selected"' : ''). '>' .validHtmlStr($monitor['Name']). '</option>'.PHP_EOL;
+      $result .= '<option value="' .validCardinal($monitor['Id']). '"' .( in_array( $monitor['Id'], $monitorIds ) ? ' selected="selected"' : ''). '>' .validHtmlStr($monitor['Name']). '</option>'.PHP_EOL;
     }
   }
 
@@ -78,14 +78,10 @@ function monitorList($newGroup) {
 }
 
 if ( !empty($_REQUEST['gid']) ) {
-  $newGroup = new ZM\Group($_REQUEST['gid']);
+  $newGroup = new ZM\Group(validCardinal($_REQUEST['gid']));
 } else {
   $newGroup = new ZM\Group();
 }
-
-//
-// BEGIN HTML
-//
 ?>
 <div id="groupModal" class="modal" tabindex="-1" role="dialog">
   <div class="modal-dialog" role="document">