Fix XSS vulnerability reported by Tree Lion

bigprof-software · Dec 27, 2023 · edb404c · edb404c
1 parent 6afb656
commit edb404c
Showing 1 changed file with 67 additions and 67 deletions.
diff --git a/app/hooks/applicants_and_tenants_filter.php b/app/hooks/applicants_and_tenants_filter.php
@@ -1,56 +1,56 @@
-<?php 
-	if(!isset($Translation)){ @header('Location: index.php'); exit; }
-
-	$advanced_search_mode = 0;
-	$search_mode_session_key = substr('spm_' . basename(__FILE__), 0, -4);
-	if(isset($_REQUEST['advanced_search_mode'])) {
-		/* if user explicitly sets search mode by clicking Filter_x from the filters page, 
-		 * apply requested mode, and store into session */
-		$advanced_search_mode = intval($_REQUEST['advanced_search_mode']) ? 1 : 0;
-		$_SESSION[$search_mode_session_key] = $advanced_search_mode;
-
-	} elseif(isset($_SESSION[$search_mode_session_key])) {
-		/* otherwise, check if search mode for given table is specified in user's 
-		 * session and apply it */
-		$advanced_search_mode = intval($_SESSION[$search_mode_session_key]) ? 1 : 0;
-	}
-?>
-
-	<input type="hidden" name="advanced_search_mode" value="<?php echo $advanced_search_mode; ?>" id="advanced_search_mode">
-	<script>
-		$j(function(){
-			$j('.btn.search_mode').appendTo('.page-header h1');
-			$j('.btn.search_mode').click(function(){
-				var mode = parseInt($j('#advanced_search_mode').val());
-				$j('#advanced_search_mode').val(1 - mode);
-				if(typeof(beforeApplyFilters) == 'function') beforeApplyFilters();
-				return true;
-			});
-		})
-	</script>
-
-<?php if($advanced_search_mode){ ?>
-	<button class="btn btn-lg btn-success pull-right search_mode" id="simple_search_mode" type="submit" name="Filter_x" value="1">Switch to simple search mode</button>
-	<script>
-		$j(function() {
-			$j('#simple_search_mode').click(function() {
-				if(!confirm('If you switch to simple search mode, any filters defined here will be lost! Do you still which to proceed?')) return false;
-				$j('.clear_filter').click();
-			})		
-		})
-	</script>
-	<?php include(dirname(__FILE__) . '/../defaultFilters.php'); ?>
-
-<?php }else{ ?>
-
-	<button class="btn btn-lg btn-default pull-right search_mode" type="submit" name="Filter_x" value="1">Switch to advanced search mode</button>
-			<!-- %datetimePicker% -->
-
-			<div class="page-header"><h1>
-				<a href="applicants_and_tenants_view.php" style="text-decoration: none; color: inherit;">
-					<img src="resources/table_icons/account_balances.png"> 					Applicants and tenants Filters</a>
-			</h1></div>
-
+<?php 
+	if(!isset($Translation)){ @header('Location: index.php'); exit; }
+
+	$advanced_search_mode = 0;
+	$search_mode_session_key = substr('spm_' . basename(__FILE__), 0, -4);
+	if(isset($_REQUEST['advanced_search_mode'])) {
+		/* if user explicitly sets search mode by clicking Filter_x from the filters page, 
+		 * apply requested mode, and store into session */
+		$advanced_search_mode = intval($_REQUEST['advanced_search_mode']) ? 1 : 0;
+		$_SESSION[$search_mode_session_key] = $advanced_search_mode;
+
+	} elseif(isset($_SESSION[$search_mode_session_key])) {
+		/* otherwise, check if search mode for given table is specified in user's 
+		 * session and apply it */
+		$advanced_search_mode = intval($_SESSION[$search_mode_session_key]) ? 1 : 0;
+	}
+?>
+
+	<input type="hidden" name="advanced_search_mode" value="<?php echo $advanced_search_mode; ?>" id="advanced_search_mode">
+	<script>
+		$j(function(){
+			$j('.btn.search_mode').appendTo('.page-header h1');
+			$j('.btn.search_mode').click(function(){
+				var mode = parseInt($j('#advanced_search_mode').val());
+				$j('#advanced_search_mode').val(1 - mode);
+				if(typeof(beforeApplyFilters) == 'function') beforeApplyFilters();
+				return true;
+			});
+		})
+	</script>
+
+<?php if($advanced_search_mode){ ?>
+	<button class="btn btn-lg btn-success pull-right search_mode" id="simple_search_mode" type="submit" name="Filter_x" value="1">Switch to simple search mode</button>
+	<script>
+		$j(function() {
+			$j('#simple_search_mode').click(function() {
+				if(!confirm('If you switch to simple search mode, any filters defined here will be lost! Do you still which to proceed?')) return false;
+				$j('.clear_filter').click();
+			})		
+		})
+	</script>
+	<?php include(dirname(__FILE__) . '/../defaultFilters.php'); ?>
+
+<?php }else{ ?>
+
+	<button class="btn btn-lg btn-default pull-right search_mode" type="submit" name="Filter_x" value="1">Switch to advanced search mode</button>
+			<!-- %datetimePicker% -->
+
+			<div class="page-header"><h1>
+				<a href="applicants_and_tenants_view.php" style="text-decoration: none; color: inherit;">
+					<img src="resources/table_icons/account_balances.png"> 					Applicants and tenants Filters</a>
+			</h1></div>
+
 
 	<div class="row" style="border-bottom: dotted 2px #DDD;">
 
@@ -90,15 +90,15 @@
 			</div>
 	<script>
 		//for population
-		var filterValue_13 = '<?php echo htmlspecialchars($FilterValue[ 1 ]); ?>';
+		var filterValue_13 = <?php echo json_encode($FilterValue[1]); ?>;
 		$j(function () {
 			if (filterValue_13) {
-				$j("input[class =filter_13][value ='" + filterValue_13 + "']").attr("checked", "checked");
+				$j(`input[class=filter_13][value="${filterValue_13}"]`).prop("checked", true);
 			}
 		})
 	</script>
-
-			<!-- ########################################################## -->
+
+			<!-- ########################################################## -->
 
 	<div class="row vspacer-lg" style="border-bottom: dotted 2px #DDD;" >
 
@@ -129,8 +129,8 @@
 
 			</div>
 
-
-			<!-- ########################################################## -->
+
+			<!-- ########################################################## -->
 
 	<div class="row vspacer-lg" style="border-bottom: dotted 2px #DDD;" >
 
@@ -153,8 +153,8 @@
 			</div>
 
 
-
-			<!-- ########################################################## -->
+
+			<!-- ########################################################## -->
 
 	<div class="row vspacer-lg" style="border-bottom: dotted 2px #DDD;" >
 
@@ -177,8 +177,8 @@
 			</div>
 
 
-
-			<!-- ########################################################## -->
+
+			<!-- ########################################################## -->
 
 	<div class="row vspacer-lg" style="border-bottom: dotted 2px #DDD;" >
 
@@ -201,8 +201,8 @@
 			</div>
 
 
-
-			<!-- ########################################################## -->
+
+			<!-- ########################################################## -->
 
 		<?php $si = 8; ?>
 		<?php for($afi = $si; $afi <= 12; $afi++) { ?>
@@ -402,6 +402,6 @@ function beforeCancelFilters(){
 			</style>
 
 
-
-
+
+
 <?php } ?>