Security: Replace HTML form with FormValidator to avoid possible XSS when searching session category

1 year ago · 7080b9be8b
parent e6999a97c4
commit 7080b9be8b
1 changed files with 10 additions and 11 deletions
--- a/main/session/session_category_list.php
+++ b/main/session/session_category_list.php
@ -32,7 +32,7 @@ $sort = isset($_GET['sort']) && in_array($_GET['sort'], $columns) ? Security::re
 $idChecked = isset($_REQUEST['idChecked']) ? Security::remove_XSS($_REQUEST['idChecked']) : null;
 $order = $_REQUEST['order'] ?? 'ASC';
 $order = $order === 'ASC' ? 'DESC' : 'ASC';
-$keyword = isset($_REQUEST['keyword']) ? Security::remove_XSS($_REQUEST['keyword']) : null;
+$keyword = null;

 if ($action === 'delete_on_session' || $action === 'delete_off_session') {
    $delete_session = $action === 'delete_on_session' ? true : false;
@ -42,6 +42,14 @@ if ($action === 'delete_on_session' || $action === 'delete_off_session') {
    exit();
 }

+$frmSearch = new FormValidator('search', 'get', 'session_category_list.php', '', [], FormValidator::LAYOUT_INLINE);
+$frmSearch->addText('keyword', get_lang('Search'), false);
+$frmSearch->addButtonSearch(get_lang('Search'));
+
+if ($frmSearch->validate()) {
+    $keyword = $frmSearch->exportValues()['keyword'];
+}
+
 $interbreadcrumb[] = ['url' => 'session_list.php', 'name' => get_lang('SessionList')];

 if (isset($_GET['search']) && $_GET['search'] === 'advanced') {
@ -114,16 +122,7 @@ if (isset($_GET['search']) && $_GET['search'] === 'advanced') {
            </div>
            <div class="col-md-6">
                <div class="pull-right">
-                    <form method="POST" action="session_category_list.php" class="form-inline">
-                        <div class="form-group">
-                            <input class="form-control" type="text" name="keyword" value="<?php echo $keyword; ?>"
-                                   aria-label="<?php echo get_lang('Search'); ?>"/>
-                            <button class="btn btn-default" type="submit" name="name"
-                                    value="<?php echo get_lang('Search'); ?>"><em
-                                        class="fa fa-search"></em> <?php echo get_lang('Search'); ?></button>
-                            <!-- <a href="session_list.php?search=advanced"><?php echo get_lang('AdvancedSearch'); ?></a> -->
-                        </div>
-                    </form>
+                    <?php echo $frmSearch->returnForm(); ?>
                </div>
            </div>
        </div>