Merge branch EC.fixes1
Squashed commit of the following:

commit 90a2d60549a6859c5801e7cb32f73029f0109655
Merge: 99c62b3 87304b4
Author: drlippman <drlippman@yahoo.com>
Date:   Mon Jul 2 20:23:56 2018 -0700

    Merge branch 'master' into EC.fixes1

    # Conflicts:
    #	course/courseshowitems.php

commit 99c62b3
Merge: 088b2c8 bda7c84
Author: drlippman <drlippman@yahoo.com>
Date:   Wed Jun 20 10:48:28 2018 -0700

    Merge branch 'master' into EC.fixes1

commit 088b2c8
Author: drlippman <drlippman@yahoo.com>
Date:   Mon Jun 18 10:41:33 2018 -0700

    more fix the fixes

commit 5574d08
Merge: 04c55b0 9faef55
Author: drlippman <drlippman@yahoo.com>
Date:   Thu Jun 14 09:45:59 2018 -0700

    Merge branch 'EC.fixes1' of github.com:drlippman/IMathAS into EC.fixes1

commit 04c55b0
Author: drlippman <drlippman@yahoo.com>
Date:   Thu Jun 14 09:45:25 2018 -0700

    Bug fix gb-viewasid

commit 9faef55
Author: David Lippman <drlippman@gmail.com>
Date:   Thu May 31 11:37:31 2018 -0700

    Replace unserialize with safe alt in importitems

commit d0360d7
Author: drlippman <drlippman@yahoo.com>
Date:   Thu May 31 09:00:49 2018 -0700

    Merge EC fixes

    update jquery version
    rebuild assessment_min.js

commit d624083
Merge: 327e5bf 14ce20c
Author: David Lippman <drlippman@yahoo.com>
Date:   Thu May 24 20:08:31 2018 -0700

    Merge branch 'master' into EC.fixes1

commit 327e5bf
Author: David Lippman <drlippman@yahoo.com>
Date:   Thu May 24 20:08:00 2018 -0700

    Fixes round 6

commit 5bc8387
Merge: 6fab661 65b2f7d
Author: drlippman <drlippman@yahoo.com>
Date:   Wed May 16 20:26:15 2018 -0700

    Merge branch 'master' into EC.fixes1

commit 6fab661
Author: drlippman <drlippman@yahoo.com>
Date:   Wed May 16 19:55:00 2018 -0700

    Encode stuff that doesn't really need to be encoded

    to make checkmarx happy

commit c3f81b5
Author: drlippman <drlippman@yahoo.com>
Date:   Wed May 16 19:22:57 2018 -0700

    Remove local copy of MathJax

commit 05c79b9
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Fri Apr 27 11:34:52 2018 -0500

    fixes round 5 4-27-2018

commit d89e23a
Merge: ddfba0f 88926e3
Author: drlippman <drlippman@yahoo.com>
Date:   Mon Apr 30 17:27:22 2018 -0700

    Merge branch 'master' into EC.fixes1

    # Conflicts:
    #	course/gb-viewasid.php
    #	course/gradebook.php
    #	javascript/assessment_min.js

commit ddfba0f
Author: drlippman <drlippman@yahoo.com>
Date:   Tue Apr 24 17:18:42 2018 -0700

    fix the fixes round 4

commit 88d2f45
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Wed Apr 18 09:42:04 2018 -0500

    updating actions.php

commit 5ea43b7
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Wed Apr 18 08:47:06 2018 -0500

    add fix back in for gradebook

commit 9c38185
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Wed Apr 18 08:45:40 2018 -0500

    revert gradebook

commit 7afcfbc
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 17 15:28:45 2018 -0500

    EC fixes round 4 - 4/17/2018

commit fb139fa
Merge: 3572b81 da018b8
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 17 15:20:56 2018 -0500

    Merge branch 'EC.fixes1' of github.com:drlippman/IMathAS into fixes

commit 3572b81
Merge: e64cdcc 8f296ba
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 17 15:20:32 2018 -0500

    Merge branch 'master' of github.com:drlippman/IMathAS into fixes

commit da018b8
Merge: e3878fc 8f296ba
Author: drlippman <drlippman@yahoo.com>
Date:   Mon Apr 16 20:54:17 2018 -0700

    Merge branch 'master' into EC.fixes1

commit e3878fc
Author: drlippman <drlippman@yahoo.com>
Date:   Wed Apr 11 20:42:24 2018 -0700

    Fix the fixes round 3

commit e64cdcc
Merge: bda94b0 cd18db2
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Wed Apr 11 13:39:27 2018 -0500

    Merge branch 'EC.fixes1' of github.com:drlippman/IMathAS into fixes

commit cd18db2
Merge: 40a8d3f b2f6df0
Author: David Lippman <drlippman@gmail.com>
Date:   Wed Apr 11 11:21:15 2018 -0700

    Merge branch 'master' into EC.fixes1

commit bda94b0
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 10 09:45:38 2018 -0500

    EC updates round 3 4-10-2018

commit 85fb741
Merge: 40a8d3f b2f6df0
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 10 09:42:37 2018 -0500

    Merge branch 'master' of github.com:drlippman/IMathAS into fixes

commit 40a8d3f
Author: drlippman <drlippman@yahoo.com>
Date:   Tue Apr 3 21:16:22 2018 -0700

    fix the fixes round 2

commit b83b00e
Merge: 8afa2f8 8dae162
Author: drlippman <drlippman@yahoo.com>
Date:   Tue Apr 3 20:25:15 2018 -0700

    Merge branch 'fixes' of https://github.com/ejrasmussen1/IMathAS into EC.fixes1

commit 8dae162
Merge: 30d41b0 8afa2f8
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 3 15:58:54 2018 -0500

    merge fix

commit 8afa2f8
Merge: 582c439 7a6de0d
Author: drlippman <drlippman@yahoo.com>
Date:   Tue Apr 3 13:44:09 2018 -0700

    Merge branch 'EC.fixes1' of github.com:drlippman/IMathAS into EC.fixes1

commit 582c439
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Mar 23 12:06:40 2018 -0700

    Fix the fixes

commit c2fa84e
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Thu Mar 22 08:58:21 2018 -0500

    Adding updates into fixes branch

commit 30d41b0
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 3 13:59:04 2018 -0500

    EC fixes round 2 4/3/2018

commit 249c885
Merge: ef68f5b 87653db
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Tue Apr 3 13:55:22 2018 -0500

    merge fix

commit ef68f5b
Merge: e6ed757 8f2e1e0
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Thu Mar 29 10:03:20 2018 -0500

    Merge branch 'master' of github.com:drlippman/IMathAS into fixes

commit 7a6de0d
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Mar 23 12:06:40 2018 -0700

    Fix the fixes

commit 632a55c
Merge: eb9b40b e6ed757
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Mar 23 10:20:24 2018 -0700

    Merge branch 'fixes' of https://github.com/ejrasmussen1/IMathAS into EC.fixes1

commit e6ed757
Author: Eric Rasmussen <erasmussen@eaglecrk.com>
Date:   Thu Mar 22 08:58:21 2018 -0500

    Adding updates into fixes branch
drlippman committed Jul 3, 2018
1 parent 87304b4 commit 81b6d2b
Showing 1,307 changed files with 4,231 additions and 28,719 deletions.
4 changes: 2 additions & 2 deletions DEembedq.php
Expand Up @@ -115,13 +115,13 @@
$pts = getpts($after);

$params = array('action'=>'updatescore', 'id'=>$qsetid, 'score'=>$pts, 'redisplay'=>"$seed;$rawafter;{$lastanswers[0]}");

if (isset($_POST['auth'])) {
//DB $query = "SELECT password FROM imas_users WHERE SID='".$_POST['auth']."'";
//DB $result = mysql_query($query) or die("Query failed: $query: " . mysql_error());
//DB $row = mysql_fetch_row($result);
$stm = $DBH->prepare("SELECT password FROM imas_users WHERE SID=:SID");
$stm->execute(array(':SID'=>$_POST['auth']));
$stm->execute(array(':SID'=>Sanitize::stripHtmlTags($_POST['auth'])));
$row = $stm->fetch(PDO::FETCH_NUM);
$sig = $row[0];
} else {
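Review bot: the new `Sanitize::stripHtmlTags()` wrapper on `$_POST['auth']` adds nothing here, because the value is already bound through `$stm->prepare(...)`/`execute()`, and it can alter a SID that legitimately contains `<` or `>` so the lookup silently misses; the check this hunk still lacks is for an empty result: `$row = $stm->fetch(PDO::FETCH_NUM);` returns `false` when no user matches, so `$sig = $row[0];` then yields null. Bail out (or treat the request as unauthenticated) when `$row === false` before using `$sig`.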
6 changes: 3 additions & 3 deletions OEAembedq.php
Expand Up @@ -40,7 +40,7 @@
setcookie("OEAembeduserprefs", json_encode(array(
'graphdisp'=>$sessiondata['userprefs']['graphdisp'],
'drawentry'=>$sessiondata['userprefs']['drawentry']
)));
)),0,'','',false,true);
}
foreach(array('graphdisp','mathdisp','useed') as $key) {
$sessiondata[$key] = $sessiondata['userprefs'][$key];
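Review bot: the replacement `setcookie(...)` call ending in `)),0,'','',false,true);` hard-codes `secure` to `false` while adding `httponly`; if the embed is served over HTTPS, pass `true` (or derive it from the request scheme) so the prefs cookie is not sent in clear. A short comment naming the six positional arguments would also help, since `0,'','',false,true` is hard to read.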
Expand Down Expand Up @@ -170,7 +170,7 @@ function sendresizemsg() {
//DB $result = mysql_query($query) or die("Query failed: $query: " . mysql_error());
//DB $row = mysql_fetch_row($result);
$stm = $DBH->prepare("SELECT password FROM imas_users WHERE SID=:SID");
$stm->execute(array(':SID'=>$_POST['auth']));
$stm->execute(array(':SID'=>Sanitize::stripHtmlTags($_POST['auth'])));
$row = $stm->fetch(PDO::FETCH_NUM);
$key = $row[0];
$jwtcheck = json_decode(json_encode(JWT::decode($_POST['jwtchk'], $key)), true);
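Review bot: `$key = $row[0];` feeds `JWT::decode($_POST['jwtchk'], $key)` even when the SID lookup returned no row, in which case `$row` is `false` and `$key` is null, so the token is verified against an empty key; reject the request before `JWT::decode()` when `$row === false`. The `stripHtmlTags()` wrapper on the bound `:SID` parameter is harmless but is not what makes the query safe; the prepared statement is.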
Expand Down Expand Up @@ -289,7 +289,7 @@ function sendresizemsg() {
//DB $result = mysql_query($query) or die("Query failed: $query: " . mysql_error());
//DB $row = mysql_fetch_row($result);
$stm = $DBH->prepare("SELECT password FROM imas_users WHERE SID=:SID");
$stm->execute(array(':SID'=>$QS['auth']));
$stm->execute(array(':SID'=>Sanitize::stripHtmlTags($QS['auth'])));
$key = $stm->fetchColumn(0);

echo '<input type="hidden" name="jwtchk" value="'.JWT::encode($verarr,$key).'"/>';
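Review bot: same gap on the signing side: `$key = $stm->fetchColumn(0);` returns `false` when no user matches `$QS['auth']`, and the next line signs with it: `JWT::encode($verarr,$key)`. Check `$key !== false` (and non-empty) before emitting the `jwtchk` hidden field, otherwise a token signed with an empty key is handed out.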
15 changes: 8 additions & 7 deletions actions.php
Expand Up @@ -37,6 +37,7 @@
$_POST['email'] = Sanitize::emailAddress(trim($_POST['email']));
$_POST['firstname'] = Sanitize::stripHtmlTags(trim($_POST['firstname']));
$_POST['lastname'] = Sanitize::stripHtmlTags(trim($_POST['lastname']));
$_POST['courseid'] = Sanitize::courseId(trim($_POST['courseid']));

$error .= checkNewUserValidation();

Expand Down Expand Up @@ -69,7 +70,7 @@
$homelayout = '|0,1,2||0,1';
}
if (isset($_POST['courseselect']) && $_POST['courseselect']>0) {
$_POST['courseid'] = $_POST['courseselect'];
$_POST['courseid'] = Sanitize::courseId(trim($_POST['courseselect']));
$_POST['ekey'] = '';
}
if (!isset($_GET['confirmed'])) {
Expand Down Expand Up @@ -229,7 +230,7 @@

$query = "UPDATE imas_users SET rights=10 WHERE id=:id AND rights=0";
$stm = $DBH->prepare($query);
$stm->execute(array(':id'=>$_GET['id']));
$stm->execute(array(':id'=>Sanitize::onlyInt($_GET['id'])));

if ($stm->rowCount()>0) {
require("header.php");
Expand Down Expand Up @@ -294,7 +295,7 @@
echo "Invalid Username. <a href=\"index.php$gb\">Try again</a>";
exit;
}
header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php");
header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php?r=" . Sanitize::randomQueryStringParam());
} else if (isset($_POST['pw1'])) {
if ($_POST['pw1']!=$_POST['pw2']) {
echo 'Passwords do not match. <a href="forms.php?action=resetpw&code='.Sanitize::encodeUrlParam($_POST['code'])
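Review bot: the `?r=` / `&r=` parameter built from `Sanitize::randomQueryStringParam()` is appended to every redirect in this patch without a comment saying why; the squashed commit log above only says the changes were made "to make checkmarx happy". Add a one-line comment at the first use (or wrap the redirect in a helper) so a later maintainer does not mistake the random value for a functional parameter or strip it.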
Expand Down Expand Up @@ -334,7 +335,7 @@
exit;
} else if (isset($_GET['code'])) {
//moved to forms.php - keep redirect for to keep old links working for now.
header('Location: ' . $GLOBALS['basesiteurl'] . '/action=resetpw&id='.Sanitize::onlyInt($_GET['id']).'&code='.Sanitize::encodeUrlParam($code));
header('Location: ' . $GLOBALS['basesiteurl'] . '/action=resetpw&id='.Sanitize::onlyInt($_GET['id']).'&code='.Sanitize::encodeUrlParam($code) . "&r=" . Sanitize::randomQueryStringParam());
}
} else if ($_GET['action']=="lookupusername") {
require_once("init_without_validate.php");
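Review bot: the redirect target in this hunk is missing the script name: `'/action=resetpw&id='...` resolves to `basesiteurl/action=resetpw&id=...`, not `forms.php?action=resetpw&...`, so the "keep old links working" comment above it is not honoured (compare the working link earlier in this file: `forms.php?action=resetpw&code=`). The hunk only appends `&r=`; fix the base path while touching the line, and tidy the comment text "keep redirect for to keep old links working".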
Expand Down Expand Up @@ -411,7 +412,7 @@
$stm->execute(array($sessionid));
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
setcookie(session_name(), '', time()-42000, '/', null, false, true);
}
session_destroy();
} else if ($_GET['action']=="chgpwd" || $_GET['action']=="forcechgpwd") {
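Review bot: the expiring `setcookie(session_name(), '', time()-42000, '/', null, false, true);` needs the same `path`/`domain`/`secure` attributes the session cookie was issued with, otherwise the browser treats it as a different cookie and the real one survives logout; take them from `session_get_cookie_params()` rather than hard-coding `'/'`, `null` and `false`. Note also that `admin/actions.php` in this same patch passes `''` for the domain where this passes `null`; pick one.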
Expand Down Expand Up @@ -570,7 +571,7 @@
}
} else if ($_POST['action']=="unenroll") {
if ($myrights < 6) {
echo "<html><body>\nError: Guests can't unenroll from courses</body></html";
echo "<html><body>\nError: Guests can't unenroll from courses</body></html>";
exit;
}
if (!isset($_GET['cid'])) {
Expand Down Expand Up @@ -790,7 +791,7 @@
if ($isgb) {
echo '<html><body>Changes Recorded. <input type="button" onclick="parent.GB_hide()" value="Done" /></body></html>';
} else {
header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php");
header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php?r=" . Sanitize::randomQueryStringParam());
}


3 changes: 2 additions & 1 deletion admin/actions.php
Expand Up @@ -389,7 +389,8 @@
$stm->execute(array(':sessionid'=>$sessionid));
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
setcookie(session_name(), '', time()-42000, '/', '',false ,true );

}
session_destroy();
break;
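Review bot: style in the replacement line `setcookie(session_name(), '', time()-42000, '/', '',false ,true );`: the spacing around the last two arguments is inconsistent, and the hunk adds a stray blank line inside the `if` block; clean both up. Functionally it has the same issue as the copy in `actions.php`: mirror the attributes from `session_get_cookie_params()` so the deletion cookie matches the one set at login.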
13 changes: 7 additions & 6 deletions admin/addremoveteachers.php
Expand Up @@ -37,7 +37,8 @@ function getTeachers($cid) {
if ($row['name']==null) {
$row['name'] = _('Default');
}
$out[] = array("id"=>$row['id'], "name"=>$row['LastName'].', '.$row['FirstName'].' ('.$row['name'].')');
$userdisplayname = $row['LastName'].', '.$row['FirstName'].' ('.$row['name'].')';
$out[] = array("id"=>Sanitize::onlyInt($row['id']), "name"=>Sanitize::encodeStringForDisplay($userdisplayname));
}
return $out;
}
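Review bot: `Sanitize::encodeStringForDisplay($userdisplayname)` inside a structure that is then emitted with `json_encode(..., JSON_HEX_TAG)` encodes the name twice for a client that inserts it as text (a `&` in a name renders as `&amp;`); choose one layer: either return raw strings and let the client escape on insertion, or HTML-encode here and drop the JSON flag. Also `Sanitize::onlyInt($row['id'])` on a value read back from the database's own `id` column is redundant.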
Expand All @@ -50,7 +51,7 @@ function getTeachers($cid) {
$toremove[] = $cid;
$stm->execute($toremove);

echo json_encode(getTeachers($cid));
echo json_encode(getTeachers($cid), JSON_HEX_TAG);
exit;
} else if (isset($_POST['add'])) {
$stm = $DBH->prepare("SELECT userid FROM imas_teachers WHERE courseid=?");
Expand All @@ -66,7 +67,7 @@ function getTeachers($cid) {
$stm = $DBH->prepare("INSERT INTO imas_teachers (userid,courseid) VALUES $ph");
$stm->execute($exarr);

echo json_encode(getTeachers($cid));
echo json_encode(getTeachers($cid), JSON_HEX_TAG);
exit;
} else if (isset($_POST['loadgroup'])) {
$stm = $DBH->prepare("SELECT userid FROM imas_teachers WHERE courseid=?");
Expand All @@ -82,21 +83,21 @@ function getTeachers($cid) {
if ($row['rights']==76 || $row['rights']==77) {continue;}
$out[] = array("id"=>$row['id'], "name"=>$row['LastName'].', '.$row['FirstName']);
}
echo json_encode($out);
echo json_encode($out, JSON_HEX_TAG);
exit;
} else if (isset($_POST['search'])) {
$stm = $DBH->prepare("SELECT userid FROM imas_teachers WHERE courseid=?");
$stm->execute(array($cid));
$existing = $stm->fetchAll(PDO::FETCH_COLUMN, 0);

require("../includes/userutils.php");
$possible_teachers = searchForUser($_POST['search'], true, true);
$possible_teachers = searchForUser(Sanitize::stripHtmlTags($_POST['search']), true, true);
$out = array();
foreach ($possible_teachers as $row) {
if (in_array($row['id'], $existing)) { continue; }
$out[] = array("id"=>$row['id'], "name"=>$row['LastName'].', '.$row['FirstName'].' ('.$row['name'].')');
}
echo json_encode($out);
echo json_encode($out, JSON_HEX_TAG);
exit;
}
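Review bot: inconsistent with `getTeachers()` above: here `$out[] = array("id"=>$row['id'], "name"=>$row['LastName'].', '.$row['FirstName'].' ('.$row['name'].')');` leaves the name raw while `getTeachers()` now HTML-encodes it, so the same client-side list receives a mix of encoded and unencoded strings depending on which action produced it; make this branch and the `loadgroup` branch return the same shape as `getTeachers()`.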

4 changes: 2 additions & 2 deletions admin/admin.php
Expand Up @@ -19,7 +19,7 @@
if ($myrights>=75) {
if (isset($_GET['showcourses'])) {
$showcourses = Sanitize::onlyInt($_GET['showcourses']);
setcookie('showcourses', $showcourses);
setcookie('showcourses', $showcourses,0,'','',false,true);
} else if (isset($_COOKIE['showcourses'])) {
$showcourses = $_COOKIE['showcourses'];
} else {
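Review bot: in the `else if (isset($_COOKIE['showcourses']))` branch the cookie value is assigned raw (`$showcourses = $_COOKIE['showcourses'];`) while the parallel `showusers` branch in the next hunk uses `Sanitize::onlyInt($_COOKIE['showusers'])`; apply `onlyInt()` here too, since a cookie is client-controlled just like the `$_GET` value the hunk already sanitises.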
Expand All @@ -31,7 +31,7 @@
if ($myrights==100) {
if (isset($_GET['showusers'])) {
$showusers = Sanitize::onlyInt($_GET['showusers']);
setcookie('showusers', $showusers);
setcookie('showusers', $showusers, 0,'','',false,true);
} else if (isset($_COOKIE['showusers'])) {
$showusers = Sanitize::onlyInt($_COOKIE['showusers']);
} else {
7 changes: 4 additions & 3 deletions admin/admin2.php
Expand Up @@ -71,7 +71,7 @@ function getRoleNameByRights($rights) {

//only one match - redirect to user details page
if (count($possible_users)==1) {
header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/userdetails.php?id=".Sanitize::encodeUrlParam($possible_users[0]['id']));
header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/userdetails.php?id=".Sanitize::encodeUrlParam($possible_users[0]['id']). "&r=" .Sanitize::randomQueryStringParam());
exit;
}

Expand All @@ -80,7 +80,8 @@ function getRoleNameByRights($rights) {

} else if (!empty($_GET['findgroup'])) {
$hasp1 = false;
$words = preg_split('/\s+/', trim(preg_replace('/[^\w\s]/','',$_GET['findgroup'])));
$findGroup = Sanitize::stripHtmlTags($_GET['findgroup']);
$words = preg_split('/\s+/', trim(preg_replace('/[^\w\s]/','',$findGroup)));
$likearr = array();
foreach ($words as $v) {
$likearr[] = '%'.$v.'%';
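Review bot: `Sanitize::stripHtmlTags()` on `$findGroup` is redundant given the `preg_replace('/[^\w\s]/','',...)` that follows, which already drops `<` and `>`; the more useful change would be to escape `_` (which `\w` keeps) before building `'%'.$v.'%'`, because the `%...%` patterns collected in `$likearr` imply a LIKE query, where an underscore in the search term acts as a single-character wildcard and yields broader matches than the user asked for.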
Expand All @@ -101,7 +102,7 @@ function getRoleNameByRights($rights) {
}
//only one match - redirect to user details page
if (count($possible_groups)==1) {
header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/admin2.php?groupdetails=".Sanitize::encodeUrlParam($possible_groups[0]['id']));
header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/admin2.php?groupdetails=".Sanitize::encodeUrlParam($possible_groups[0]['id']). "&r=" .Sanitize::randomQueryStringParam());
exit;
}
//sort by priority
20 changes: 10 additions & 10 deletions admin/approvepending.php
Expand Up @@ -9,23 +9,23 @@
} else {
$offset = 0;
}

$uid = Sanitize::onlyInt($_POST['id']);
if (isset($_GET['go'])) {
if (isset($_POST['skip'])) {
$offset++;
} else if (isset($_POST['deny'])) {
//DB $query = "UPDATE imas_users SET rights=10 WHERE id='{$_POST['id']}'";
//DB mysql_query($query) or die("Query failed : " . mysql_error());
$stm = $DBH->prepare("UPDATE imas_users SET rights=10 WHERE id=:id");
$stm->execute(array(':id'=>$_POST['id']));
$stm->execute(array(':id'=>$uid));
if (isset($CFG['GEN']['enrollonnewinstructor'])) {
require("../includes/unenroll.php");
foreach ($CFG['GEN']['enrollonnewinstructor'] as $rcid) {
unenrollstu($rcid, array(intval($_POST['id'])));
unenrollstu($rcid, array($uid));
}
}
$stm = $DBH->prepare("UPDATE imas_instr_acct_reqs SET status=10 WHERE userid=:id");
$stm->execute(array(':id'=>$_POST['id']));
$stm->execute(array(':id'=>$uid));
} else if (isset($_POST['approve'])) {
if ($_POST['group']>-1) {
$group = intval($_POST['group']);
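Review bot: `$uid = Sanitize::onlyInt($_POST['id']);` now runs on every request, including the plain GET that renders the page before `isset($_GET['go'])` is true, so it raises an undefined-index notice whenever `id` was not posted; move it inside the `if (isset($_GET['go']))` block or guard it with `isset()`. Replacing `intval($_POST['id'])` with the shared `$uid` in the `unenrollstu()` call is a good consolidation.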
Expand All @@ -42,16 +42,16 @@
//DB $query = "UPDATE imas_users SET rights=40,groupid=$group WHERE id='{$_POST['id']}'";
//DB mysql_query($query) or die("Query failed : " . mysql_error());
$stm = $DBH->prepare("UPDATE imas_users SET rights=40,groupid=:groupid WHERE id=:id");
$stm->execute(array(':groupid'=>$group, ':id'=>$_POST['id']));
$stm->execute(array(':groupid'=>$group, ':id'=>$uid));

$stm = $DBH->prepare("UPDATE imas_instr_acct_reqs SET status=11 WHERE userid=:id");
$stm->execute(array(':id'=>$_POST['id']));
$stm->execute(array(':id'=>$uid));

//DB $query = "SELECT FirstName,SID,email FROM imas_users WHERE id='{$_POST['id']}'";
//DB $result = mysql_query($query) or die("Query failed : " . mysql_error());
//DB $row = mysql_fetch_row($result);
$stm = $DBH->prepare("SELECT FirstName,SID,email FROM imas_users WHERE id=:id");
$stm->execute(array(':id'=>$_POST['id']));
$stm->execute(array(':id'=>$uid));
$row = $stm->fetch(PDO::FETCH_NUM);

$headers = 'MIME-Version: 1.0' . "\r\n";
Expand All @@ -66,7 +66,7 @@
mail($row[2],$installname . ' Account Approval',$message,$headers);
}
}
header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/approvepending.php?skipn=$offset");
header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/approvepending.php?skipn=$offset&r=".Sanitize::randomQueryStringParam());
exit;
}

Expand Down Expand Up @@ -101,7 +101,7 @@
echo '<input type="hidden" name="email" value="' . Sanitize::encodeStringForDisplay($row[4]) . '"/>';
echo '<input type="hidden" name="id" value="' . Sanitize::encodeStringForDisplay($row[0]) . '"/>';
echo '<p>Username: ' . Sanitize::encodeStringForDisplay($row[1]) . '<br/>Name: ' . Sanitize::encodeStringForDisplay($row[2]) . ', ' . Sanitize::encodeStringForDisplay($row[3]) . ' (' . Sanitize::encodeStringForDisplay($row[4]) . ')</p>';
echo '<p>Request made: '.$reqdate.'</p>';
echo '<p>Request made: '.Sanitize::encodeStringForDisplay($reqdate).'</p>';
$school = '';
if ($details != '') {
$cleanDetails = sanitizeNewInstructorRequestLog($details);
Expand Down Expand Up @@ -235,7 +235,7 @@ function sanitizeNewInstructorRequestLog($logtext) {
if (!empty($verificationUrl)) {
if (!empty($sanitizedLogText)) $sanitizedLogText .= "<br/>";
//$verificationUrl is html so dont sanitize
$sanitizedLogText .= "VerificationURL: " . $verificationUrl;
$sanitizedLogText .= "VerificationURL: " . Sanitize::outgoingHtml($verificationUrl);
}
if (!empty($phone)) {
if (!empty($sanitizedLogText)) $sanitizedLogText .= "<br/>";
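Review bot: the comment `//$verificationUrl is html so dont sanitize` is now contradicted by the line it describes, `Sanitize::outgoingHtml($verificationUrl)`; update or remove the comment, and confirm that `outgoingHtml()` preserves whatever markup the verification URL is expected to carry, otherwise the link will render as plain text.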
37 changes: 20 additions & 17 deletions admin/approvepending2.php
Expand Up @@ -4,53 +4,56 @@

if ($myrights<100 && ($myspecialrights&64)!=64) {exit;}

$newStatus = Sanitize::onlyInt($_POST['newstatus']);
$instId = Sanitize::onlyInt($_POST['userid']);
//handle ajax postback
if (isset($_POST['newstatus'])) {
if (!empty($newStatus)) {
$stm = $DBH->prepare("SELECT reqdata FROM imas_instr_acct_reqs WHERE userid=?");
$stm->execute(array($_POST['userid']));
$stm->execute(array($instId));
$reqdata = json_decode($stm->fetchColumn(0), true);

if (!isset($reqdata['actions'])) {
$reqdata['actions'] = array();
}
$reqdata['actions'][] = array(
'by'=>$userid,
'on'=>time(),
'status'=>$_POST['newstatus']);
'status'=>$newStatus);

$stm = $DBH->prepare("UPDATE imas_instr_acct_reqs SET status=?,reqdata=? WHERE userid=?");
$stm->execute(array($_POST['newstatus'], json_encode($reqdata), $_POST['userid']));
$stm->execute(array($newStatus, json_encode($reqdata), $instId));

if ($_POST['newstatus']==10) { //deny
if ($newStatus==10) { //deny
$stm = $DBH->prepare("UPDATE imas_users SET rights=10 WHERE id=:id");
$stm->execute(array(':id'=>$_POST['userid']));
$stm->execute(array(':id'=>$instId));
if (isset($CFG['GEN']['enrollonnewinstructor'])) {
require("../includes/unenroll.php");
foreach ($CFG['GEN']['enrollonnewinstructor'] as $rcid) {
unenrollstu($rcid, array(intval($_POST['userid'])));
unenrollstu($rcid, array(intval($instId)));
}
}
} else if ($_POST['newstatus']==11) { //approve
} else if ($newStatus==11) { //approve
if ($_POST['group']>-1) {
$group = intval($_POST['group']);
$group = Sanitize::onlyInt($_POST['group']);
} else if (trim($_POST['newgroup'])!='') {
$newGroupName = Sanitize::stripHtmlTags(trim($_POST['newgroup']));
$stm = $DBH->prepare("SELECT id FROM imas_groups WHERE name REGEXP ?");
$stm->execute(array('^[[:space:]]*'.str_replace('.','[.]',preg_replace('/\s+/', '[[:space:]]+', trim($_POST['newgroup']))).'[[:space:]]*$'));
$stm->execute(array('^[[:space:]]*'.str_replace('.','[.]',preg_replace('/\s+/', '[[:space:]]+', $newGroupName)).'[[:space:]]*$'));
$group = $stm->fetchColumn(0);
if ($group === false) {
$stm = $DBH->prepare("INSERT INTO imas_groups (name) VALUES (:name)");
$stm->execute(array(':name'=>$_POST['newgroup']));
$stm->execute(array(':name'=>$newGroupName));
$group = $DBH->lastInsertId();
}
} else {
$group = 0;
}

$stm = $DBH->prepare("UPDATE imas_users SET rights=40,groupid=:groupid WHERE id=:id");
$stm->execute(array(':groupid'=>$group, ':id'=>$_POST['userid']));
$stm->execute(array(':groupid'=>$group, ':id'=>$instId));

$stm = $DBH->prepare("SELECT FirstName,SID,email FROM imas_users WHERE id=:id");
$stm->execute(array(':id'=>$_POST['userid']));
$stm->execute(array(':id'=>$instId));
$row = $stm->fetch(PDO::FETCH_NUM);

$headers = 'MIME-Version: 1.0' . "\r\n";
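Review bot: `if (!empty($newStatus))` is not equivalent to the `isset($_POST['newstatus'])` it replaces: a posted status of `0` is now silently ignored, and `$newStatus`/`$instId` are computed from `$_POST` on every request, so the non-ajax page load triggers undefined-index notices. Keep the `isset()` test for the postback and compute the integers inside it. Minor: `intval($instId)` in the `unenrollstu()` call is redundant after `onlyInt()`.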
Expand Down Expand Up @@ -240,7 +243,7 @@ function getGroups() {
</div>

<script type="text/javascript">
var groups = <?php echo json_encode(getGroups()); ?>;
var groups = <?php echo json_encode(getGroups(), JSON_HEX_TAG); ?>;
function normalizeGroupName(grpname) {
grpname = grpname.toLowerCase();
grpname = grpname.replace(/\b(sd|cc|su|of|hs|hsd|usd|isd|school|unified|public|county|district|college|community|university|univ|state|\.edu|www\.|a|the)\b/g, "");
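Review bot: `JSON_HEX_TAG` on `var groups = <?php echo json_encode(getGroups(), JSON_HEX_TAG); ?>;` is the right fix for data inlined in a `<script>` block, since it stops a `</script>` inside a group name from closing the element; for the same reason add `JSON_HEX_AMP`, `JSON_HEX_APOS` and `JSON_HEX_QUOT` so the output stays safe regardless of how the surrounding markup quotes values. The same applies to the `toApprove`/`fieldTitles` lines in the following hunk.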
Expand Down Expand Up @@ -269,8 +272,8 @@ function normalizeGroupName(grpname) {
el: '#app',
data: {
groups: groups,
toApprove: <?php echo json_encode(getReqData()); ?>,
fieldTitles: <?php echo json_encode($reqFields);?>,
toApprove: <?php echo json_encode(getReqData(), JSON_HEX_TAG); ?>,
fieldTitles: <?php echo json_encode($reqFields, JSON_HEX_TAG);?>,
activeUser: -1,
activeUserStatus: -1,
activeUserIndex: -1,
2 changes: 1 addition & 1 deletion admin/calendarfeed.php
Expand Up @@ -10,7 +10,7 @@
}
//check token. It was signed with user's password, so runs with their authority
try {
$JWTsess = JWT::decode($_REQUEST['t']);
$JWTsess = JWT::decode(Sanitize::stripHtmlTags($_REQUEST['t']));
} catch (Exception $e) {
echo "Error:", $e->getMessage();
exit;
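Review bot: `echo "Error:", $e->getMessage();` returns the raw exception text from `JWT::decode()` to the caller, which discloses why token validation failed; log the message server-side and emit a generic error instead. `Sanitize::stripHtmlTags()` on the token is harmless but does nothing for a base64url-encoded JWT; the actual validation is done by `JWT::decode()` itself.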