From b97aac7c4b5dcb38a67c11d85869a433ed7c2d3f Mon Sep 17 00:00:00 2001
From: bison-paolo <bison.paolo@gmail.com>
Date: Thu, 24 Nov 2016 17:04:46 +0100
Subject: [PATCH] Fixed XSS issues

---
 cis/menu.php                           | 6 ++++--
 cis/private/lehre/lesson.php           | 3 ++-
 cis/private/lvplan/stpl_week.php       | 5 +++--
 cis/private/tools/suche.php            | 5 ++++-
 cis/private/tools/zeitaufzeichnung.php | 3 ++-
 include/functions.inc.php              | 5 +++--
 6 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/cis/menu.php b/cis/menu.php
index 089271e44..09859c413 100644
--- a/cis/menu.php
+++ b/cis/menu.php
@@ -103,12 +103,14 @@ ob_start();
 
 		if(isset($_GET['content_id']) && $_GET['content_id'] != '')
 		{
-			$content_id = $_GET['content_id'];
+			// Uses urlencode to avoid XSS issues
+			$content_id = urlencode($_GET['content_id']);
 		}
 		else
 		{
 			$content_id = CIS_MENU_ENTRY_CONTENT;
-		} ?>
+		}
+	?>
 
 		<ul id="menu">
 			<?php if($content_id != CIS_MENU_ENTRY_CONTENT): ?>
diff --git a/cis/private/lehre/lesson.php b/cis/private/lehre/lesson.php
index b499fef1a..91fdb2293 100755
--- a/cis/private/lehre/lesson.php
+++ b/cis/private/lehre/lesson.php
@@ -64,7 +64,8 @@ $lv_obj->load($lvid);
 $lv=$lv_obj;
 
 if(isset($_GET['studiensemester_kurzbz']))
-	$studiensemester_kurzbz=$_GET['studiensemester_kurzbz'];
+	// Uses urlencode to avoid XSS issues
+	$studiensemester_kurzbz = urlencode($_GET['studiensemester_kurzbz']);
 else
 	$studiensemester_kurzbz='';
 
diff --git a/cis/private/lvplan/stpl_week.php b/cis/private/lvplan/stpl_week.php
index 478d08eab..2a36bae4a 100644
--- a/cis/private/lvplan/stpl_week.php
+++ b/cis/private/lvplan/stpl_week.php
@@ -55,10 +55,11 @@ if (isset($_GET['datum']))
 if (isset($_POST['datum']))
 	$datum=$_POST['datum'];
 
+// Uses urlencode to avoid XSS issues
 if (isset($_GET['ort_kurzbz']))
-	$ort_kurzbz=$_GET['ort_kurzbz'];
+	$ort_kurzbz = urlencode($_GET['ort_kurzbz']);
 else if (isset($_POST['ort_kurzbz']))
-	$ort_kurzbz=$_POST['ort_kurzbz'];
+	$ort_kurzbz = urlencode($_POST['ort_kurzbz']);
 else
 	$ort_kurzbz=null;
 
diff --git a/cis/private/tools/suche.php b/cis/private/tools/suche.php
index a12206a29..62074cfbd 100755
--- a/cis/private/tools/suche.php
+++ b/cis/private/tools/suche.php
@@ -61,7 +61,10 @@ echo '<h1>',$p->t('tools/suche'),'</h1>';
 
 $search = (isset($_REQUEST['search'])?$_REQUEST['search']:'');
 
-echo '<form action="',$_SERVER['PHP_SELF'],'" name="searchform" method="GET">
+// Uses htmlspecialchars to avoid XSS issues
+$self = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");
+
+echo '<form action="',$self,'" name="searchform" method="GET">
 	<input type="search" placeholder="'.$p->t('tools/suchbegriff').' ..." size="40" name="search" value="',$db->convert_html_chars($search),'" />
 	<img src="../../../skin/images/search.png" onclick="document.searchform.submit()" height="15px" class="suchicon"/>
 	</form><br>';
diff --git a/cis/private/tools/zeitaufzeichnung.php b/cis/private/tools/zeitaufzeichnung.php
index b093f8ea8..8ca3c9304 100755
--- a/cis/private/tools/zeitaufzeichnung.php
+++ b/cis/private/tools/zeitaufzeichnung.php
@@ -86,7 +86,8 @@ $activities_str = "'".implode("','", $activities)."'";
 $gesperrt_bis = '2015-08-31';
 $sperrdatum = date('c', strtotime($gesperrt_bis));
 
-$zeitaufzeichnung_id = (isset($_GET['zeitaufzeichnung_id'])?$_GET['zeitaufzeichnung_id']:'');
+// Uses urlencode to avoid XSS issues
+$zeitaufzeichnung_id = urlencode(isset($_GET['zeitaufzeichnung_id'])?$_GET['zeitaufzeichnung_id']:'');
 $projekt_kurzbz = (isset($_POST['projekt'])?$_POST['projekt']:'');
 $oe_kurzbz_1 = (isset($_POST['oe_kurzbz_1'])?$_POST['oe_kurzbz_1']:'');
 $oe_kurzbz_2 = (isset($_POST['oe_kurzbz_2'])?$_POST['oe_kurzbz_2']:'');
diff --git a/include/functions.inc.php b/include/functions.inc.php
index fe9d3ee92..fa98a8ece 100755
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -784,11 +784,12 @@ function getSprache()
 	{
 		if(isset($_COOKIE['sprache']))
 		{
-			$sprache=$_COOKIE['sprache'];
+			// Uses urlencode to avoid XSS issues
+			$sprache = urlencode($_COOKIE['sprache']);
 		}
 		else
 		{
-			$sprache=DEFAULT_LANGUAGE;
+			$sprache = DEFAULT_LANGUAGE;
 		}
 		setSprache($sprache);
 	}