From c5ab15ca64a3d3c10e581cc60d8c45c6c09e94f4 Mon Sep 17 00:00:00 2001
From: FrancescoUK
Date: Sun, 14 Feb 2016 13:05:42 +0000
Subject: [PATCH] Revert post TRUE change for XSS filtering (#116)

---
 application/controllers/Items.php | 31 ++++++++++++++++---------------
 application/controllers/Sales.php | 25 ++++++++++++++-----------
 2 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/application/controllers/Items.php b/application/controllers/Items.php
index 6f328175d..a3ee6bc85 100644
--- a/application/controllers/Items.php
+++ b/application/controllers/Items.php
@@ -21,13 +21,13 @@ class Items extends Secure_area implements iData_controller
 $items = $this->Item->get_all($stock_location, $lines_per_page, $limit_from);
 $data['links'] = $this->_initialize_pagination($this->Item, $lines_per_page, $limit_from);
- // assume year 2010 as starting date for OSPOS
+ // set 01/01/2010 as starting date for OSPOS
 $start_of_time = date($this->config->item('dateformat'), mktime(0,0,0,1,1,2010));
 $today = date($this->config->item('dateformat'));
- $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date', TRUE) : $start_of_time;
+ $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date') : $start_of_time;
 $start_date_formatter = date_create_from_format($this->config->item('dateformat'), $start_date);
- $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date', TRUE) : $today;
+ $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date') : $today;
 $end_date_formatter = date_create_from_format($this->config->item('dateformat'), $end_date);
 $data['start_date'] = $start_date_formatter->format($this->config->item('dateformat'));
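Review bot: A `start_date` or `end_date` value that does not match the configured `dateformat` makes `date_create_from_format()` return FALSE, and the unchanged `$data['start_date'] = $start_date_formatter->format(...)` line at the end of this hunk then calls a method on FALSE, so the request dies with a fatal error instead of falling back to `$start_of_time`; the removed xss_clean flag never validated the format, so this is independent of the revert. A fallback keeps the existing behaviour for well-formed input: `$start_date_formatter = date_create_from_format($this->config->item('dateformat'), $start_date) ?: date_create_from_format($this->config->item('dateformat'), $start_of_time);`, and likewise for `$end_date_formatter` with `$today`. Because `$data['start_date']` is rebuilt from the DateTime object rather than from the raw post value, the view receives a format-constrained string, which is the right place for that guarantee once the FALSE case is handled. The same unchecked pattern appears in `Items::search()` in the next hunk, in both Sales hunks at @@ -33 and @@ -92, and in `Sales::save()` at @@ -670, where `date` has no default and a FALSE result should be rejected before `$sale_data` is built. The enclosing method starts before this hunk.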
@@ -53,35 +53,36 @@ class Items extends Secure_area implements iData_controller
 */
 function search()
 {
- $search = $this->input->post('search', TRUE);
- $this->item_lib->set_item_location($this->input->post('stock_location', TRUE));
- $limit_from = $this->input->post('limit_from', TRUE);
+ $search = $this->input->post('search');
+ $this->item_lib->set_item_location($this->input->post('stock_location'));
+ $limit_from = $this->input->post('limit_from');
 $lines_per_page = $this->Appconfig->get('lines_per_page');
- // assume year 2010 as starting date for OSPOS
+ // set 01/01/2010 as starting date for OSPOS
 $start_of_time = date($this->config->item('dateformat'), mktime(0,0,0,1,1,2010));
 $today = date($this->config->item('dateformat'));
- $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date', TRUE) : $start_of_time;
+ $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date') : $start_of_time;
 $start_date_formatter = date_create_from_format($this->config->item('dateformat'), $start_date);
- $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date', TRUE) : $today;
+ $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date') : $today;
 $end_date_formatter = date_create_from_format($this->config->item('dateformat'), $end_date);
 $filters = array('start_date' => $start_date_formatter->format('Y-m-d'),
 'end_date' => $end_date_formatter->format('Y-m-d'),
 'stock_location_id' => $this->item_lib->get_item_location(),
- 'empty_upc' => $this->input->post('empty_upc', TRUE) != null,
- 'low_inventory' => $this->input->post('low_inventory', TRUE) != null,
- 'is_serialized' => $this->input->post('is_serialized', TRUE) != null,
- 'no_description' => $this->input->post('no_description', TRUE) != null,
- 'search_custom' => $this->input->post('search_custom', TRUE) != null,
- 'is_deleted' => $this->input->post('is_deleted', TRUE) != null);
+ 'empty_upc' => $this->input->post('empty_upc') != null,
+ 'low_inventory' => $this->input->post('low_inventory') != null,
+ 'is_serialized' => $this->input->post('is_serialized') != null,
+ 'no_description' => $this->input->post('no_description') != null,
+ 'search_custom' => $this->input->post('search_custom') != null,
+ 'is_deleted' => $this->input->post('is_deleted') != null);
 $items = $this->Item->search($search, $filters, $lines_per_page, $limit_from);
 $data_rows = get_items_manage_table_data_rows($items, $this);
 $total_rows = $this->Item->get_found_rows($search, $filters);
 $links = $this->_initialize_pagination($this->Item, $lines_per_page, $limit_from, $total_rows, 'search');
 $data_rows = get_items_manage_table_data_rows($items, $this);
+ // do not move this line to be after the json_encode otherwise the searhc function won't work!!
 $this->_remove_duplicate_cookies();
diff --git a/application/controllers/Sales.php b/application/controllers/Sales.php
index 5ee475acf..09f813bbd 100644
--- a/application/controllers/Sales.php
+++ b/application/controllers/Sales.php
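Review bot: In `Items::search()`, `$limit_from` is taken from the request as a raw string and handed to `$this->Item->search()` and `_initialize_pagination()` as a row offset; xss_clean never constrained it, so the revert is not the issue, but an explicit `$limit_from = (int) $this->input->post('limit_from');` pins it to the integer the pagination and any LIMIT clause expect (the model is not visible here). The same applies to `$limit_from` in the Sales search hunk at @@ -92 and to `$limit` in `Sales::suggest()` at @@ -151. `$data_rows = get_items_manage_table_data_rows($items, $this);` is computed twice in this hunk, once before `$total_rows` and again before the added comment, and the first result is overwritten without being read. The added comment also has a typo and does not say what breaks; `// must run before the response is echoed below, otherwise search won't work` reads better, and the same comment is added in Sales at @@ -123.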
@@ -33,9 +33,9 @@ class Sales extends Secure_area
 $today = date($this->config->item('dateformat'));
- $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date', TRUE) : $today;
+ $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date') : $today;
 $start_date_formatter = date_create_from_format($this->config->item('dateformat'), $start_date);
- $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date', TRUE) : $today;
+ $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date') : $today;
 $end_date_formatter = date_create_from_format($this->config->item('dateformat'), $end_date);
 $sale_type = 'all';
@@ -92,16 +92,17 @@ class Sales extends Secure_area
 {
 $this->Sale->create_sales_items_temp_table();
- $search = $this->input->post('search', TRUE);
- $only_invoices = $this->input->post('only_invoices', TRUE);
- $only_cash = $this->input->post('only_cash', TRUE);
- $limit_from = $this->input->post('limit_from', TRUE);
+ $search = $this->input->post('search');
+ $only_invoices = $this->input->post('only_invoices');
+ $only_cash = $this->input->post('only_cash');
+ $limit_from = $this->input->post('limit_from');
 $lines_per_page = $this->Appconfig->get('lines_per_page');
 $today = date($this->config->item('dateformat'));
- $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date', TRUE) : $today;
+
+ $start_date = $this->input->post('start_date') != null ? $this->input->post('start_date') : $today;
 $start_date_formatter = date_create_from_format($this->config->item('dateformat'), $start_date);
- $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date', TRUE) : $today;
+ $end_date = $this->input->post('end_date') != null ? $this->input->post('end_date') : $today;
 $end_date_formatter = date_create_from_format($this->config->item('dateformat'), $end_date);
 $is_valid_receipt = isset($search) ? $this->sale_lib->is_valid_receipt($search) : FALSE;
@@ -123,6 +124,8 @@ class Sales extends Secure_area
 $links = $this->_initialize_pagination($this->Sale, $lines_per_page, $limit_from, $total_rows, 'search', $only_invoices);
 $sale_rows = get_sales_manage_table_data_rows($sales, $this);
 $payment_summary = get_sales_manage_payments_summary($payments, $sales, $this);
+
+ // do not move this line to be after the json_encode otherwise the searhc function won't work!!
 $this->_remove_duplicate_cookies();
 echo json_encode(array('total_rows' => $total_rows, 'rows' => $sale_rows, 'pagination' => $links, 'payment_summary' => $payment_summary));
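Review bot: The added empty line between `$today` and `$start_date` in this hunk is a stray edit: the same two statements stay adjacent in the @@ -33 hunk of this file and in both Items.php hunks, so the blank line is inconsistent with the rest of the revert and should be dropped. The `isset($search)` test on the last context line only distinguishes a missing `search` key if `post()` returns NULL for absent keys (CodeIgniter 3 does; older versions return FALSE, for which `isset()` is true), and it still calls `is_valid_receipt('')` for an empty submission; `$search !== null && $search !== ''` would cover both, hedged because neither the framework version nor `is_valid_receipt()` is visible here. The enclosing method starts before this hunk.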
@@ -151,8 +154,8 @@ class Sales extends Secure_area
 function suggest()
 {
- $search = $this->input->post('q', TRUE);
- $limit = $this->input->post('limit', TRUE);
+ $search = $this->input->post('q');
+ $limit = $this->input->post('limit');
 $suggestions = $this->Sale->get_search_suggestions($search, $limit);
 echo implode("\n",$suggestions);
@@ -670,7 +673,7 @@ class Sales extends Secure_area
 function save($sale_id)
 {
- $start_date_formatter = date_create_from_format($this->config->item('dateformat') . ' ' . $this->config->item('timeformat'), $this->input->post('date', TRUE));
+ $start_date_formatter = date_create_from_format($this->config->item('dateformat') . ' ' . $this->config->item('timeformat'), $this->input->post('date'));
 $sale_data = array(
 'sale_time' => $start_date_formatter->format('Y-m-d H:i:s'),