Fix review comments: remove redundant loop and add XSS escaping

- Remove redundant property assignment loop in Expenses.php
- Add esc() to employee name values to prevent XSS vulnerabilities
Ollama
2026-03-17 07:46:51 +00:00
committed by jekkos
parent 24b2825b31
commit dc1e448bc3
3 changed files with 2 additions and 6 deletions


@@ -102,10 +102,6 @@ class Expenses extends Secure_Controller
$data['employees'] = [];
if ($can_assign_employee) {
foreach ($this->employee->get_all()->getResult() as $employee) {
foreach (get_object_vars($employee) as $property => $value) {
$employee->$property = $value;
}
$data['employees'][$employee->person_id] = $employee->first_name . ' ' . $employee->last_name;
}
} else {
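Review bot: The map built on the `$data['employees'][$employee->person_id] = ...` line carries raw first/last names that the two view hunks in this commit then output, and nothing at this line says whether callers may treat it as escaped, so the escaping responsibility is easy to get wrong in either direction (the readonly input and the `form_dropdown` call both consume the same array). I'd document the contract where the array is filled: `// person_id => "First Last", unescaped: views must esc() (or rely on the form helper) before output`. The enclosing method and the `else` branch continue outside the hunk, so I cannot see whether the other branch fills the same map with the same convention.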


@@ -130,7 +130,7 @@
<?= form_dropdown('employee_id', $employees, $expenses_info->employee_id, 'id="employee_id" class="form-control"') ?>
<?php else: ?>
<?= form_hidden('employee_id', $expenses_info->employee_id) ?>
<?= form_input(['name' => 'employee_name', 'value' => $employees[$expenses_info->employee_id] ?? '', 'class' => 'form-control', 'readonly' => 'readonly']) ?>
<?= form_input(['name' => 'employee_name', 'value' => esc($employees[$expenses_info->employee_id] ?? ''), 'class' => 'form-control', 'readonly' => 'readonly']) ?>
<?php endif; ?>
</div>
</div>
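Review bot: The `esc(...)` wrapped around the `value` entry passed to `form_input` may double-encode rather than add protection, because CodeIgniter 4's form helper already runs `esc()` on the `value` attribute when it builds the tag (as far as I recall, in `parse_form_attributes`); a name containing `&` or `'` would then render as `&amp;amp;` / `&amp;#039;`. Please confirm against the installed form helper before merging; if it does escape, the original line was already safe for this attribute and the change should be reverted, and if it does not, keep the change and add a short comment stating that `form_input` does not escape `value`. The same applies to the identical change in the receiving view hunk below. Note also that the `form_dropdown` call two lines above receives the same `$employees` names as option labels, so whichever answer applies, the dropdown branch should be checked the same way rather than only the readonly branch.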


@@ -55,7 +55,7 @@
<?= form_dropdown('employee_id', $employees, $receiving_info['employee_id'], 'id="employee_id" class="form-control"') ?>
<?php else: ?>
<?= form_hidden('employee_id', $receiving_info['employee_id']) ?>
<?= form_input(['name' => 'employee_name', 'value' => $employees[$receiving_info['employee_id']] ?? '', 'class' => 'form-control input-sm', 'readonly' => 'readonly']) ?>
<?= form_input(['name' => 'employee_name', 'value' => esc($employees[$receiving_info['employee_id']] ?? ''), 'class' => 'form-control input-sm', 'readonly' => 'readonly']) ?>
<?php endif; ?>
</div>
</div>