From: <dai...@us...> - 2011-10-29 03:26:39
Revision: 4734
http://web-erp.svn.sourceforge.net/web-erp/?rev=4734&view=rev
Author: daintree
Date: 2011-10-29 03:26:27 +0000 (Sat, 29 Oct 2011)
Log Message:
-----------
security fixes per adv...@ht...
Modified Paths:
--------------
trunk/AccountGroups.php
trunk/AccountSections.php
trunk/AddCustomerContacts.php
trunk/AddCustomerNotes.php
trunk/AddCustomerTypeNotes.php
trunk/AgedDebtors.php
trunk/AgedSuppliers.php
trunk/Areas.php
trunk/AuditTrail.php
trunk/BOMExtendedQty.php
trunk/BOMIndented.php
trunk/BOMIndentedReverse.php
trunk/BOMInquiry.php
trunk/BOMListing.php
trunk/BOMs.php
trunk/BackupDatabase.php
trunk/BankAccounts.php
trunk/BankMatching.php
trunk/BankReconciliation.php
trunk/COGSGLPostings.php
trunk/CompanyPreferences.php
trunk/ConfirmDispatch_Invoice.php
trunk/ContractBOM.php
trunk/ContractCosting.php
trunk/ContractOtherReqts.php
trunk/Contracts.php
trunk/CounterSales.php
trunk/CreditStatus.php
trunk/Credit_Invoice.php
trunk/Currencies.php
trunk/CustEDISetup.php
trunk/CustLoginSetup.php
trunk/CustWhereAlloc.php
trunk/CustomerAllocations.php
trunk/CustomerBranches.php
trunk/CustomerInquiry.php
trunk/CustomerReceipt.php
trunk/CustomerTransInquiry.php
trunk/CustomerTypes.php
trunk/Customers.php
trunk/DailyBankTransactions.php
trunk/DailySalesInquiry.php
trunk/DebtorsAtPeriodEnd.php
trunk/DeliveryDetails.php
trunk/DiscountCategories.php
trunk/DiscountMatrix.php
trunk/EDIMessageFormat.php
trunk/EmailCustTrans.php
trunk/ExchangeRateTrend.php
trunk/FTP_RadioBeacon.php
trunk/Factors.php
trunk/FixedAssetCategories.php
trunk/FixedAssetDepreciation.php
trunk/FixedAssetItems.php
trunk/FixedAssetLocations.php
trunk/FixedAssetRegister.php
trunk/FixedAssetTransfer.php
trunk/FormDesigner.php
trunk/FreightCosts.php
trunk/GLAccountCSV.php
trunk/GLAccountInquiry.php
trunk/GLAccountReport.php
trunk/GLAccounts.php
trunk/GLBalanceSheet.php
trunk/GLBudgets.php
trunk/GLJournal.php
trunk/GLProfit_Loss.php
trunk/GLTagProfit_Loss.php
trunk/GLTags.php
trunk/GLTrialBalance.php
trunk/GLTrialBalance_csv.php
trunk/GeocodeSetup.php
trunk/GoodsReceived.php
trunk/InventoryPlanning.php
trunk/InventoryPlanningPrefSupplier.php
trunk/InventoryQuantities.php
trunk/InventoryValuation.php
trunk/Labels.php
trunk/Locations.php
trunk/MRP.php
trunk/MRPCalendar.php
trunk/MRPCreateDemands.php
trunk/MRPDemandTypes.php
trunk/MRPDemands.php
trunk/MRPPlannedPurchaseOrders.php
trunk/MRPPlannedWorkOrders.php
trunk/MRPReport.php
trunk/MRPReschedules.php
trunk/MRPShortages.php
trunk/OffersReceived.php
trunk/OutstandingGRNs.php
trunk/PDFBankingSummary.php
trunk/PDFChequeListing.php
trunk/PDFCustTransListing.php
trunk/PDFCustomerList.php
trunk/PDFDIFOT.php
trunk/PDFDeliveryDifferences.php
trunk/PDFLowGP.php
trunk/PDFOrderStatus.php
trunk/PDFOrdersInvoiced.php
trunk/PDFPeriodStockTransListing.php
trunk/PDFPickingList.php
trunk/PDFPriceList.php
trunk/PDFPrintLabel.php
trunk/PDFRemittanceAdvice.php
trunk/PDFStockCheckComparison.php
trunk/PDFStockLocTransfer.php
trunk/PDFStockTransfer.php
trunk/PDFSuppTransListing.php
trunk/POReport.php
trunk/PO_AuthorisationLevels.php
trunk/PO_AuthoriseMyOrders.php
trunk/PO_Header.php
trunk/PO_Items.php
trunk/PO_PDFPurchOrder.php
trunk/PO_SelectOSPurchOrder.php
trunk/PO_SelectPurchOrder.php
trunk/PageSecurity.php
trunk/PaymentMethods.php
trunk/PaymentTerms.php
trunk/Payments.php
trunk/PcAssignCashToTab.php
trunk/PcAuthorizeExpenses.php
trunk/PcClaimExpensesFromTab.php
trunk/PcExpenses.php
trunk/PcExpensesTypeTab.php
trunk/PcReportTab.php
trunk/PcTabs.php
trunk/PcTypeTabs.php
trunk/Prices.php
trunk/PricesBasedOnMarkUp.php
trunk/PricesByCost.php
trunk/Prices_Customer.php
trunk/PrintCustStatements.php
trunk/PrintCustTrans.php
trunk/PrintCustTransPortrait.php
trunk/PurchData.php
trunk/RecurringSalesOrders.php
trunk/ReorderLevel.php
trunk/ReorderLevelLocation.php
trunk/ReprintGRN.php
trunk/ReverseGRN.php
trunk/SMTPServer.php
trunk/SalesAnalReptCols.php
trunk/SalesAnalRepts.php
trunk/SalesByTypePeriodInquiry.php
trunk/SalesCategories.php
trunk/SalesCategoryPeriodInquiry.php
trunk/SalesGLPostings.php
trunk/SalesGraph.php
trunk/SalesInquiry.php
trunk/SalesPeople.php
trunk/SalesTopItemsInquiry.php
trunk/SalesTypes.php
trunk/SecurityTokens.php
trunk/SelectCompletedOrder.php
trunk/SelectContract.php
trunk/SelectCreditItems.php
trunk/SelectCustomer.php
trunk/SelectGLAccount.php
trunk/SelectOrderItems.php
trunk/SelectProduct.php
trunk/SelectRecurringSalesOrder.php
trunk/SelectSalesOrder.php
trunk/SelectSupplier.php
trunk/SelectWorkOrder.php
trunk/ShipmentCosting.php
trunk/Shipments.php
trunk/Shippers.php
trunk/Shipt_Select.php
trunk/SpecialOrder.php
trunk/StockAdjustments.php
trunk/StockCategories.php
trunk/StockCheck.php
trunk/StockCostUpdate.php
trunk/StockCounts.php
trunk/StockDispatch.php
trunk/StockLocMovements.php
trunk/StockLocStatus.php
trunk/StockLocTransfer.php
trunk/StockLocTransferReceive.php
trunk/StockMovements.php
trunk/StockQuantityByDate.php
trunk/StockReorderLevel.php
trunk/StockSerialItemResearch.php
trunk/StockStatus.php
trunk/StockTransfers.php
trunk/StockUsage.php
trunk/Stocks.php
trunk/SuppContractChgs.php
trunk/SuppCreditGRNs.php
trunk/SuppFixedAssetChgs.php
trunk/SuppInvGRNs.php
trunk/SuppLoginSetup.php
trunk/SuppPaymentRun.php
trunk/SuppPriceList.php
trunk/SuppShiptChgs.php
trunk/SuppTransGLAnalysis.php
trunk/SupplierAllocations.php
trunk/SupplierBalsAtPeriodEnd.php
trunk/SupplierContacts.php
trunk/SupplierCredit.php
trunk/SupplierInquiry.php
trunk/SupplierInvoice.php
trunk/SupplierTenders.php
trunk/SupplierTransInquiry.php
trunk/SupplierTypes.php
trunk/Suppliers.php
trunk/SystemParameters.php
trunk/Tax.php
trunk/TaxAuthorities.php
trunk/TaxAuthorityRates.php
trunk/TaxCategories.php
trunk/TaxGroups.php
trunk/TaxProvinces.php
trunk/TopItems.php
trunk/UnitsOfMeasure.php
trunk/UpgradeDatabase.php
trunk/UserSettings.php
trunk/WOSerialNos.php
trunk/WWW_Access.php
trunk/WWW_Users.php
trunk/WhereUsedInquiry.php
trunk/WorkCentres.php
trunk/WorkOrderCosting.php
trunk/WorkOrderEntry.php
trunk/WorkOrderIssue.php
trunk/WorkOrderReceive.php
trunk/Z_BottomUpCosts.php
trunk/Z_ChangeBranchCode.php
trunk/Z_ChangeCustomerCode.php
trunk/Z_ChangeStockCategory.php
trunk/Z_ChangeStockCode.php
trunk/Z_CheckDebtorsControl.php
trunk/Z_CreateCompanyTemplateFile.php
trunk/Z_DataExport.php
trunk/Z_DeleteSalesTransActions.php
trunk/Z_ImportChartOfAccounts.php
trunk/Z_ImportGLAccountGroups.php
trunk/Z_ImportGLAccountSections.php
trunk/Z_ImportPartCodes.php
trunk/Z_MakeNewCompany.php
trunk/Z_ReApplyCostToSA.php
trunk/Z_RePostGLFromPeriod.php
trunk/Z_ReverseSuppPaymentRun.php
trunk/Z_UpdateChartDetailsBFwd.php
trunk/Z_Upgrade3.10.php
trunk/Z_Upgrade_3.04-3.05.php
trunk/Z_Upgrade_3.05-3.06.php
trunk/Z_Upgrade_3.07-3.08.php
trunk/Z_Upgrade_3.08-3.09.php
trunk/Z_Upgrade_3.09-3.10.php
trunk/Z_Upgrade_3.10-3.11.php
trunk/Z_Upgrade_3.11-4.00.php
trunk/Z_poAddLanguage.php
trunk/Z_poEditLangHeader.php
trunk/Z_poEditLangModule.php
trunk/Z_poEditLangRemaining.php
trunk/Z_poRebuildDefault.php
trunk/api/api_session.inc
trunk/config.distrib.php
trunk/doc/Manual/ManualContents.php
trunk/doc/Manual/ManualGettingStarted.html
trunk/includes/InputSerialItems.php
trunk/includes/InputSerialItemsExisting.php
trunk/includes/InputSerialItemsKeyed.php
trunk/includes/InputSerialItemsSequential.php
trunk/includes/Login.php
trunk/includes/OutputSerialItems.php
trunk/includes/header.inc
trunk/includes/session.inc
trunk/includes/tcpdf/config/tcpdf_config.php
trunk/includes/tcpdf/config/tcpdf_config_alt.php
trunk/index.php
trunk/install/save.php
trunk/locale/de_DE.utf8/Manual/ManualContents.php
trunk/locale/de_DE.utf8/Manual/ManualGettingStarted.html
trunk/locale/zh_CN.utf8/Manual/ManualContents.php
trunk/locale/zh_CN.utf8/Manual/ManualGettingStarted.html
trunk/locale/zh_HK.utf8/Manual/ManualContents.php
trunk/locale/zh_HK.utf8/Manual/ManualGettingStarted.html
trunk/reportwriter/FormMaker.php
trunk/reportwriter/ReportMaker.php
Removed Paths:
-------------
trunk/phpinfo.php
Modified: trunk/AccountGroups.php
===================================================================
--- trunk/AccountGroups.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AccountGroups.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -263,8 +263,8 @@
<td>' . $myrow[2] . '</td>
<td>' . $PandLText . '</td>
<td>' . $myrow[4] . '</td>';
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?SelectedAccountGroup=' . htmlentities($myrow[0], ENT_QUOTES,'UTF-8') . '">' . _('Edit') . '</a></td>';
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?SelectedAccountGroup=' . htmlentities($myrow[0], ENT_QUOTES,'UTF-8') . '&delete=1" onclick="return confirm(\'' . _('Are you sure you wish to delete this account group?') . '\');">' . _('Delete') .'</a></td></tr>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedAccountGroup=' . htmlentities($myrow[0], ENT_QUOTES,'UTF-8') . '">' . _('Edit') . '</a></td>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedAccountGroup=' . htmlentities($myrow[0], ENT_QUOTES,'UTF-8') . '&delete=1" onclick="return confirm(\'' . _('Are you sure you wish to delete this account group?') . '\');">' . _('Delete') .'</a></td></tr>';
} //END WHILE LIST LOOP
echo '</table>';
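Review bot: The Delete link on the new line still triggers a state change through a plain GET (`&delete=1`) that carries no FormID token, whereas the form in the next hunk sends `$_SESSION['FormID']`; unless the handler (not visible here) also verifies the token on GET deletes, this stays a CSRF target that the PHP_SELF escaping does not address. Either make deletion a POST with the hidden FormID or append `'&FormID=' . $_SESSION['FormID']` to the link and check it server-side. Also note that `htmlspecialchars()` is called with no flags or charset here while the adjacent `htmlentities($myrow[0], ENT_QUOTES,'UTF-8')` is explicit; on PHP 5.3 the default charset is ISO-8859-1, so a small helper such as `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')` used across the ~280 touched files would keep the escaping consistent.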
@@ -272,12 +272,12 @@
if (isset($_POST['SelectedAccountGroup']) OR isset($_GET['SelectedAccountGroup'])) {
- echo '<br /><div class="centre"><a href="' . $_SERVER['PHP_SELF'] .'">' . _('Review Account Groups') . '</a></div>';
+ echo '<br /><div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) .'">' . _('Review Account Groups') . '</a></div>';
}
if (! isset($_GET['delete'])) {
- echo '<br /><form method="post" id="AccountGroups" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<br /><form method="post" id="AccountGroups" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
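Review bot: Escaping neutralises the markup in the new form action, but the form still posts to whatever path the client supplied, because `$_SERVER['PHP_SELF']` includes PATH_INFO when the server passes it through. `$_SERVER['SCRIPT_NAME']` (or a fixed script name) does not carry the client-appended suffix and is the safer value to emit here: `action="' . htmlspecialchars($_SERVER['SCRIPT_NAME']) . '"`. The surrounding `if` block continues past the end of this hunk.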
Modified: trunk/AccountSections.php
===================================================================
--- trunk/AccountSections.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AccountSections.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -193,11 +193,11 @@
}
echo '<td>' . $myrow[0] . '</td><td>' . $myrow[1] . '</td>';
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?SelectedSectionID=' . $myrow[0] . '">' . _('Edit') . '</a></td>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedSectionID=' . $myrow[0] . '">' . _('Edit') . '</a></td>';
if ( $myrow[0] == '1' || $myrow[0] == '2' ) {
echo '<td><b>'._('Restricted').'</b></td>';
} else {
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?SelectedSectionID=' . $myrow[0] . '&delete=1">' . _('Delete') .'</a></td>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedSectionID=' . $myrow[0] . '&delete=1">' . _('Delete') .'</a></td>';
}
echo '</tr>';
} //END WHILE LIST LOOP
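Review bot: Only PHP_SELF is escaped on the new Edit and Delete lines; `$myrow[0]` is still concatenated raw into both hrefs, and it is also printed raw into the table cell on the context line above. The sibling AccountGroups.php hunk wraps the same kind of value in `htmlentities($myrow[0], ENT_QUOTES,'UTF-8')`, so this file should do the same, e.g. `'?SelectedSectionID=' . htmlentities($myrow[0], ENT_QUOTES, 'UTF-8')`. The `== '1' || == '2'` comparison suggests the value is numeric, which limits the exposure, but that is not enforced here and the inconsistency will mislead the next maintainer.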
@@ -206,12 +206,12 @@
if (isset($_POST['SelectedSectionID']) or isset($_GET['SelectedSectionID'])) {
- echo '<div class="centre"><a href="' . $_SERVER['PHP_SELF'] . '">' . _('Review Account Sections') . '</a></div>';
+ echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Review Account Sections') . '</a></div>';
}
if (! isset($_GET['delete'])) {
- echo '<form method="post" name="AccountSections" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<form method="post" name="AccountSections" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($_GET['SelectedSectionID'])) {
Modified: trunk/AddCustomerContacts.php
===================================================================
--- trunk/AddCustomerContacts.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AddCustomerContacts.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -154,10 +154,10 @@
$myrow['email'],
$myrow['email'],
$myrow['notes'],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['contid'],
$myrow['debtorno'],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['contid'],
$myrow['debtorno']);
@@ -166,12 +166,12 @@
echo '</table>';
}
if (isset($Id)) {
- echo '<div class="centre"><a href="' . $_SERVER['PHP_SELF'] . '?DebtorNo='.$DebtorNo .'">' . _('Review all contacts for this Customer') . '</a></div>';
+ echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorNo='.$DebtorNo .'">' . _('Review all contacts for this Customer') . '</a></div>';
}
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?DebtorNo='.$DebtorNo.'">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorNo='.$DebtorNo.'">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($Id)) {
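Review bot: `$DebtorNo` goes into the href and the form action on the new lines without URL-encoding or HTML escaping, so the hardening stops at the part of the URL that is more likely to be attacker-influenced; where `$DebtorNo` is assigned is outside this hunk, so treat it as untrusted unless the assignment proves otherwise. Emit it as `'?DebtorNo=' . htmlspecialchars(urlencode($DebtorNo))` (or a single `htmlspecialchars()` around the whole URL), consistently in both lines.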
Modified: trunk/AddCustomerNotes.php
===================================================================
--- trunk/AddCustomerNotes.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AddCustomerNotes.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -135,10 +135,10 @@
$myrow[3],
$myrow[2],
$myrow[5],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow[0],
$myrow[1],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow[0],
$myrow[1]);
@@ -147,13 +147,13 @@
echo '</table>';
}
if (isset($Id)) {
- echo '<div class="centre"><a href="'.$_SERVER['PHP_SELF'] . '?DebtorNo='.$DebtorNo.'">'._('Review all notes for this Customer').'</a></div>';
+ echo '<div class="centre"><a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorNo='.$DebtorNo.'">'._('Review all notes for this Customer').'</a></div>';
}
echo '<br />';
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?' . SID . '&DebtorNo='.$DebtorNo.'">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?' . SID . '&DebtorNo='.$DebtorNo.'">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($Id)) {
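Review bot: The form action on the new line still appends `SID`, which expands to `PHPSESSID=<id>` whenever PHP is not carrying the session in a cookie, so the session identifier is written into the page and can end up in history, proxy and referer logs; the PHP_SELF escaping does not touch this. The same form already relies on `$_SESSION['FormID']`, and the sibling AddCustomerContacts.php hunk builds the identical action without SID, so `'?' . SID . '&DebtorNo='` can presumably be reduced to `'?DebtorNo='`. `$DebtorNo` is also concatenated raw here and should be URL-encoded and escaped like the path.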
Modified: trunk/AddCustomerTypeNotes.php
===================================================================
--- trunk/AddCustomerTypeNotes.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AddCustomerTypeNotes.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -126,10 +126,10 @@
$myrow[3],
$myrow[2],
$myrow[5],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow[0],
$myrow[1],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow[0],
$myrow[1]);
@@ -138,14 +138,14 @@
echo '</table>';
}
if (isset($Id)) { ?>
- <div class="cantre"><a href="<?php echo $_SERVER['PHP_SELF'] . '?' . SID .'&DebtorType='.$DebtorType;?>"><?=_('Review all notes for this Customer Type')?></a></div>
+ <div class="cantre"><a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) . '?' . SID .'&DebtorType='.$DebtorType;?>"><?=_('Review all notes for this Customer Type')?></a></div>
<?php } ?>
<p>
<?php
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?DebtorType='.$DebtorType.'">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorType='.$DebtorType.'">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($Id)) {
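Review bot: `$DebtorType` is interpolated into the href and into the form action on the new lines with no encoding, while only the script path is escaped; its origin is outside this hunk, so it should be emitted as `htmlspecialchars(urlencode($DebtorType))` until shown to be trusted. The first new line also carries `class="cantre"` (the stylesheet class used everywhere else in this diff is `centre`) and embeds `SID` in the link, which puts the session id into the URL if the session is not cookie-based. Both lines sit inside an `if` whose body continues past the hunk.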
Modified: trunk/AgedDebtors.php
===================================================================
--- trunk/AgedDebtors.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AgedDebtors.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -457,7 +457,7 @@
/*if $FromCriteria is not set then show a form to allow input */
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
<table>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
Modified: trunk/AgedSuppliers.php
===================================================================
--- trunk/AgedSuppliers.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AgedSuppliers.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -271,7 +271,7 @@
/*if $FromCriteria is not set then show a form to allow input */
- echo '<form sction="' . $_SERVER['PHP_SELF'] . '" method="post">
+ echo '<form sction="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
<table class="selection">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
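Review bot: The attribute on the new line is misspelled, `<form sction="..." method="post">`, so the escaped value is assigned to an attribute browsers ignore and the form submits to the current URL only by default; the commit carried the typo over from the old line. Change it to `<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">` to match the AgedDebtors.php hunk.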
Modified: trunk/Areas.php
===================================================================
--- trunk/Areas.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/Areas.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -161,8 +161,8 @@
}
echo '<td>' . $myrow[0] . '</td>
<td>' . $myrow[1] . '</td>';
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?SelectedArea=' . $myrow[0] . '">' . _('Edit') . '</a></td>';
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?SelectedArea=' . $myrow[0] . '&delete=yes" onclick="return confirm(\'' . _('Are you sure you wish to delete this sales area?') . '\');">' . _('Delete') . '</a></td>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedArea=' . $myrow[0] . '">' . _('Edit') . '</a></td>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedArea=' . $myrow[0] . '&delete=yes" onclick="return confirm(\'' . _('Are you sure you wish to delete this sales area?') . '\');">' . _('Delete') . '</a></td>';
echo '<td><a href="SelectCustomer.php'. '?Area=' . $myrow[0] . '">' . _('View Customers from this Area') . '</a></td>';
}
//END WHILE LIST LOOP
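Review bot: The area code `$myrow[0]` is concatenated raw into the Edit and Delete hrefs on the new lines (and into the unchanged SelectCustomer.php link below them), so a stored value containing `"` or `&` still breaks out of the attribute even though PHP_SELF is now escaped. Use `htmlspecialchars(rawurlencode($myrow[0]))` in the query strings, as AccountGroups.php does with `htmlentities(..., ENT_QUOTES, 'UTF-8')`. The Delete link also performs the deletion on a GET without the FormID token that the form in the next hunk carries.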
@@ -172,13 +172,13 @@
//end of ifs and buts!
if (isset($SelectedArea)) {
- echo '<div class="centre"><a href="' . $_SERVER['PHP_SELF'] . '">' . _('Review Areas Defined') . '</a></div>';
+ echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Review Areas Defined') . '</a></div>';
}
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '"><br />';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '"><br />';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($SelectedArea)) {
Modified: trunk/AuditTrail.php
===================================================================
--- trunk/AuditTrail.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/AuditTrail.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -34,7 +34,7 @@
// Get list of users
$UserResult = DB_query("SELECT userid FROM www_users",$db);
-echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class="selection">';
Modified: trunk/BOMExtendedQty.php
===================================================================
--- trunk/BOMExtendedQty.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BOMExtendedQty.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -260,7 +260,7 @@
echo '<br />
<br />
- <form action=' . $_SERVER['PHP_SELF'] . ' method="post">
+ <form action=' . htmlspecialchars($_SERVER['PHP_SELF']) . ' method="post">
<table class="selection">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<tr>
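Review bot: The escaped path on the new line is written into an unquoted attribute, `<form action=' . htmlspecialchars(...) . ' method="post">`, so `htmlspecialchars()` does not close the hole: a space is not escaped, and if the server passes PATH_INFO through, a request such as `/BOMExtendedQty.php/ onmouseover=alert(1)` ends the attribute value and turns the remainder into new attributes. Quote the attribute: `<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">`, as the BOMIndented.php hunk already does.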
Modified: trunk/BOMIndented.php
===================================================================
--- trunk/BOMIndented.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BOMIndented.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -247,7 +247,7 @@
echo '<br />
<br />
- <form action="' . $_SERVER['PHP_SELF'] . '" method="post">
+ <form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
<table class="selection">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<tr><td>' . _('Part') . ':</td>
Modified: trunk/BOMIndentedReverse.php
===================================================================
--- trunk/BOMIndentedReverse.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BOMIndentedReverse.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -236,7 +236,7 @@
_('Search') . '" alt="" />' . ' ' . $title.'</p><br />';
echo '<br />
<br />
- <form action=' . $_SERVER['PHP_SELF'] . ' method="post">
+ <form action=' . htmlspecialchars($_SERVER['PHP_SELF']) . ' method="post">
<table class="selection">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<tr><td>' . _('Part') . ':</td>
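Review bot: Same issue as BOMExtendedQty.php: the new line emits the path into an unquoted `action=` attribute, and `htmlspecialchars()` leaves spaces alone, so a PATH_INFO suffix containing a space can still inject attributes into the form tag. The fix is to quote the value: `<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">`.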
Modified: trunk/BOMInquiry.php
===================================================================
--- trunk/BOMInquiry.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BOMInquiry.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -13,7 +13,7 @@
}
if (!isset($_POST['StockID'])) {
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post"><b><br /></b>'.
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post"><b><br /></b>'.
'<div class="page_help_text">'. _('Select a manufactured part') . ' (' . _('or Assembly or Kit part') . ') ' .
_('to view the costed bill of materials') . '<br /><font size=1>' .
_('Parts must be defined in the stock item entry') . '/' . _('modification screen as manufactured') .
Modified: trunk/BOMListing.php
===================================================================
--- trunk/BOMListing.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BOMListing.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -112,7 +112,7 @@
/*if $FromCriteria is not set then show a form to allow input */
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="POST">
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="POST">
<table class="selection">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
Modified: trunk/BOMs.php
===================================================================
--- trunk/BOMs.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BOMs.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -113,7 +113,7 @@
$DrillID='';
} else {
$DrillText = '<a href="%s&Select=%s">' . _('Drill Down');
- $DrillLink = $_SERVER['PHP_SELF'] . '?';
+ $DrillLink = htmlspecialchars($_SERVER['PHP_SELF']) . '?';
$DrillID=$myrow[0];
}
if ($ParentMBflag!='M' AND $ParentMBflag!='G'){
@@ -155,12 +155,12 @@
ConvertSQLDate($myrow[6]),
$AutoIssue,
$QuantityOnHand,
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$Parent,
$myrow[0],
$DrillLink,
$DrillID,
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$Parent,
$myrow[0],
$UltimateParent);
@@ -413,7 +413,7 @@
break;
}
- echo '<br /><div class=centre><a href="' . $_SERVER['PHP_SELF'] . '">' . _('Select a Different BOM') . '</a></div><br />';
+ echo '<br /><div class=centre><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Select a Different BOM') . '</a></div><br />';
echo '<table class="selection">';
// Display Manufatured Parent Items
$sql = "SELECT bom.parent,
@@ -432,7 +432,7 @@
if( DB_num_rows($result) > 0 ) {
echo '<tr><td><div class="centre">'._('Manufactured parent items').' : ';
while ($myrow = DB_fetch_array($result)){
- echo (($ix)?', ':'').'<a href="'.$_SERVER['PHP_SELF'] . '?Select='.$myrow['parent'].'">'.
+ echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
$myrow['description'].' ('.$myrow['parent'].')</a>';
$ix++;
} //end while loop
@@ -455,7 +455,7 @@
echo (($reqnl)?'<br />':'').'<tr><td><div class="centre">'._('Assembly parent items').' : ';
$ix = 0;
while ($myrow = DB_fetch_array($result)){
- echo (($ix)?', ':'').'<a href="'.$_SERVER['PHP_SELF'] . '?Select='.$myrow['parent'].'">'.
+ echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
$myrow['description'].' ('.$myrow['parent'].')</a>';
$ix++;
} //end while loop
@@ -477,7 +477,7 @@
echo (($reqnl)?'<br />':'').'<tr><td><div class="centre">'._('Kit sets').' : ';
$ix = 0;
while ($myrow = DB_fetch_array($result)){
- echo (($ix)?', ':'').'<a href="'.$_SERVER['PHP_SELF'] . '?Select='.$myrow['parent'].'">'.
+ echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
$myrow['description'].' ('.$myrow['parent'].')</a>';
$ix++;
} //end while loop
@@ -499,7 +499,7 @@
echo (($reqnl)?'<br />':'').'<tr><td><div class="centre">'._('Phantom').' : ';
$ix = 0;
while ($myrow = DB_fetch_array($result)){
- echo (($ix)?', ':'').'<a href="'.$_SERVER['PHP_SELF'] . '?Select='.$myrow['parent'].'">'.
+ echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
$myrow['description'].' ('.$myrow['parent'].')</a>';
$ix++;
} //end while loop
@@ -559,7 +559,7 @@
if (! isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?Select=' . $SelectedParent .'">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?Select=' . $SelectedParent .'">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($_GET['SelectedComponent']) and $InputError !=1) {
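Review bot: `$SelectedParent` is appended raw to the form action on the new line, so the escaping protects the script path but not the query string that follows it; where `$SelectedParent` comes from is outside this hunk, and the `$_GET['SelectedComponent']` read on the next line suggests request input is in play. Emit it as `'?Select=' . htmlspecialchars(urlencode($SelectedParent))`. The same raw concatenation of `$myrow['parent']` into `?Select=` links appears in the four list hunks above.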
@@ -825,7 +825,7 @@
if (!isset($SelectedParent)) {
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/magnifier.png" title="' . _('Search') . '" alt="">' . ' ' . $title . '</p>';
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">' .
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">' .
'<div class="page_help_text">'. _('Select a manufactured part') . ' (' . _('or Assembly or Kit part') . ') ' . _('to maintain the bill of material for using the options below') . '<br /><font size="1">' . _('Parts must be defined in the stock item entry') . '/' . _('modification screen as manufactured') . ', ' . _('kits or assemblies to be available for construction of a bill of material') .'</div>'. '</font>
<br />
<table class="selection" cellpadding="3" colspan="4">
Modified: trunk/BackupDatabase.php
===================================================================
--- trunk/BackupDatabase.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BackupDatabase.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -44,7 +44,7 @@
prnMsg(_('Once you have downloaded the database backup file to your local machine you should use the link below to delete it - backup files can consume a lot of space on your hosting account and will accumulate if not deleted - they also contain sensitive information which would otherwise be available for others to download!'),'info');
echo '<br />
<br />
- <a href="'. $_SERVER['PHP_SELF'] . '?BackupFile=' .$BackupFile .'">' . _('Delete the backup file off the server') . '</a>';
+ <a href="'. htmlspecialchars($_SERVER['PHP_SELF']) . '?BackupFile=' .$BackupFile .'">' . _('Delete the backup file off the server') . '</a>';
} else {
prnMsg(_('There was some problem producing a backup using mysqldump. Normally this relates to a permissions issue - the web-server user must have permission to write to the companies directory'),'error');
}
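Review bot: The new line builds a file-deletion link from `$BackupFile` with neither URL-encoding nor HTML escaping, and the deletion happens on a plain GET with no FormID token, so the hardening stops short of the part of the URL an attacker would aim at. If the handler outside this hunk unlinks `$_GET['BackupFile']` directly it should reduce the value to `basename()` inside the companies directory before removing anything, and the delete should be a POST with the token. Minimal change on this line: `'?BackupFile=' . htmlspecialchars(rawurlencode($BackupFile))`.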
Modified: trunk/BankAccounts.php
===================================================================
--- trunk/BankAccounts.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BankAccounts.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -231,9 +231,9 @@
$myrow['bankaddress'],
$myrow['currcode'],
$DefaultBankAccount,
- $_SERVER['PHP_SELF'],
+ htmlspecialchars($_SERVER['PHP_SELF']),
$myrow['accountcode'],
- $_SERVER['PHP_SELF'],
+ htmlspecialchars($_SERVER['PHP_SELF']),
$myrow['accountcode']);
}
@@ -245,11 +245,11 @@
if (isset($SelectedBankAccount)) {
echo '<br />';
- echo '<div class="centre"><p><a href="' . $_SERVER['PHP_SELF'] . '">' . _('Show All Bank Accounts Defined') . '</a></div>';
+ echo '<div class="centre"><p><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Show All Bank Accounts Defined') . '</a></div>';
echo '<br />';
}
-echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($SelectedBankAccount) AND !isset($_GET['delete'])) {
Modified: trunk/BankMatching.php
===================================================================
--- trunk/BankMatching.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BankMatching.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -77,7 +77,7 @@
echo '<div class="page_help_text">' . _('Use this screen to match webERP Receipts and Payments to your Bank Statement. Check your bank statement and click the check-box when you find the matching transaction.') . '</div><br />';
-echo '<form action="'. $_SERVER['PHP_SELF'] . '" method=post>';
+echo '<form action="'. htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<input type="hidden" name="Type" value="' . $Type . '">';
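Review bot: The hidden `Type` field on the context line right after the new form tag echoes `$Type` raw into a double-quoted value attribute, so a value containing `"` escapes it; `$Type` is assigned outside this hunk and should be treated as request input unless shown otherwise. Emit it as `value="' . htmlspecialchars($Type) . '"`, and while here quote the `method=post` attribute for consistency with the other forms in this diff.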
Modified: trunk/BankReconciliation.php
===================================================================
--- trunk/BankReconciliation.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/BankReconciliation.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -8,7 +8,7 @@
include('includes/header.inc');
-echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/money_add.png" title="' . _('Search') . '" alt="" />' . ' ' . $title.'</p><br />';
Modified: trunk/COGSGLPostings.php
===================================================================
--- trunk/COGSGLPostings.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/COGSGLPostings.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -110,9 +110,9 @@
$myrow['stkcat'],
$myrow['salestype'],
$myrow['accountname'],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['id'],
- $_SERVER['PHP_SELF']. '?',
+ htmlspecialchars($_SERVER['PHP_SELF']). '?',
$myrow['id']);
}//end while
echo '</table>';
@@ -208,9 +208,9 @@
$myrow['stkcat'],
$myrow['salestype'],
$myrow['salestype'],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['id'],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['id']);
}//END WHILE LIST LOOP
@@ -220,12 +220,12 @@
//end of ifs and buts!
if (isset($SelectedCOGSPostingID)) {
- echo '<div class="centre"><a href="' . $_SERVER['PHP_SELF'] .'">' . _('Show all cost of sales posting records') . '</a></div>';
+ echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) .'">' . _('Show all cost of sales posting records') . '</a></div>';
}
echo '<br />';
-echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($SelectedCOGSPostingID)) {
Modified: trunk/CompanyPreferences.php
===================================================================
--- trunk/CompanyPreferences.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CompanyPreferences.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -153,7 +153,7 @@
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/maintenance.png" title="' . _('Search') .
'" alt="" />' . ' ' . $title.'</p><br />';
-echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class="selection">';
Modified: trunk/ConfirmDispatch_Invoice.php
===================================================================
--- trunk/ConfirmDispatch_Invoice.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/ConfirmDispatch_Invoice.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -252,7 +252,7 @@
</table>
<br />';
-echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
/***************************************************************
Modified: trunk/ContractBOM.php
===================================================================
--- trunk/ContractBOM.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/ContractBOM.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -219,7 +219,7 @@
/* This is where the order as selected should be displayed reflecting any deletions or insertions*/
-echo '<form name="ContractBOMForm" action="' . $_SERVER['PHP_SELF'] . '?identifier='.$identifier. '" method="post">';
+echo '<form name="ContractBOMForm" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (count($_SESSION['Contract'.$identifier]->ContractBOM)>0){
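Review bot: `$identifier` is appended to the newly escaped action without any encoding (`'?identifier='.$identifier`), and since the form round-trips it through that very query string its origin is presumably `$_GET`/`$_POST`; if so it needs the same treatment as PHP_SELF, e.g. `'?identifier=' . urlencode($identifier)`, or a check that it is the integer-like token the `$_SESSION['Contract'.$identifier]` key expects. Where `$identifier` is assigned is outside the hunk, so this is inferred from the URL being built rather than from a visible read of the request. The same raw concatenation is on the new action and link lines of the ContractCosting.php, ContractOtherReqts.php, Contracts.php and CounterSales.php hunks in this commit.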
@@ -263,7 +263,7 @@
<td>' . $ContractComponent->UOM . '</td>
<td class="number">' . $ContractComponent->ItemCost . '</td>
<td class="number">' . $DisplayLineTotal . '</td>
- <td><a href="' . $_SERVER['PHP_SELF'] . '?identifier='.$identifier. '&Delete=' . $ContractComponent->ComponentID . '">' . _('Delete') . '</a></td></tr>';
+ <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '&Delete=' . $ContractComponent->ComponentID . '">' . _('Delete') . '</a></td></tr>';
$TotalCost += $LineTotal;
}
Modified: trunk/ContractCosting.php
===================================================================
--- trunk/ContractCosting.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/ContractCosting.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -428,7 +428,7 @@
if ($_SESSION['Contract'.$identifier]->Status ==2){//the contract is an order being processed now
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?' .SID .'&SelectedContract=' . $_SESSION['Contract'.$identifier]->ContractRef . '&identifier=' . $identifier . '">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?' .SID .'&SelectedContract=' . $_SESSION['Contract'.$identifier]->ContractRef . '&identifier=' . $identifier . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<br /><div class="centre"><input type="submit" name="CloseContract" value="' . _('Close Contract') . '" onclick="return confirm(\'' . _('Closing the contract will prevent further stock being issued to it and charges being made against it. Variances will be taken to the profit and loss account. Are You Sure?') . '\');" /></div>';
echo '</form>';
Modified: trunk/ContractOtherReqts.php
===================================================================
--- trunk/ContractOtherReqts.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/ContractOtherReqts.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -75,7 +75,7 @@
/* This is where the other requirement as entered/modified should be displayed reflecting any deletions or insertions*/
-echo '<form name="ContractReqtsForm" action="' . $_SERVER['PHP_SELF'] . '?identifier='.$identifier. '" method="post">';
+echo '<form name="ContractReqtsForm" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/contract.png" title="' . _('Contract Other Requirements') . '" alt="" /> ' . _('Contract Other Requirements') . ' - ' . $_SESSION['Contract'.$identifier]->CustomerName.'</p>';
@@ -114,7 +114,7 @@
<td><input type="text" class="number" name="Qty' . $ContractReqtID . '" size="11" value="' . $ContractComponent->Quantity . '" /></td>
<td><input type="text" class="number" name="CostPerUnit' . $ContractReqtID . '" size="11" value="' . $ContractComponent->CostPerUnit . '" /></td>
<td class="number">' . $DisplayLineTotal . '</td>
- <td><a href="' . $_SERVER['PHP_SELF'] . '?' . SID . 'identifier='.$identifier. '&Delete=' . $ContractReqtID . '">' . _('Delete') . '</a></td></tr>';
+ <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?' . SID . 'identifier='.$identifier. '&Delete=' . $ContractReqtID . '">' . _('Delete') . '</a></td></tr>';
$TotalCost += $LineTotal;
}
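Review bot: On the new Delete-link line, `'?' . SID . 'identifier='` has no `&` between the session id and the identifier parameter, so whenever SID is non-empty (cookie-less sessions) the two run together and neither parameter parses. The sibling Delete link in the ContractBOM.php hunk builds the same URL without SID, `'?identifier='.$identifier. '&Delete=' . $ContractReqtID`, and that form is preferable because it also keeps the session id out of the URL and referrer headers; if SID must stay, add the separator as the ContractCosting.php hunk does (`SID .'&...'`). The same missing separator is on the new orderform action in the CounterSales.php @@ -2186 hunk (`'?' . SID .'identifier='`). The enclosing loop starts outside the hunk.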
Modified: trunk/Contracts.php
===================================================================
--- trunk/Contracts.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/Contracts.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -748,7 +748,7 @@
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/contract.png" title="' .
_('Contract') . '" alt="" />' . ' ' . _('Contract: Select Customer') . '</p>';
- echo '<form action="' . $_SERVER['PHP_SELF'] . '?identifier=' . $identifier .'" name="CustomerSelection" method="post">';
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier=' . $identifier .'" name="CustomerSelection" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table cellpadding="3" colspan="4" class="selection">
@@ -816,7 +816,7 @@
//end if RequireCustomerSelection
} else { /*A customer is already selected so get into the contract setup proper */
- echo '<form name="ContractEntry" enctype="multipart/form-data" action="' . $_SERVER['PHP_SELF'] . '?identifier=' . $identifier . '" method="post">';
+ echo '<form name="ContractEntry" enctype="multipart/form-data" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier=' . $identifier . '" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<p class="page_title_text">
Modified: trunk/CounterSales.php
===================================================================
--- trunk/CounterSales.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CounterSales.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -213,7 +213,7 @@
echo '<br /><br />';
prnMsg(_('This sale has been cancelled as requested'),'success');
- echo '<br /><br /><a href="' .$_SERVER['PHP_SELF'] . '">' . _('Start a new Counter Sale') . '</a>';
+ echo '<br /><br /><a href="' .htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Start a new Counter Sale') . '</a>';
include('includes/footer.inc');
exit;
@@ -362,7 +362,7 @@
/* Always do the stuff below */
-echo '<form action="' . $_SERVER['PHP_SELF'] . '?identifier='.$identifier . '" name="SelectParts" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier . '" name="SelectParts" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
//Get The exchange rate used for GPPercent calculations on adding or amending items
@@ -809,7 +809,7 @@
$_SESSION['Items'.$identifier]->TaxGLCodes=$TaxGLCodes;
echo '<td class="number">' . locale_number_format($TaxLineTotal ,$_SESSION['Items'.$identifier]->CurrDecimalPlaces) . '</td>';
echo '<td class="number">' . locale_number_format($SubTotal + $TaxLineTotal ,$_SESSION['Items'.$identifier]->CurrDecimalPlaces) . '</td>';
- echo '<td><a href="' . $_SERVER['PHP_SELF'] . '?identifier='.$identifier . '&Delete=' . $OrderLine->LineNumber . '" onclick="return confirm(\'' . _('Are You Sure?') . '\');">' . _('Delete') . '</a></td></tr>';
+ echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier . '&Delete=' . $OrderLine->LineNumber . '" onclick="return confirm(\'' . _('Are You Sure?') . '\');">' . _('Delete') . '</a></td></tr>';
if ($_SESSION['AllowOrderLineItemNarrative'] == 1){
echo $RowStarter;
@@ -1970,7 +1970,7 @@
} else {
echo '<img src="'.$rootpath.'/css/'.$theme.'/images/printer.png" title="' . _('Print') . '" alt="" />' . ' ' . '<a target="_blank" href="'.$rootpath.'/PrintCustTransPortrait.php?FromTransNo='.$InvoiceNo.'&InvOrCredit=Invoice&PrintPDF=True">'. _('Print this invoice'). ' (' . _('Portrait') . ')</a><br /><br />';
}
- echo '<br /><br /><a href="' .$_SERVER['PHP_SELF'] . '">' . _('Start a new Counter Sale') . '</a></div>';
+ echo '<br /><br /><a href="' .htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Start a new Counter Sale') . '</a></div>';
}
// There were input errors so don't process nuffin
@@ -2186,7 +2186,7 @@
if (isset($SearchResult)) {
$j = 1;
- echo '<form action="' . $_SERVER['PHP_SELF'] . '?' . SID .'identifier='.$identifier . '" method="post" name="orderform">';
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?' . SID .'identifier='.$identifier . '" method="post" name="orderform">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class="table1">';
echo '<tr><td><input type="hidden" name="previous" value="'.strval($Offset-1).'" /><input tabindex="'.strval($j+7).'" type="submit" name="Prev" value="'._('Prev').'" /></td>';
Modified: trunk/CreditStatus.php
===================================================================
--- trunk/CreditStatus.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CreditStatus.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -175,9 +175,9 @@
$myrow['reasoncode'],
$myrow['reasondescription'],
$DissallowText,
- $_SERVER['PHP_SELF'],
+ htmlspecialchars($_SERVER['PHP_SELF']),
$myrow['reasoncode'],
- $_SERVER['PHP_SELF'],
+ htmlspecialchars($_SERVER['PHP_SELF']),
$myrow['reasoncode']);
} //END WHILE LIST LOOP
@@ -186,12 +186,12 @@
} //end of ifs and buts!
if (isset($SelectedReason)) {
- echo '<div class="centre"><a href="' . $_SERVER['PHP_SELF'] . '">' . _('Show Defined Credit Status Codes') . '</a></div>';
+ echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Show Defined Credit Status Codes') . '</a></div>';
}
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($SelectedReason) and ($InputError!=1)) {
Modified: trunk/Credit_Invoice.php
===================================================================
--- trunk/Credit_Invoice.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/Credit_Invoice.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -256,7 +256,7 @@
if (!isset($_POST['ProcessCredit'])) {
- echo '<form action="' . $_SERVER['PHP_SELF'] .'" method="post">';
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) .'" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
@@ -378,7 +378,7 @@
echo '<td class="number">' . $DisplayTaxAmount . '</td>
<td class="number">' . $DisplayGrossLineTotal . '</td>
- <td><a href="' . $_SERVER['PHP_SELF'] . '?Delete=' . $LnItm->LineNumber . '" onclick="return confirm(\'' . _('Are you sure you wish to delete this item from the credit?') . '\');">' . _('Delete') . '</a></td></tr>';
+ <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?Delete=' . $LnItm->LineNumber . '" onclick="return confirm(\'' . _('Are you sure you wish to delete this item from the credit?') . '\');">' . _('Delete') . '</a></td></tr>';
echo '<tr' . $RowStarter . '><td colspan="12"><textarea tabindex=' . $j .' name="Narrative_' . $LnItm->LineNumber . '" cols=100% rows=1>' . $LnItm->Narrative . '</textarea><br /><hr></td></tr>';
$j++;
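Review bot: The line after the escaped Delete link writes `$LnItm->Narrative` into the textarea body unencoded; this textarea is where the user edits the narrative, so a stored value that happens to contain `</textarea>` closes the element and the remainder of the row is rendered as markup. Encode it on output, `'... rows=1>' . htmlspecialchars($LnItm->Narrative) . '</textarea>...'`, which is the correct encoding for textarea content (the browser decodes the entities back to the original text). This line is unchanged context in the hunk, so the commit's fix only reaches the PHP_SELF part of the row; the enclosing loop starts outside the hunk.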
Modified: trunk/Currencies.php
===================================================================
--- trunk/Currencies.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/Currencies.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -264,10 +264,10 @@
$myrow['decimalplaces'],
locale_number_format($myrow['rate'],5),
locale_number_format(GetCurrencyRate($myrow['currabrev'],$CurrencyRatesArray),5),
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['currabrev'],
_('Edit'),
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['currabrev'],
_('Delete'),
$rootpath,
@@ -298,14 +298,14 @@
if (isset($SelectedCurrency)) {
- echo '<div class="centre"><a href="' .$_SERVER['PHP_SELF'] . '">'._('Show all currency definitions').'</a></div>';
+ echo '<div class="centre"><a href="' .htmlspecialchars($_SERVER['PHP_SELF']) . '">'._('Show all currency definitions').'</a></div>';
}
echo '<br />';
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($SelectedCurrency) AND $SelectedCurrency!='') {
Modified: trunk/CustEDISetup.php
===================================================================
--- trunk/CustEDISetup.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustEDISetup.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -69,7 +69,7 @@
}
}
-echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<br /><table class="selection">';
Modified: trunk/CustLoginSetup.php
===================================================================
--- trunk/CustLoginSetup.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustLoginSetup.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -112,7 +112,7 @@
}
-echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class="selection">
Modified: trunk/CustWhereAlloc.php
===================================================================
--- trunk/CustWhereAlloc.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustWhereAlloc.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -6,7 +6,7 @@
$title = _('Customer How Paid Inquiry');
include('includes/header.inc');
-echo '<form action="' . $_SERVER['PHP_SELF'] . '" method=post>';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/money_add.png" title="' .
Modified: trunk/CustomerAllocations.php
===================================================================
--- trunk/CustomerAllocations.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustomerAllocations.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -336,7 +336,7 @@
if (isset($_POST['AllocTrans'])) {
// Page called with trans number
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method=post>';
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<input type=hidden name="AllocTrans" value="' . $_POST['AllocTrans'] . '" />';
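Review bot: Two lines below the escaped form action, `$_POST['AllocTrans']` is written back into the hidden input's value attribute unencoded, so this request parameter is still reflected raw into the same form the commit is hardening. Encode it the same way, `echo '<input type=hidden name="AllocTrans" value="' . htmlspecialchars($_POST['AllocTrans']) . '" />';`, or cast it to int if the transaction id is always numeric (not verifiable from the hunk). The `$_POST['TransAfterDate']` value attribute in the CustomerInquiry.php @@ -147 hunk has the same gap next to its escaped action.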
@@ -473,7 +473,7 @@
<td>' . ConvertSQLDate($myrow['trandate']) . '</td>
<td class=number>' . locale_number_format($myrow['total'],2) . '</td>
<td class=number>' . locale_number_format($myrow['total']-$myrow['alloc'],2) . '</td>';
- echo '<td><a href=' . $_SERVER['PHP_SELF']. '?AllocTrans=' . $myrow['id'] . '>' . _('Allocate') . '</a></td></tr>';
+ echo '<td><a href=' . htmlspecialchars($_SERVER['PHP_SELF']). '?AllocTrans=' . $myrow['id'] . '>' . _('Allocate') . '</a></td></tr>';
}
DB_free_result($result);
echo '</table><p>';
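Review bot: The new Allocate link still uses an unquoted href (`<a href=' . htmlspecialchars($_SERVER['PHP_SELF']). '?AllocTrans=...>`), and htmlspecialchars() does not encode whitespace, so for a PHP_SELF carrying client-supplied PATH_INFO the attribute value can still end before the escaped text has any effect. Quoting the attribute is what makes the new call sufficient: `echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?AllocTrans=' . $myrow['id'] . '">' . _('Allocate') . '</a></td></tr>';`. The same unquoted pattern is on the new `$allocate = '<a href=' . ...` line in the @@ -511 hunk of this file and on the "Show all branches" link in the CustomerBranches.php @@ -532 hunk, where `$DebtorNo` is also concatenated into the unquoted value. The enclosing while loop starts outside the hunk.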
@@ -511,7 +511,7 @@
$k=0;
while ($myrow = DB_fetch_array($result)) {
- $allocate = '<a href=' . $_SERVER['PHP_SELF']. '?' . SID . '&AllocTrans=' . $myrow['id'] . '>' . _('Allocate') . '</a>';
+ $allocate = '<a href=' . htmlspecialchars($_SERVER['PHP_SELF']). '?' . SID . '&AllocTrans=' . $myrow['id'] . '>' . _('Allocate') . '</a>';
if ( $curDebtor != $myrow['debtorno'] ) {
if ( $curTrans > 1 ) {
Modified: trunk/CustomerBranches.php
===================================================================
--- trunk/CustomerBranches.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustomerBranches.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -408,11 +408,11 @@
$myrow[8],
$myrow[9],
($myrow[11]?_('No'):_('Yes')),
- $_SERVER['PHP_SELF'],
+ htmlspecialchars($_SERVER['PHP_SELF']),
$DebtorNo,
urlencode($myrow[1]),
_('Edit'),
- $_SERVER['PHP_SELF'],
+ htmlspecialchars($_SERVER['PHP_SELF']),
$DebtorNo,
urlencode($myrow[1]),
_('Delete Branch'));
@@ -456,7 +456,7 @@
}
if (!isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] .'">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) .'">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
if (isset($SelectedBranch)) {
@@ -532,7 +532,7 @@
echo '<p Class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/customer.png" title="' . _('Customer') .
'" alt="">' . ' ' . _('Change Details for Branch'). ' '. $SelectedBranch . '</p>';
if (isset($SelectedBranch)) {
- echo '<div class="centre"><a href=' . $_SERVER['PHP_SELF'] . '?DebtorNo=' . $DebtorNo. '>' . _('Show all branches defined for'). ' '. $DebtorNo . '</a></div>';
+ echo '<div class="centre"><a href=' . htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorNo=' . $DebtorNo. '>' . _('Show all branches defined for'). ' '. $DebtorNo . '</a></div>';
}
echo '<br /><table class="selection">';
echo '<tr><th colspan=2><div class="centre"><b>'._('Change Branch').'</b></th></tr>';
Modified: trunk/CustomerInquiry.php
===================================================================
--- trunk/CustomerInquiry.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustomerInquiry.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -147,7 +147,7 @@
</tr>
</table>';
-echo '<br /><div class="centre"><form action="' . $_SERVER['PHP_SELF'] . '" method=post>';
+echo '<br /><div class="centre"><form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo _('Show all transactions after') . ': <input tabindex=1 type="text" class="date" alt="' .$_SESSION['DefaultDateFormat']. '" id="datepicker" name="TransAfterDate" value="' . $_POST['TransAfterDate'] . '" maxlength =10 size=12>' . '<input tabindex=2 type="submit" name="Refresh Inquiry" value="' . _('Refresh Inquiry') . '"></div>
</form>
Modified: trunk/CustomerReceipt.php
===================================================================
--- trunk/CustomerReceipt.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustomerReceipt.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -702,7 +702,7 @@
/*set up the form whatever */
-echo '<form action="' . $_SERVER['PHP_SELF'] . '?Type='.$_GET['Type'] . '" method="post" name="form1">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?Type='.$_GET['Type'] . '" method="post" name="form1">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
/*show the batch header details and the entries in the batch so far */
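Review bot: On the new form-action line, `$_GET['Type']` is concatenated into the same attribute immediately after the newly escaped PHP_SELF, so the reflected parameter remains unencoded and the fix covers only the first part of the URL. Encode it for the query-string context, `'?Type=' . urlencode($_GET['Type'])`, or better, check it against the values this page actually handles before echoing it (those values are not visible in the hunk). The same raw `$_GET['Type']` is in the Delete link of the @@ -862 hunk below.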
@@ -862,7 +862,7 @@
<td>' . stripslashes($ReceiptItem->CustomerName) . '</td>
<td>'.$ReceiptItem->GLCode.' - '.$myrow['accountname'].'</td>
<td>'.$ReceiptItem->Narrative . '</td>
- <td><a href="' . $_SERVER['PHP_SELF'] . '?Delete=' . $ReceiptItem->ID . '&Type=' . $_GET['Type']. '">' . _('Delete') . '</a></td>
+ <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?Delete=' . $ReceiptItem->ID . '&Type=' . $_GET['Type']. '">' . _('Delete') . '</a></td>
</tr>';
$BatchTotal= $BatchTotal + $ReceiptItem->Amount;
}
Modified: trunk/CustomerTransInquiry.php
===================================================================
--- trunk/CustomerTransInquiry.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustomerTransInquiry.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -10,7 +10,7 @@
echo '<div class="page_help_text">' . _('Choose which type of transaction to report on.') . '</div>
<br />';
-echo '<form action="' . $_SERVER['PHP_SELF'] . '" method=post>';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table cellpadding=2 class=selection><tr>';
Modified: trunk/CustomerTypes.php
===================================================================
--- trunk/CustomerTypes.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/CustomerTypes.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -204,9 +204,9 @@
</tr>',
$myrow[0],
$myrow[1],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow[0],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow[0]);
}
//END WHILE LIST LOOP
@@ -216,11 +216,11 @@
//end of ifs and buts!
if (isset($SelectedType)) {
- echo '<div class="centre"><p><a href="' . $_SERVER['PHP_SELF'] . '">' . _('Show All Types Defined') . '</a></div><p>';
+ echo '<div class="centre"><p><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Show All Types Defined') . '</a></div><p>';
}
if (! isset($_GET['delete'])) {
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<p><table class=selection>'; //Main table
Modified: trunk/Customers.php
===================================================================
--- trunk/Customers.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/Customers.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -443,11 +443,11 @@
}
if ($SetupErrors>0) {
- echo '<br /><div class=centre><a href="'.$_SERVER['PHP_SELF'] .'" >'._('Click here to continue').'</a></div>';
+ echo '<br /><div class=centre><a href="'.htmlspecialchars($_SERVER['PHP_SELF']) .'" >'._('Click here to continue').'</a></div>';
include('includes/footer.inc');
exit;
}
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<input type="hidden" name="New" value="Yes" />';
@@ -618,7 +618,7 @@
//DebtorNo exists - either passed when calling the form or from the form itself
- echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
+ echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class=selection cellspacing=4>
<tr><td valign=top><table class=selection>';
@@ -981,7 +981,7 @@
$myrow['notes'],
$myrow['contid'],
$myrow['debtorno'],
- $_SERVER['PHP_SELF'] . '?',
+ htmlspecialchars($_SERVER['PHP_SELF']) . '?',
$myrow['contid'],
$myrow['debtorno']);
}
Modified: trunk/DailyBankTransactions.php
===================================================================
--- trunk/DailyBankTransactions.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/DailyBankTransactions.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -10,7 +10,7 @@
_('Search') . '" alt="" />' . ' ' . $title.'</p>';
if (!isset($_POST['Show'])) {
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method=post>';
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table class=selection>';
@@ -132,7 +132,7 @@
echo '</table>';
} //end if no bank trans in the range to show
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method=post>';
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method=post>';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<br /><div class="centre"><input type="submit" name="Return" value="' . _('Select Another Date'). '"></div>';
echo '</form>';
Modified: trunk/DailySalesInquiry.php
===================================================================
--- trunk/DailySalesInquiry.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/DailySalesInquiry.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -10,7 +10,7 @@
echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/transactions.png" title="' . _('Daily Sales') . '" alt="" />' . ' ' . _('Daily Sales') . '</p>';
echo '<div class="page_help_text">' . _('Select the month to show daily sales for') . '</div><br />';
-echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
echo '<table cellpadding=2 class=selection><tr>';
Modified: trunk/DebtorsAtPeriodEnd.php
===================================================================
--- trunk/DebtorsAtPeriodEnd.php 2011-10-28 05:07:04 UTC (rev 4733)
+++ trunk/DebtorsAtPeriodEnd.php 2011-10-29 03:26:27 UTC (rev 4734)
@@ -129,7 +129,7 @@
/*if $FromCriteria is not set then show a form to allow input */
- echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">
+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
<table class="selection">';
echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
Modified: trunk/DeliveryDetails.php
===================================================================
--- ...