From ff621bce350f537ee5653556ababb4c84fb1461a Mon Sep 17 00:00:00 2001
From: Josh North <josh.north@point808.com>
Date: Wed, 11 Aug 2021 20:12:35 -0400
Subject: [PATCH] CSP tweaks again, login uid fix, mild cleanup

---
 inc/footer.inc.php |  6 ++--
 inc/header.inc.php | 80 ++++++++++++++++++++++------------------------
 index.php          | 32 +++++++++----------
 printvwf.php       | 48 ++++++++++++++--------------
 reports.php        |  6 ++--
 signin.php         |  8 ++---
 signout.php        |  2 +-
 7 files changed, 90 insertions(+), 92 deletions(-)

diff --git a/inc/footer.inc.php b/inc/footer.inc.php
index eb2b094..aaf8260 100755
--- a/inc/footer.inc.php
+++ b/inc/footer.inc.php
@@ -31,14 +31,14 @@
       <?php } ?>
     </div>
   </div>
-  <script nonce="<?=$_SESSION['nonce']?>">window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
-  <script nonce="<?=$_SESSION['nonce']?>">
+  <script nonce="<?=$_SESSION['nonceStr']?>">window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
+  <script nonce="<?=$_SESSION['nonceStr']?>">
     var popoverTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="popover"]'))
     var popoverList = popoverTriggerList.map(function (popoverTriggerEl) {
       return new bootstrap.Popover(popoverTriggerEl)
     })
   </script>
-  <script src="js/bootstrap.min.js" nonce="<?=$_SESSION['nonce']?>"></script>
+  <script src="js/bootstrap.min.js" nonce="<?=$_SESSION['nonceStr']?>"></script>
 <!-- END FOOTER CONTENT -->
 </body>
 </html>
diff --git a/inc/header.inc.php b/inc/header.inc.php
index 4f789be..e8541e9 100644
--- a/inc/header.inc.php
+++ b/inc/header.inc.php
@@ -57,7 +57,8 @@
         } else {
             $sessuserid='2';
         }
-    $session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
+        }
+    $session_user = $Users->getUserInfo((int)$sessuserid, "1", "0"); 
     if (isset($session_user)) {                                                 // GET UID OR SET TO KIOSK
         $uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
     $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang');               // SETUP LANGUAGE
@@ -80,18 +81,15 @@
     $timeplus = new DateTime($StaticFunctions->getUTC(), new DateTimeZone('UTC')); // DUMB WAY TO CALCULATE SOME TIMES
     $timeplus->setTimezone(new DateTimeZone("$timezone"));
     $timenow = $timeplus->format('Y-m-d H:i:s');
-    $_SESSION['nonce']= base64_encode(random_bytes(32));
-    $noncestring="nonce-".$_SESSION['nonce'];
-    $urlsrc=basename($_SERVER['PHP_SELF']);
-      header("X-Frame-Options: SAMEORIGIN");
-      header("X-Content-Type-Options: nosniff");
-      //header("Content-Security-Policy: default-src '$urlsrc'; script-src '$urlsrc'");
-      header("Content-Security-Policy: default-src '$noncestring' 'self'; script-src '$noncestring' 'self' ; script-src-elem '$noncestring' 'self'; script-src-attr '$noncestring' 'self'; style-src '$noncestring' 'self'; style-src-elem '$noncestring' 'self'; style-src-attr '$noncestring' 'self'; img-src '$noncestring' 'self' data:; connect-src '$noncestring' 'self'; frame-src '$noncestring' 'self'; font-src '$noncestring' 'self'; media-src '$noncestring' 'self'; object-src '$noncestring' 'self'; manifest-src '$noncestring' 'self'; worker-src '$noncestring' 'self'; prefetch-src '$noncestring' 'self'; form-action '$noncestring' 'self'; frame-ancestors '$noncestring' 'self'");
-      //header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
-      if (!empty($_GET['a'])) {
-        echo '<pre>' . print_r($_POST, true) . '</pre>';
-        echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
-      }
+    $_SESSION['nonceStr'] = base64_encode(random_bytes(32));
+    $nonceHeader="nonce-".$_SESSION['nonceStr'];
+    $urlsrc=basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL));
+    header("X-Frame-Options: SAMEORIGIN");
+    header("X-Content-Type-Options: nosniff");
+    header("Content-Security-Policy: default-src '$nonceHeader' 'self'; script-src '$nonceHeader' 'self' ; script-src-elem '$nonceHeader' 'self'; script-src-attr '$nonceHeader' 'self'; style-src '$nonceHeader' 'self'; style-src-elem '$nonceHeader' 'self'; style-src-attr '$nonceHeader' 'self'; img-src '$nonceHeader' 'self' data:; connect-src '$nonceHeader' 'self'; frame-src '$nonceHeader' 'self'; font-src '$nonceHeader' 'self'; media-src '$nonceHeader' 'self'; object-src '$nonceHeader' 'self'; manifest-src '$nonceHeader' 'self'; worker-src '$nonceHeader' 'self'; prefetch-src '$nonceHeader' 'self'; form-action '$nonceHeader' 'self'; frame-ancestors '$nonceHeader' 'self'");
+    if (!empty($_GET['a'])) {
+      echo '<pre>' . print_r($_POST, true) . '</pre>';
+      echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful'); }
 ?>
 <!doctype html>
 <html lang="<?php echo $app_disp_lang; ?>">
@@ -102,33 +100,33 @@
   <link rel="manifest" href="manifest.webmanifest">
   <meta name="apple-mobile-web-app-capable" content="yes">
   <meta name="apple-mobile-web-app-title" content="<?php echo $transLang['APP_NAME']; ?>">
-  <link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonce']?>">
+  <link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonceStr']?>">
   <meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
-<?php if (basename($_SERVER['PHP_SELF']) == 'signin_display.php'): ?>  <meta http-equiv="refresh" content="5; url=index.php" /><?php endif; ?>
-  <link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
+<?php if (basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL)) == 'signin_display.php'): ?>  <meta http-equiv="refresh" content="5; url=index.php" /><?php endif; ?>
+  <link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
   <meta name="description" content="<?php echo $transLang['META_DESC']; ?>" />
-  <script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/vfs_fonts.js?v4" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
+  <script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/vfs_fonts.js?v4" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
   <title><?php echo $StaticFunctions->getTitle($app_current_pagename, $app_disp_lang); ?></title>
 </head>
 <!-- END HEAD -->
@@ -137,7 +135,7 @@
 <!-- START NAVBAR -->
   <nav class="navbar navbar-expand-lg navbar-light bg-light mb-2">
     <div class="container-fluid">
-      <a class="navbar-brand" href="index.php"><img src="<?php echo $StaticFunctions->getLogo(); ?>" width="120" height="60" alt="" nonce="<?=$_SESSION['nonce']?>"></a>
+      <a class="navbar-brand" href="index.php"><img src="<?php echo $StaticFunctions->getLogo(); ?>" width="120" height="60" alt="" nonce="<?=$_SESSION['nonceStr']?>"></a>
       <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbar"><span class="navbar-toggler-icon"></span></button>
       <div class="collapse navbar-collapse" id="navbar">
         <ul class="navbar-nav me-auto mb-2 mb-lg-0">
@@ -225,13 +223,13 @@
       </div>
     </div>
   </div>
-  <script nonce="<?=$_SESSION['nonce']?>">
+  <script nonce="<?=$_SESSION['nonceStr']?>">
     $(".changelang").change(function(e){
       e.preventDefault();
       $(this).closest("form").submit();
     });
   </script>
-  <script nonce="<?=$_SESSION['nonce']?>">
+  <script nonce="<?=$_SESSION['nonceStr']?>">
     $(document).ready(function () {
       //POP MODAL IF NO COOKIE
       if ( document.cookie.indexOf("app_site=") < 0) {
diff --git a/index.php b/index.php
index 59081b2..c66b317 100644
--- a/index.php
+++ b/index.php
@@ -81,7 +81,7 @@
     $app_current_pagename = $transLang['STR_COMMON_HOME'];                                 // PAGE SETUP
     $app_current_pageicon = '<i class="fas fa-home"></i> ';
     require_once("inc/header.inc.php");
-    $urlsrc=basename($_SERVER['PHP_SELF']);
+    $urlsrc=basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL));
       header("X-Frame-Options: SAMEORIGIN");
       header("X-Content-Type-Options: nosniff");
       //header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
@@ -107,7 +107,7 @@
   <div class="container-fluid">
     <div class="row row-cols-1">
       <div class="col d-grid gap-2">
-        <button class="btn btn-outline-danger btn-lg btn-block" tabindex="-1" role="button" aria-disabled="true" disabled><i class="fas fa-4x fa-sign-in-alt"></i><img src="<?php echo $StaticFunctions->getLogoText(); ?>" height="140" width="370" nonce="<?=$_SESSION['nonce']?>"></img><i class="fas fa-4x fa-sign-out-alt"></i><br /><h1><?php echo $transLang['APP_NAME']; ?></h1></button>
+        <button class="btn btn-outline-danger btn-lg btn-block" tabindex="-1" role="button" aria-disabled="true" disabled><i class="fas fa-4x fa-sign-in-alt"></i><img src="<?php echo $StaticFunctions->getLogoText(); ?>" height="140" width="370" nonce="<?=$_SESSION['nonceStr']?>"></img><i class="fas fa-4x fa-sign-out-alt"></i><br /><h1><?php echo $transLang['APP_NAME']; ?></h1></button>
       </div>
     </div>
   </div>
@@ -306,7 +306,7 @@ $form_data = filter_input_array(INPUT_POST, [
   if (0 === $row_count): else: $page_count = (int)ceil($row_count / $StaticFunctions->getPageRows()); if($page_num > $page_count): $page_num = 1; endif; endif;
 ?>
 <!-- modals -->
-  <script nonce="<?=$_SESSION['nonce']?>">
+  <script nonce="<?=$_SESSION['nonceStr']?>">
     $(document).on("click", ".open-voidModal", function (e) {
       e.preventDefault();
       var _self = $(this);
@@ -365,7 +365,7 @@ $form_data = filter_input_array(INPUT_POST, [
         <ul class="pagination pagination-sm">
           <li class="page-item disabled"><a class="page-link" href="#" tabindex="-1"><?php echo $transLang['STR_COMMON_PAGE']; ?></a></li>
           <?php for ($i = 1; $i <= $page_count; $i++): ?>
-          <li class="page-item<?php if ($i === $page_num): echo ' active'; else: echo ' '; endif; ?>"><a class="page-link" href="<?php echo $_SERVER['PHP_SELF'] . '?pnum=' . $i; ?>"><?php echo $i; ?></a></li>
+          <li class="page-item<?php if ($i === $page_num): echo ' active'; else: echo ' '; endif; ?>"><a class="page-link" href="<?php echo filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL) . '?pnum=' . $i; ?>"><?php echo $i; ?></a></li>
           <?php endfor; ?>
         </ul>
       </div>
@@ -391,7 +391,7 @@ $form_data = filter_input_array(INPUT_POST, [
                 <div class="input-group input-group-sm mb-0">
                   <span class="input-group-text" data-bs-toggle="datetimepicker" data-target=".datetimepicker-fd_manualTimeDate">Sign In Date/Time&nbsp;<i class="fas fa-clock"></i></span>
                   <input placeholder="" name="fd_manualTimeDate" type="text" class="form-control bg-white datetimepicker-input datetimepicker-fd_manualTimeDate" id="datetimepicker-fd_manualTimeDate" data-toggle="datetimepicker" data-target=".datetimepicker-fd_manualTimeDate"/>
-                  <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                  <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                     $(function () {
                       $('.datetimepicker-fd_manualTimeDate').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true });
                     });
@@ -467,7 +467,7 @@ $form_data = filter_input_array(INPUT_POST, [
                 <div class="input-group input-group-sm mb-0">
                   <span class="input-group-text" data-bs-toggle="datetimepicker" data-target=".datetimepicker-form_data_workstart"><?php echo $transLang['STR_VENDORINFO_WORKSTART_TITLE']; ?>&nbsp;<i class="fas fa-clock"></i></span>
                   <input placeholder="" name="form_data_workstart" type="text" class="form-control bg-white datetimepicker-input datetimepicker-form_data_workstart" id="datetimepicker-form_data_workstart" data-toggle="datetimepicker" data-target=".datetimepicker-form_data_workstart"/>
-                  <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                  <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                     $(function () {
                       $('.datetimepicker-form_data_workstart').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true, 'defaultDate':'<?php echo $timenow; ?>'  });
                     });
@@ -478,7 +478,7 @@ $form_data = filter_input_array(INPUT_POST, [
                 <div class="input-group input-group-sm mb-0">
                   <span class="input-group-text" data-bs-toggle="datetimepicker" data-target=".datetimepicker-form_data_workend"><?php echo $transLang['STR_VENDORINFO_WORKEND_TITLE']; ?>&nbsp;<i class="fas fa-clock"></i></span>
                   <input placeholder="" name="form_data_workend" type="text" class="form-control bg-white datetimepicker-input datetimepicker-form_data_workend" id="datetimepicker-form_data_workend" data-toggle="datetimepicker" data-target=".datetimepicker-form_data_workend"/>
-                  <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                  <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                     $(function () {
                       $('.datetimepicker-form_data_workend').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true, 'defaultDate':'<?php echo date('Y-m-d H:i:s', time()+43200); ?>'  });
                     });
@@ -487,7 +487,7 @@ $form_data = filter_input_array(INPUT_POST, [
               </div>
             </div>
             </div>
-            <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+            <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
               $('#vendorrequiredswitch').change(function() {
                 var checkedEscortValue=$("#vendorrequiredswitch").is(":checked");
                 if (checkedEscortValue === true) {
@@ -548,7 +548,7 @@ $form_data = filter_input_array(INPUT_POST, [
                 </div>
               </div>
             </div>
-            <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+            <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
               $('#escortrequiredswitch').change(function() {
                 var checkedEscortValue=$("#escortrequiredswitch").is(":checked");
                 if (checkedEscortValue === true) {
@@ -946,8 +946,8 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
                     <span class="badge bg-light text-dark"><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]["visittypes_name"]]; ?></span>
                   </div>
                 </td>
-                <td class="small"><?php echo $row['visits_lastname'] . ", " . $row['visits_firstname']; ?><br><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" nonce="<?=$_SESSION['nonce']?>"></img></td>
-                <td class="small"><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" nonce="'.$_SESSION['nonce'].'"></img>'; } ?></td>
+                <td class="small"><?php echo $row['visits_lastname'] . ", " . $row['visits_firstname']; ?><br><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" nonce="<?=$_SESSION['nonceStr']?>"></img></td>
+                <td class="small"><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" nonce="'.$_SESSION['nonceStr'].'"></img>'; } ?></td>
                 <td class="small">
 <?php if($row['visits_approved'] === 2) { ?>
                   <div>
@@ -992,7 +992,7 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
                   <div class="input-group input-group-sm mb-0">
                     <span class="input-group-text" data-bs-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $visitid; ?>"><i class="fas fa-clock"></i></span>
                     <input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $visitid; ?>" id="datetimepicker-<?php echo $visitid; ?>" data-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $visitid; ?>"/>
-                    <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                    <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                       $(function () {
                         $('.datetimepicker-<?php echo $visitid; ?>').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true });
                       });
@@ -1015,7 +1015,7 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
                   <input class="form-control form-control-sm bg-white<?php if( isset($id_reference_error) && $id_reference_error === 1 && $_POST['approvevisit'] == $visitid ) { echo " is-invalid"; } ?>" type="text" id="id_reference-<?php echo $visitid; ?>" name="id_reference">
                   <div class="invalid-feedback"><?php echo $transLang['STR_COMMON_REQUIRED']; ?></div>
                 </div>
-                <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                   $('#id_type-<?php echo $visitid; ?>').change(function() {
                     if ($(this).val() === "1") {
                       $('#ticket-<?php echo $visitid; ?>').show();
@@ -1043,7 +1043,7 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
                 <div id="citizen-ban-<?php echo $visitid; ?>" name="ban-<?php echo $visitid; ?>" class="input-group input-group-sm mb-0">
                   <span class="badge bg-danger"><?php echo $transLang['STR_COMMON_SANCTIONED']; ?></span>
                 </div>
-                <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                   $('#citizen-<?php echo $visitid; ?>').change(function() {
                     var controlbox = $(this);
                     var isSanctioned = controlbox.find(':selected').data('sanctioned');
@@ -1095,7 +1095,7 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
                   <div class="input-group input-group-sm mb-0">
                     <span class="input-group-text" data-bs-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $visitid; ?>"><i class="fas fa-clock"></i></span>
                     <input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $visitid; ?>" id="datetimepicker-<?php echo $visitid; ?>" data-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $visitid; ?>" />
-                    <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+                    <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
                       $(function () {
                         $('.datetimepicker-<?php echo $visitid; ?>').datetimepicker({'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true });
                       });
@@ -1122,7 +1122,7 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
         <ul class="pagination pagination-sm">
           <li class="page-item disabled"><a class="page-link" href="#" tabindex="-1"><?php echo $transLang['STR_COMMON_PAGE']; ?></a></li>
           <?php for ($i = 1; $i <= $page_count; $i++): ?>
-          <li class="page-item<?php if ($i === $page_num): echo ' active'; else: echo ' '; endif; ?>"><a class="page-link" href="<?php echo $_SERVER['PHP_SELF'] . '?pnum=' . $i; ?>"><?php echo $i; ?></a></li>
+          <li class="page-item<?php if ($i === $page_num): echo ' active'; else: echo ' '; endif; ?>"><a class="page-link" href="<?php echo filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL) . '?pnum=' . $i; ?>"><?php echo $i; ?></a></li>
           <?php endfor; ?>
         </ul>
       </div>
diff --git a/printvwf.php b/printvwf.php
index bed6655..c9a9f48 100644
--- a/printvwf.php
+++ b/printvwf.php
@@ -99,32 +99,32 @@
   <link rel="manifest" href="manifest.webmanifest">
   <meta name="apple-mobile-web-app-capable" content="yes">
   <meta name="apple-mobile-web-app-title" content="<?php echo $transLang['STR_VENDORINFO_FORM_TITLE']; ?>">
-  <link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonce']?>">
+  <link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonceStr']?>">
   <meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
-  <link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonce']?>">
-  <link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
-  <link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
+  <link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonceStr']?>">
+  <link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
+  <link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonceStr']?>"/>
   <meta name="description" content="<?php echo $transLang['META_DESC']; ?>" />
-  <script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/vfs_fonts.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
-  <script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
+  <script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/vfs_fonts.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
+  <script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonceStr']?>"></script>
   <title><?php echo $transLang['STR_VENDORINFO_FORM_TITLE']; ?></title>
 </head>
 <!-- END HEAD -->
diff --git a/reports.php b/reports.php
index 663e239..7962caa 100644
--- a/reports.php
+++ b/reports.php
@@ -154,12 +154,12 @@ $form_data = filter_input_array(INPUT_POST, [
           <div class="input-group">
             <span class="input-group-text date form-control-lg" data-bs-toggle="datetimepicker" data-target=".datetimepicker-2"><i class="fas fa-calendar"></i>&nbsp <?php echo $transLang['END']; ?></span>
             <input name="endtime" type="text" class="form-control form-control-lg bg-white datetimepicker-input datetimepicker-2" id="datetimepicker-2" data-toggle="datetimepicker" data-target=".datetimepicker-2" required />
-            <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+            <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
               $(function () {
                 $('.datetimepicker-1').datetimepicker({defaultDate:'<?php if (isset($form_data['starttime'])) { echo $form_data['starttime']; }; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true });
               });
             </script>
-            <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+            <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
               $(function () {
                 $('.datetimepicker-2').datetimepicker({defaultDate:'<?php if (isset($form_data['endtime'])) { echo $form_data['endtime']; }; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true });
               });
@@ -380,7 +380,7 @@ $form_data = filter_input_array(INPUT_POST, [
             </div>
         </div>
 <?php } ?>
-        <script nonce="<?=$_SESSION['nonce']?>">
+        <script nonce="<?=$_SESSION['nonceStr']?>">
             $(document).ready(function() {
                 $('#report').DataTable( {
                     "order": [[ 0, "desc" ]],
diff --git a/signin.php b/signin.php
index 8c5d1d0..9ea2822 100644
--- a/signin.php
+++ b/signin.php
@@ -156,7 +156,7 @@ if(empty($form_data['fd_formAction'])){
       </div>
     </form>
   </div>
-  <script nonce="<?=$_SESSION['nonce']?>">
+  <script nonce="<?=$_SESSION['nonceStr']?>">
     // Example starter JavaScript for disabling form submissions if there are invalid fields
     (function() {
       'use strict';
@@ -278,7 +278,7 @@ if(empty($form_data['fd_formAction'])){
           <div class="input-group mb-3">
             <span class="input-group-text" data-bs-toggle="datetimepicker" data-target=".datetimepicker-fd_workEndTime"><?=$transLang['STR_VENDORINFO_WORKEND_TITLE']?>&nbsp;<i class="fas fa-clock"></i></span>
             <input name="fd_workEndTime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-fd_workEndTime" id="datetimepicker-fd_workEndTime" data-toggle="datetimepicker" data-target=".datetimepicker-fd_workEndTime"/>
-            <script type="text/javascript" nonce="<?=$_SESSION['nonce']?>">
+            <script type="text/javascript" nonce="<?=$_SESSION['nonceStr']?>">
               $(function () {
                 $('.datetimepicker-fd_workStartTime').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true, 'defaultDate':'<?php echo $timenow; ?>' });
                 $('.datetimepicker-fd_workEndTime').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss', 'allowInputToggle': true, 'defaultDate':'<?php echo date('Y-m-d H:i:s', time()+43200); ?>' });
@@ -388,7 +388,7 @@ if(empty($form_data['fd_formAction'])){
         </div>
       </div>
       <?php } ?>
-      <script nonce="<?=$_SESSION['nonce']?>">
+      <script nonce="<?=$_SESSION['nonceStr']?>">
         $(document).ready(function() {
           // Init jSignature for Visitor field, onchange store in text field
           var $vsignature = $("#vsignature").jSignature({ width:"100%", height: 200 });
@@ -457,7 +457,7 @@ if(empty($form_data['fd_formAction'])){
           </div>
         </div>
       </div>
-      <script nonce="<?=$_SESSION['nonce']?>">
+      <script nonce="<?=$_SESSION['nonceStr']?>">
         $(document).ready(function() {
           // Init jSignature for Escort field, onchange store in text field
           var $esignature = $("#esignature").jSignature({ width:"100%", height: 200 });
diff --git a/signout.php b/signout.php
index 74e9b81..fed592f 100644
--- a/signout.php
+++ b/signout.php
@@ -173,7 +173,7 @@ if(empty($form_data['fd_formAction'])){
       </div>
     </div>
   </div>
-  <script nonce="<?=$_SESSION['nonce']?>">
+  <script nonce="<?=$_SESSION['nonceStr']?>">
     setTimeout(function(){ window.location.href = 'index.php'; }, 5000);
   </script>
 <!-- SIGNOUT ACKNOWLEGEMENT END-->