From d9729b4b01a32557e284ce469a410b24fcb65e62 Mon Sep 17 00:00:00 2001
From: Craig Knudsen <craig@k5n.us>
Date: Thu, 14 Oct 2021 12:22:05 -0400
Subject: [PATCH] Security fixes: XSS and CSRF

---
 access.php             | 15 ++++++---
 admin.php              |  7 ++--
 approve_entry.php      |  5 +--
 assistant_edit.php     |  2 +-
 availability.php       |  2 +-
 category.php           |  2 +-
 catsel.php             |  2 +-
 docadd.php             |  2 ++
 edit_entry.php         |  5 +--
 edit_entry_handler.php |  1 +
 edit_remotes.php       |  2 ++
 edit_report.php        |  1 +
 edit_template.php      |  3 +-
 export.php             |  1 +
 groups.php             | 11 ++++---
 import.php             |  3 +-
 includes/formvars.php  | 72 ++++++++++++++++++++++++++++++++++++++----
 layers.php             | 11 ++++---
 list_unapproved.php    |  1 +
 pref.php               |  5 +--
 purge.php              |  1 +
 reject_entry.php       | 10 +++---
 remotecal_mgmt.php     | 19 +++++++----
 resourcecal_mgmt.php   |  9 ++++--
 search_handler.php     |  1 +
 set_entry_cat.php      |  2 ++
 user_mgmt.php          | 52 +++++++++++++++++++++++++++---
 users_ajax.php         | 35 ++++++++++++++++++--
 view_d.php             |  2 ++
 view_entry.php         | 17 ++++++----
 views_edit.php         |  1 +
 31 files changed, 241 insertions(+), 61 deletions(-)

diff --git a/access.php b/access.php
index fb57d65ef..2420bee44 100644
--- a/access.php
+++ b/access.php
@@ -175,8 +175,9 @@
     <h2>' . translate( 'User Access Control' )
    . ( empty( $user_fullname ) ? '' : ': ' . $user_fullname ) . '</h2>
     ' . display_admin_link( false ) . '
-    <form action="access.php" method="post" name="SelectUser">
-      <select name="guser" onchange="document.SelectUser.submit()">'
+    <form action="access.php" method="post" name="SelectUser">';
+  print_form_key();
+  echo '<select name="guser" onchange="document.SelectUser.submit()">'
   // Add a DEFAULT CONFIGURATION to be used as a mask.
   . '
         <option value="__default__"'
@@ -213,8 +214,9 @@
     // defined in access.php.
     assert( count( $order ) == ACCESS_NUMBER_FUNCTIONS );
 
+    echo '<form action="access.php" method="post" id="accessform" name="accessform">';
+    print_form_key();
     echo '
-    <form action="access.php" method="post" id="accessform" name="accessform">
       <input type="hidden" name="auser" value="' . $guser . '" />
       <input type="hidden" name="guser" value="' . $guser . '" />
       <table>
@@ -282,7 +284,9 @@
     $userlist = get_list_of_users( $guser );
     echo '
     <h2 style="margin-bottom: 2px;">' . $pagetitle . '</h2>
-    <form action="access.php" method="post" name="SelectOther">
+    <form action="access.php" method="post" name="SelectOther">';
+    print_form_key();
+    echo '
       <input type="hidden" name="guser" value="' . $guser . '" />
       <select name="otheruser" onchange="document.SelectOther.submit()">'
     // Add a DEFAULT CONFIGURATION to be used as a mask.
@@ -306,8 +310,9 @@
 if( ! empty( $otheruser ) ) {
   if( $allow_view_other ) {
     $typeStr = translate( 'Type' );
+    echo '<form action="access.php" method="post" name="EditOther">';
+    print_form_key();
     echo '
-    <form action="access.php" method="post" name="EditOther">
       <input type="hidden" name="guser" value="' . $guser . '" />
       <input type="hidden" name="otheruser" value="' . $otheruser . '" /><br />
       <table cellpadding="5">
diff --git a/admin.php b/admin.php
index 3978d8b98..119ce98a9 100644
--- a/admin.php
+++ b/admin.php
@@ -23,9 +23,12 @@ function save_pref ( $prefs, $src ) {
 
       // Validate key name. Should start with "admin_" and not include
       // any unusual characters that might be an SQL injection attack.
-      if ( ! preg_match ( '/admin_[A-Za-z0-9_]+$/', $key ) )
+      if ( $key == 'csrf_form_key' ) {
+        // Ignore this for validation...
+      } else if ( ! preg_match ( '/admin_[A-Za-z0-9_]+$/', $key ) ) {
         die_miserable_death ( str_replace ( 'XXX', $key,
             translate ( 'Invalid setting name XXX.' ) ) );
+     }
     } else {
       $prefix = 'admin_';
       $setting = $key;
@@ -238,7 +241,7 @@ function save_pref ( $prefs, $src ) {
    . '\'dependent,menubar,scrollbars,height=400,width=400,innerHeight=420,'
    . 'outerWidth=420\' );" /></h2>
     <form action="admin.php" method="post" onsubmit="return valid_form( this );"'
-   . ' name="prefform">'
+   . ' name="prefform">' . csrf_form_key()
    . display_admin_link() . '
       <input class="btn btn-primary" type="submit" value="' . $saveStr
    . '" name="" /><br /><br />
diff --git a/approve_entry.php b/approve_entry.php
index 20fbc842d..330733cf5 100644
--- a/approve_entry.php
+++ b/approve_entry.php
@@ -19,8 +19,9 @@
   print_header();
   echo '
     <form action="approve_entry.php' . $q_string
-   . '" method="post" name="add_comments">
-      <table cellspacing="5">
+   . '" method="post" name="add_comments">';
+   print_form_key();
+   echo '<table cellspacing="5">
         <tr>
           <td class="aligncenter alignbottom"><h3>'
    . translate ( 'Additional Comments (optional)' ) . '</h3></td>
diff --git a/assistant_edit.php b/assistant_edit.php
index dcc0667e9..9426a4286 100644
--- a/assistant_edit.php
+++ b/assistant_edit.php
@@ -14,7 +14,7 @@
   '<script type="text/javascript" src="includes/js/assistant_edit.js"></script>' );
 echo '
     <form action="assistant_edit_handler.php" method="post" '
- . 'name="assistanteditform">' . ( $user ? '
+ . 'name="assistanteditform">' . csrf_form_key() . ( $user ? '
       <input type="hidden" name="user" value="' . $user . '" />' : '' ) . '
       <h2>';
 
diff --git a/availability.php b/availability.php
index dd79e52aa..312fa0e64 100644
--- a/availability.php
+++ b/availability.php
@@ -74,7 +74,7 @@
       </div>
     </div><br />
     <form action="availability.php" method="post">
-      ' . daily_matrix ( $date, $users ) . '
+      ' . csrf_form_key() . daily_matrix ( $date, $users ) . '
     </form>
     ' . print_trailer ( false, true, true );
 
diff --git a/category.php b/category.php
index 3f8a0f0b8..9ef8a5e9f 100644
--- a/category.php
+++ b/category.php
@@ -66,7 +66,7 @@
 if ( ( ( $add == '1' ) || ( ! empty ( $id ) ) ) && empty ( $error ) ) {
   echo '
     <form action="category_handler.php" method="post" name="catform" '
-    . 'enctype="multipart/form-data">' . $idStr . '
+    . 'enctype="multipart/form-data">' . csrf_form_key() . $idStr . '
     <div class="form-inline">
     <label class="col-sm-3 col-form-label" for="catname">' . translate ('Category Name') . '</label>
     <input class="form-control" type="text" name="catname" size="20" value="'
diff --git a/catsel.php b/catsel.php
index 8b2c47aa3..a2afec672 100644
--- a/catsel.php
+++ b/catsel.php
@@ -33,7 +33,7 @@
         <th colspan="3">' . translate ( 'Categories' ) . '</th>
       </tr>
       <form action="" method="post" name="editCategories" '
- . 'onSubmit="sendCats( this )">
+ . 'onSubmit="sendCats( this )">' . csrf_form_key() . '
       <tr>
         <td class="aligntop">';
 
diff --git a/docadd.php b/docadd.php
index be42eddf4..ae759df30 100644
--- a/docadd.php
+++ b/docadd.php
@@ -202,6 +202,7 @@
   // Comment
 ?>
 <form action="docadd.php" method="post" name="docform">
+<?php print_form_key(); ?>
 <input type="hidden" name="id" value="<?php echo $id?>" />
 <input type="hidden" name="type" value="C" />
 
@@ -223,6 +224,7 @@
   // Attachment
 ?>
 <form action="docadd.php" method="post" name="docform" enctype="multipart/form-data">
+<?php print_form_key(); ?>
 <input type="hidden" name="id" value="<?php echo $id?>" />
 <input type="hidden" name="type" value="A" />
 <table>
diff --git a/edit_entry.php b/edit_entry.php
index fa870c258..fd989be56 100644
--- a/edit_entry.php
+++ b/edit_entry.php
@@ -101,7 +101,7 @@ function time_selection($prefix, $time = '', $trigger = false)
 $checked = ' checked="checked"';
 $selected = ' selected="selected"';
 
-$eType = getGetValue('eType');
+$eType = getGetValue('eType','event',true);
 $id    = getGetValue('id');
 
 $copy  = getValue('copy', '[01]');
@@ -567,6 +567,7 @@ function time_selection($prefix, $time = '', $trigger = false)
 
 ?>
 <form action="edit_entry_handler.php" method="post" name="editentryform" id="editentryform">
+  <?php print_form_key(); ?>
   <input type="hidden" name="eType" value="<?php echo $eType; ?>" />
   <?php if (!empty($id) && (empty($copy) || $copy != '1')) { ?>
     <input type="hidden" name="cal_id" value="<?php echo $id; ?>" />
@@ -1593,7 +1594,7 @@ function time_selection($prefix, $time = '', $trigger = false)
         <div class="col-auto">
           <input type="button" class="form-check btn btn-primary" value="<?php echo $saveStr; ?>" onclick="validate_and_submit()">
           <?php if ($id > 0 && ($login == $create_by || $single_user == 'Y' || $is_admin)) { ?>
-            <a class="btn btn-danger" href="del_entry.php?id=' <?php echo $id; ?>" onclick="return confirm('<?php etranslate('Are you sure you want to delete this entry?'); ?>');">
+            <a class="btn btn-danger" href="del_entry.php?id=<?php echo $id; ?>&csrf_form_key=<?php echo getFormKey();?>" onclick="return confirm('<?php etranslate('Are you sure you want to delete this entry?'); ?>');">
               <?php etranslate('Delete entry'); ?></a><br />
           <?php } ?>
         </div>
diff --git a/edit_entry_handler.php b/edit_entry_handler.php
index a17ad9e69..df78c6dac 100644
--- a/edit_entry_handler.php
+++ b/edit_entry_handler.php
@@ -1272,6 +1272,7 @@ function sort_byday( $a, $b ) {
     </ul>
     ' // User can confirm conflicts.
   . '<form name="confirm" method="post">';
+  print_form_key();
   foreach ($_POST as $xkey => $xval) {
     if (is_array($xval)) {
       $xkey .= "[]";
diff --git a/edit_remotes.php b/edit_remotes.php
index 540e7bd1f..f22884ca7 100644
--- a/edit_remotes.php
+++ b/edit_remotes.php
@@ -79,10 +79,12 @@
   $urlValue = ( empty ( $remotestemp_url )
     ? '' : htmlspecialchars ( $remotestemp_url ) );
 
+  $formKey = csrf_form_key();
   echo <<<EOT
     <h2>{$lableStr}</h2>
     <form action="edit_remotes_handler.php" method="post" name="prefform"
       onsubmit="return valid_form( this );">
+      ${formKey}
       <table cellpadding="2">
         <tr>
           <td><label for="calid">{$calIdStr}:</label></td>
diff --git a/edit_report.php b/edit_report.php
index 8f69e14a5..d47783be8 100644
--- a/edit_report.php
+++ b/edit_report.php
@@ -207,6 +207,7 @@ function print_options ( $textarea, $option ) {
  . ( $adding_report ? translate ( 'Add Report' ) : translate ( 'Edit Report' ) )
  . '</h2>
     <form action="edit_report_handler.php" method="post" name="reportform">'
+ . csrf_form_key()
  . ( $updating_public ? '
       <input type="hidden" name="public" value="1" />' : '' )
  . ( ! $adding_report ? '
diff --git a/edit_template.php b/edit_template.php
index 1cbe064a8..7ccd5681a 100644
--- a/edit_template.php
+++ b/edit_template.php
@@ -124,7 +124,8 @@
 }
 
 echo '</h2>' . ( ! empty ( $error ) ? print_error ( $error ) : '
-    <form action="edit_template.php" method="post" name="reportform">
+    <form action="edit_template.php" method="post" name="reportform">'
+   . csrf_form_key() . '
       <input type="hidden" name="type" value="' . $type . '" />'
    . ( ! empty ( $ALLOW_USER_HEADER ) && $ALLOW_USER_HEADER == 'Y' && !
     empty ( $user ) && $user != '__system__' ? '
diff --git a/export.php b/export.php
index f58edd2b6..2b3f14593 100644
--- a/export.php
+++ b/export.php
@@ -24,6 +24,7 @@
 print_header ( array ( 'js/export_import.php', 'js/visible.php' ) );
 echo '<h2>' . translate ( 'Export' ) . '</h2>
     <form action="export_handler.php" method="post" name="exportform" id="exportform">
+      ' . print_form_key() . '
       <table class="table">
         <tr>
           <td><label for="exformat">' . translate ( 'Export format' )
diff --git a/groups.php b/groups.php
index 235a3ff58..24cff2e66 100644
--- a/groups.php
+++ b/groups.php
@@ -172,7 +172,8 @@ function load_groups() {
         groups = [];
         $('#group-tbody').html('<tr><td colspan="5"><?php echo $LOADING; ?></td></tr>');
         $.post('users_ajax.php', {
-                action: 'group-list'
+                action: 'group-list',
+                csrf_form_key: '<?php echo getFormKey(); ?>'
             },
             function(data, status) {
                 var stringified = JSON.stringify(data);
@@ -295,7 +296,8 @@ function save_handler() {
                     action: "save-group",
                     id: id,
                     name: name,
-                    users: users
+                    users: users,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -357,7 +359,8 @@ function delete_handler() {
 
         $.post('users_ajax.php', {
                     action: "delete-group",
-                    id: id
+                    id: id,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -395,4 +398,4 @@ function(data, status) {
     }
 </script>
 
-<?php echo print_trailer(); ?>
\ No newline at end of file
+<?php echo print_trailer(); ?>
diff --git a/import.php b/import.php
index 9437a7932..e38c97534 100644
--- a/import.php
+++ b/import.php
@@ -123,7 +123,8 @@ function print_categories() {
   $yesStr = translate ( 'Yes' );
   echo '
     <form action="import_handler.php" method="post" name="importform" '
-   . 'enctype="multipart/form-data" onsubmit="return checkExtension()">
+   . 'enctype="multipart/form-data" onsubmit="return checkExtension()">'
+   . print_form_key() . '
       <table class="table">
         <tr>
           <td><label for="importtype">' . translate ( 'Import format' ) . ':</label></td>
diff --git a/includes/formvars.php b/includes/formvars.php
index 522fbd553..033340c74 100644
--- a/includes/formvars.php
+++ b/includes/formvars.php
@@ -22,12 +22,41 @@ function preventHacking_helper($matches) {
   return chr(hexdec($matches[1]));
 }
 function preventHacking ( $name, $instr ) {
+  global $PHP_SELF;
+  $script = basename($PHP_SELF);
+
   $bannedTags = [
     'APPLET', 'BODY', 'EMBED', 'FORM', 'HEAD',
     'HTML', 'IFRAME', 'LINK', 'META', 'NOEMBED',
     'NOFRAMES', 'NOSCRIPT', 'OBJECT', 'SCRIPT'];
   $failed = false;
 
+  // If this is a POST, require a form key to prevent CSRF
+  // Assume all database db changes make use of POST or else
+  // they end in "_handler.php" or are one of a handful of known URLs.
+  if ($script == "login.php" || $script=="register.php" ||
+    $script == "search_handler.php") {
+    // No form token needed
+  } else if ($_SERVER['REQUEST_METHOD'] === 'POST' ||
+    ($_SERVER['REQUEST_METHOD'] === 'GET' &&
+    ($script == 'del_entry.php' ||
+    $script == 'add_entry.php' || $script == 'docdel.php' ||
+    endsWith($script, "_handler.php")))) {
+//echo "KEY CHECK <br>\n";
+    $formKey = $_REQUEST['csrf_form_key'];
+    if ($formKey == $_SESSION['csrf_form_key'] && !empty($_SESSION['csrf_form_key'])) {
+      // Okay to proceed
+//echo "FORM KEY: $formKey \n"; exit;
+    } else {
+      die_miserable_death ( translate ( 'Fatal Error' ) . ': '
+         . translate ( 'Invalid form request' ) );
+    }
+  }
+  //echo "METHOD " . $_SERVER['REQUEST_METHOD'] . "<br>";
+  //echo "PHP_SELF " . $script . "<br>";
+  //print_r ( $_SERVER );
+  //echo "NO ERROR <br>\n"; exit;
+
   if ( is_array ( $instr ) ) {
     for ( $j = 0; $j < count ( $instr ); $j++ ) {
       // First, replace any escape characters like '\x3c'
@@ -41,7 +70,7 @@ function preventHacking ( $name, $instr ) {
     }
     if ( $failed ) {
       die_miserable_death ( translate ( 'Fatal Error' ) . ': '
-         . translate ( 'Invalid data format for' ) . ' ' . $name .
+         . translate ( 'Invalid data format for' ) . '&nbsp;' . $name .
          '<br>Value: ' . htmlspecialchars($instr));
     }
   } else {
@@ -62,6 +91,38 @@ function preventHacking ( $name, $instr ) {
   }
 }
 
+// Function to check the string is ends 
+// with given substring or not
+function endsWith($string, $endString)
+{
+  $len = strlen($endString);
+  if ($len == 0) {
+    return true;
+  }
+  return (substr($string, -$len) === $endString);
+}
+
+/**
+  * Generate a key to include in HTML form to prevent CSRF.
+  */
+function getFormKey() {
+  if (!isset($_SESSION['csrf_form_key'])) {
+    $formKey = bin2hex(openssl_random_pseudo_bytes(32));
+    $_SESSION['csrf_form_key'] = $formKey;
+  } else {
+    $formKey = $_SESSION['csrf_form_key'];
+  }
+  return $formKey;
+}
+
+function csrf_form_key() {
+  return '<input type="hidden" name="csrf_form_key" value="' .
+    getFormKey() . '" />' .  "\n";
+}
+function print_form_key() {
+  echo csrf_form_key ();
+}
+
 
 /**
  * Gets the value resulting from an HTTP POST method.
@@ -103,15 +164,16 @@ function getPostValue($name, $defVal = NULL, $chkXSS = false)
  *
  * @see getPostValue
  */
-function getGetValue($name)
+function getGetValue($name, $devVal=NULL, $chkCSS=false)
 {
   $getName = null;
   if (isset($_GET) && is_array($_GET) && isset($_GET[$name])) {
     $getName = is_array($_GET[$name]) ? array_map('addslashes', $_GET[$name]) :
       addslashes($_GET[$name]);
   }
+  $cleanXSS = $chkXSS ? chkXSS($getName) : true;
   preventHacking($name, $getName);
-  return $getName;
+  return $cleanXSS ? $postName : NULL;
 }
 
 /**
@@ -190,9 +252,7 @@ function chkXSS($name) {
   global $login;
   $cleanXSS = true;
     //add more array elements as needed
-    foreach (array(
-'Ajax.Request',
- 'onerror') as $i) {
+    foreach (array( 'Ajax.Request', 'onerror') as $i) {
       if (preg_match("/$i/i", $name)) {
         activity_log(0, $login, $login, SECURITY_VIOLATION,
                 'Hijack attempt:' . $i);
diff --git a/layers.php b/layers.php
index 183ccfd09..61d297191 100644
--- a/layers.php
+++ b/layers.php
@@ -209,7 +209,8 @@ function set_layer_status(enable) {
         var layerstatus = (enable ? 'enable' : 'disable');
 
         $.post('layers_ajax.php', {
-            action: layerstatus
+            action: layerstatus,
+            csrf_form_key: '<?php echo getFormKey(); ?>'
             <?php
             if ($updating_public) {
               echo ', public: "1"';
@@ -250,7 +251,8 @@ function load_layers() {
         layers = [];
         $('#layerlist').html('<?php echo $LOADING; ?>');
         $.post('layers_ajax.php', {
-            action: 'list'
+            action: 'list',
+            csrf_form_key: '<?php echo getFormKey(); ?>'
             <?php
             if ($updating_public) {
               echo ', public: "1"';
@@ -311,7 +313,8 @@ function edit_window_closed() {
             layeruser: layeruser,
             source: source,
             color: color,
-            dups: dups
+            dups: dups,
+            csrf_form_key: '<?php echo getFormKey(); ?>'
           },
           function(data, status) {
             var stringified = JSON.stringify(data);
@@ -386,4 +389,4 @@ function edit_layer(id) {
     <?php
     echo print_trailer();
 
-    ?>
\ No newline at end of file
+    ?>
diff --git a/list_unapproved.php b/list_unapproved.php
index 6c32d1ac8..fda8cc681 100644
--- a/list_unapproved.php
+++ b/list_unapproved.php
@@ -232,6 +232,7 @@ function list_unapproved ( $user ) {
 echo '
     <form action="list_unapproved.php" name="listunapproved" method="post">
       <table>';
+print_form_key();
 
 for ( $i = 0, $cnt = count ( $app_users ); $i < $cnt; $i++ ) {
   // List unapproved entries for this user.
diff --git a/pref.php b/pref.php
index 3a2fc5f76..83a67cf57 100644
--- a/pref.php
+++ b/pref.php
@@ -200,7 +200,8 @@ function save_pref( $prefs, $src) {
 
 <form action="<?php echo htmlspecialchars($formaction) ?>" method="post" name="prefform">
 <?php
- if ($user)
+print_form_key();
+if ($user)
   echo "<input type=\"hidden\" name=\"user\" value=\"$user\" />\n";
 
 echo display_admin_link();
@@ -210,7 +211,7 @@ function save_pref( $prefs, $src) {
 <div class="form-row">
 <input class="btn btn-primary mr-2" type="submit" value="<?php etranslate ( 'Save Preferences' )?>" name="" />
 <input type="hidden" name="action" value="save"/>
-<a class="btn btn-secondary mr-2" href="pref.php?action=reset&user=<?php echo $user;?>"
+<a class="btn btn-secondary mr-2" href="pref.php?action=reset&user=<?php echo $user;?>&csrf_form_key=<?php echo getFormKey();?>"
   onclick="return confirm('<?php echo $resetConfirm;?>')"><?php etranslate("Reset Preferences");?></a>
 
 <?php if ( $updating_public ) { ?>
diff --git a/purge.php b/purge.php
index 526a60a96..676e4465e 100644
--- a/purge.php
+++ b/purge.php
@@ -117,6 +117,7 @@
 ?>
 
 <form action="purge.php" method="post" name="purgeform" id="purgeform">
+<?php csrf_form_key(); ?>
 <table>
  <tr><td><label for="user" class="colon">
   <?php echo translate ( 'User' );?></label></td>
diff --git a/reject_entry.php b/reject_entry.php
index 691afc1ce..a8b18f71e 100644
--- a/reject_entry.php
+++ b/reject_entry.php
@@ -17,8 +17,9 @@
   echo '
     <form action="reject_entry.php'
    . ( empty ( $_SERVER['QUERY_STRING'] ) ? '' : '?' . $_SERVER['QUERY_STRING'] )
-   . '" method="post" name="add_comments">
-      <table cellspacing="5">
+   . '" method="post" name="add_comments">'.
+  print_form_key ();
+  echo '<table cellspacing="5">
         <tr>
           <td class="aligncenter alignbottom"><h3>'
    . translate ( 'Additional Comments (optional)' ) . '</h3></td>
@@ -37,9 +38,8 @@
    . '</td>
         </tr>
       </table>
-    </form>
-  </body>
-</html>';
+    </form>';
+  print_trailer();
   exit;
 }
 
diff --git a/remotecal_mgmt.php b/remotecal_mgmt.php
index 246cf9c51..338119255 100644
--- a/remotecal_mgmt.php
+++ b/remotecal_mgmt.php
@@ -116,6 +116,7 @@
                     <button type="button" class="close" onclick="$('.alert').hide()">&times;</button>
                 </div>
                 <form class="needs-validation" novalidate name="editUserForm" id="editUserForm">
+                    <?php print_form_key(); ?>
                     <input type="hidden" name="editUserAdd" id="editUserAdd" value="0" />
                     <div class="form-inline" id="divEditUsername">
                         <label class="col-5" for="editUsername" data-toggle="tooltip" data-placement="bottom" title="<?php etranslate('Unique Calendar ID for remote calendar') ?>"><?php etranslate('Calendar ID') ?>: </label>
@@ -169,6 +170,7 @@
                 <div class="p-3"><?php echo $areYouSure; ?></div>
                 <div class="p-3 m-3 text-danger"><?php echo $deleteUserInfo; ?></div>
                 <form name="deleteUserForm" id="deleteUserForm">
+                    <?php print_form_key(); ?>
                     <div class="form-inline" id="divdeleteUsername">
                         <label class="col-5" for="deleteUsername"><?php etranslate('Username') ?>: </label>
                         <input disabled="true" type="text" class="col-7 form-control" id="deleteUsername" name="deleteUsername" />
@@ -280,7 +282,8 @@ function load_users() {
         users = [];
         $('#user-tbody').html('<tr><td colspan="5"><?php echo $LOADING; ?></td></tr>');
         $.post('users_ajax.php', {
-                action: 'remote-cal-list'
+                action: 'remote-cal-list',
+                csrf_form_key: '<?php echo getFormKey(); ?>'
             },
             function(data, status) {
                 var stringified = JSON.stringify(data);
@@ -337,7 +340,8 @@ function reload_events(login) {
 
         $.post('users_ajax.php', {
                     action: "reload-remote-cal",
-                    login: login
+                    login: login,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     //console.log('Data: ' + data);
@@ -537,7 +541,8 @@ function save_handler() {
                     firstname: firstname,
                     lastname: lastname,
                     public: public,
-                    url: url
+                    url: url,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -598,7 +603,8 @@ function delete_handler() {
 
         $.post('users_ajax.php', {
                     action: "delete-remote-cal",
-                    login: login
+                    login: login,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -664,7 +670,8 @@ function edit_layer_window_closed() {
                 layeruser: layeruser,
                 source: source,
                 color: color,
-                dups: dups
+                dups: dups,
+                csrf_form_key: '<?php echo getFormKey(); ?>'
             },
             function(data, status) {
                 var stringified = JSON.stringify(data);
@@ -691,4 +698,4 @@ function(data, status) {
     });
 </script>
 </body>
-<?php echo print_trailer(); ?>
\ No newline at end of file
+<?php echo print_trailer(); ?>
diff --git a/resourcecal_mgmt.php b/resourcecal_mgmt.php
index 7b70f1769..b2e48085a 100644
--- a/resourcecal_mgmt.php
+++ b/resourcecal_mgmt.php
@@ -222,7 +222,8 @@ function load_users() {
         users = [];
         $('#user-tbody').html('<tr><td colspan="5"><?php echo $LOADING; ?></td></tr>');
         $.post('users_ajax.php', {
-                action: 'resource-cal-list'
+                action: 'resource-cal-list',
+                csrf_form_key: '<?php echo getFormKey(); ?>'
             },
             function(data, status) {
                 var stringified = JSON.stringify(data);
@@ -384,7 +385,8 @@ function save_handler() {
                     admin: admin,
                     firstname: firstname,
                     lastname: lastname,
-                    public: public
+                    public: public,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -443,7 +445,8 @@ function delete_handler() {
 
         $.post('users_ajax.php', {
                     action: "delete-resource-cal",
-                    login: login
+                    login: login,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
diff --git a/search_handler.php b/search_handler.php
index 6b309b945..d218d24b3 100644
--- a/search_handler.php
+++ b/search_handler.php
@@ -273,6 +273,7 @@
 echo '
       <form action="search.php' . ( ! empty ( $advanced ) ? '?adv=1' : '' )
         . '"  style="margin-left: 13px;" method="post">
+       ' . print_form_key () . '
        <br><input class="btn btn-primary" type="submit" value="'
         . translate ( 'New Search' ) . '" /></form>
     ' . print_trailer ();
diff --git a/set_entry_cat.php b/set_entry_cat.php
index 7ca5957fe..7522d39db 100644
--- a/set_entry_cat.php
+++ b/set_entry_cat.php
@@ -113,12 +113,14 @@
 
 print_header ( array ( 'js/set_entry_cat.php/true' ) );
 
+$formKey = csrf_form_key();
 if ( ! empty ( $error ) )
   echo print_error ( $error );
 else {
   echo <<<EOT
     <h2>{$setCatStr}</h2>
     <form action="set_entry_cat.php" method="post" name="selectcategory">
+      ${formKey}
       <input type="hidden" name="date" value="{$date}" />
       <input type="hidden" name="id" value="{$id}" />
       <table cellpadding="5">
diff --git a/user_mgmt.php b/user_mgmt.php
index 2c33dd679..43b6ec872 100644
--- a/user_mgmt.php
+++ b/user_mgmt.php
@@ -32,6 +32,8 @@
 $invalidEmail = translate('Invalid email address');
 $passwordsMismatchError = translate('The passwords were not identical.');
 $noPasswordError = translate('You have not entered a password.');
+$invalidFirstName = translate('Invalid first name.');
+$invalidLastName = translate('Invalid last name.');
 
 print_header(
     '',
@@ -235,7 +237,8 @@ function load_users() {
         users = [];
         $('#user-tbody').html('<tr><td colspan="5"><?php echo $LOADING; ?></td></tr>');
         $.post('users_ajax.php', {
-                action: 'userlist'
+                action: 'userlist',
+                csrf_form_key: '<?php echo getFormKey(); ?>'
             },
             function(data, status) {
                 var stringified = JSON.stringify(data);
@@ -289,6 +292,32 @@ function validateEmail() {
             return false;
     }
 
+    // Mostly make sure there is no HTML in here.
+    function validateFirstName() {
+        var firstNameRegex = /^[^<>]+$/;
+        var elem = $("#editFirstname").val();
+        // Allow empty
+        if (elem.length == 0)
+            return true;
+        if (elem.match(firstNameRegex))
+            return true;
+        else
+            return false;
+    }
+
+    // Mostly make sure there is no HTML in here.
+    function validateLastName() {
+        var lastNameRegex = /^[^<>]+$/;
+        var elem = $("#editLastname").val();
+        // Allow empty
+        if (elem.length == 0)
+            return true;
+        if (elem.match(lastNameRegex))
+            return true;
+        else
+            return false;
+    }
+
     function edit_user(login) {
         console.log('edit_user(' + login + ')');
         $('#edit-user-dialog-alert').hide();
@@ -377,6 +406,16 @@ function save_handler() {
                 return;
             }
         }
+        if (!validateFirstName()&&false) {
+            $('#errorMessage').html('<?php echo $invalidFirstName; ?>');
+            $('#edit-user-dialog-alert').show();
+            return;
+        }
+        if (!validateLastName()&&false) {
+            $('#errorMessage').html('<?php echo $invalidLastName; ?>');
+            $('#edit-user-dialog-alert').show();
+            return;
+        }
         // Validate email
         if (!validateEmail()) {
             $('#errorMessage').html('<?php echo $invalidEmail; ?>');
@@ -395,7 +434,8 @@ function save_handler() {
                     email: email,
                     is_admin: is_admin, // "Y" or "N"
                     enabled: enabled, // "Y" or "N"
-                    password: password1 // For add only
+                    password: password1, // For add only
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -460,7 +500,8 @@ function change_password_handler() {
         $.post('users_ajax.php', {
                     action: "set-password",
                     login: login,
-                    password: password1
+                    password: password1,
+                    csrf_form_key: '<?php echo getFormKey(); ?>'
                 },
                 function(data, status) {
                     console.log('Data: ' + data);
@@ -513,7 +554,8 @@ function delete_handler() {
 
             $.post('users_ajax.php', {
                         action: "delete",
-                        login: login
+                        login: login,
+                        csrf_form_key: '<?php echo getFormKey(); ?>'
                     },
                     function(data, status) {
                         console.log('Data: ' + data);
@@ -552,4 +594,4 @@ function(data, status) {
     <?php } ?>
 </script>
 </body>
-<?php echo print_trailer(); ?>
\ No newline at end of file
+<?php echo print_trailer(); ?>
diff --git a/users_ajax.php b/users_ajax.php
index fb35f7f00..32b47d309 100644
--- a/users_ajax.php
+++ b/users_ajax.php
@@ -45,6 +45,8 @@
 $notIdenticalStr = translate('The passwords were not identical.');
 $noPasswordStr = translate('You have not entered a password.');
 $blankUserStr = translate('Username cannot be blank.');
+$invalidFirstName = translate('Invalid first name.');
+$invalidLastName = translate('Invalid last name.');
 
 // Make sure this is only called from user_mgmt.php
 if (!empty($_SERVER['HTTP_REFERER'])) {
@@ -82,6 +84,12 @@
   } else if (!$admin_can_add_user) {
     $error = translate('Unsupported action');
   }
+  if (addslashes($firstname) != $firstname || strip_tags_content($firstname) != $firstname) {
+    $error = $invalidFirstName;
+  }
+  if (addslashes($lastname) != $lastname || strip_tags_content($lastname) != $lastname) {
+    $error = $invalidLastName;
+  }
   if (empty($error)) {
     save_user(
       getPostValue('add') == '1' ? true : false,
@@ -187,6 +195,12 @@
   if ($REMOTES_ENABLED != 'Y' || (access_is_enabled() && !access_can_access_function(ACCESS_IMPORT))) {
     $error = $notAuthStr;
   }
+  if (addslashes($firstname) != $firstname || strip_tags_content($firstname) != $firstname) {
+    $error = $invalidFirstName;
+  }
+  if (addslashes($lastname) != $lastname || strip_tags_content($lastname) != $lastname) {
+    $error = $invalidLastName;
+  }
   if (empty($error)) {
     $error = save_remote_calendar(
       getPostValue('add') == '1' ? true : false,
@@ -285,6 +299,12 @@
   if (! $is_admin) {
     $error = $notAuthStr;
   }
+  if (addslashes($firstname) != $firstname || strip_tags_content($firstname) != $firstname) {
+    $error = $invalidFirstName;
+  }
+  if (addslashes($lastname) != $lastname || strip_tags_content($lastname) != $lastname) {
+    $error = $invalidLastName;
+  }
   if (empty($error)) {
     $error = save_resource_calendar(
       getPostValue('add') == '1' ? true : false,
@@ -348,6 +368,10 @@
 exit;
 
 
+function strip_tags_content($text) {
+  return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
+}
+
 // Add/Update a user
 // We ignore password params on an update since there is a separate function
 // for updating passwords.
@@ -355,12 +379,19 @@ function save_user($add, $user, $lastname, $firstname, $is_admin, $enabled, $ema
 {
   global $error, $blankUserStr, $login;
 
-  if (addslashes($user) != $user) {
+  if (addslashes($user) != $user || strip_tags_content($user) != $user) {
     $error = 'Invalid characters in login.';
   } else if ($add && empty($user)) {
     $error = $blankUserStr;
   }
 
+  if (addslashes($firstname) != $firstname || strip_tags_content($firstname) != $firstname) {
+    $error = $invalidFirstName;
+  }
+  if (addslashes($lastname) != $lastname || strip_tags_content($lastname) != $lastname) {
+    $error = $invalidLastName;
+  }
+
   if (empty($error) && $add) {
     // Add user
     user_add_user(
@@ -613,4 +644,4 @@ function save_group($isAdd, $id, $name, $users) {
 
   return [$error, $msg];
 }
-?>
\ No newline at end of file
+?>
diff --git a/view_d.php b/view_d.php
index 569e18143..c49a4d26f 100644
--- a/view_d.php
+++ b/view_d.php
@@ -60,6 +60,7 @@
 $nextStr = translate ( 'Next' );
 $previousStr = translate ( 'Previous' );
 
+$formKey = csrf_form_key();
 echo <<<EOT
     <div class="viewnav">
       <a title="{$previousStr}" class="prev"
@@ -79,6 +80,7 @@
 
     <!-- Hidden form for booking events -->
     <form action="edit_entry.php" method="post" name="schedule">
+      ${formKey}
       <input type="hidden" name="date"
         value="{$thisyear}{$thismonth}{$thisday}" />
       <input type="hidden" name="defusers" value="{$partStr}" />
diff --git a/view_entry.php b/view_entry.php
index 107ccdf8f..73073cc55 100644
--- a/view_entry.php
+++ b/view_entry.php
@@ -783,7 +783,7 @@
       ( $login != '__public__' ) && ! $is_nonuser && $event_status != 'D' ) {
     echo '<div class="row"><div class="col-3">';
     echo '<form action="view_entry.php?id=' . $id
-     . '" method="post" name="setpercentage">
+     . '" method="post" name="setpercentage">' . csrf_form_key() . '
             <input type="hidden" name="others_complete" value="'
      . $others_complete . '" />' . translate ( 'Update Task Percentage' ) . '</div>';
      echo '<div class="col-9"><select name="upercent" id="task_percent">';
@@ -821,6 +821,7 @@
         || user_is_assistant( $login, $a->getLogin() ) || $login == $create_by
         || user_is_assistant( $login, $create_by ) )
       ? '<a class="dropdown-item" href="docdel.php?blid=' . $a->getId()
+       . '&csrf_form_key=' . csrf_form_key()
        . '" onclick="return confirm( \'' . $areYouSureStr . '\' );">'
        . translate('Delete') . '</a>' : '';
     echo '</div></div>' . "\n";
@@ -1043,14 +1044,14 @@ function hideComments() {
     echo '
       <li class="list-group-item"><a title="' . $deleteAllDatesStr
      . '" class="nav" href="del_entry.php?id=' . $id . $u_url
-     . '&amp;override=1" onclick="return confirm( \'' . $areYouSureStr . "\\n\\n"
+     . '&amp;override=1&amp;csrf_form_key=' . getFormKey() . '" onclick="return confirm( \'' . $areYouSureStr . "\\n\\n"
      . $deleteAllStr . '\' );">' . $deleteAllDatesStr . '</a></li>';
     // Don't allow deletion of first event
     if ( ! empty ( $date ) && $date != $orig_date ) {
       $deleteOnlyStr = translate ( 'Delete entry only for this date' );
       echo '
       <li class="list-group-item"><a title="' . $deleteOnlyStr . '" class="nav" href="del_entry.php?id='
-       . $id . $u_url . $rdate . '&amp;override=1" onclick="return confirm( \''
+       . $id . $u_url . $rdate . '&amp;override=1&amp;csrf_form_key=' . getFormKey() . '" onclick="return confirm( \''
        . $areYouSureStr . "\\n\\n" . $deleteAllStr . '\' );">' . $deleteOnlyStr
        . '</a></li>';
     }
@@ -1066,7 +1067,7 @@ function hideComments() {
       <li class="list-group-item"><a title="' . $editEntryStr . '" class="nav" href="edit_entry.php?id='
      . $id . $u_url . '">' . $editEntryStr . '</a></li>
       <li class="list-group-item"><a title="' . $delete_str . '" class="nav" href="del_entry.php?id='
-     . $id . $u_url . $rdate . '" onclick="return confirm( \'' . $areYouSureStr
+     . $id . $u_url . $rdate . '&amp;csrf_form_key=' . getFormKey() . '" onclick="return confirm( \'' . $areYouSureStr
      . "\\n\\n"
      . ( empty ( $user ) || $user == $login || $is_assistant
       ? $deleteAllStr : '' )
@@ -1083,7 +1084,7 @@ function hideComments() {
   translate ( 'This will delete the entry from your XXX calendar.', true );
   echo '
       <li class="list-group-item"><a title="' . $deleteEntryStr . '" class="nav" href="del_entry.php?id='
-   . $id . $u_url . $rdate . '" onclick="return confirm( \'' . $areYouSureStr
+   . $id . $u_url . $rdate . '&amp;csrf_form_key=' . getFormKey() . '" onclick="return confirm( \'' . $areYouSureStr
    . "\\n\\n"
    . str_replace ( 'XXX ',
     ( $is_assistant ? translate ( 'boss' ) . ' ' : '' ), $delFromCalStr )
@@ -1102,8 +1103,8 @@ function hideComments() {
   $is_confidential && $event_status != 'D' && $login != '__public__' && !
   $is_nonuser )
   echo '
-      <li class="list-group-item"><a title="' . $addToMineStr . '" class="nav" href="add_entry.php?id='
-   . $id . '" onclick="return confirm( \''
+      <li class="list-group-item"><a title="' . $addToMineStr . '" class="nav" href="add_entry.php?id=' .
+      $id . '&csrf_form_key=' . getFormKey() . '" onclick="return confirm( \''
    . translate ( 'Do you want to add this entry to your calendar?', true )
    . "\\n\\n" . translate ( 'This will add the entry to your calendar.', true )
    . '\' );">' . $addToMineStr . '</a></li>';
@@ -1148,10 +1149,12 @@ function hideComments() {
   $selectStr = generate_export_select();
   $userStr = ( ! empty ( $user ) ? '<input type="hidden" name="user" value="' .
     $user . '" />' : '' );
+  $formKey = csrf_form_key();
   echo <<<EOT
     <li class="list-group-item">
     <br />
     <form method="post" name="exportform" action="export_handler.php">
+      ${formKey}
       <div class="form-row">
       <label class="form-inline" for="exformat">{$exportThisStr}:&nbsp;</label>
       {$selectStr}
diff --git a/views_edit.php b/views_edit.php
index de7b9869d..370aab69c 100644
--- a/views_edit.php
+++ b/views_edit.php
@@ -25,6 +25,7 @@
 
 <form action="views_edit_handler.php" method="post" name="editviewform">
 <?php
+print_form_key();
 $newview = true;
 $viewname = $viewtype = '';
 $viewisglobal = 'N';