From 386a5e2bfa797627c8d12abfc1d39be2bd14a4c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Wed, 4 May 2022 14:26:42 +0200
Subject: [PATCH] Restrict Price / Amount / Balance input number range
---
 CHANGES.md | 1 +
 classes/core/StaffWidget.php | 8 ++++----
 classes/core/Widget.php | 12 ++++++------
 modules/Accounting/functions.inc.php | 4 ++--
 modules/Food_Service/MenuItems.php | 2 +-
 modules/Food_Service/Students/Transactions.php | 2 +-
 modules/Food_Service/Users/Transactions.php | 2 +-
 modules/School_Setup/Configuration.php | 6 +++---
 modules/Student_Billing/MassAssignFees.php | 2 +-
 modules/Student_Billing/MassAssignPayments.php | 2 +-
 modules/Student_Billing/functions.inc.php | 4 ++--
 11 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index cb9483db7..268b594de 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -76,6 +76,7 @@ Changes in 9.0
 - Remove Student Assignment Submission files on delete in Assignments.php, thank to @khanhchauminh
 - Add microseconds to filename format to make it harder to predict in Assignments.php & StudentAssignments.fnc.php, thanks to @khanhchauminh
 - Restrict Sort Order input number range, program wide
+- Restrict Price / Amount / Balance input number range, program wide, thanks to @nhienit2010
 Changes in 8.9.5
 ----------------
diff --git a/classes/core/StaffWidget.php b/classes/core/StaffWidget.php
index 28d4543be..3dbb40dd1 100644
--- a/classes/core/StaffWidget.php
+++ b/classes/core/StaffWidget.php
@@ -148,8 +148,8 @@ function html( $value = '' ) - + '; } }
@@ -388,8 +388,8 @@ function html() { return '' . _( 'Staff Payroll Balance' ) . ' + ' '; } }
diff --git a/classes/core/Widget.php b/classes/core/Widget.php
index 308333dc6..21b3706fa 100644
--- a/classes/core/Widget.php
+++ b/classes/core/Widget.php
@@ -604,9 +604,9 @@ function html() } return $html . '' . + ' ' . ' + ' '; } }
@@ -1091,9 +1091,9 @@ function extra( $extra ) function html() { return '' . _( 'Balance' ) . '' . + ' ' . ' + ' '; } }
@@ -1895,8 +1895,8 @@ function html( $value = '' ) - + '; } }
diff --git a/modules/Accounting/functions.inc.php b/modules/Accounting/functions.inc.php
index 6d32eeb50..46cc65ff8 100644
--- a/modules/Accounting/functions.inc.php
+++ b/modules/Accounting/functions.inc.php
@@ -39,7 +39,7 @@ function _makeIncomesTextInput( $value, $column )
 if ( $column === 'AMOUNT' )
 {
- $extra = ' type="number" step="any"';
+ $extra = ' type="number" step="0.01" max="999999999999" min="-999999999999"';
 }
 elseif ( ! $value )
 {
@@ -106,7 +106,7 @@ function _makePaymentsTextInput( $value, $name )
 if ( $name === 'AMOUNT' )
 {
- $extra = ' type="number" step="any"';
+ $extra = ' type="number" step="0.01" max="999999999999" min="-999999999999"';
 }
 elseif ( ! $value )
 {
diff --git a/modules/Food_Service/MenuItems.php b/modules/Food_Service/MenuItems.php
index 2220d0c03..23db4df54 100644
--- a/modules/Food_Service/MenuItems.php
+++ b/modules/Food_Service/MenuItems.php
@@ -484,7 +484,7 @@ function makeTextInput( $value, $name )
 }
 elseif ( mb_strpos( $name, 'PRICE' ) !== false )
 {
- $extra = ' type="number" step="any" min="-9999999" max="9999999"';
+ $extra = ' type="number" step="0.01" min="-999999999" max="999999999"';
 }
 else
 {
diff --git a/modules/Food_Service/Students/Transactions.php b/modules/Food_Service/Students/Transactions.php
index f8cfee245..87d9e52b1 100644
--- a/modules/Food_Service/Students/Transactions.php
+++ b/modules/Food_Service/Students/Transactions.php
@@ -175,7 +175,7 @@ function options_locale( $option )
 '',
 'values[AMOUNT]',
 '',
- 'type="number" step="any" max="9999999" min="0" required'
+ 'type="number" step="0.01" max="999999999999" min="0" required'
 );
 $link['add']['html']['remove'] = button( 'add' );
diff --git a/modules/Food_Service/Users/Transactions.php b/modules/Food_Service/Users/Transactions.php
index ee1a9a7ef..aa84ec5e9 100644
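Review bot: The `min`/`max`/`step` attributes added to the AMOUNT input in `_makeIncomesTextInput` are enforced only by the browser, so a request that does not come from the rendered form can still deliver an out-of-range or non-numeric amount to the save code. As far as the visible hunks show, the patch changes only these attribute strings; the server-side handling is outside the diff, and the same bound should be checked there before the value reaches the database, e.g. `if ( ! is_numeric( $amount ) || abs( (float) $amount ) > 999999999999 ) { /* reject */ }` where the posted AMOUNT is read (`$amount` is a placeholder name). The same applies to every other input changed in this patch: `_makePaymentsTextInput`, MenuItems.php, both Transactions.php files, Configuration.php, MassAssignFees.php, MassAssignPayments.php and Student_Billing/functions.inc.php. The function body continues outside the hunk.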
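Review bot: Replacing `step="any"` with `step="0.01"` in `_makePaymentsTextInput` means the browser will refuse to submit an amount with more than two decimals, and that includes a prefilled `$value` if it is rendered into this input (how `$extra` and `$value` are used is outside the hunk). The old attribute accepted such values, so rows saved before this change may carry extra precision, depending on the column scale, which is not visible here. If that precision has to stay editable, keep the step open and add only the bounds, `$extra = ' type="number" step="any" max="999999999999" min="-999999999999"';`, or round the displayed value to two decimals before it is put in the field. The same consideration applies to `_makeIncomesTextInput` above and to the two functions in Student_Billing/functions.inc.php.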
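Review bot: The PRICE input in `makeTextInput` is capped at `999999999`, while the AMOUNT and Balance inputs elsewhere in this patch use `999999999999`, and the reason for the smaller bound is not stated in the hunk. If it follows a narrower database column, a one-line comment above the assignment such as `// PRICE bound is narrower than AMOUNT on purpose: it follows the price column precision.` would stop a later edit from aligning the two values by mistake; if the difference is not intentional, the two limits should agree. The enclosing function starts and ends outside the hunk.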
--- a/modules/Food_Service/Users/Transactions.php
+++ b/modules/Food_Service/Users/Transactions.php
@@ -149,7 +149,7 @@ function options_locale( $option )
 '',
 'values[AMOUNT]',
 '',
- 'type="number" step="any" max="9999999" min="0" required'
+ 'type="number" step="0.01" max="999999999999" min="0" required'
 );
 $link['add']['html']['remove'] = button( 'add' );
diff --git a/modules/School_Setup/Configuration.php b/modules/School_Setup/Configuration.php
index 69b0f7ca0..ff24cfd38 100644
--- a/modules/School_Setup/Configuration.php
+++ b/modules/School_Setup/Configuration.php
@@ -686,21 +686,21 @@
 ProgramConfig( 'food_service', 'FOOD_SERVICE_BALANCE_WARNING' ),
 'values[PROGRAM_CONFIG][food_service][FOOD_SERVICE_BALANCE_WARNING]',
 _( 'Food Service Balance minimum amount for warning' ),
- ' type="number" step="any" required'
+ ' type="number" step="0.01" max="999999999999" min="-999999999999" required'
 ) . '';
 echo '' . TextInput(
 ProgramConfig( 'food_service', 'FOOD_SERVICE_BALANCE_MINIMUM' ),
 'values[PROGRAM_CONFIG][food_service][FOOD_SERVICE_BALANCE_MINIMUM]',
 _( 'Food Service Balance minimum amount' ),
- ' type="number" step="any" required'
+ ' type="number" step="0.01" max="999999999999" min="-999999999999" required'
 ) . '';
 echo '' . TextInput(
 ProgramConfig( 'food_service', 'FOOD_SERVICE_BALANCE_TARGET' ),
 'values[PROGRAM_CONFIG][food_service][FOOD_SERVICE_BALANCE_TARGET]',
 _( 'Food Service Balance target amount' ),
- ' type="number" step="any" required'
+ ' type="number" step="0.01" max="999999999999" min="-999999999999" required'
 ) . '';
 }
diff --git a/modules/Student_Billing/MassAssignFees.php b/modules/Student_Billing/MassAssignFees.php
index 7211246cb..c9db0af38 100644
--- a/modules/Student_Billing/MassAssignFees.php
+++ b/modules/Student_Billing/MassAssignFees.php
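Review bot: The attribute string `' type="number" step="0.01" max="999999999999" min="-999999999999" required'` is written out three times in the Configuration.php hunk and again, with or without `required`, in most other files of this patch, so a later change to the limit has to be repeated in about a dozen places. Defining it once and reusing it keeps the inputs from drifting apart, for example `$amount_extra = ' type="number" step="0.01" max="999999999999" min="-999999999999"';` (the name is only a suggestion) and passing `$amount_extra . ' required'` to the three `TextInput()` calls. The surrounding block starts and ends outside the hunk.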
@@ -72,7 +72,7 @@
 '',
 'amount',
 _( 'Amount' ),
- ' type="number" step="any" required'
+ ' type="number" step="0.01" max="999999999999" min="-999999999999" required'
 ) . '';
 echo '' . DateInput( '', 'due', _( 'Due Date' ), false ) . '';
diff --git a/modules/Student_Billing/MassAssignPayments.php b/modules/Student_Billing/MassAssignPayments.php
index 85e98bd3b..21f9770b9 100644
--- a/modules/Student_Billing/MassAssignPayments.php
+++ b/modules/Student_Billing/MassAssignPayments.php
@@ -72,7 +72,7 @@
 '',
 'amount',
 _( 'Amount' ),
- ' type="number" step="any" required'
+ ' type="number" step="0.01" max="999999999999" min="-999999999999" required'
 ) . '';
 echo '' . DateInput(
diff --git a/modules/Student_Billing/functions.inc.php b/modules/Student_Billing/functions.inc.php
index d9d7d432e..b4b6357c1 100644
--- a/modules/Student_Billing/functions.inc.php
+++ b/modules/Student_Billing/functions.inc.php
@@ -115,7 +115,7 @@ function _makeFeesTextInput( $value, $name )
 if ( $name === 'AMOUNT' )
 {
- $extra = ' type="number" step="any"';
+ $extra = ' type="number" step="0.01" max="999999999999" min="-999999999999"';
 }
 elseif ( ! $value )
 {
@@ -173,7 +173,7 @@ function _makePaymentsTextInput( $value, $name )
 if ( $name === 'AMOUNT' )
 {
- $extra = ' type="number" step="any"';
+ $extra = ' type="number" step="0.01" max="999999999999" min="-999999999999"';
 }
 elseif ( ! $value )
 {