From 788a4a22133dd29004d639795140ccb713daf54f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?= Date: Tue, 10 May 2022 13:39:19 +0200 Subject: [PATCH] Use json_encode() for AjaxLink() URL + Add use of AttrEscape() for onclick / onchange attributes --- CHANGES.md | 1 + ProgramFunctions/Fields.fnc.php | 3 ++- functions/Date.php | 3 ++- functions/GetStuList.fnc.php | 10 ++++++---- functions/Inputs.php | 16 +++++----------- functions/Prompts.php | 4 ++-- modules/Accounting/DailyTransactions.php | 2 +- modules/Attendance/Administration.php | 4 ++-- modules/Attendance/Administration_fast.old.php | 9 ++++++++- modules/Attendance/DailySummary.php | 2 +- modules/Attendance/Percent.php | 2 +- modules/Attendance/TakeAttendance.php | 2 +- modules/Grades/Assignments.php | 7 ++++--- modules/Grades/Grades.php | 16 ++++++++-------- modules/Grades/InputFinalGrades.php | 7 ++++--- modules/Grades/ReportCardComments.php | 14 ++++++++------ modules/Scheduling/Courses.php | 7 ++++--- modules/Scheduling/RequestsReport.php | 2 +- modules/Scheduling/ScheduleReport.php | 2 +- modules/School_Setup/Calendar.php | 5 +++-- modules/School_Setup/MarkingPeriods.php | 5 +++-- modules/Student_Billing/DailyTransactions.php | 2 +- modules/Students/AssignOtherInfo.php | 6 +++--- modules/Students/Student.php | 7 ++++--- modules/Students/StudentFields.php | 2 +- modules/Users/User.php | 7 ++++--- modules/Users/includes/Schedule.inc.php | 8 +++++--- 27 files changed, 86 insertions(+), 69 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 5e1f595a2..98633a825 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -86,6 +86,7 @@ Changes in 9.0 - Create / Edit / Delete calendar: use button() in Calendar.php - Update Calendars help text in Help_en.php & help.po - Add translations for Calendar days legend in rosariosis.po +- Use json_encode() for AjaxLink() URL, program wide Changes in 8.9.6 ---------------- 
diff --git a/ProgramFunctions/Fields.fnc.php b/ProgramFunctions/Fields.fnc.php index eecdd2d20..93054b1a8 100644 --- a/ProgramFunctions/Fields.fnc.php +++ b/ProgramFunctions/Fields.fnc.php @@ -276,7 +276,8 @@ function GetFieldsForm( $table, $title, $RET, $extra_category_fields = [], $type ] ); - $delete_button = ' '; + $delete_button = ' '; } ob_start(); diff --git a/functions/Date.php b/functions/Date.php index 2d551e089..ed25e3de5 100644 --- a/functions/Date.php +++ b/functions/Date.php @@ -238,7 +238,8 @@ function PrepareDate( $date, $name_attr = '', $allow_na = true, $options = [] ) $add_args_js[] = '(this.form.' . $URL_arg . ' ? \'&' . $URL_arg . '=\' + this.form.' . $URL_arg . '.value : \'\')'; } - $e = ' onchange="ajaxLink( \'' . $date_onchange_href . '\' + ' . implode( '+', $add_args_js ) . ' );"'; + $e = ' onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $date_onchange_href ) . + ' + ' . implode( '+', $add_args_js ) . ' );' ) . '"'; $extraM .= $e; diff --git a/functions/GetStuList.fnc.php b/functions/GetStuList.fnc.php index 4ad42b376..0fb352fbc 100644 --- a/functions/GetStuList.fnc.php +++ b/functions/GetStuList.fnc.php @@ -941,6 +941,8 @@ function makeParents( $student_id, $column ) return ''; } + $constraint = ''; + if ( $_ROSARIO['makeParents'] ) { $constraint = " AND sjp.STUDENT_RELATION IS NULL"; @@ -980,7 +982,7 @@ function makeParents( $student_id, $column ) $img_title = $person['CUSTODY'] == 'Y' ? _( 'Custody' ) : ( $person['EMERGENCY'] == 'Y' ? _( 'Emergency' ) : '' ); - $parents .= '
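Review bot: `json_encode( $date_onchange_href )` in PrepareDate() is used without a failure check: on a string that is not valid UTF-8, json_encode() returns false, which concatenates as an empty string and leaves `ajaxLink( + (this.form…` in the attribute — a handler that breaks silently in the browser instead of failing on the server. The same unchecked call is introduced in the other hunks of this commit (CheckBoxOnclick() in Inputs.php, DeletePrompt() in Prompts.php, the addHTML() call in Attendance/Administration.php and the select menus in the modules/ files), so this is now the program-wide idiom. Passing a flag, `json_encode( $date_onchange_href, JSON_THROW_ON_ERROR )`, or `JSON_INVALID_UTF8_SUBSTITUTE` if the minimum PHP version predates 7.3, and doing it from one small wrapper the callers share, would make the failure visible and keep the escaping rule in one place. PrepareDate() continues outside the hunk.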
' . ( ! empty( $img ) ? button( $img, '', '', '" title="' . $img_title ) . ' ' : '' ); + $parents .= '
' . ( ! empty( $img ) ? button( $img, '', '', '" title="' . AttrEscape( $img_title ) ) . ' ' : '' ); if ( isset( $_REQUEST['_ROSARIO_PDF'] ) ) { @@ -992,10 +994,10 @@ function makeParents( $student_id, $column ) $popup_url = URLEscape( 'Modules.php?modname=misc/ViewContact.php&person_id=' . $person['PERSON_ID'] . '&student_id=' . $student_id ); - $parents .= '' . + ); return false;' ) . '">' . $person['FIRST_NAME'] . ' ' . $person['LAST_NAME'] . '
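Review bot: The AttrEscape() added around `$img_title` only escapes the title text; the line still smuggles a `title` attribute into button() through its class parameter by closing the class quote with `'" title="'`, so the markup depends on button() never encoding that argument. If button() (or a later escaping pass on its class argument) starts encoding quotes, the title silently becomes part of a broken class name rather than failing loudly. Passing the title through a dedicated parameter of button(), if it has one, or building the anchor markup locally so the escaping is explicit, would remove that hidden coupling. makeParents() continues outside the hunk.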
'; } diff --git a/functions/Inputs.php b/functions/Inputs.php index 2c98d73f9..04df25f1c 100644 --- a/functions/Inputs.php +++ b/functions/Inputs.php @@ -497,12 +497,6 @@ function TinyMCEInput( $value, $name, $title = '', $extra = '' ) $wrapper = '
'; } - - $extra = str_replace( - [ 'class="', "class='" ], - [ 'class="tinymce ', "class='tinymce " ], - $extra - ); } if ( mb_strpos( (string) $extra, 'required' ) !== false ) @@ -1595,8 +1589,8 @@ function NoInput( $value, $title = '' ) $value . '' . $ftitle; } - else - return $value . $ftitle; + + return $value . $ftitle; } @@ -1613,15 +1607,15 @@ function NoInput( $value, $title = '' ) */ function CheckBoxOnclick( $name, $title = '' ) { - $onclick_URL = "'" . PreparePHP_SELF( + $onclick_URL = PreparePHP_SELF( $_REQUEST, [], isset( $_REQUEST[ $name ] ) && $_REQUEST[ $name ] == 'Y' ? [ $name => '' ] : [ $name => 'Y' ] - ) . "'"; + ); $input = ''; + ' onclick="' . AttrEscape( 'ajaxLink(' . json_encode( $onclick_URL ) . ');' ) . '" />'; if ( $title != '' ) { diff --git a/functions/Prompts.php b/functions/Prompts.php index 1448ef030..b7d95420e 100644 --- a/functions/Prompts.php +++ b/functions/Prompts.php @@ -41,11 +41,11 @@ function DeletePrompt( $title, $action = 'Delete', $remove_modfunc_on_cancel = t PopTable( 'header', _( 'Confirm' ) . ( mb_strpos( $action, ' ' ) === false ? ' '. $action : '' ) ); echo '
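Review bot: Dropping the `str_replace()` that prepends `tinymce ` to the class attribute in TinyMCEInput() is a behaviour change that neither the commit title (json_encode/AttrEscape) nor the CHANGES.md entry mentions, and from this hunk alone it is not visible where the `tinymce` class is applied now. If the class is set elsewhere, a one-line comment at the removal site naming that location would stop the next reader from re-adding the replacement; if it is not, the editor will no longer attach to this textarea. TinyMCEInput() starts and ends outside the hunk.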
' . button( 'warning', '', '', 'bigger' ) . - '

' . sprintf( _( 'Are you sure you want to %s that %s?' ), $action, $title ) . '

+ '

' . sprintf( _( 'Are you sure you want to %s that %s?' ), $action, $title ) . '

' . SubmitButton( _( 'OK' ), 'delete_ok', '' ) . ' + onclick="' . AttrEscape( 'ajaxLink(' . json_encode( $PHP_tmp_SELF_cancel ) . ');' ) . '" />

'; diff --git a/modules/Accounting/DailyTransactions.php b/modules/Accounting/DailyTransactions.php index ac4607410..0cdca4201 100644 --- a/modules/Accounting/DailyTransactions.php +++ b/modules/Accounting/DailyTransactions.php @@ -50,7 +50,7 @@ function _programMenu( $program ) 'totals' => _( 'Daily Totals' ), ], false, - 'onchange="ajaxLink(\'' . $link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/Attendance/Administration.php b/modules/Attendance/Administration.php index 8a3fc87a5..26f636c48 100644 --- a/modules/Attendance/Administration.php +++ b/modules/Attendance/Administration.php @@ -522,8 +522,8 @@ button( 'add', '', - '"#" onclick=\'javascript:addHTML("' . str_replace( '"', '\"', _makeCodeSearch() ) . - '","code_pulldowns"); return false;\'' + '"#" onclick="' . AttrEscape( 'addHTML(' . json_encode( _makeCodeSearch() ) . + ',\'code_pulldowns\'); return false;' ) . '"' ) . '
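Review bot: In DeletePrompt() the rebuilt markup still places `$action` and `$title` into the page through `sprintf( _( 'Are you sure you want to %s that %s?' ), $action, $title )` with no HTML escaping, while the cancel button's URL on the same new side now goes through json_encode() and AttrEscape(). Both values are function parameters, so whether they are ever user-controlled cannot be judged from this hunk; if any caller forwards request data into them, the confirmation text is an unescaped HTML sink. Wrapping them with `htmlspecialchars()` or the project's text-escaping equivalent, or stating in the function docblock that callers must pass trusted strings only, would close that gap. DeletePrompt() continues outside the hunk.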
' . $code_pulldowns . '
' . '' . $current_student_link . ''; diff --git a/modules/Attendance/Administration_fast.old.php b/modules/Attendance/Administration_fast.old.php index f8ec380b2..eaa0bc3ff 100644 --- a/modules/Attendance/Administration_fast.old.php +++ b/modules/Attendance/Administration_fast.old.php @@ -212,7 +212,14 @@ '">' . _( 'Current Student' ) . ''; } - DrawHeader( PrepareDate( $date, '_date' ), '
' . $current_student_link . button( 'add', '', "# onclick='javascript:addHTML(\"" . str_replace( '"', '\"', _makeCodeSearch() ) . "\",\"code_pulldowns\"); return false;'" ) . '
' . $code_pulldowns . '
' ); + DrawHeader( + PrepareDate( $date, '_date' ), + '
' . $current_student_link . + button( + 'add', + '', + '"#" onclick="' . AttrEscape( 'addHTML(' . json_encode( _makeCodeSearch() ) . ',\'code_pulldowns\'); return false;' ) . '"' + ) . '
' . $code_pulldowns . '
' ); $_REQUEST['search_modfunc'] = 'list'; Search( 'student_id', $extra ); diff --git a/modules/Attendance/DailySummary.php b/modules/Attendance/DailySummary.php index 1cb00669b..369d790d3 100644 --- a/modules/Attendance/DailySummary.php +++ b/modules/Attendance/DailySummary.php @@ -36,7 +36,7 @@ 'absence' => _( 'Absence Summary' ), ], false, - 'onchange="ajaxLink(\'' . $report_link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $report_link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/Attendance/Percent.php b/modules/Attendance/Percent.php index a8db21ea9..e65e5a788 100644 --- a/modules/Attendance/Percent.php +++ b/modules/Attendance/Percent.php @@ -20,7 +20,7 @@ 'true' => _( 'Average Attendance by Day' ), ], false, - 'onchange="ajaxLink(\'' . $report_link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $report_link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/Attendance/TakeAttendance.php b/modules/Attendance/TakeAttendance.php index 7da2ae22f..34478c067 100644 --- a/modules/Attendance/TakeAttendance.php +++ b/modules/Attendance/TakeAttendance.php @@ -66,7 +66,7 @@ issetVal( $_REQUEST['school_period'] ), 'school_period', '', - 'autocomplete="off" onchange=\'ajaxLink(' . json_encode( PreparePHP_SELF( [], [ 'school_period' ] ) ) . ' + "&school_period=" + this.value);\'' + 'autocomplete="off" onchange="' . AttrEscape( 'ajaxLink(' . json_encode( PreparePHP_SELF( [], [ 'school_period' ] ) ) . ' + "&school_period=" + this.value);' ) . '"' ); if ( SchoolInfo( 'NUMBER_DAYS_ROTATION' ) !== null ) diff --git a/modules/Grades/Assignments.php b/modules/Grades/Assignments.php index 7f264dc01..afd7b1b9c 100644 --- a/modules/Grades/Assignments.php +++ b/modules/Grades/Assignments.php 
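Review bot: This rewrite is also applied to `Administration_fast.old.php`, whose `.old` suffix suggests a retired copy of Attendance/Administration.php; if it is no longer reachable from the module, maintaining the escaping fix in two hand-synchronised copies is where the next regression will hide, and deleting the file would be the smaller change. If it is still loaded, a comment at the top of the file explaining why both exist would tell the next reviewer which copy is authoritative. The enclosing script continues outside the hunk.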
@@ -522,11 +522,12 @@ if ( $is_assignment || ! $assignment_type_has_assignments ) { - $delete_url = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + $delete_url = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . '&modfunc=delete&assignment_type_id=' . $_REQUEST['assignment_type_id'] . - '&assignment_id=' . $_REQUEST['assignment_id'] ) . "'"; + '&assignment_id=' . $_REQUEST['assignment_id'] ); - $delete_button = ''; + $delete_button = ''; } } diff --git a/modules/Grades/Grades.php b/modules/Grades/Grades.php index 9bdb6bfdd..b22e08737 100644 --- a/modules/Grades/Grades.php +++ b/modules/Grades/Grades.php @@ -507,15 +507,15 @@ $stu_RET = GetStuList( $extra ); //echo '
'; var_dump($stu_RET); echo '
'; -$type_onchange_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . +$type_onchange_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . '&include_inactive=' . $_REQUEST['include_inactive'] . '&include_all=' . $_REQUEST['include_all'] . ( $_REQUEST['assignment_id'] === 'all' ? '&assignment_id=all' : '' ) . ( UserStudentID() ? '&student_id=' . UserStudentID() : '' ) . - "&type_id=" ) . "'"; + "&type_id=" ); -$type_select = ''; $type_select .= ''; diff --git a/modules/Grades/InputFinalGrades.php b/modules/Grades/InputFinalGrades.php index 9e8306926..02a8633ad 100644 --- a/modules/Grades/InputFinalGrades.php +++ b/modules/Grades/InputFinalGrades.php @@ -1016,10 +1016,11 @@ RedirectURL( 'values' ); } -$mps_onchange_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . - '&include_inactive=' . $_REQUEST['include_inactive'] . "&mp=" ) . "'"; +$mps_onchange_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + '&include_inactive=' . $_REQUEST['include_inactive'] . "&mp=" ); -$mps_select = ''; $allow_edit = false; diff --git a/modules/Grades/ReportCardComments.php b/modules/Grades/ReportCardComments.php index da22169b5..8ed3ca2ff 100644 --- a/modules/Grades/ReportCardComments.php +++ b/modules/Grades/ReportCardComments.php @@ -169,11 +169,12 @@ $_REQUEST['course_id'] = key( $courses_RET ) . ''; } - $subject_onchange_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . - "&subject_id=" ) . "'"; + $subject_onchange_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + "&subject_id=" ); $subject_select = ' - '; //FJ Add No Courses were found error 
@@ -191,12 +192,13 @@ $subject_select .= ''; - $course_onchange_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + $course_onchange_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . '&subject_id=' . $_REQUEST['subject_id'] . - "&course_id=" ) . "'"; + "&course_id=" ); $course_select = ' - '; //FJ Add No Courses were found error diff --git a/modules/Scheduling/Courses.php b/modules/Scheduling/Courses.php index b6820d866..e013a8d0e 100644 --- a/modules/Scheduling/Courses.php +++ b/modules/Scheduling/Courses.php @@ -808,12 +808,13 @@ if ( $can_delete ) { - $delete_url = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + $delete_url = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . '&modfunc=delete&subject_id=' . $_REQUEST['subject_id'] . '&course_id=' . $_REQUEST['course_id'] . - '&course_period_id=' . $_REQUEST['course_period_id'] ) . "'"; + '&course_period_id=' . $_REQUEST['course_period_id'] ); - $delete_button = ''; + $delete_button = ''; } } diff --git a/modules/Scheduling/RequestsReport.php b/modules/Scheduling/RequestsReport.php index 263041475..c73d20556 100644 --- a/modules/Scheduling/RequestsReport.php +++ b/modules/Scheduling/RequestsReport.php @@ -24,7 +24,7 @@ 'unfilled' => _( 'Unfilled Requests' ), ], false, - 'onchange="ajaxLink(\'' . $report_link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $report_link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/Scheduling/ScheduleReport.php b/modules/Scheduling/ScheduleReport.php index d535a9454..18e59dfd2 100644 --- a/modules/Scheduling/ScheduleReport.php +++ b/modules/Scheduling/ScheduleReport.php 
@@ -29,7 +29,7 @@ 'master' => _( 'Master Schedule Report' ), ], false, - 'onchange="ajaxLink(\'' . $report_link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $report_link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/School_Setup/Calendar.php b/modules/School_Setup/Calendar.php index fb117a035..aa8723d88 100644 --- a/modules/School_Setup/Calendar.php +++ b/modules/School_Setup/Calendar.php @@ -950,7 +950,7 @@ } //FJ bugfix erase calendar onchange - $calendar_onchange_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . "&calendar_id=" ) . "'"; + $calendar_onchange_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . "&calendar_id=" ); $links = SelectInput( $_REQUEST['calendar_id'], @@ -958,7 +958,8 @@ '' . _( 'Calendar' ) . '', $options, false, - ' onchange="ajaxLink(' . $calendar_onchange_URL . ' + document.getElementById(\'calendar_id\').value);" ', + ' onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $calendar_onchange_URL ) . + ' + document.getElementById("calendar_id").value);' ) . '" ', false ); diff --git a/modules/School_Setup/MarkingPeriods.php b/modules/School_Setup/MarkingPeriods.php index 315d0e17b..290fa97ba 100644 --- a/modules/School_Setup/MarkingPeriods.php +++ b/modules/School_Setup/MarkingPeriods.php @@ -443,9 +443,10 @@ if ( $can_delete ) { - $delete_URL = "'" . URLEscape( $mp_href . "&modfunc=delete" ) . "'"; + $delete_URL = URLEscape( $mp_href . "&modfunc=delete" ); - $delete_button = ''; + $delete_button = ''; } } } diff --git a/modules/Student_Billing/DailyTransactions.php b/modules/Student_Billing/DailyTransactions.php index fbc8957d2..319c6de1b 100644 --- a/modules/Student_Billing/DailyTransactions.php +++ b/modules/Student_Billing/DailyTransactions.php 
@@ -50,7 +50,7 @@ function _programMenu( $program ) 'totals' => _( 'Daily Totals' ), ], false, - 'onchange="ajaxLink(\'' . $link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/Students/AssignOtherInfo.php b/modules/Students/AssignOtherInfo.php index 18cd277c2..27525d67a 100644 --- a/modules/Students/AssignOtherInfo.php +++ b/modules/Students/AssignOtherInfo.php @@ -234,10 +234,10 @@ echo '
'; - $category_onchange_URL = "'" . PreparePHP_SELF( $_REQUEST, [ 'category_id' ] ) . "&category_id='"; + $category_onchange_URL = PreparePHP_SELF( $_REQUEST, [ 'category_id' ] ) . '&category_id='; - echo ''; echo ''; diff --git a/modules/Students/Student.php b/modules/Students/Student.php index c64315c33..dc2b8ab0c 100644 --- a/modules/Students/Student.php +++ b/modules/Students/Student.php @@ -726,10 +726,11 @@ if ( $can_delete ) { - $delete_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . - '&student_id=' . UserStudentID() . "&modfunc=delete" ) . "'"; + $delete_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + '&student_id=' . UserStudentID() . "&modfunc=delete" ); - $delete_button = ''; + $delete_button = ''; } } } diff --git a/modules/Students/StudentFields.php b/modules/Students/StudentFields.php index 0b2426fb5..0cccbba7d 100644 --- a/modules/Students/StudentFields.php +++ b/modules/Students/StudentFields.php @@ -60,7 +60,7 @@ function _fieldsCategoryMenu( $category ) 'contact' => _( 'Contact Fields' ), ], false, - 'onchange="ajaxLink(\'' . $link . '\' + this.value);" autocomplete="off"', + 'onchange="' . AttrEscape( 'ajaxLink(' . json_encode( $link ) . ' + this.value);' ) . '" autocomplete="off"', false ); diff --git a/modules/Users/User.php b/modules/Users/User.php index dd2294f70..63068e859 100644 --- a/modules/Users/User.php +++ b/modules/Users/User.php @@ -690,10 +690,11 @@ if ( $can_delete ) { - $delete_URL = "'" . URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . - '&staff_id=' . UserStaffID() . "&modfunc=delete" ) . "'"; + $delete_URL = URLEscape( "Modules.php?modname=" . $_REQUEST['modname'] . + '&staff_id=' . UserStaffID() . "&modfunc=delete" ); - $delete_button = ''; + $delete_button = ''; } } } diff --git a/modules/Users/includes/Schedule.inc.php b/modules/Users/includes/Schedule.inc.php index affd878f0..03a5a77d7 100644 --- a/modules/Users/includes/Schedule.inc.php 
+++ b/modules/Users/includes/Schedule.inc.php @@ -12,11 +12,13 @@ PopTable( 'footer' ); } - $all_schools_onclick_URL = "'" . ( $_REQUEST['all_schools'] == 'Y' ? + $all_schools_onclick_URL = ( $_REQUEST['all_schools'] == 'Y' ? PreparePHP_SELF( $_REQUEST, [], [ 'all_schools' => '' ] ) : - PreparePHP_SELF( $_REQUEST, [], [ 'all_schools' => 'Y' ] ) ) . "'"; + PreparePHP_SELF( $_REQUEST, [], [ 'all_schools' => 'Y' ] ) ); - $input_all_schools = ''; + $input_all_schools = ''; DrawHeader( '' );