From c2ff3d8e85a811003b796ca38f5b3290deeaa3aa Mon Sep 17 00:00:00 2001
From: notrinos
Date: Tue, 23 Aug 2022 21:31:52 +0700
Subject: [PATCH] no x-frame-options header set which allow clickjacking attack. Fixed.

---
 access/login.php | 3 +++
 access/password_reset.php | 3 +++
 includes/page/header.inc | 8 +++++---
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/access/login.php b/access/login.php
index 3c37245..d29e30c 100644
--- a/access/login.php
+++ b/access/login.php
@@ -52,6 +52,9 @@ function defaultCompany() {
 $rtl = isset($_SESSION['language']->dir) ? $_SESSION['language']->dir : 'ltr';
 $onload = !$login_timeout ? "onload='defaultCompany()'" : '';
+if (!headers_sent())
+	header("X-Frame-Options: SAMEORIGIN");
+
 echo "\n";
 echo "\n";
 echo "".$title."\n";
diff --git a/access/password_reset.php b/access/password_reset.php
index 07c63eb..a7eb68e 100644
--- a/access/password_reset.php
+++ b/access/password_reset.php
@@ -32,6 +32,9 @@ function defaultCompany() {
 $rtl = isset($_SESSION['language']->dir) ? $_SESSION['language']->dir : 'ltr';
 $onload = !$login_timeout ? "onload='defaultCompany()'" : '';
+if (!headers_sent())
+	header("X-Frame-Options: SAMEORIGIN");
+
 echo "\n";
 echo "\n";
 echo "".$title."\n";
diff --git a/includes/page/header.inc b/includes/page/header.inc
index ded0e54..dc471d1 100644
--- a/includes/page/header.inc
+++ b/includes/page/header.inc
@@ -41,7 +41,7 @@ function help_url($context=null) {
 		.'&ctxhelp=1&lang='.$country);
 }
-function send_css($css = '') {
+function send_css($css='') {
 	global $css_files;
 	init_css();
@@ -119,8 +119,10 @@ function page_header($title, $no_menu=false, $is_index=false, $onload='', $js=''
 	$encoding = $_SESSION['language']->encoding;
-	if (!headers_sent())
+	if (!headers_sent()) {
 		header("Content-type: text/html; charset=$encoding");
+		header("X-Frame-Options: SAMEORIGIN");
+	}
 	echo "\n";
 	echo "dir . "' >\n";
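Review bot: The `X-Frame-Options: SAMEORIGIN` header added to access/login.php is a legacy mechanism; current browsers honour `Content-Security-Policy: frame-ancestors` in preference to it, so the fix should emit both, e.g. `header("Content-Security-Policy: frame-ancestors 'self'");` directly after the new `header()` call inside the same `headers_sent()` guard. If no page of the application is meant to be framed at all, `DENY` together with `frame-ancestors 'none'` is the stricter choice; `SAMEORIGIN` is only warranted if the application frames itself, which nothing in this diff shows. The `@@` context names `defaultCompany()`, but the changed statements appear to be top-level script code, so the enclosing file continues outside the hunk on both sides.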
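Review bot: The `if (!headers_sent()) header("X-Frame-Options: SAMEORIGIN");` pair added to access/password_reset.php is a verbatim copy of the one added to access/login.php, and a third instance goes into includes/page/header.inc, so any later adjustment (adding a CSP `frame-ancestors` directive, tightening to `DENY`) has to be repeated in three places and is easy to miss in one. I would move the emission into a single helper in a shared include — something like `send_security_headers()` that wraps the `headers_sent()` check and every frame-protection header — and call it from both access pages and from `page_header()`. Which shared include password_reset.php already loads is not visible in this diff, so the helper's home needs confirming against the includes at the top of the file.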
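Review bot: In `page_header()` (includes/page/header.inc, hunk at line 119) the new `X-Frame-Options` header is sent only inside the `if (!headers_sent())` branch, so any stray output before this point — a BOM, whitespace after a `?>`, a PHP notice — silently drops the clickjacking protection along with the Content-type header, and nothing records that it happened. At minimum add an else branch that makes the skip detectable, e.g. `else { headers_sent($file, $line); error_log("security headers skipped: output started at $file:$line"); }`, or the project's own logging helper if it has one. Longer term the header belongs in the request bootstrap before any output rather than in the page renderer, since any entry point that never calls `page_header()` (not visible here) would remain unprotected. `page_header()` begins before this hunk and continues past it.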
@@ -145,4 +147,4 @@ function page_header($title, $no_menu=false, $is_index=false, $onload='', $js=''
 	$rend = new renderer();
 	$rend->menu_header($title, $no_menu, $is_index);
 	error_box();
-}
\ No newline at end of file
+}