webERP-team
diff --git a/‎AddCustomerTypeNotes.php
+1-1 b/‎AddCustomerTypeNotes.php
+1-1
diff --git a/‎AuditTrail.php
+1-1 b/‎AuditTrail.php
+1-1
diff --git a/‎BOMExtendedQty.php
+1-1 b/‎BOMExtendedQty.php
+1-1
diff --git a/‎BOMIndented.php
+1-1 b/‎BOMIndented.php
+1-1
diff --git a/‎BOMIndentedReverse.php
+1-1 b/‎BOMIndentedReverse.php
+1-1
diff --git a/‎BOMInquiry.php
+1-1 b/‎BOMInquiry.php
+1-1
diff --git a/‎BOMListing.php
+1-1 b/‎BOMListing.php
+1-1
diff --git a/‎BOMs.php
+10-10 b/‎BOMs.php
+10-10
diff --git a/‎BackupDatabase.php
+1-1 b/‎BackupDatabase.php
+1-1
diff --git a/‎BankReconciliation.php
+1-1 b/‎BankReconciliation.php
+1-1
diff --git a/‎COGSGLPostings.php
+6-6 b/‎COGSGLPostings.php
+6-6
diff --git a/‎CompanyPreferences.php
+1-1 b/‎CompanyPreferences.php
+1-1
diff --git a/‎ConfirmDispatch_Invoice.php
+1-1 b/‎ConfirmDispatch_Invoice.php
+1-1
diff --git a/‎ContractBOM.php
+2-2 b/‎ContractBOM.php
+2-2
diff --git a/‎ContractCosting.php
+1-1 b/‎ContractCosting.php
+1-1
diff --git a/‎ContractOtherReqts.php
+2-2 b/‎ContractOtherReqts.php
+2-2
diff --git a/‎Contracts.php
+2-2 b/‎Contracts.php
+2-2
diff --git a/‎CounterSales.php
+5-5 b/‎CounterSales.php
+5-5
@@ -147,7 +147,7 @@
 }
 if (isset($Id)) {
 	echo '<div class="centre">
-			<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorType=' . $DebtorType . '">' . _('Review all notes for this Customer Type') .'</a>
+			<a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?DebtorType=' . $DebtorType . '">' . _('Review all notes for this Customer Type') .'</a>
 		</div>';
 }
 
 
@@ -34,7 +34,7 @@
 // Get list of users
 $UserResult = DB_query("SELECT userid FROM www_users",$db);
 
-echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '" method="post">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 echo '<table class="selection">';
 
 
@@ -262,7 +262,7 @@
 
 	echo '<br />
 		<br />
-		<form action=' . htmlspecialchars($_SERVER['PHP_SELF']) . ' method="post">
+		<form action=' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . ' method="post">
 		<table class="selection">
 		<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />
 		<tr>
 
@@ -247,7 +247,7 @@
 
 	echo '<br />
 			<br />
-			<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
+			<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '" method="post">
 			<table class="selection">';
 	echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 	echo '<tr>
 
@@ -235,7 +235,7 @@
 		_('Search') . '" alt="" />' . ' ' . $title.'</p><br />';
 	echo '<br />
 		<br />
-		<form action=' . htmlspecialchars($_SERVER['PHP_SELF']) . ' method="post">
+		<form action=' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . ' method="post">
 		<table class="selection">
 		<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />
 		<tr>
 
@@ -13,7 +13,7 @@
 }
 
 if (!isset($_POST['StockID'])) {
-	echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">
+	echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '" method="post">
 		<b>
 		<br />
 		</b>
 
@@ -112,7 +112,7 @@
 
 	/*if $FromCriteria is not set then show a form to allow input	*/
 
-		echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="POST">
+		echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '" method="POST">
 			<table class="selection">';
 		echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 
@@ -113,7 +113,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 				$DrillID='';
 			} else {
 				$DrillText = '<a href="%s&Select=%s">' . _('Drill Down');
-				$DrillLink = htmlspecialchars($_SERVER['PHP_SELF']) . '?';
+				$DrillLink = htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?';
 				$DrillID=$myrow['component'];
 			}
 			if ($ParentMBflag!='M' AND $ParentMBflag!='G'){
@@ -160,12 +160,12 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 					ConvertSQLDate($myrow['effectiveto']),
 					$AutoIssue,
 					$QuantityOnHand,
-					htmlspecialchars($_SERVER['PHP_SELF']) . '?',
+					htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?',
 					$Parent,
 					$myrow['component'],
 					$DrillLink,
 					$DrillID,
-					htmlspecialchars($_SERVER['PHP_SELF']) . '?',
+					htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?',
 					$Parent,
 					$myrow['component'],
 					$UltimateParent);
@@ -418,7 +418,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 			break;
 	}
 
-	echo '<br /><div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Select a Different BOM') . '</a></div><br />';
+	echo '<br /><div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '">' . _('Select a Different BOM') . '</a></div><br />';
 	echo '<table class="selection">';
 	// Display Manufatured Parent Items
 	$sql = "SELECT bom.parent,
@@ -437,7 +437,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 	if( DB_num_rows($result) > 0 ) {
 	 echo '<tr><td><div class="centre">'._('Manufactured parent items').' : ';
 	 while ($myrow = DB_fetch_array($result)){
-	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
+	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?Select='.$myrow['parent'].'">'.
 			$myrow['description'].'&nbsp;('.$myrow['parent'].')</a>';
 			$ix++;
 	 } //end while loop
@@ -460,7 +460,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 		echo (($reqnl)?'<br />':'').'<tr><td><div class="centre">'._('Assembly parent items').' : ';
 	 	$ix = 0;
 	 	while ($myrow = DB_fetch_array($result)){
-	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
+	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?Select='.$myrow['parent'].'">'.
 			$myrow['description'].'&nbsp;('.$myrow['parent'].')</a>';
 			$ix++;
 	 	} //end while loop
@@ -482,7 +482,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 		echo (($reqnl)?'<br />':'').'<tr><td><div class="centre">'._('Kit sets').' : ';
 	 	$ix = 0;
 	 	while ($myrow = DB_fetch_array($result)){
-	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
+	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?Select='.$myrow['parent'].'">'.
 			$myrow['description'].'&nbsp;('.$myrow['parent'].')</a>';
 			$ix++;
 	 	} //end while loop
@@ -504,7 +504,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 		echo (($reqnl)?'<br />':'').'<tr><td><div class="centre">'._('Phantom').' : ';
 	 	$ix = 0;
 	 	while ($myrow = DB_fetch_array($result)){
-	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF']) . '?Select='.$myrow['parent'].'">'.
+	 	   echo (($ix)?', ':'').'<a href="'.htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?Select='.$myrow['parent'].'">'.
 			$myrow['description'].'&nbsp;('.$myrow['parent'].')</a>';
 			$ix++;
 	 	} //end while loop
@@ -564,7 +564,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 
 	if (! isset($_GET['delete'])) {
 
-		echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?Select=' . $SelectedParent .'">';
+		echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?Select=' . $SelectedParent .'">';
 		echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 		if (isset($_GET['SelectedComponent']) and $InputError !=1) {
@@ -830,7 +830,7 @@ function DisplayBOMItems($UltimateParent, $Parent, $Component,$Level, $db) {
 if (!isset($SelectedParent)) {
 
 	echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/magnifier.png" title="' . _('Search') . '" alt="" />' . ' ' . $title . '</p>';
-	echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">' .
+	echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '" method="post">' .
 	'<div class="page_help_text">'. _('Select a manufactured part') . ' (' . _('or Assembly or Kit part') . ') ' . _('to maintain the bill of material for using the options below') .  '<br /><font size="1">' . _('Parts must be defined in the stock item entry') . '/' . _('modification screen as manufactured') . ', ' . _('kits or assemblies to be available for construction of a bill of material') .'</div>'. '</font>
      <br />
      <table class="selection" cellpadding="3" colspan="4">
 
@@ -44,7 +44,7 @@
 		prnMsg(_('Once you have downloaded the database backup file to your local machine you should use the link below to delete it - backup files can consume a lot of space on your hosting account and will accumulate if not deleted - they also contain sensitive information which would otherwise be available for others to download!'),'info');
 		echo '<br />
 			<br />
-			<a href="'. htmlspecialchars($_SERVER['PHP_SELF']) . '?BackupFile=' .$BackupFile  .'">' . _('Delete the backup file off the server') . '</a>';
+			<a href="'. htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?BackupFile=' .$BackupFile  .'">' . _('Delete the backup file off the server') . '</a>';
 	} else {
 		prnMsg(_('There was some problem producing a backup using mysqldump. Normally this relates to a permissions issue - the web-server user must have permission to write to the companies directory'),'error');
 	}
 
@@ -8,7 +8,7 @@
 
 include('includes/header.inc');
 
-echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/money_add.png" title="' . _('Search') . '" alt="" />' . ' ' . $title.'</p><br />';
 
 
@@ -111,9 +111,9 @@
 					$myrow['stkcat'],
 					$myrow['salestype'],
 					$myrow['accountname'],
-					htmlspecialchars($_SERVER['PHP_SELF']) . '?',
+					htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?',
 					$myrow['id'],
-					htmlspecialchars($_SERVER['PHP_SELF']). '?',
+					htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8'). '?',
 					$myrow['id']);
 		}//end while
 		echo '</table>';
@@ -210,9 +210,9 @@
 				$myrow['stkcat'],
 				$myrow['salestype'],
 				$myrow['accountname'],
-				htmlspecialchars($_SERVER['PHP_SELF']) . '?',
+				htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?',
 				$myrow['id'],
-				htmlspecialchars($_SERVER['PHP_SELF']) . '?',
+				htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?',
 				$myrow['id']);
 
 		}//END WHILE LIST LOOP
@@ -222,12 +222,12 @@
 //end of ifs and buts!
 
 if (isset($SelectedCOGSPostingID)) {
-	echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) .'">' . _('Show all cost of sales posting records') . '</a></div>';
+	echo '<div class="centre"><a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') .'">' . _('Show all cost of sales posting records') . '</a></div>';
 }
 
 echo '<br />';
 
-echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 if (isset($SelectedCOGSPostingID)) {
 
@@ -153,7 +153,7 @@
 	echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/maintenance.png" title="' . _('Search') .
 		'" alt="" />' . ' ' . $title.'</p><br />';
 
-echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">';
+echo '<form method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 echo '<table class="selection">';
 
 
@@ -266,7 +266,7 @@
 			</table>
 			<br />';
 
-echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier . '" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier . '" method="post">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 /***************************************************************
 
@@ -215,7 +215,7 @@
 
 /* This is where the order as selected should be displayed  reflecting any deletions or insertions*/
 
-echo '<form name="ContractBOMForm" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '" method="post">';
+echo '<form name="ContractBOMForm" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier. '" method="post">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 if (count($_SESSION['Contract'.$identifier]->ContractBOM)>0){
@@ -263,7 +263,7 @@
 			  <td>' . $ContractComponent->UOM . '</td>
 			  <td class="number">' . locale_number_format($ContractComponent->ItemCost,$_SESSION['CompanyRecord']['decimalplaces']) . '</td>
 			  <td class="number">' . $DisplayLineTotal . '</td>
-			  <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '&Delete=' . $ContractComponent->ComponentID . '" onclick="return confirm(\'' . _('Are you sure you wish to delete this item from the contract BOM?') . '\');">' . _('Delete') . '</a></td></tr>';
+			  <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier. '&Delete=' . $ContractComponent->ComponentID . '" onclick="return confirm(\'' . _('Are you sure you wish to delete this item from the contract BOM?') . '\');">' . _('Delete') . '</a></td></tr>';
 		$TotalCost += $LineTotal;
 	}
 
 
@@ -432,7 +432,7 @@
 
 if ($_SESSION['Contract'.$identifier]->Status ==2){//the contract is an order being processed now
 
-	echo '<form  method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?SelectedContract=' . $_SESSION['Contract'.$identifier]->ContractRef . '&identifier=' . $identifier . '">';
+	echo '<form  method="post" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?SelectedContract=' . $_SESSION['Contract'.$identifier]->ContractRef . '&identifier=' . $identifier . '">';
 	echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 	echo '<br />
 		<div class="centre">
 
@@ -75,7 +75,7 @@
 
 /* This is where the other requirement as entered/modified should be displayed reflecting any deletions or insertions*/
 
-echo '<form name="ContractReqtsForm" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '" method="post">';
+echo '<form name="ContractReqtsForm" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier. '" method="post">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/contract.png" title="' . _('Contract Other Requirements') . '" alt="" />  ' . _('Contract Other Requirements') . ' - ' . $_SESSION['Contract'.$identifier]->CustomerName.'</p>';
 
@@ -116,7 +116,7 @@
 			  <td><input type="text" class="number" name="Qty' . $ContractReqtID . '" size="11" value="' . locale_number_format($ContractComponent->Quantity,'Variable')  . '" /></td>
 			  <td><input type="text" class="number" name="CostPerUnit' . $ContractReqtID . '" size="11" value="' . locale_number_format($ContractComponent->CostPerUnit,$_SESSION['CompanyRecord']['decimalplaces']) . '" /></td>
 			  <td class="number">' . $DisplayLineTotal . '</td>
-			  <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier. '&amp;Delete=' . $ContractReqtID . '" onclick="return confirm(\'' . _('Are you sure you wish to delete this contract requirement?') . '\');">' . _('Delete') . '</a></td>
+			  <td><a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier. '&amp;Delete=' . $ContractReqtID . '" onclick="return confirm(\'' . _('Are you sure you wish to delete this contract requirement?') . '\');">' . _('Delete') . '</a></td>
 			  </tr>';
 		$TotalCost += $LineTotal;
 	}
 
@@ -746,7 +746,7 @@
 
 	echo '<p class="page_title_text"><img src="'.$rootpath.'/css/'.$theme.'/images/contract.png" title="' .
 		_('Contract') . '" alt="" />' . ' ' . _('Contract: Select Customer') . '</p>';
-	echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier=' . $identifier .'" name="CustomerSelection" method="post">';
+	echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier=' . $identifier .'" name="CustomerSelection" method="post">';
 	echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 	echo '<table cellpadding="3" colspan="4" class="selection">
@@ -814,7 +814,7 @@
 //end if RequireCustomerSelection
 } else { /*A customer is already selected so get into the contract setup proper */
 
-	echo '<form name="ContractEntry" enctype="multipart/form-data" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier=' . $identifier . '" method="post">';
+	echo '<form name="ContractEntry" enctype="multipart/form-data" action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier=' . $identifier . '" method="post">';
 	echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 	echo '<p class="page_title_text">
 
@@ -212,7 +212,7 @@
 
 	echo '<br /><br />';
 	prnMsg(_('This sale has been cancelled as requested'),'success');
-	echo '<br /><br /><a href="' .htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Start a new Counter Sale') . '</a>';
+	echo '<br /><br /><a href="' .htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '">' . _('Start a new Counter Sale') . '</a>';
 	include('includes/footer.inc');
 	exit;
 
@@ -361,7 +361,7 @@
 
 /* Always do the stuff below */
 
-echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier . '" name="SelectParts" method="post">';
+echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier . '" name="SelectParts" method="post">';
 echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 
 //Get The exchange rate used for GPPercent calculations on adding or amending items
@@ -819,7 +819,7 @@
 		$_SESSION['Items'.$identifier]->TaxGLCodes=$TaxGLCodes;
 		echo '<td class="number">' . locale_number_format($TaxLineTotal ,$_SESSION['Items'.$identifier]->CurrDecimalPlaces) . '</td>';
 		echo '<td class="number">' . locale_number_format($SubTotal + $TaxLineTotal ,$_SESSION['Items'.$identifier]->CurrDecimalPlaces) . '</td>';
-		echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?identifier='.$identifier . '&Delete=' . $OrderLine->LineNumber . '" onclick="return confirm(\'' . _('Are You Sure?') . '\');">' . _('Delete') . '</a></td></tr>';
+		echo '<td><a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?identifier='.$identifier . '&Delete=' . $OrderLine->LineNumber . '" onclick="return confirm(\'' . _('Are You Sure?') . '\');">' . _('Delete') . '</a></td></tr>';
 
 		if ($_SESSION['AllowOrderLineItemNarrative'] == 1){
 			echo $RowStarter;
@@ -1980,7 +1980,7 @@ functionalexrate,
 		} else {
 			echo '<img src="'.$rootpath.'/css/'.$theme.'/images/printer.png" title="' . _('Print') . '" alt="" />' . ' ' . '<a target="_blank" href="'.$rootpath.'/PrintCustTransPortrait.php?FromTransNo='.$InvoiceNo.'&InvOrCredit=Invoice&PrintPDF=True">'. _('Print this invoice'). ' (' . _('Portrait') . ')</a><br /><br />';
 		}
-		echo '<br /><br /><a href="' .htmlspecialchars($_SERVER['PHP_SELF']) . '">' . _('Start a new Counter Sale') . '</a></div>';
+		echo '<br /><br /><a href="' .htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '">' . _('Start a new Counter Sale') . '</a></div>';
 
 	}
 	// There were input errors so don't process nuffin
@@ -2197,7 +2197,7 @@ functionalexrate,
 
 		if (isset($SearchResult)) {
 			$j = 1;
-			echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?' . SID .'identifier='.$identifier . '" method="post" name="orderform">';
+			echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?' . SID .'identifier='.$identifier . '" method="post" name="orderform">';
 			echo '<input type="hidden" name="FormID" value="' . $_SESSION['FormID'] . '" />';
 			echo '<table class="table1">';
 			echo '<tr>
Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,7 @@`
`147`	`147`	`}`
`148`	`148`	`if (isset($Id)) {`
`149`	`149`	`echo '<div class="centre">`
`150`		`- <a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?DebtorType=' . $DebtorType . '">' . _('Review all notes for this Customer Type') .'</a>`
	`150`	`+ <a href="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?DebtorType=' . $DebtorType . '">' . _('Review all notes for this Customer Type') .'</a>`
`151`	`151`	`</div>';`
`152`	`152`	`}`
`153`	`153`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`if (!isset($_POST['StockID'])) {`
`16`		`- echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">`
	`16`	`+ echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '" method="post">`
`17`	`17`	`<b>`
`18`	`18`	`<br />`
`19`	`19`	`</b>`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@`
`44`	`44`	`prnMsg(_('Once you have downloaded the database backup file to your local machine you should use the link below to delete it - backup files can consume a lot of space on your hosting account and will accumulate if not deleted - they also contain sensitive information which would otherwise be available for others to download!'),'info');`
`45`	`45`	`echo '<br />`
`46`	`46`	`<br />`
`47`		`- <a href="'. htmlspecialchars($_SERVER['PHP_SELF']) . '?BackupFile=' .$BackupFile .'">' . _('Delete the backup file off the server') . '</a>';`
	`47`	`+ <a href="'. htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8') . '?BackupFile=' .$BackupFile .'">' . _('Delete the backup file off the server') . '</a>';`
`48`	`48`	`} else {`
`49`	`49`	`prnMsg(_('There was some problem producing a backup using mysqldump. Normally this relates to a permissions issue - the web-server user must have permission to write to the companies directory'),'error');`
`50`	`50`	`}`