security: fix all LOW priority items from TODO.SECURITY.md

Item 13 — Remove deprecated X-XSS-Protection header - nginx/posterg.conf: header removed (was '1; mode=block') - nginx/SECURITY_HEADERS.md: new file documenting header decisions and explaining why X-XSS-Protection is counterproductive Item 14 — Add rel="noreferrer" to external target="_blank" link - public/admin/thanks.php: rel="noopener" → rel="noopener noreferrer" Item 15 — Explicit (int) casts on all integer HTML outputs - public/index.php: (int) on item id, page numbers - public/search.php: (int) on totalItems, year options, item id, pagination Item 16 — Remove unused DATABASE_PATH constant - config/bootstrap.php: define('DATABASE_PATH', ...) removed docs/TODO.SECURITY.md updated: items 13-16 marked resolved and moved to the ✅ Resolved section.
2026-05-06 11:09:18 +02:00 · 2026-02-08 11:58:51 +01:00
parent 94d110438f
commit f5d3281c43
8 changed files with 490 additions and 221 deletions
--- a/public/admin/thanks.php
+++ b/public/admin/thanks.php
@@ -148,7 +148,7 @@ $pageTitle = "Merci";

                    <?php if ($thesis['baiu_link']): ?>
                    <dt>Lien:</dt>
-                    <dd><a href="<?php echo htmlspecialchars($thesis['baiu_link']); ?>" target="_blank" rel="noopener">
+                    <dd><a href="<?php echo htmlspecialchars($thesis['baiu_link']); ?>" target="_blank" rel="noopener noreferrer">
                        <?php echo htmlspecialchars($thesis['baiu_link']); ?>
                    </a></dd>
                    <?php endif; ?>
--- a/public/index.php
+++ b/public/index.php
@@ -24,7 +24,7 @@ include APP_ROOT . '/includes/header.php';

 <main>
    <?php foreach ($itemsToLoad as $item): ?>
-        <a href="memoire.php?id=<?= $item["id"] ?>" class="card-link">
+        <a href="memoire.php?id=<?= (int)$item["id"] ?>" class="card-link">
            <div class="card">
                <div class="card-content">
                    <h2 class="title"><?= htmlspecialchars($item["title"]) ?></h2>
@@ -43,14 +43,14 @@ include APP_ROOT . '/includes/header.php';
 <?php if ($totalPages > 1): ?>
 <nav class="pagination">
    <?php if ($page > 1): ?>
-        <a href="?page=<?= $page - 1 ?>" class="pagination-previous">Précédent</a>
+        <a href="?page=<?= (int)($page - 1) ?>" class="pagination-previous">Précédent</a>
    <?php endif; ?>

    <?php if ($page < $totalPages): ?>
-        <a href="?page=<?= $page + 1 ?>" class="pagination-next">Suivant</a>
+        <a href="?page=<?= (int)($page + 1) ?>" class="pagination-next">Suivant</a>
    <?php endif; ?>

-    <span class="pagination-info">Page <?= $page ?> sur <?= $totalPages ?></span>
+    <span class="pagination-info">Page <?= (int)$page ?> sur <?= (int)$totalPages ?></span>
 </nav>
 <?php endif; ?>

--- a/public/search.php
+++ b/public/search.php
@@ -160,8 +160,8 @@ include APP_ROOT . '/includes/header.php'; ?>
                  <select name="year">
                    <option value="">Toutes les années</option>
                    <?php foreach ($years as $year): ?>
-                      <option value="<?= $year; ?>" <?= (isset($_GET['year']) && $_GET['year'] == $year) ? 'selected' : ''; ?>>
-                        <?= $year; ?>
+                      <option value="<?= (int)$year; ?>" <?= (isset($_GET['year']) && $_GET['year'] == $year) ? 'selected' : ''; ?>>
+                        <?= (int)$year; ?>
                      </option>
                    <?php endforeach; ?>
                  </select>
@@ -326,14 +326,14 @@ include APP_ROOT . '/includes/header.php'; ?>
    <!-- Search results -->
    <?php if (!empty($searchParams)): ?>
      <div class="notification is-info is-light">
-        <strong><?= $totalItems; ?></strong> résultat<?= $totalItems > 1 ? 's' : ''; ?> trouvé<?= $totalItems > 1 ? 's' : ''; ?>
+        <strong><?= (int)$totalItems; ?></strong> résultat<?= $totalItems > 1 ? 's' : ''; ?> trouvé<?= $totalItems > 1 ? 's' : ''; ?>
      </div>

      <?php if (count($results) > 0): ?>
        <div class="columns is-multiline">
          <?php foreach ($results as $item): ?>
            <div class="column is-one-fifth">
-              <a href="memoire.php?id=<?= $item['id']; ?>" class="card-link">
+              <a href="memoire.php?id=<?= (int)$item['id']; ?>" class="card-link">
                <div class="card">
                  <?php
                  // Get cover image from thesis_files if available
@@ -397,7 +397,7 @@ include APP_ROOT . '/includes/header.php'; ?>
                <li>
                  <a href="?<?= http_build_query(array_merge($_GET, ['page' => $i])); ?>"
                     class="pagination-link <?= $i === $page ? 'is-current' : ''; ?>">
-                    <?= $i; ?>
+                    <?= (int)$i; ?>
                  </a>
                </li>
              <?php endfor; ?>