Reflected XSS and Unauthorized Access in /admin/class schedule/delete_batch.php

### Reflected XSS and Unauthorized Access in /admin/class schedule/delete_batch.php

**Describe the bug**  
The class schedule deletion endpoint `/admin/class schedule/delete_batch.php` lacks proper administrator permission checks (unauthorized access vulnerability). Additionally, the `batch` parameter from the POST request is directly concatenated into the HTML response without any HTML escaping (e.g., `htmlspecialchars`), leading to a reflected Cross‑Site Scripting (XSS) vulnerability.

**Steps to reproduce**  
1. Access the system (no login is required to trigger the vulnerability, but the endpoint is located in the admin directory; however, the absence of permission checks allows unauthorized access).  
2. Send the following POST request using a tool like Burp Suite, curl, or Postman:  

POST /admin/class%20schedule/delete_batch.php HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

batch=<script>alert('XSS_POC')</script>

3. The server responds with an HTML page containing the injected script: `Batch '<script>alert('XSS_POC')</script>' schedules deleted successfully.` The script executes in the browser, confirming both unauthorized access and reflected XSS.

**Describe the solution**  
1. **Add authentication and authorization:** Verify that the current user has administrator privileges before processing the deletion request. For example, check session data or a valid token.  
2. **Escape output:** Use `htmlspecialchars()` to encode any user‑supplied data before including it in HTML output.  

Screenshots

![](https://pic1.imgdb.cn/item/69c0ea0ddc921df82a0b4ad9.png)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reflected XSS and Unauthorized Access in /admin/class schedule/delete_batch.php #242