From 4a735c66187d43a512746512c14ab70faefe6d36 Mon Sep 17 00:00:00 2001
From: Sandra Kuipers <sandra@skuipers.com>
Date: Mon, 24 Jan 2022 08:51:58 +0800
Subject: [PATCH] System: sanitise dashboard input and tab selection

---
 src/UI/Dashboard/ParentDashboard.php  |  7 ++-----
 src/UI/Dashboard/StaffDashboard.php   | 10 +++++-----
 src/UI/Dashboard/StudentDashboard.php | 10 +++++-----
 3 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/src/UI/Dashboard/ParentDashboard.php b/src/UI/Dashboard/ParentDashboard.php
index 2472a8f99e..64d53869bd 100644
--- a/src/UI/Dashboard/ParentDashboard.php
+++ b/src/UI/Dashboard/ParentDashboard.php
@@ -845,12 +845,9 @@ protected function renderChildDashboard($gibbonPersonID, $dateStart)
             $return .= '</div>';
         }
 
+        $defaultTab = preg_replace('/[^0-9]/', '', $_GET['tab'] ?? 0);
 
-        $defaultTab = 0;
-        if (isset($_GET['tab'])) {
-            $defaultTab = $_GET['tab'];
-        }
-        else if (!is_null($parentDashboardDefaultTabCount)) {
+        if (!isset($_GET['tab']) && !is_null($parentDashboardDefaultTabCount)) {
             $defaultTab = $parentDashboardDefaultTabCount-1;
         }
         $return .= "<script type='text/javascript'>";
diff --git a/src/UI/Dashboard/StaffDashboard.php b/src/UI/Dashboard/StaffDashboard.php
index 1d879293aa..146929348f 100644
--- a/src/UI/Dashboard/StaffDashboard.php
+++ b/src/UI/Dashboard/StaffDashboard.php
@@ -27,6 +27,7 @@
 use Gibbon\Services\Format;
 use Gibbon\Tables\Prefab\EnrolmentTable;
 use Gibbon\Tables\Prefab\FormGroupTable;
+use Gibbon\Data\Validator;
 
 /**
  * Staff Dashboard View Composer
@@ -247,6 +248,7 @@ protected function renderDashboard()
         $timetable = false;
         if (isActionAccessible($guid, $connection2, '/modules/Timetable/tt.php') and $this->session->get('username') != '' and getRoleCategory($this->session->get('gibbonRoleIDCurrent'), $connection2) == 'Staff') {
             $apiEndpoint = (string)Url::fromHandlerRoute('index_tt_ajax.php');
+            $_POST = (new Validator(''))->sanitize($_POST);
             $jsonQuery = [
                 'gibbonTTID' => $_GET['gibbonTTID'] ?? '',
                 'ttDate' => $_POST['ttDate'] ?? '',
@@ -558,11 +560,9 @@ protected function renderDashboard()
             $return .= '</div>';
         }
 
-        $defaultTab = 0;
-        if (isset($_GET['tab'])) {
-            $defaultTab = $_GET['tab'];
-        }
-        else if (!empty($staffDashboardDefaultTabCount)) {
+        $defaultTab = preg_replace('/[^0-9]/', '', $_GET['tab'] ?? 0);
+        
+        if (!isset($_GET['tab']) && !empty($staffDashboardDefaultTabCount)) {
             $defaultTab = $staffDashboardDefaultTabCount-1;
         }
 
diff --git a/src/UI/Dashboard/StudentDashboard.php b/src/UI/Dashboard/StudentDashboard.php
index 16a7f67996..8430367038 100644
--- a/src/UI/Dashboard/StudentDashboard.php
+++ b/src/UI/Dashboard/StudentDashboard.php
@@ -25,6 +25,7 @@
 use Gibbon\Forms\OutputableInterface;
 use Gibbon\Http\Url;
 use Gibbon\Services\Format;
+use Gibbon\Data\Validator;
 
 /**
  * Student Dashboard View Composer
@@ -210,6 +211,7 @@ protected function renderDashboard()
         $timetable = false;
         if (isActionAccessible($guid, $connection2, '/modules/Timetable/tt.php') and $this->session->get('username') != '' and getRoleCategory($this->session->get('gibbonRoleIDCurrent'), $connection2) == 'Student') {
             $apiEndpoint = (string)Url::fromHandlerRoute('index_tt_ajax.php');
+            $_POST = (new Validator(''))->sanitize($_POST);
             $jsonQuery = [
                 'gibbonTTID' => $_GET['gibbonTTID'] ?? '',
                 'ttDate' => $_POST['ttDate'] ?? '',
@@ -305,11 +307,9 @@ protected function renderDashboard()
             $return .= '</div>';
         }
 
-        $defaultTab = 0;
-        if (isset($_GET['tab'])) {
-            $defaultTab = $_GET['tab'];
-        }
-        else if (!is_null($studentDashboardDefaultTabCount)) {
+        $defaultTab = preg_replace('/[^0-9]/', '', $_GET['tab'] ?? 0);
+
+        if (!isset($_GET['tab']) && !is_null($studentDashboardDefaultTabCount)) {
             $defaultTab = $studentDashboardDefaultTabCount-1;
         }
         $return .= "<script type='text/javascript'>";