Sanitize date parameters against reflected XSS.

bigprof-software · May 1, 2021 · b7ae179 · b7ae179
1 parent e123503
commit b7ae179
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/app/hooks/SummaryReport.php b/app/hooks/SummaryReport.php
@@ -2111,6 +2111,8 @@ private function date_to_ts($date){
 	}
 
 	private function valid_app_date($date, $default = false) {
+		// only allow digits, a, p, m, whitespace and valid separators (.,-/) and strip everything else
+		$date = trim(preg_replace('/[^\d\s-\.,\/apm:]/i', '', $date));
 		return $this->date_to_ts($date) ? $date : $default;
 	}