From b7ae179e42a50ac04f7b9e72b4829f0c512ecab9 Mon Sep 17 00:00:00 2001
From: Ahmad Gneady
Date: Sat, 1 May 2021 13:25:21 +0200
Subject: [PATCH] Sanitize date parameters against reflected XSS.

---
 app/hooks/SummaryReport.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/hooks/SummaryReport.php b/app/hooks/SummaryReport.php
index dbad240..2e597f4 100644
--- a/app/hooks/SummaryReport.php
+++ b/app/hooks/SummaryReport.php
@@ -2111,6 +2111,8 @@ private function date_to_ts($date){
 }
 private function valid_app_date($date, $default = false) {
+ // only allow digits, a, p, m, whitespace and valid separators (.,-/) and strip everything else
+ $date = trim(preg_replace('/[^\d\s-\.,\/apm:]/i', '', $date));
 return $this->date_to_ts($date) ? $date : $default;
 }
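Review bot: The character class in the added `preg_replace()` call puts `-` between the `\s` shorthand and `\.`, which the PCRE2 engine PHP ships since 7.3 rejects as an invalid range instead of reading it as a literal hyphen; preg_replace() then raises a compilation warning and returns null, trim() turns that into an empty string, and valid_app_date() falls through to `$default` for every input, so the report's date filter silently stops working. Moving the hyphen to the end of the class, and guarding the null return, fixes both points: `$date = trim(preg_replace('/[^\d\s.,\/apm:-]/i', '', $date) ?? '');` — the `?? ''` also avoids the PHP 8.1 deprecation for passing null to trim(). The comment above it should then list the hyphen as the last separator so it matches the pattern. The allow-list is sound defense in depth, but the place that echoes the date (outside this hunk) should still apply its own `htmlspecialchars()` rather than rely on this filter alone.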