System: sanitise dashboard input and tab selection

GibbonEdu · Jan 24, 2022 · 4a735c6 · 4a735c6
1 parent 62d2298
commit 4a735c6
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 15 deletions.
diff --git a/src/UI/Dashboard/ParentDashboard.php b/src/UI/Dashboard/ParentDashboard.php
@@ -845,12 +845,9 @@ protected function renderChildDashboard($gibbonPersonID, $dateStart)
             $return .= '</div>';
         }
 
+        $defaultTab = preg_replace('/[^0-9]/', '', $_GET['tab'] ?? 0);
 
-        $defaultTab = 0;
-        if (isset($_GET['tab'])) {
-            $defaultTab = $_GET['tab'];
-        }
-        else if (!is_null($parentDashboardDefaultTabCount)) {
+        if (!isset($_GET['tab']) && !is_null($parentDashboardDefaultTabCount)) {
             $defaultTab = $parentDashboardDefaultTabCount-1;
         }
         $return .= "<script type='text/javascript'>";

diff --git a/src/UI/Dashboard/StaffDashboard.php b/src/UI/Dashboard/StaffDashboard.php
@@ -27,6 +27,7 @@
 use Gibbon\Services\Format;
 use Gibbon\Tables\Prefab\EnrolmentTable;
 use Gibbon\Tables\Prefab\FormGroupTable;
+use Gibbon\Data\Validator;
 
 /**
  * Staff Dashboard View Composer
@@ -247,6 +248,7 @@ protected function renderDashboard()
         $timetable = false;
         if (isActionAccessible($guid, $connection2, '/modules/Timetable/tt.php') and $this->session->get('username') != '' and getRoleCategory($this->session->get('gibbonRoleIDCurrent'), $connection2) == 'Staff') {
             $apiEndpoint = (string)Url::fromHandlerRoute('index_tt_ajax.php');
+            $_POST = (new Validator(''))->sanitize($_POST);
             $jsonQuery = [
                 'gibbonTTID' => $_GET['gibbonTTID'] ?? '',
                 'ttDate' => $_POST['ttDate'] ?? '',
@@ -558,11 +560,9 @@ protected function renderDashboard()
             $return .= '</div>';
         }
 
-        $defaultTab = 0;
-        if (isset($_GET['tab'])) {
-            $defaultTab = $_GET['tab'];
-        }
-        else if (!empty($staffDashboardDefaultTabCount)) {
+        $defaultTab = preg_replace('/[^0-9]/', '', $_GET['tab'] ?? 0);
+
+        if (!isset($_GET['tab']) && !empty($staffDashboardDefaultTabCount)) {
             $defaultTab = $staffDashboardDefaultTabCount-1;
         }
 

diff --git a/src/UI/Dashboard/StudentDashboard.php b/src/UI/Dashboard/StudentDashboard.php
@@ -25,6 +25,7 @@
 use Gibbon\Forms\OutputableInterface;
 use Gibbon\Http\Url;
 use Gibbon\Services\Format;
+use Gibbon\Data\Validator;
 
 /**
  * Student Dashboard View Composer
@@ -210,6 +211,7 @@ protected function renderDashboard()
         $timetable = false;
         if (isActionAccessible($guid, $connection2, '/modules/Timetable/tt.php') and $this->session->get('username') != '' and getRoleCategory($this->session->get('gibbonRoleIDCurrent'), $connection2) == 'Student') {
             $apiEndpoint = (string)Url::fromHandlerRoute('index_tt_ajax.php');
+            $_POST = (new Validator(''))->sanitize($_POST);
             $jsonQuery = [
                 'gibbonTTID' => $_GET['gibbonTTID'] ?? '',
                 'ttDate' => $_POST['ttDate'] ?? '',
@@ -305,11 +307,9 @@ protected function renderDashboard()
             $return .= '</div>';
         }
 
-        $defaultTab = 0;
-        if (isset($_GET['tab'])) {
-            $defaultTab = $_GET['tab'];
-        }
-        else if (!is_null($studentDashboardDefaultTabCount)) {
+        $defaultTab = preg_replace('/[^0-9]/', '', $_GET['tab'] ?? 0);
+
+        if (!isset($_GET['tab']) && !is_null($studentDashboardDefaultTabCount)) {
             $defaultTab = $studentDashboardDefaultTabCount-1;
         }
         $return .= "<script type='text/javascript'>";