xss: Dashboard period

JediKev · JediKev · commit 619ce0f620f0 · 2023-03-08T10:50:47.000-06:00
This mitigates a vulnerability reported by @indevi0us where XSS is
possible via the `period` parameter. This sanitizes the parameter values
before using them anywhere.
diff --git a/include/class.report.php b/include/class.report.php
@@ -23,14 +23,21 @@ static function getPermissions() {
 class OverviewReport {
     var $start;
     var $end;
+    static $end_choices = [
+        'now' => 'Up to today',
+        '+7 days' => 'One Week',
+        '+14 days' => 'Two Weeks',
+        '+1 month' => 'One Month',
+        '+3 months' => 'One Quarter'
+    ];
 
     var $format;
 
     function __construct($start, $end='now', $format=null) {
         global $cfg;
 
-        $this->start = $start;
-        $this->end = $end;
+        $this->start = Format::sanitize($start);
+        $this->end = array_key_exists($end, self::$end_choices) ? $end : 'now';
         $this->format = $format ?: $cfg->getDateFormat(true);
     }
 
diff --git a/include/staff/dashboard.inc.php b/include/staff/dashboard.inc.php
@@ -25,23 +25,10 @@
                     ?>" />
             </label>
             <label>
-                <?php echo __( 'period');?>:
+                <?php echo __('period');?>:
                 <select name="period">
-                    <option value="now" selected="selected">
-                        <?php echo __( 'Up to today');?>
-                    </option>
-                    <option value="+7 days">
-                        <?php echo __( 'One Week');?>
-                    </option>
-                    <option value="+14 days">
-                        <?php echo __( 'Two Weeks');?>
-                    </option>
-                    <option value="+1 month">
-                        <?php echo __( 'One Month');?>
-                    </option>
-                    <option value="+3 months">
-                        <?php echo __( 'One Quarter');?>
-                    </option>
+                    <?php foreach ($report::$end_choices as $val=>$desc)
+                            echo "<option value='$val'>" . __($desc) . "</option>"; ?>
                 </select>
             </label>
             <button class="green button action-button muted" type="submit">
