XSS Vulnerability Patches and Security Enhancements for Dashboard1

dashboard/pgs/class.peer.php

@@ -10,13 +10,30 @@ class Peer {
    private $LastHeardTime;
    
    public function __construct($Callsign, $IP, $LinkedModule, $Protocol, $ConnectTime, $LastHeardTime) {
-      
-      $this->IP            = $IP;
-      $this->Protocol      = $Protocol;
-      $this->ConnectTime   = ParseTime($ConnectTime);
-      $this->LastHeardTime = ParseTime($LastHeardTime);
-      $this->Callsign      = trim($Callsign);      
-      $this->LinkedModule  = trim($LinkedModule);
+    
+    // Validate and sanitize IP
+    $IP = trim($IP);
+    $this->IP = filter_var($IP, FILTER_VALIDATE_IP) ? $IP : '0.0.0.0';
+    
+    // Validate protocol
+    $Protocol = trim($Protocol);
+    $allowed_protocols = ['DPlus', 'DExtra', 'DCS', 'DMR', 'YSF', 'DEXTRA', 'DPLUS'];
+    $this->Protocol = in_array($Protocol, $allowed_protocols, true) ? $Protocol : 'Unknown';
+    
+    $this->ConnectTime   = ParseTime($ConnectTime);
+    $this->LastHeardTime = ParseTime($LastHeardTime);
+    
+    // Sanitize and validate callsign
+    $Callsign = trim($Callsign);
+    if (preg_match('/^[A-Z0-9]{3,10}$/i', $Callsign)) {
+        $this->Callsign = strtoupper($Callsign);
+    } else {
+        $this->Callsign = 'INVALID';
+    }
+    
+    // Validate LinkedModule (single letter A-Z)
+    $LinkedModule = trim(strtoupper($LinkedModule));
+    $this->LinkedModule = preg_match('/^[A-Z]$/', $LinkedModule) ? $LinkedModule : '';
    }