From 3f5f7c7c8a70774bdbd8e5ccf0d0c69422cebe44 Mon Sep 17 00:00:00 2001
From: Nikhil N <n.nikhil@vtiger.com>
Date: Wed, 29 Nov 2023 12:38:54 +0530
Subject: [PATCH] #security::XSS: In Dashboard Name

---
 languages/en_us/Vtiger.php              |  1 +
 modules/Vtiger/actions/DashBoardTab.php | 21 ++++++++++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/languages/en_us/Vtiger.php b/languages/en_us/Vtiger.php
index 02418eab4..ecb68bcbc 100644
--- a/languages/en_us/Vtiger.php
+++ b/languages/en_us/Vtiger.php
@@ -1393,6 +1393,7 @@ $languageStrings = array(
 	'LBL_RELATED_MODULES_PERMISSION_DENIED' => 'Related modules permission is denied',
 	'LBL_RECORD_PERMISSION_DENIED' => 'Record permissions denied',
 	'LBL_MASS_SELECT' => 'Mass Select',
+	'LBL_DASHBOARD_TAB_INVALID' => 'Invalid Tab Name ',
 );
 
 $jsLanguageStrings = array(
diff --git a/modules/Vtiger/actions/DashBoardTab.php b/modules/Vtiger/actions/DashBoardTab.php
index a67ed527c..b1a7153ab 100644
--- a/modules/Vtiger/actions/DashBoardTab.php
+++ b/modules/Vtiger/actions/DashBoardTab.php
@@ -42,21 +42,24 @@ class Vtiger_DashBoardTab_Action extends Vtiger_Action_Controller {
 	 */
 	function addTab(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
-		$tabName = $request->getRaw('tabName');
-
-		$dashBoardModel = Vtiger_DashBoard_Model::getInstance($moduleName);
-		$tabExist = $dashBoardModel->checkTabExist($tabName);
-		$tabLimitExceeded = $dashBoardModel->checkTabsLimitExceeded();
+		$tabName = vtlib_purify($request->getRaw('tabName'));
 		$response = new Vtiger_Response();
 		$response->setEmitType(Vtiger_Response::$EMIT_JSON);
+		if(!empty($tabName)) {
+			$dashBoardModel = Vtiger_DashBoard_Model::getInstance($moduleName);
+			$tabExist = $dashBoardModel->checkTabExist($tabName);
+			$tabLimitExceeded = $dashBoardModel->checkTabsLimitExceeded();
 
 		if ($tabLimitExceeded) {
 			$response->setError(100, vtranslate('LBL_TABS_LIMIT_EXCEEDED', $moduleName));
-		} else if ($tabExist) {
-			$response->setError(100, vtranslate('LBL_DASHBOARD_TAB_ALREADY_EXIST', $moduleName));
+			} else if ($tabExist) {
+					$response->setError(100, vtranslate('LBL_DASHBOARD_TAB_ALREADY_EXIST', $moduleName));
+			} else {
+					$tabData = $dashBoardModel->addTab($tabName);
+					$response->setResult($tabData);
+			}
 		} else {
-			$tabData = $dashBoardModel->addTab($tabName);
-			$response->setResult($tabData);
+			$response->setError(100, vtranslate('LBL_DASHBOARD_TAB_INVALID', $moduleName));
 		}
 		$response->emit();
 	}
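Review bot: The `!empty($tabName)` guard on the new line 39 rejects a tab literally named `"0"`, because PHP's `empty()` treats the string "0" as empty, and it also lets a whitespace-only name through; a strict check on the trimmed value avoids both: `$tabName = trim(vtlib_purify($request->getRaw('tabName')));` and `if ($tabName !== '') {`. Note that `vtlib_purify` filters the value on input only; whatever template later renders the tab name must still HTML-escape it for that context, which is not visible in this hunk. The nested `else if`/`else` branches at lines 48-53 are indented one level deeper than their enclosing `if`, which makes the two-level structure hard to follow; aligning them with the `if ($tabLimitExceeded) {` line would make the control flow readable.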
-- 
GitLab