From 932a893d69fe3bfbc6a3a71d76e0acf1aba9fa11 Mon Sep 17 00:00:00 2001
From: infosave2007 <urevich55@gmail.com>
Date: Sat, 8 Nov 2025 13:56:11 +0300
Subject: [PATCH] feat: sanitize client name input to allow only letters,
 numbers, underscores, and dashes

---
 inc/VpnClient.php           |  4 ++++
 templates/servers/view.twig | 19 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/inc/VpnClient.php b/inc/VpnClient.php
index f2d5c61..bca4a9d 100644
--- a/inc/VpnClient.php
+++ b/inc/VpnClient.php
@@ -40,6 +40,10 @@ class VpnClient {
     public static function create(int $serverId, int $userId, string $name, ?int $expiresInDays = null): int {
         $pdo = DB::conn();
         
+        // Sanitize client name (replace spaces and special characters)
+        $name = trim($name);
+        $name = preg_replace('/[^a-zA-Z0-9_-]/', '_', $name);
+        
         // Get server data
         $server = new VpnServer($serverId);
         $serverData = $server->getData();
diff --git a/templates/servers/view.twig b/templates/servers/view.twig
index 63297aa..a95ba29 100644
--- a/templates/servers/view.twig
+++ b/templates/servers/view.twig
@@ -23,7 +23,10 @@
     <div class="bg-white rounded shadow p-6">
       <h3 class="font-bold mb-4">{{ t('clients.create') }}</h3>
       <form method="POST" action="/servers/{{ server.id }}/clients/create" class="space-y-3" id="createClientForm">
-        <input name="name" placeholder="{{ t('clients.name') }}" required class="w-full px-3 py-2 border rounded" id="clientName">
+        <div>
+          <input name="name" placeholder="{{ t('clients.name') }}" required class="w-full px-3 py-2 border rounded" id="clientName" pattern="[a-zA-Z0-9_-]+" title="Only letters, numbers, underscore and dash allowed">
+          <p class="text-xs text-gray-500 mt-1">Spaces and special characters will be replaced with underscore</p>
+        </div>
         <div>
           <label class="block text-sm text-gray-600 mb-1">{{ t('clients.expiration') }}</label>
           <select name="expires_in_days" class="w-full px-3 py-2 border rounded mb-2" id="expirationSelect" onchange="toggleExpirationInput()">
@@ -224,6 +227,20 @@ function toggleTrafficInput() {
 
 document.addEventListener('DOMContentLoaded', function() {
   const form = document.getElementById('createClientForm');
+  const clientNameInput = document.getElementById('clientName');
+  
+  // Auto-sanitize client name on input
+  if (clientNameInput) {
+    clientNameInput.addEventListener('input', function(e) {
+      // Replace spaces and special characters with underscore
+      let value = e.target.value;
+      let sanitized = value.replace(/[^a-zA-Z0-9_-]/g, '_');
+      if (value !== sanitized) {
+        e.target.value = sanitized;
+      }
+    });
+  }
+  
   if (form) {
     form.addEventListener('submit', function(e) {
       const btn = document.getElementById('createClientBtn');