From 98f430188c81fd011118cfcc8ab0c191956bff98 Mon Sep 17 00:00:00 2001
From: naielv <naielv@axia4.net>
Date: Wed, 18 Feb 2026 23:22:58 +0100
Subject: [PATCH] Enhance security and input sanitization across multiple files

- Added a new tools.security.php file containing functions for sanitizing filenames, paths, and user inputs to prevent directory traversal and XSS attacks.
- Updated various files to utilize the new sanitization functions (Sf, Si) for user inputs and file operations, ensuring safer handling of data.
- Improved HTML output safety by applying htmlspecialchars to user-generated content in pre-body.php, cal.php, and other relevant files.
- Refactored user authentication and data retrieval processes in tools.auth.php and _login.php to enhance security and maintainability.
- Ensured consistent use of sanitization functions in API endpoints and admin functionalities to mitigate potential security vulnerabilities.
---
 public_html/_incl/pre-body.php          |  4 +-
 public_html/_incl/tools.auth.php        | 17 +++--
 public_html/_incl/tools.security.php    | 82 +++++++++++++++++++++++
 public_html/_login.php                  |  9 +--
 public_html/club/cal.php                | 18 ++---
 public_html/club/edit_data.php          |  2 +-
 public_html/club/upload/index.php       | 10 +--
 public_html/entreaulas/api/comedor.php  |  6 +-
 public_html/entreaulas/aulario.php      |  4 +-
 public_html/entreaulas/comedor.php      |  4 +-
 public_html/entreaulas/diario.php       | 11 +--
 public_html/entreaulas/paneldiario.php  |  5 +-
 public_html/entreaulas/proyectos.php    | 89 +++++++++++++------------
 public_html/sysadmin/aularios.php       | 35 +++++-----
 public_html/sysadmin/centros.php        | 25 +++----
 public_html/sysadmin/reset_password.php |  4 +-
 public_html/sysadmin/users.php          |  6 +-
 17 files changed, 214 insertions(+), 117 deletions(-)
 create mode 100644 public_html/_incl/tools.security.php

diff --git a/public_html/_incl/pre-body.php b/public_html/_incl/pre-body.php
index 2f2b740..d7b6592 100755
--- a/public_html/_incl/pre-body.php
+++ b/public_html/_incl/pre-body.php
@@ -641,8 +641,8 @@ if (!empty($displayName)) {
               <?php } ?>
               <?php if (isset($_GET["_result"])) { ?>
                 <div class="card pad"
-                  style="padding: 10px; background-color: <?php echo $_GET["_resultcolor"] ?? 'lightgreen'; ?>; text-align: center;">
-                  <h3><?php echo $_GET["_result"]; ?></h3>
+                  style="padding: 10px; background-color: <?php echo Si($_GET["_resultcolor"] ?? 'lightgreen'); ?>; text-align: center;">
+                  <h3><?php echo htmlspecialchars($_GET["_result"]); ?></h3>
                 </div>
               <?php } ?>
               <!-- <div class="card pad" style="padding: 15px; background: #ffcc00; color: #000;">
diff --git a/public_html/_incl/tools.auth.php b/public_html/_incl/tools.auth.php
index d5d15b9..58977ec 100644
--- a/public_html/_incl/tools.auth.php
+++ b/public_html/_incl/tools.auth.php
@@ -1,5 +1,6 @@
 <?php
 require_once "tools.session.php";
+require_once "tools.security.php";
 if (!isset($AuthConfig)) {
     $AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
 }
@@ -7,7 +8,7 @@ $ua = $_SERVER['HTTP_USER_AGENT'];
 if (str_starts_with($ua, "Axia4Auth/")) {
     $username = explode("/", $ua)[1];
     $userpass = explode("/", $ua)[2];
-    $userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
+    $userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
     if (!$userdata) {
         header("HTTP/1.1 403 Forbidden");
         die();
@@ -29,7 +30,7 @@ if ($_SESSION["auth_ok"] != true && isset($_COOKIE["auth_user"]) && isset($_COOK
     $username = $_COOKIE["auth_user"];
     $userpass_b64 = $_COOKIE["auth_pass_b64"];
     $userpass = base64_decode($userpass_b64);
-    $userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
+    $userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
     if ($userdata && password_verify($userpass, $userdata["password_hash"])) {
         $_SESSION["auth_user"] = $username;
         $_SESSION["auth_data"] = $userdata;
@@ -41,7 +42,7 @@ if ($_SESSION["auth_ok"] != true && isset($_COOKIE["auth_user"]) && isset($_COOK
 if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth_user"])) {
     if (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "force") {
         $username = $_SESSION["auth_user"];
-        $userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
+        $userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
         $_SESSION["auth_data"] = $userdata;
         $_SESSION["last_reload_time"] = time();
     } elseif (isset($AuthConfig["session_load_mode"]) && $AuthConfig["session_load_mode"] === "never") {
@@ -51,7 +52,7 @@ if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth
             $last_reload = $_SESSION["last_reload_time"];
             if (time() - $last_reload > 300) {
                 $username = $_SESSION["auth_user"];
-                $userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
+                $userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($username) . ".json"), true);
                 $_SESSION["auth_data"] = $userdata;
                 $_SESSION["last_reload_time"] = time();
             }
@@ -62,9 +63,11 @@ if (isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] && isset($_SESSION["auth
 }
 
 
-function user_is_authenticated() {
+function user_is_authenticated()
+{
     return isset($_SESSION["auth_ok"]) && $_SESSION["auth_ok"] === true;
 }
-function user_has_permission($perm) {
+function user_has_permission($perm)
+{
     return in_array($perm, $_SESSION["auth_data"]["permissions"] ?? []);
-}
\ No newline at end of file
+}
diff --git a/public_html/_incl/tools.security.php b/public_html/_incl/tools.security.php
new file mode 100644
index 0000000..3b0a3c5
--- /dev/null
+++ b/public_html/_incl/tools.security.php
@@ -0,0 +1,82 @@
+<?php
+
+function Sf($filename) {
+    /**
+     * Sanitize a filename by removing any path information, null bytes, and replacing any characters that are not alphanumeric, dot, hyphen, or underscore with an underscore.
+     * 
+     * This function is designed to prevent directory traversal attacks and ensure that the filename is safe to use in file operations.
+     * 
+     * @param string $filename The input filename to sanitize.
+     * @return string The sanitized filename.
+     */
+    // Remove any path information and null bytes
+    $filename = realpath($filename);
+    if ($filename === false) {
+        $filename = "";
+    }
+    $filename = str_replace("\0", "", $filename);
+    // Replace any characters that are not alphanumeric, dot, hyphen, or underscore with an underscore
+    $filename = preg_replace("/[^a-zA-Z0-9._-]/", "_", $filename);
+    return $filename;
+}
+
+function Sp($path) {
+    /**
+     * Sanitize a file path by removing any null bytes, normalizing directory separators, and preventing directory traversal.
+     * 
+     * This function is designed to ensure that the file path is safe to use in file operations and does not allow for directory traversal attacks.
+     * 
+     * @param string $path The input file path to sanitize.
+     * @return string The sanitized file path.
+     */
+    // Remove any null bytes
+    $path = str_replace("\0", "", $path);
+    // Normalize directory separators
+    $path = str_replace(["/", "\\"], DIRECTORY_SEPARATOR, $path);
+    // Remove any instances of ".." to prevent directory traversal
+    $path = str_replace("..", "", $path);
+    // Remove any leading directory separators
+    $path = ltrim($path, DIRECTORY_SEPARATOR);
+    return $path;
+}
+
+function Si($input) {
+    /**
+     * Sanitize a string input by removing null bytes, trimming whitespace, and converting special characters to HTML entities.
+     * 
+     * This function is designed to prevent XSS attacks and ensure that the input string is safe to use in HTML contexts.
+     * 
+     * @param string $input The input string to sanitize.
+     * @return string The sanitized string.
+     */
+    // Remove any null bytes
+    $input = str_replace("\0", "", $input);
+    // Trim whitespace from the beginning and end of the input
+    $input = trim($input);
+    // Convert special characters to HTML entities to prevent XSS
+    $input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
+    return $input;
+}
+
+function Sb($input) {
+    /**
+     * Sanitize a boolean input by converting it to a boolean value.
+     * 
+     * This function is designed to ensure that the input is treated as a boolean value, which can be useful for configuration settings or form inputs.
+     * 
+     * @param mixed $input The input value to sanitize.
+     * @return bool The sanitized boolean value.
+     */
+    if (is_bool($input)) {
+        return $input;
+    }
+    if (is_string($input)) {
+        $input = strtolower($input);
+        if (in_array($input, ["true", "1", "yes", "on"])) {
+            return true;
+        } elseif (in_array($input, ["false", "0", "no", "off"])) {
+            return false;
+        }
+    }
+    return (bool)$input;
+}
diff --git a/public_html/_login.php b/public_html/_login.php
index edf6208..ca6b678 100755
--- a/public_html/_login.php
+++ b/public_html/_login.php
@@ -1,12 +1,13 @@
 <?php
-session_start();
+require_once "_incl/tools.session.php";
+require_once "_incl/tools.security.php";
 if (!isset($AuthConfig)) {
     $AuthConfig = json_decode(file_get_contents("/DATA/AuthConfig.json"), true);
 }
 $DOMAIN = $_SERVER["HTTP_X_FORWARDED_HOST"] ?? $_SERVER["HTTP_HOST"];
 if ($_GET["reload_user"] == "1") {
     $user = str_replace("@", "__", $_SESSION["auth_user"]);
-    $userdata = json_decode(file_get_contents("/DATA/Usuarios/$user.json"), true);
+    $userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($user) . ".json"), true);
     $_SESSION['auth_data'] = $userdata;
     $redir = $_GET["redir"] ?? "/";
     header("Location: $redir");
@@ -55,7 +56,7 @@ if ($_GET["google_callback"] == "1") {
     
     $email = $user_info["email"];
     $name = $user_info["name"] ?? explode("@", $email)[0];
-    $userfile = "/DATA/Usuarios/" . strtolower(str_replace("@", "__", $email)) . ".json";
+    $userfile = "/DATA/Usuarios/" . Sf(strtolower(str_replace("@", "__", $email))) . ".json";
     $password = bin2hex(random_bytes(16)); // Generar una contraseña aleatoria para el usuario, aunque no se usará para iniciar sesión
     if (file_exists($userfile)) {
         $userdata = json_decode(file_get_contents($userfile), true);
@@ -123,7 +124,7 @@ if (isset($_POST["user"])) {
     $valid = "";
     $user = trim(strtolower($_POST["user"]));
     $password = $_POST["password"];
-    $userdata = json_decode(file_get_contents("/DATA/Usuarios/$user.json"), true);
+    $userdata = json_decode(file_get_contents("/DATA/Usuarios/" . Sf($user) . ".json"), true);
     if (!isset($userdata["password_hash"])) {
         $_GET["_result"] = "El usuario no existe.";
     }
diff --git a/public_html/club/cal.php b/public_html/club/cal.php
index d6d7bbe..97ba209 100755
--- a/public_html/club/cal.php
+++ b/public_html/club/cal.php
@@ -1,6 +1,8 @@
 <?php
+require_once "../_incl/tools.session.php";
+require_once "../_incl/tools.security.php";
 ini_set("display_errors", 0);
-$file = str_replace('/', '_', $_GET["f"]);
+$file = Sf($_GET["f"]);
 $date = implode("/", array_reverse(explode("-", $file)));
 $val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
 
@@ -15,10 +17,10 @@ require_once "../_incl/pre-body.php"; ?>
     <h1><?php echo $date; ?> - <?php echo $val["title"] ?: "Por definir"; ?></h1>
     <span>
         <a href="/club/" class="btn btn-secondary">Volver a Inicio</a>
-        <a href="/club/edit_data.php?f=<?php echo $file; ?>" class="btn btn-secondary">Cambiar datos</a>
-        <a href="/club/upload/index.php?f=<?php echo $file; ?>" class="btn btn-primary">Subir fotos</a>
+        <a href="/club/edit_data.php?f=<?php echo htmlspecialchars($file); ?>" class="btn btn-secondary">Cambiar datos</a>
+        <a href="/club/upload/index.php?f=<?php echo htmlspecialchars($file); ?>" class="btn btn-primary">Subir fotos</a>
         <?php if (isset($val["mapa"]["url"]) and $val["mapa"]["url"] != ""): ?>
-            <a class="btn btn-secondary" href="<?php echo $val["mapa"]["url"]; ?>" target="_blank">Abrir ruta interactiva</a>
+            <a class="btn btn-secondary" href="<?php echo htmlspecialchars($val["mapa"]["url"]); ?>" target="_blank">Abrir ruta interactiva</a>
         <?php endif; ?>
     </span>
 
@@ -44,14 +46,14 @@ require_once "../_incl/pre-body.php"; ?>
                 } ?>
                 <div style="width: 240px; display: inline-block; margin-bottom: 10px; border: 3px solid black; border-radius: 6.5px; box-sizing: content-box;"
                     class="grid-item">
-                    <?php $dl_url = "foto_dl.php?f=$file/$pname/" . str_replace($persona, "", $foto); ?>
+                    <?php $dl_url = "foto_dl.php?f=" . urlencode("$file/$pname/" . str_replace($persona, "", $foto)); ?>
                     <img class="stack" width="240px" loading="lazy" src="<?php echo $dl_url; ?>&thumbnail=1"
-                        alt="Foto de <?php echo $pname . " - " . str_replace($persona, "", $foto); ?>">
+                        alt="Foto de <?php echo htmlspecialchars($pname . " - " . str_replace($persona, "", $foto)); ?>">
                     <div style="padding: 5px; text-align: center;">
-                        Subido por <?php echo $pname; ?><br>
+                        Subido por <?php echo htmlspecialchars($pname); ?><br>
                         <a href="<?php echo $dl_url; ?>" target="_blank" class="btn btn-secondary">Abrir</a>
                         <a href="<?php echo $dl_url; ?>"
-                            download="<?php echo "CLUB-NK5-$file-$pname-" . str_replace($persona, "", $foto); ?>"
+                            download="<?php echo "CLUB-" . htmlspecialchars($file) . "-" . htmlspecialchars($pname) . "-" . htmlspecialchars(str_replace($persona, "", $foto)); ?>"
                             class="btn btn-secondary">Descargar</a>
                     </div>
                 </div>
diff --git a/public_html/club/edit_data.php b/public_html/club/edit_data.php
index bcb3884..1a7a9bc 100755
--- a/public_html/club/edit_data.php
+++ b/public_html/club/edit_data.php
@@ -1,6 +1,6 @@
 <?php
 ini_set("display_errors", 0);
-$file = str_replace('/', '_', $_GET["f"]);
+$file = Sf($_GET["f"]);
 $date = implode("/", array_reverse(explode("-", $file)));
 $val = json_decode(file_get_contents("/DATA/club/IMG/$file/data.json"), true);
 $config = json_decode(file_get_contents("/DATA/club/config.json"), true);
diff --git a/public_html/club/upload/index.php b/public_html/club/upload/index.php
index 25030fc..dd0cc8a 100755
--- a/public_html/club/upload/index.php
+++ b/public_html/club/upload/index.php
@@ -2,21 +2,23 @@
 $APP_CODE = "club";
 $APP_NAME = "La web del Club<sup>3</sup>";
 $APP_TITLE = "La web del Club";
-require_once "../../_incl/pre-body.php"; ?>
+require_once "../../_incl/pre-body.php";
+require_once "../../_incl/tools.security.php";
+?>
 <div class="card pad">
     <h1>Subir fotos</h1>
     <form action="form.php" method="get">
         <div class="mb-3">
             <label for="n" class="form-label"><b>Tu nombre:</b></label>
-            <input required type="text" id="n" name="n" class="form-control" value="<?php echo $_GET["n"] ?: "";?>" placeholder="Nombre...">
+            <input required type="text" id="n" name="n" class="form-control" value="<?php echo htmlspecialchars($_GET["n"] ?? "");?>" placeholder="Nombre...">
         </div>
         <div class="mb-3">
             <label for="f" class="form-label"><b>Fecha:</b></label>
-            <input required type="date" id="f" name="f" class="form-control" value="<?php echo $_GET["f"] ?: "";?>" placeholder="Fecha...">
+            <input required type="date" id="f" name="f" class="form-control" value="<?php echo htmlspecialchars($_GET["f"] ?? "");?>" placeholder="Fecha...">
         </div>
         <div class="mb-3">
             <label for="p" class="form-label"><b>La contraseña:</b></label>
-            <input required type="text" id="p" name="p" class="form-control" value="" placeholder="Contraseña...">
+            <input required type="text" id="p" name="p" class="form-control" value="<?php echo htmlspecialchars($_GET["p"] ?? "");?>" placeholder="Contraseña...">
         </div>
         <button type="submit" class="btn btn-primary">Continuar...</button>
     </form>
diff --git a/public_html/entreaulas/api/comedor.php b/public_html/entreaulas/api/comedor.php
index b8aba87..6634234 100644
--- a/public_html/entreaulas/api/comedor.php
+++ b/public_html/entreaulas/api/comedor.php
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/json; charset=utf-8");
-
+require_once __DIR__ . "/../_incl/tools.security.php";
 require_once __DIR__ . "/../_incl/auth_redir.php";
 
 // Check permissions
@@ -16,7 +16,7 @@ if ($centro_id === "") {
 }
 
 $action = $_GET["action"] ?? ($_POST["action"] ?? "");
-$aulario_id = $_GET["aulario"] ?? $_POST["aulario"] ?? "";
+$aulario_id = Sf($_GET["aulario"] ?? $_POST["aulario"] ?? "");
 
 // Validate aulario_id
 if ($aulario_id === "") {
@@ -41,7 +41,7 @@ if ($aulario && !empty($aulario["shared_comedor_from"])) {
     $shared_from = $aulario["shared_comedor_from"];
     $shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
     if (file_exists($shared_aulario_path)) {
-        $source_aulario_id = $shared_from;
+        $source_aulario_id = Sf($shared_from);
         $is_shared = true;
     }
 }
diff --git a/public_html/entreaulas/aulario.php b/public_html/entreaulas/aulario.php
index 1d502bc..238acd4 100644
--- a/public_html/entreaulas/aulario.php
+++ b/public_html/entreaulas/aulario.php
@@ -1,7 +1,9 @@
 <?php
 require_once "_incl/auth_redir.php";
 require_once "_incl/pre-body.php";
-$aulario_id = $_GET["id"];
+require_once "_incl/tools.security.php";
+
+$aulario_id = Sf($_GET["id"]);
 $centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"];
 $aulario = json_decode(file_get_contents("/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json"), true);
 ?>
diff --git a/public_html/entreaulas/comedor.php b/public_html/entreaulas/comedor.php
index 0988fb6..bc6e56d 100644
--- a/public_html/entreaulas/comedor.php
+++ b/public_html/entreaulas/comedor.php
@@ -5,7 +5,7 @@ if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
     die("Access denied");
 }
 
-$aulario_id = $_GET["aulario"] ?? "";
+$aulario_id = Sf($_GET["aulario"] ?? "");
 $centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
 
 if ($aulario_id === "" || $centro_id === "") {
@@ -30,7 +30,7 @@ if ($aulario && !empty($aulario["shared_comedor_from"])) {
 	$shared_from = $aulario["shared_comedor_from"];
 	$shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
 	if (file_exists($shared_aulario_path)) {
-		$source_aulario_id = $shared_from;
+		$source_aulario_id = Sf($shared_from);
 		$source_aulario_name = file_exists($shared_aulario_path) ? json_decode(file_get_contents($shared_aulario_path), true)["name"] ?? $shared_from : $shared_from;
 		$is_shared = true;
 	}
diff --git a/public_html/entreaulas/diario.php b/public_html/entreaulas/diario.php
index f0dd7b9..7c941e8 100644
--- a/public_html/entreaulas/diario.php
+++ b/public_html/entreaulas/diario.php
@@ -1,5 +1,6 @@
 <?php
 require_once "_incl/auth_redir.php";
+require_once "_incl/tools.security.php";
 
 // Check if user has docente permission
 if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])) {
@@ -7,9 +8,9 @@ if (!in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? [])
     die("Acceso denegado");
 }
 
-$aulario_id = $_GET["aulario"] ?? "";
-$centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
-$alumno = $_GET["alumno"] ?? "";
+$aulario_id = Sf($_GET["aulario"] ?? "");
+$centro_id = Sf($_SESSION["auth_data"]["entreaulas"]["centro"] ?? "");
+$alumno = Sf($_GET["alumno"] ?? "");
 
 if (empty($aulario_id) || empty($centro_id)) {
     require_once "_incl/pre-body.php";
@@ -213,8 +214,8 @@ require_once "_incl/pre-body.php";
 
 <?php
 // Show specific diary entry if requested
-$type = $_GET["type"] ?? "Panel";
-$date = $_GET["date"] ?? date("Y-m-d");
+$type = Sf($_GET["type"] ?? "");
+$date = Sf($_GET["date"] ?? date("Y-m-d"));
 
 if (!empty($type) && !empty($date)) {
     $date = preg_replace('/[^0-9-]/', '', $date); // Sanitize date
diff --git a/public_html/entreaulas/paneldiario.php b/public_html/entreaulas/paneldiario.php
index 6fd45e4..8d16bad 100755
--- a/public_html/entreaulas/paneldiario.php
+++ b/public_html/entreaulas/paneldiario.php
@@ -1,5 +1,6 @@
 <?php
 require_once "_incl/auth_redir.php";
+require_once "_incl/tools.security.php";
 ini_set("display_errors", "0");
 // Funciones auxiliares para el diario
 function getDiarioPath($alumno, $centro_id, $aulario_id) {
@@ -749,7 +750,7 @@ switch ($_GET["action"]) {
     break;
   case "menu":
     // Menú del comedor (nuevo sistema, vista simplificada)
-    $aulario_id = $_GET["aulario"] ?? "";
+    $aulario_id = Sf($_GET["aulario"] ?? '');
     $centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
 
     $source_aulario_id = $aulario_id;
@@ -758,7 +759,7 @@ switch ($_GET["action"]) {
       $aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
       $aulario = file_exists($aulario_path) ? json_decode(file_get_contents($aulario_path), true) : null;
       if ($aulario && !empty($aulario["shared_comedor_from"])) {
-        $shared_from = $aulario["shared_comedor_from"];
+        $shared_from = Sf($aulario["shared_comedor_from"]);
         $shared_aulario_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$shared_from.json";
         if (file_exists($shared_aulario_path)) {
           $source_aulario_id = $shared_from;
diff --git a/public_html/entreaulas/proyectos.php b/public_html/entreaulas/proyectos.php
index 1f458c3..bede5b9 100644
--- a/public_html/entreaulas/proyectos.php
+++ b/public_html/entreaulas/proyectos.php
@@ -1,12 +1,13 @@
 <?php
 require_once "_incl/auth_redir.php";
+require_once "_incl/tools.security.php";
+
 if (in_array("entreaulas:docente", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
   header("HTTP/1.1 403 Forbidden");
   die("Access denied");
 }
 
-
-$aulario_id = $_GET["aulario"] ?? "";
+$aulario_id = Sf($_GET["aulario"] ?? "");
 $centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
 
 if ($aulario_id === "" || $centro_id === "") {
@@ -406,8 +407,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
   }
 
   if ($action === "share_project") {
-    $project_id = $_POST["project_id"] ?? "";
-    $target_aulario = $_POST["target_aulario"] ?? "";
+    $project_id = Sf($_POST["project_id"] ?? "");
+    $target_aulario = Sf($_POST["target_aulario"] ?? "");
 
     if ($project_id !== "" && $target_aulario !== "" && $target_aulario !== $aulario_id) {
       // Only allow sharing local projects
@@ -457,7 +458,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
     if (in_array("entreaulas:proyectos:delete", $_SESSION["auth_data"]["permissions"] ?? []) === false) {
       $error = "No tienes permisos para borrar proyectos.";
     } else {
-      $project_id = $_POST["project_id"] ?? "";
+      $project_id = Sf($_POST["project_id"] ?? "");
       if ($project_id !== "") {
         $project = load_project($proyectos_dir, $project_id);
         $project_dir = find_project_path($proyectos_dir, $project_id);
@@ -483,7 +484,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
   }
 
   if ($action === "edit_project") {
-    $project_id = $_POST["project_id"] ?? "";
+    $project_id = Sf($_POST["project_id"] ?? "");
     $name = trim($_POST["name"] ?? "");
     $description = sanitize_html($_POST["description"] ?? "");
 
@@ -504,15 +505,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
   }
 
   if ($action === "add_item") {
-    $project_id = $_POST["project_id"] ?? "";
-    $item_type = $_POST["item_type"] ?? "link";
-    $item_name = trim($_POST["item_name"] ?? "");
-    $item_url = trim($_POST["item_url"] ?? "");
-    $item_content = sanitize_html($_POST["item_content"] ?? "");
-    $videocall_platform = $_POST["videocall_platform"] ?? "jitsi";
-    $videocall_room = trim($_POST["videocall_room"] ?? "");
-    $videocall_url = trim($_POST["videocall_url"] ?? "");
-    $source_aulario_param = $_POST["source_aulario"] ?? "";
+    $project_id = Sf($_POST["project_id"] ?? "");
+    $item_type = Sf($_POST["item_type"] ?? "link");
+    $item_name = trim(Sf($_POST["item_name"] ?? ""));
+    $item_url = trim(Sf($_POST["item_url"] ?? ""));
+    $item_content = sanitize_html(Sf($_POST["item_content"] ?? ""));
+    $videocall_platform = Sf($_POST["videocall_platform"] ?? "jitsi");
+    $videocall_room = trim(Sf($_POST["videocall_room"] ?? ""));
+    $videocall_url = trim(Sf($_POST["videocall_url"] ?? ""));
+    $source_aulario_param = Sf($_POST["source_aulario"] ?? "");
 
     // Determine which directory to use and permission level
     $working_dir = $proyectos_dir;
@@ -524,10 +525,10 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
       // Validate the link
       $linked_projects = $aulario["linked_projects"] ?? [];
       foreach ($linked_projects as $link) {
-        if (($link["source_aulario"] ?? "") === $source_aulario_param &&
-          ($link["project_id"] ?? "") === $project_id
+        if ((Sf($link["source_aulario"] ?? "") === $source_aulario_param) &&
+          (Sf($link["project_id"] ?? "") === $project_id)
         ) {
-          $permission = $link["permission"] ?? "read_only";
+          $permission = Sf($link["permission"] ?? "read_only");
           if ($permission === "full_edit") {
             $working_dir = $proyectos_dir;
           } elseif ($permission === "request_edit") {
@@ -722,8 +723,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
   }
 
   if ($action === "approve_change" || $action === "reject_change") {
-    $change_id = $_POST["change_id"] ?? "";
-    $project_id = $_POST["project_id"] ?? "";
+    $change_id = Sf($_POST["change_id"] ?? "");
+    $project_id = Sf($_POST["project_id"] ?? "");
 
     if (!empty($change_id) && !empty($project_id)) {
       $project_dir = find_project_path($proyectos_dir, $project_id);
@@ -786,15 +787,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                   }
 
                   if (in_array(($item["type"] ?? ""), ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
-                    $pending_file = "$pending_dir/" . $change_data["pending_filename"];
-                    $target_file = "$project_dir/" . $change_data["pending_filename"];
+                    $pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
+                    $target_file = "$project_dir/" . Sf($change_data["pending_filename"]);
                     if (file_exists($pending_file)) {
                       if (!is_dir($project_dir)) {
                         mkdir($project_dir, 0755, true);
                       }
                       rename($pending_file, $target_file);
                       if (!empty($item["filename"])) {
-                        $old_path = "$project_dir/" . $item["filename"];
+                        $old_path = "$project_dir/" . Sf($item["filename"]);
                         if (file_exists($old_path)) {
                           unlink($old_path);
                           if (file_exists($old_path . ".eadat")) {
@@ -802,8 +803,8 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                           }
                         }
                       }
-                      $item["filename"] = $change_data["pending_filename"];
-                      $item["original_name"] = $change_data["original_filename"] ?? $change_data["pending_filename"];
+                      $item["filename"] = Sf($change_data["pending_filename"]);
+                      $item["original_name"] = Sf($change_data["original_filename"] ?? $change_data["pending_filename"]);
 
                       $file_meta = [
                         "id" => $item_id,
@@ -851,21 +852,21 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
                 $item["room"] = $change_data["item_room"] ?? "";
               } elseif (in_array($change_data["item_type"], ["file", "pdf_secure"], true) && !empty($change_data["pending_filename"])) {
                 // Move file from pending to project directory
-                $pending_file = "$pending_dir/" . $change_data["pending_filename"];
-                $target_file = "$project_dir/" . $change_data["pending_filename"];
+                $pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
+                $target_file = "$project_dir/" . Sf($change_data["pending_filename"]);
 
                 if (file_exists($pending_file)) {
                   if (!is_dir($project_dir)) {
                     mkdir($project_dir, 0755, true);
                   }
                   rename($pending_file, $target_file);
-                  $item["filename"] = $change_data["pending_filename"];
-                  $item["original_name"] = $change_data["original_filename"] ?? $change_data["pending_filename"];
+                  $item["filename"] = Sf($change_data["pending_filename"]);
+                  $item["original_name"] = Sf($change_data["original_filename"] ?? $change_data["pending_filename"]);
 
                   $file_meta = [
                     "id" => $item_id,
-                    "name" => $change_data["item_name"],
-                    "type" => $change_data["item_type"],
+                    "name" => Sf($change_data["item_name"]),
+                    "type" => Sf($change_data["item_type"]),
                     "original_name" => $item["original_name"],
                     "created_at" => $item["created_at"]
                   ];
@@ -886,7 +887,7 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
         } else {
           // Reject - just delete pending file if exists
           if (!empty($change_data["pending_filename"])) {
-            $pending_file = "$pending_dir/" . $change_data["pending_filename"];
+            $pending_file = "$pending_dir/" . Sf($change_data["pending_filename"]);
             if (file_exists($pending_file)) {
               unlink($pending_file);
             }
@@ -901,9 +902,9 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
   }
 
   if ($action === "delete_item") {
-    $project_id = $_POST["project_id"] ?? "";
-    $item_id = $_POST["item_id"] ?? "";
-    $source_aulario_param = $_POST["source_aulario"] ?? "";
+    $project_id = Sf($_POST["project_id"] ?? "");
+    $item_id = Sf($_POST["item_id"] ?? "");
+    $source_aulario_param = Sf($_POST["source_aulario"] ?? "");
 
     // Determine which directory to use based on whether this is a linked project
     $working_dir = $proyectos_dir;
@@ -1010,15 +1011,15 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
   }
 
   if ($action === "edit_item") {
-    $project_id = $_POST["project_id"] ?? "";
-    $item_id = $_POST["item_id"] ?? "";
-    $item_name = trim($_POST["item_name"] ?? "");
-    $item_url = trim($_POST["item_url"] ?? "");
-    $item_content = sanitize_html($_POST["item_content"] ?? "");
-    $videocall_platform = $_POST["edit_videocall_platform"] ?? "jitsi";
-    $videocall_room = trim($_POST["edit_videocall_room"] ?? "");
-    $videocall_url = trim($_POST["edit_videocall_url"] ?? "");
-    $source_aulario_param = $_POST["source_aulario"] ?? "";
+    $project_id = Sf($_POST["project_id"] ?? "");
+    $item_id = Sf($_POST["item_id"] ?? "");
+    $item_name = Sf(trim($_POST["item_name"] ?? ""));
+    $item_url = Sf(trim($_POST["item_url"] ?? ""));
+    $item_content = Sf(sanitize_html($_POST["item_content"] ?? ""));
+    $videocall_platform = Sf($_POST["edit_videocall_platform"] ?? "jitsi");
+    $videocall_room = Sf(trim($_POST["edit_videocall_room"] ?? ""));
+    $videocall_url = Sf(trim($_POST["edit_videocall_url"] ?? ""));
+    $source_aulario_param = Sf($_POST["source_aulario"] ?? "");
 
     $working_dir = $proyectos_dir;
     $permission = "full_edit";
diff --git a/public_html/sysadmin/aularios.php b/public_html/sysadmin/aularios.php
index 94f340c..a8361a1 100644
--- a/public_html/sysadmin/aularios.php
+++ b/public_html/sysadmin/aularios.php
@@ -1,9 +1,10 @@
 <?php
 require_once "_incl/auth_redir.php";
+require_once "_incl/tools.security.php";
 switch ($_GET["form"]) {
     case "delete":
-        $aulario_id = $_POST["aulario_id"];
-        $centro_id = $_POST["centro_id"];
+        $aulario_id = Sf($_POST["aulario_id"] ?? "");
+        $centro_id = Sf($_POST["centro_id"] ?? "");
         $aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
         if (!file_exists($aulario_file)) {
             die("Aulario no encontrado.");
@@ -34,14 +35,14 @@ switch ($_GET["form"]) {
         break;
     case "create":
         $user_data = $_SESSION["auth_data"];
-        $centro_id = $_POST["centro"];
+        $centro_id = Sf($_POST["centro"] ?? "");
         if (empty($centro_id) || !is_dir("/DATA/entreaulas/Centros/$centro_id")) {
             die("Centro no válido.");
         }
-        $aulario_id = strtolower(preg_replace("/[^a-zA-Z0-9_-]/", "_", $_POST["name"]));
+        $aulario_id = strtolower(preg_replace("/[^a-zA-Z0-9_-]/", "_", Sf($_POST["name"] ?? "")));
         $aulario_data = [
-            "name" => $_POST["name"],
-            "icon" => $_POST["icon"] ?? "/static/logo-entreaulas.png"
+            "name" => Sf($_POST["name"] ?? ""),
+            "icon" => Sf($_POST["icon"] ?? "/static/logo-entreaulas.png")
         ];
         // Make path recursive (mkdir -p equivalent)
         @mkdir("/DATA/entreaulas/Centros/$centro_id/Aularios/", 0777, true);
@@ -53,18 +54,18 @@ switch ($_GET["form"]) {
         exit();
         break;
     case "save_edit":
-        $aulario_id = $_POST["aulario_id"];
-        $centro_id = $_POST["centro_id"];
+        $aulario_id = Sf($_POST["aulario_id"] ?? "");
+        $centro_id = Sf($_POST["centro_id"] ?? "");
         $aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
         if (!file_exists($aulario_file)) {
             die("Aulario no encontrado.");
         }
         $aulario_data = json_decode(file_get_contents($aulario_file), true);
-        $aulario_data["name"] = $_POST["name"];
-        $aulario_data["icon"] = $_POST["icon"];
+        $aulario_data["name"] = Sf($_POST["name"] ?? "");
+        $aulario_data["icon"] = Sf($_POST["icon"] ?? "/static/logo-entreaulas.png");
         
         // Handle shared comedor configuration
-        $share_comedor_from = $_POST["share_comedor_from"] ?? "";
+        $share_comedor_from = Sf($_POST["share_comedor_from"] ?? "");
         
         if (!empty($share_comedor_from) && $share_comedor_from !== "none") {
             $aulario_data["shared_comedor_from"] = $share_comedor_from;
@@ -74,9 +75,9 @@ switch ($_GET["form"]) {
         
         // Handle linked projects configuration
         $linked_projects = [];
-        $linked_aularios = $_POST["linked_aulario"] ?? [];
-        $linked_project_ids = $_POST["linked_project_id"] ?? [];
-        $linked_permissions = $_POST["linked_permission"] ?? [];
+        $linked_aularios = Sf($_POST["linked_aulario"] ?? []);
+        $linked_project_ids = Sf($_POST["linked_project_id"] ?? []);
+        $linked_permissions = Sf($_POST["linked_permission"] ?? []);
         
         for ($i = 0; $i < count($linked_aularios); $i++) {
             if (!empty($linked_aularios[$i]) && !empty($linked_project_ids[$i])) {
@@ -140,8 +141,8 @@ switch ($_GET["action"]) {
 <?php
         break;
     case "edit":
-        $aulario_id = $_GET["aulario"];
-        $centro_id = $_GET["centro"];
+        $aulario_id = Sf($_GET["aulario"] ?? "");
+        $centro_id = Sf($_GET["centro"] ?? "");
         $aulario_file = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id.json";
         if (!file_exists($aulario_file)) {
             die("Aulario no encontrado.");
@@ -384,7 +385,7 @@ switch ($_GET["action"]) {
             <tbody>
                 <?php
                 $user_data = $_SESSION["auth_data"];
-                $centro_filter = $_GET['centro'] ?? "*";
+                $centro_filter = Sf($_GET['centro'] ?? "*");
                 $aulas_filelist = glob("/DATA/entreaulas/Centros/$centro_filter/Aularios/*.json");
                 foreach ($aulas_filelist as $aula_file) {
                     $aula_data = json_decode(file_get_contents($aula_file), true);
diff --git a/public_html/sysadmin/centros.php b/public_html/sysadmin/centros.php
index 4dbbd96..191190f 100644
--- a/public_html/sysadmin/centros.php
+++ b/public_html/sysadmin/centros.php
@@ -1,8 +1,9 @@
 <?php
 require_once "_incl/auth_redir.php";
+require_once "_incl/tools.security.php";
 switch ($_GET["form"]) {
     case "create":
-        $centro_id = $_POST["name"];
+        $centro_id = Sf($_POST["name"] ?? "");
         if (empty($centro_id)) {
             die("Nombre del centro no proporcionado.");
         }
@@ -19,12 +20,12 @@ switch ($_GET["form"]) {
         ini_set("display_errors", 1);
         ini_set('upload_max_filesize', '256M');
         ini_set('post_max_size', '256M');
-        $centro_id = $_GET['centro'] ?? '';
+        $centro_id = Sf($_GET['centro'] ?? '');
         $centro_path = "/DATA/entreaulas/Centros/$centro_id";
         if (!is_dir($centro_path)) {
             die("Centro no válido.");
         }
-        $activity_name = $_POST["name"] ?? '';
+        $activity_name = Sf($_POST["name"] ?? '');
         if (empty($activity_name)) {
             die("Nombre de la actividad no proporcionado.");
         }
@@ -47,8 +48,8 @@ switch ($_GET["form"]) {
         ini_set("display_errors", 1);
         ini_set('upload_max_filesize', '256M');
         ini_set('post_max_size', '256M');
-        $centro_id = $_GET['centro'] ?? '';
-        $activity_name = $_GET['activity'] ?? '';
+        $centro_id = Sf($_GET['centro'] ?? '');
+        $activity_name = Sf($_GET['activity'] ?? '');
         $activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
         if (!is_dir($activity_path)) {
             die("Actividad no válida.");
@@ -58,8 +59,8 @@ switch ($_GET["form"]) {
             $photo_path = "$activity_path/photo.jpg";
             move_uploaded_file($activity_photo["tmp_name"], $photo_path);
         }
-        if ($_POST['nombre'] != $_GET['activity']) {
-            $new_activity_name = $_POST['nombre'];
+        if (Sf($_POST['nombre'] ?? '') != $activity_name) {
+            $new_activity_name = Sf($_POST['nombre'] ?? '');
             $new_activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$new_activity_name";
             if (is_dir($new_activity_path)) {
                 die("Ya existe una actividad con ese nombre.");
@@ -74,8 +75,8 @@ switch ($_GET["form"]) {
 require_once "_incl/pre-body.php"; 
 switch ($_GET["action"]) {
     case "edit_activity":
-        $centro_id = $_GET['centro'] ?? '';
-        $activity_name = $_GET['activity'] ?? '';
+        $centro_id = Sf($_GET['centro'] ?? '');
+        $activity_name = Sf($_GET['activity'] ?? '');
         $activity_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/$activity_name";
         if (!is_dir($activity_path)) {
             die("Actividad no válida.");
@@ -111,7 +112,7 @@ switch ($_GET["action"]) {
 <?php
         break;
     case "new_activity":
-        $centro_id = $_GET['centro'] ?? '';
+        $centro_id = Sf($_GET['centro'] ?? '');
         $centro_path = "/DATA/entreaulas/Centros/$centro_id";
         if (!is_dir($centro_path)) {
             die("Centro no válido.");
@@ -159,7 +160,7 @@ switch ($_GET["action"]) {
 <?php
         break;
     case "edit":
-        $centro_id = $_GET['centro'] ?? '';
+        $centro_id = Sf($_GET['centro'] ?? '');
         $centro_path = "/DATA/entreaulas/Centros/$centro_id";
         if (!is_dir($centro_path)) {
             die("Centro no válido.");
@@ -221,7 +222,7 @@ switch ($_GET["action"]) {
                 foreach ($activities as $activity_path) {
                     $activity_name = basename($activity_path);
                     $image_path = "/DATA/entreaulas/Centros/$centro_id/Panel/Actividades/" . basename($activity_name) . "/photo.jpg";
-                    $image_fetchpath = file_exists($image_path) ? "/entreaulas/_filefetch.php?type=panel_actividades&centro=" . urlencode($centro_id) . "&activity=" . urlencode(basename($activity_name)) : '/static/logo-entreaulas.png';
+                    $image_fetchpath = file_exists($image_path) ? "/entreaulas/_filefetch.php?type=panel_actividades&centro=" . urlencode($centro_id) . "&activity=" . urlencode($activity_name) : '/static/logo-entreaulas.png';
                     echo '<tr>';
                     echo '<td><img src="' . htmlspecialchars($image_fetchpath) . '" alt="Foto" style="height: 50px;"></td>';
                     echo '<td>' . htmlspecialchars($activity_name) . '</td>';
diff --git a/public_html/sysadmin/reset_password.php b/public_html/sysadmin/reset_password.php
index 49a7b46..1026c8f 100644
--- a/public_html/sysadmin/reset_password.php
+++ b/public_html/sysadmin/reset_password.php
@@ -1,9 +1,9 @@
 <?php
 require_once "_incl/auth_redir.php";
-
+require_once "_incl/tools.security.php";
 switch ($_GET['form'] ?? '') {
   case 'save_password':
-    $username = $_POST['username'] ?? '';
+    $username = Sf($_POST['username'] ?? '');
     $new_password = $_POST['new_password'] ?? '';
     $confirm_password = $_POST['confirm_password'] ?? '';
 
diff --git a/public_html/sysadmin/users.php b/public_html/sysadmin/users.php
index ac51f2e..3ebf445 100644
--- a/public_html/sysadmin/users.php
+++ b/public_html/sysadmin/users.php
@@ -1,9 +1,9 @@
 <?php
 require_once "_incl/auth_redir.php";
-
+require_once "_incl/tools.security.php";
 switch ($_GET['form'] ?? '') {
   case 'save_edit':
-    $username = $_POST['username'] ?? '';
+    $username = Sf($_POST['username'] ?? '');
     if (empty($username)) {
       die("Nombre de usuario no proporcionado.");
     }
@@ -104,7 +104,7 @@ switch ($_GET['action'] ?? '') {
     break;
   case 'edit':
     require_once "_incl/pre-body.php";
-    $username = $_GET['user'] ?? '';
+    $username = Sf($_GET['user'] ?? '');
     $userdata = json_decode(file_get_contents("/DATA/Usuarios/$username.json"), true);
 ?>
 <form method="post" action="?form=save_edit">