From a3eeda2dc5caf33862956d6c3e148bd4fcb2bc6e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 14 Feb 2026 13:19:56 +0000
Subject: [PATCH] =?UTF-8?q?Fix=20security=20issues=20in=20=C2=BFQui=C3=A9n?= =?UTF-8?q?=20soy=3F=20flow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
---
 public_html/entreaulas/_filefetch.php | 11 ++++++++---
 public_html/entreaulas/paneldiario.php | 14 ++++++++++----
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/public_html/entreaulas/_filefetch.php b/public_html/entreaulas/_filefetch.php
index db239db..c2e012d 100755
--- a/public_html/entreaulas/_filefetch.php
+++ b/public_html/entreaulas/_filefetch.php
@@ -7,9 +7,14 @@ header("Access-Control-Allow-Origin: *");
 switch ($_GET["type"]) {
 case "alumno_photo":
- $centro = str_replace('..', '_', $_GET["centro"] ?? '');
- $aulario = str_replace('..', '_', $_GET["aulario"] ?? '');
- $alumno = str_replace('..', '_', $_GET["alumno"] ?? '');
+ $centro = basename($_GET["centro"] ?? '');
+ $aulario = basename($_GET["aulario"] ?? '');
+ $alumno = basename($_GET["alumno"] ?? '');
+ // Additional validation to prevent empty names
+ if (empty($centro) || empty($aulario) || empty($alumno)) {
+ header("HTTP/1.1 400 Bad Request");
+ die("Invalid parameters");
+ }
 $relpath = "entreaulas/Centros/$centro/Aularios/$aulario/Alumnos/$alumno/photo.jpg";
 break;
 case "panel_actividades":
diff --git a/public_html/entreaulas/paneldiario.php b/public_html/entreaulas/paneldiario.php
index aab0f68..e548c18 100755
--- a/public_html/entreaulas/paneldiario.php
+++ b/public_html/entreaulas/paneldiario.php
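Review bot: `basename()` does not neutralise the `.` and `..` components that the removed `str_replace('..', '_', …)` lines did — `basename('..')` returns `'..'` unchanged, so a `centro`, `aulario` or `alumno` value of `..` passes the new `empty()` check and still produces a `$relpath` such as `Centros/../Aularios/…`; the same `basename` + `empty` pairing appears in the paneldiario.php hunk. `empty()` additionally rejects the literal name `"0"`, which may or may not be a legitimate identifier in this data. Replace the check with an explicit list test, e.g. `$bad = ['', '.', '..'];` / `if (in_array($centro, $bad, true) || in_array($aulario, $bad, true) || in_array($alumno, $bad, true)) {`. If the identifiers are known to use a restricted alphabet, a per-component `preg_match` allow-list would be stronger still; whether `$relpath` is later resolved and checked against the intended base directory is outside this hunk.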
@@ -152,8 +152,14 @@ switch ($_GET["action"]) {
 break;
 case "quien_soy": // ¿Quién soy? - Identificación del alumno
- $aulario_id = $_GET["aulario"] ?? "";
- $centro_id = $_SESSION["auth_data"]["entreaulas"]["centro"] ?? "";
+ $aulario_id = basename($_GET["aulario"] ?? '');
+ $centro_id = basename($_SESSION["auth_data"]["entreaulas"]["centro"] ?? '');
+
+ // Validate parameters
+ if (empty($aulario_id) || empty($centro_id)) {
+ echo '
Error: Parámetros inválidos.