From 0d520fb6d4216e2abc06173e5c9b01c3988315c3 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Wed, 13 Nov 2024 23:11:28 +0100
Subject: [PATCH] Add assertion to prevent illegal characters in tags

---
 src/PowerIdPDisco.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/PowerIdPDisco.php b/src/PowerIdPDisco.php
index 9b3e5ef..1a263ea 100644
--- a/src/PowerIdPDisco.php
+++ b/src/PowerIdPDisco.php
@@ -339,6 +339,13 @@ public function handleRequest(): void
         $t->data['rememberenabled'] = $this->config->getOptionalBoolean('idpdisco.enableremember', false);
         $t->data['rememberchecked'] = $this->config->getOptionalBoolean('idpdisco.rememberchecked', false);
         foreach (array_keys($idpList) as $tab) {
+            Assert::regex(
+                $tab,
+                '/^[a-z_][a-z0-9_-]+$/',
+                'Tags can contain alphanumeric characters, hyphens and underscores.'
+                . ' They must start with a A-Z or an underscore.',
+            );
+
             $translatableTag = "{discopower:tabs:$tab}";
             if ($translator::translateSingularGettext($translatableTag) === $translatableTag) {
                 $t->data['tabNames'][$tab] = $translator::noop($tab);