<?php
/**
* PATCHED CODE - RECOMMENDED FIX
*
* This demonstrates three ways to handle the nfsen parameter safely; Option 1 (whitelist) is the recommended one
*/
// OPTION 1: Whitelist Validation (Recommended)
// =============================================
// Only values drawn from this fixed list ever reach the include path, so the
// request cannot name any file the list does not already spell out.
$allowed_pages = ['general', 'stats', 'channel'];
$requested_page = $vars['nfsen'] ?? null;
// Strict comparison: no type juggling; a missing or unknown value falls back to 'general'.
$vars['nfsen'] = in_array($requested_page, $allowed_pages, true) ? $requested_page : 'general';
include 'includes/html/pages/device/nfsen/' . $vars['nfsen'] . '.inc.php';
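// OPTION 2: basename() Sanitization
// ==================================
// basename() keeps only the last path segment, so directory components
// (including '..' segments and any 'scheme://' prefix) are dropped and the
// include stays inside the nfsen directory.
// NOTE: unlike Option 1 this is not an allow-list -- any *.inc.php file that
// exists in that directory can be selected by the request.
$nfsen_dir = 'includes/html/pages/device/nfsen/';
$requested_page = $vars['nfsen'] ?? 'general';
// basename() requires a string; a non-string value (e.g. an array from the
// request) is a TypeError on PHP 8, so reject it up front instead of crashing.
$nfsen_page = is_string($requested_page) ? basename($requested_page) : 'general';
if (is_file($nfsen_dir . $nfsen_page . '.inc.php')) {
    include $nfsen_dir . $nfsen_page . '.inc.php';
} else {
    include $nfsen_dir . 'general.inc.php';
}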
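// OPTION 3: Regex Validation
// ==========================
// NOTE: like Option 2 this is a character filter, not an allow-list -- any
// *.inc.php file in the nfsen directory whose name matches the pattern can be
// selected. Prefer Option 1 where the set of pages is known.
$nfsen_dir = 'includes/html/pages/device/nfsen/';
$nfsen_page = $vars['nfsen'] ?? 'general';
// Only allow alphanumeric characters and hyphens.
// \z (rather than $) anchors at the very end of the string: a bare $ also
// matches before a trailing "\n", so "stats\n" would otherwise pass the check.
// is_string() guards preg_match() against non-string input (a TypeError on PHP 8).
if (!is_string($nfsen_page) || !preg_match('/^[a-zA-Z0-9\-]+\z/', $nfsen_page)) {
    $nfsen_page = 'general';
}
if (is_file($nfsen_dir . $nfsen_page . '.inc.php')) {
    include $nfsen_dir . $nfsen_page . '.inc.php';
} else {
    include $nfsen_dir . 'general.inc.php';
}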