From 4136a332f71b7eb2a98f463c8aa71386f805adde Mon Sep 17 00:00:00 2001
From: qiuluoli <158252913+qiuluoli@users.noreply.github.com>
Date: Thu, 14 May 2026 09:27:01 -0700
Subject: [PATCH 1/2] fix: regenerate session ID after login to prevent session fixation (Fixes #537)
---
 familyconnections/inc/utils.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/familyconnections/inc/utils.php b/familyconnections/inc/utils.php
index 73400965..4161c05b 100644
--- a/familyconnections/inc/utils.php
+++ b/familyconnections/inc/utils.php
@@ -2776,6 +2776,9 @@ function loginUser ($userId, $remember)
 setcookie('fcms_cookie_token', $token, time() + (30*(24*3600)), '/'); // 30 days
 }
+ // Regenerate session ID to prevent session fixation attacks (Fixes #537)
+ session_regenerate_id(true);
+
 $_SESSION['fcms_id'] = $userId;
 $_SESSION['fcms_token'] = $token;
From b097af7e2e14ad5e205b2f72ccc45590adc9d93f Mon Sep 17 00:00:00 2001
From: qiuluoli <158252913+qiuluoli@users.noreply.github.com>
Date: Thu, 14 May 2026 09:27:18 -0700
Subject: [PATCH 2/2] fix: sanitize CSV export to prevent CSV injection (Fixes #539)
---
 familyconnections/addressbook.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/familyconnections/addressbook.php b/familyconnections/addressbook.php
index daa87167..d199bc67 100644
--- a/familyconnections/addressbook.php
+++ b/familyconnections/addressbook.php
@@ -196,6 +196,14 @@ function displayExportSubmit ()
 foreach ($rows as $row) {
+ // Sanitize cell values to prevent CSV injection (Fixes #539)
+ $row = array_map(function($val) {
+ // Prefix dangerous characters to prevent formula execution in spreadsheets
+ if (preg_match('/^[=+\-@\t\r]/', $val)) {
+ return "'" . $val;
+ }
+ return $val;
+ }, $row);
 $csv .= '"'.join('","', str_replace('"', '""', $row))."\"\015\012";
 }
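Review bot: `session_regenerate_id(true)` fails with only a warning and a false return unless a session is already active, and nothing in this hunk shows `session_start()` preceding it, so a call path that reaches loginUser before the session is started would keep the attacker-chosen ID and still populate `$_SESSION` on the lines below. Guard and check it: `if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }` before the call, and `if (!session_regenerate_id(true)) { return false; }` (or whatever failure convention loginUser already uses) instead of falling through. Regeneration at login is the right fix, but it is complete only together with `session.use_strict_mode=1`, so an uninitialized ID presented by the client is rejected rather than adopted, and with the same regeneration on logout. Separately, the `fcms_cookie_token` cookie set two lines above carries no `httponly`, `secure` or `samesite` attributes, which leaves the 30-day bearer token readable by script and sent over plain HTTP. The body of loginUser begins and ends outside this hunk.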
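Review bot: The new closure hands `$val` straight to `preg_match`, so a NULL column in `$rows` (plausible for optional address fields, though the query is outside this hunk) triggers the PHP 8.1 null-to-string deprecation and any non-scalar value would throw a TypeError mid-export; coerce first with `if (preg_match('/^[=+\-@\t\r]/', (string) $val))`. The check also rewrites legitimate data such as `-12` or `+1 555 0100` to `'-12`, which is the accepted OWASP mitigation but should be stated so the prefix is not later stripped as a bug, e.g. `// Leading apostrophe is intentional: stops spreadsheets evaluating the cell as a formula (OWASP CSV injection)`. Only this export path is covered; any other CSV writer in the app, if one exists, needs the same treatment. The enclosing foreach and displayExportSubmit extend beyond the hunk.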