From 5da662441cb303538df54d807deaff3ca4b92f8f Mon Sep 17 00:00:00 2001
From: Afonso Coutinho <116525378+afonsopc@users.noreply.github.com>
Date: Mon, 1 Jun 2026 21:50:19 +0100
Subject: [PATCH] Validate slash command time minutes

* fix: reject hour > 23 in 'today/tomorrow' reminder time parsing
* fix: reject minute > 59 in reminder time parsing
---
 static/js/slashCommands.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/static/js/slashCommands.js b/static/js/slashCommands.js
index 81bb159..7c5515c 100644
--- a/static/js/slashCommands.js
+++ b/static/js/slashCommands.js
@@ -1464,6 +1464,7 @@ function _parseTimeSpec(input) {
 const mer = (m[4] || '').toLowerCase();
 if (mer === 'pm' && hh < 12) hh += 12;
 if (mer === 'am' && hh === 12) hh = 0;
+ if (hh > 23 || mm > 59) return null;
 d.setHours(hh, mm, 0, 0);
 return { date: d, rest: m[5].trim() };
 }
@@ -1477,9 +1478,9 @@ function _parseTimeSpec(input) {
 const mer = (m[3] || '').toLowerCase();
 if (mer === 'pm' && hh < 12) hh += 12;
 if (mer === 'am' && hh === 12) hh = 0;
- // Require an hour <= 23 and either a minute field or am/pm to avoid
- // eating plain numbers like "3 apples".
- if (hh > 23) return null;
+ // Require a valid hour/minute and either a minute field or am/pm to
+ // avoid eating plain numbers like "3 apples".
+ if (hh > 23 || mm > 59) return null;
 if (m[2] == null && !mer) return null;
 d.setHours(hh, mm, 0, 0);
 if (d.getTime() <= now.getTime()) d.setDate(d.getDate() + 1);
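Review bot: The range check added in the first hunk runs after the am/pm adjustment, so a 24-hour value combined with a meridiem (for example `15am` or `13pm`) is left untouched by the two adjustment lines and still passes `hh > 23`. The reminder is then scheduled for a time the user did not write. Rejecting it before the adjustment closes the gap: add `if (mer && hh > 12) return null;` directly after the `const mer = …` line. The second hunk has the same ordering and needs the same guard. `_parseTimeSpec` starts outside both hunks, so how `hh` and `mm` are parsed is not visible; it is worth confirming neither can be `NaN` here, since `NaN > 59` is false and would pass this check into `d.setHours`.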