fix for security issue

app/controllers/property_hires_controller.rb

@@ -367,6 +367,9 @@ class PropertyHiresController < ApplicationController
 
 
   def get_bookings
+    if !(valid_timestamp?(params[:start]) && valid_timestamp?(params[:end]))
+      return render json: {}, status: :unprocessable_entity
+    end
     events =[]
     allevents = []
     if params[:property_id] == "all"
@@ -667,4 +670,15 @@ class PropertyHiresController < ApplicationController
     return allevents
   end
 
+  def valid_timestamp?(number)
+    begin
+      # Ensure the input is numeric and within a practical range
+      number = Integer(number) rescue Float(number)
+      min_timestamp = Time.new(1900, 1, 1).to_i
+      max_timestamp = Time.new(3000, 12, 31).to_i
+      number >= min_timestamp && number <= max_timestamp
+    rescue ArgumentError, TypeError
+      false
+    end
+  end
 end