diff --git a/app/Http/Transformers/ActionlogsTransformer.php b/app/Http/Transformers/ActionlogsTransformer.php
index 53ece05583..7b7e8e326b 100644
--- a/app/Http/Transformers/ActionlogsTransformer.php
+++ b/app/Http/Transformers/ActionlogsTransformer.php
@@ -26,6 +26,18 @@ class ActionlogsTransformer
 if ($actionlog->filename!='') {
 $icon = e(\App\Helpers\Helper::filetype_icon($actionlog->filename));
 }
+
+ // This is necessary since we can't escape special characters within a JSON object
+ if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
+ $meta_array = json_decode($actionlog->log_meta);
+ foreach ($meta_array as $key => $value) {
+ foreach ($value as $meta_key => $meta_value) {
+ $clean_meta[$key][$meta_key] = e($meta_value);
+ }
+ }
+ }
+
+
 $array = [
 'id' => (int) $actionlog->id,
 'icon' => $icon,
@@ -64,7 +76,7 @@ class ActionlogsTransformer
 'note' => ($actionlog->note) ? e($actionlog->note): null,
 'signature_file' => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null,
- 'log_meta' => ($actionlog->log_meta) ? json_decode($actionlog->log_meta): null,
+ 'log_meta' => ((isset($clean_meta)) && (is_array($clean_meta))) ? $clean_meta: null,
 ];
diff --git a/app/Http/Transformers/UsersTransformer.php b/app/Http/Transformers/UsersTransformer.php
index 49755db7dc..e6b33ab606 100644
--- a/app/Http/Transformers/UsersTransformer.php
+++ b/app/Http/Transformers/UsersTransformer.php
@@ -24,7 +24,7 @@ class UsersTransformer
 $array = [
 'id' => (int) $user->id,
 'avatar' => e($user->present()->gravatar),
- 'name' => e($user->first_name).' '.($user->last_name),
+ 'name' => e($user->first_name).' '.e($user->last_name),
 'first_name' => e($user->first_name),
 'last_name' => e($user->last_name),
 'username' => e($user->username),
diff --git a/public/css/build/all.css b/public/css/build/all.css
index 418fe416f0..4bfc2811b5 100644
Binary files a/public/css/build/all.css and b/public/css/build/all.css differ
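Review bot: The new block in the first ActionlogsTransformer hunk iterates the result of `json_decode($actionlog->log_meta)` without checking that decoding succeeded, so a malformed `log_meta` makes the outer `foreach` warn on `null`, and any entry whose value is a scalar rather than an object makes the inner `foreach` warn and silently drop it, leaving `$clean_meta` unset so that the second hunk's `isset($clean_meta)` emits `null` for the whole record. The escaping is also only one level deep, so any leaf nested deeper than the assumed two levels would reach `$clean_meta` unescaped; the rewrite below decodes to arrays, checks the decode result and escapes every leaf recursively while keeping the shape the second hunk expects (`(string)` matches what `htmlspecialchars` would do with ints and nulls — confirm against the Laravel version in use). Keys (`$key`, `$meta_key`) are copied unescaped in both the original and the rewrite; if the consumer renders them as HTML they need the same treatment, which this diff does not show. The enclosing method starts and ends outside the hunk.
```php
        // This is necessary since we can't escape special characters within a JSON object
        if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
            // Decode to plain arrays; malformed JSON yields null and is dropped by the is_array check below.
            $meta_array = json_decode($actionlog->log_meta, true);
            // Escape every leaf regardless of nesting depth; array_map keeps the keys intact.
            $escape_leaves = function ($value) use (&$escape_leaves) {
                return is_array($value) ? array_map($escape_leaves, $value) : e((string) $value);
            };
            // Keep $clean_meta unset for an empty object so the 'log_meta' entry stays null, as before.
            if (is_array($meta_array) && $meta_array !== []) {
                $clean_meta = $escape_leaves($meta_array);
            }
        }
```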
diff --git a/public/css/dist/all.css b/public/css/dist/all.css
index 418fe416f0..0613103f1f 100644
Binary files a/public/css/dist/all.css and b/public/css/dist/all.css differ
diff --git a/public/js/build/all.js b/public/js/build/all.js
index de69adc765..6c4683aa71 100644
Binary files a/public/js/build/all.js and b/public/js/build/all.js differ
diff --git a/public/js/build/vue.js b/public/js/build/vue.js
index f70ca5ece8..4f79b0c904 100644
Binary files a/public/js/build/vue.js and b/public/js/build/vue.js differ
diff --git a/public/js/build/vue.js.map b/public/js/build/vue.js.map
index 388c23e39a..7a57f2884a 100644
Binary files a/public/js/build/vue.js.map and b/public/js/build/vue.js.map differ
diff --git a/public/js/dist/all.js b/public/js/dist/all.js
index de69adc765..bbfd0e7778 100644
Binary files a/public/js/dist/all.js and b/public/js/dist/all.js differ
diff --git a/public/mix-manifest.json b/public/mix-manifest.json
index 48e7eb5f92..888f9a782f 100644
--- a/public/mix-manifest.json
+++ b/public/mix-manifest.json
@@ -1,14 +1,14 @@
 {
- "/js/build/vue.js": "/js/build/vue.js?id=af0a53aa1b89d0e19039",
+ "/js/build/vue.js": "/js/build/vue.js?id=96f90510b797ac27a94b",
 "/css/AdminLTE.css": "/css/AdminLTE.css?id=5e72463a66acbcc740d5",
 "/css/app.css": "/css/app.css?id=407edb63cc6b6dc62405",
 "/css/overrides.css": "/css/overrides.css?id=2d81c3704393bac77011",
- "/js/build/vue.js.map": "/js/build/vue.js.map?id=79fce5e6515d8a4cc760",
+ "/js/build/vue.js.map": "/js/build/vue.js.map?id=423f16f63b86abd6b196",
 "/css/AdminLTE.css.map": "/css/AdminLTE.css.map?id=0be7790b84909dca6a0a",
 "/css/app.css.map": "/css/app.css.map?id=96b5c985e860716e6a16",
 "/css/overrides.css.map": "/css/overrides.css.map?id=f7ce9ca49027594ac402",
 "/css/dist/all.css": "/css/dist/all.css?id=98db4e9b7650453c8b00",
- "/js/dist/all.js": "/js/dist/all.js?id=a3a656ed6316d4c4efe7",
+ "/js/dist/all.js": "/js/dist/all.js?id=114f1025a1b3e8975476",
 "/css/build/all.css": "/css/build/all.css?id=98db4e9b7650453c8b00",
- "/js/build/all.js": "/js/build/all.js?id=a3a656ed6316d4c4efe7"
-}
\ No newline at end of file
+ "/js/build/all.js": "/js/build/all.js?id=114f1025a1b3e8975476"
+}
diff --git a/resources/assets/js/components/importer/importer-file.vue b/resources/assets/js/components/importer/importer-file.vue
index 9dadf20e9c..fd545fc519 100644
--- a/resources/assets/js/components/importer/importer-file.vue
+++ b/resources/assets/js/components/importer/importer-file.vue
@@ -40,9 +40,8 @@ tr { -
{{ this.statusText }}
@@ -84,7 +83,6 @@ tr {
{{ this.statusText }}
diff --git a/resources/assets/js/snipeit.js b/resources/assets/js/snipeit.js
index 4e3cb24b4a..e2e1dde39c 100755
--- a/resources/assets/js/snipeit.js
+++ b/resources/assets/js/snipeit.js
@@ -260,7 +260,18 @@ $(document).ready(function () {
 }
 function formatDataSelection (datalist) {
- return datalist.text;
+ // This a heinous workaround for a known bug in Select2.
+ // Without this, the rich selectlists are vulnerable to XSS.
+ // Many thanks to @uberbrady for this fix. It ain't pretty,
+ // but it resolves the issue until Select2 addresses it on their end.
+ //
+ // Bug was reported in 2016 :{
+ // https://github.com/select2/select2/issues/4587
+
+ return datalist.text.replace(/>/g, '>')
+ .replace(/