Merge pull request #11758 from snipe/security/xss_on_dashboard_note

Fixed possible XSS on dashboard note
snipe 2022-08-29 11:50:48 -07:00 committed by GitHub
commit e94b5ac435
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 29 additions and 31 deletions


@ -22,12 +22,13 @@ class Helper
* @since [v2.0]
* @return string
*/
public static function parseEscapedMarkedown($str)
public static function parseEscapedMarkedown($str = null)
{
$Parsedown = new \Parsedown();
$Parsedown->setSafeMode(true);
if ($str) {
return $Parsedown->text(e($str));
return $Parsedown->text($str);
}
}
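Review bot: `if ($str)` in parseEscapedMarkedown silently drops a value whose whole text is `"0"` and returns null implicitly for empty input, while the docblock just above still promises `@return string`; tightening the guard to `if ($str !== null && $str !== '')` and updating the docblock to `@param string|null $str` / `@return string|null` makes the contract match the `?string` return type that Setting::getDefaultEula declares on top of it. Replacing `e()` with `setSafeMode(true)` is the right direction, since safe mode escapes raw HTML inside the Markdown and, as far as I recall, also restricts link targets, which pre-escaping the input did not; it does require a Parsedown release that implements safe mode, and the commit does not touch composer.json, so the minimum version is worth pinning. Every caller now emits the result with `{!! !!}`, so this method is the single trust boundary for that output; a one-line comment such as `// Returns trusted HTML: Parsedown safe mode is the only escaping applied, callers output it raw.` would record that.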


@ -2,6 +2,7 @@
namespace App\Models;
use App\Helpers\Helper;
use App\Models\Traits\Acceptable;
use App\Models\Traits\Searchable;
use App\Presenters\Presentable;
@ -299,15 +300,14 @@ class Accessory extends SnipeModel
*/
public function getEula()
{
$Parsedown = new \Parsedown();
if ($this->category->eula_text) {
return $Parsedown->text(e($this->category->eula_text));
return Helper::parseEscapedMarkedown($this->category->eula_text);
} elseif ((Setting::getSettings()->default_eula_text) && ($this->category->use_default_eula == '1')) {
return $Parsedown->text(e(Setting::getSettings()->default_eula_text));
return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text);
}
return null;
return null;
}
/**


@ -5,6 +5,7 @@ namespace App\Models;
use App\Events\AssetCheckedOut;
use App\Events\CheckoutableCheckedOut;
use App\Exceptions\CheckoutNotAllowed;
use App\Helpers\Helper;
use App\Http\Traits\UniqueSerialTrait;
use App\Http\Traits\UniqueUndeletedTrait;
use App\Models\Traits\Acceptable;
@ -875,13 +876,12 @@ class Asset extends Depreciable
*/
public function getEula()
{
$Parsedown = new \Parsedown();
if (($this->model) && ($this->model->category)) {
if ($this->model->category->eula_text) {
return $Parsedown->text(e($this->model->category->eula_text));
return Helper::parseEscapedMarkedown($this->model->category->eula_text);
} elseif ($this->model->category->use_default_eula == '1') {
return $Parsedown->text(e(Setting::getSettings()->default_eula_text));
return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text);
} else {
return false;
}
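Review bot: On the `use_default_eula == '1'` branch (L72-L74) Asset::getEula now returns whatever Helper::parseEscapedMarkedown produces for `default_eula_text`, and that helper yields null for an empty string where the old inline `$Parsedown->text(e(...))` returned `''`; callers that distinguish `false`, `''` and `null` may observe a new value here. Unlike Accessory, Category and Consumable, this branch does not first check that `default_eula_text` is non-empty, and License::getEula (the hunk at L134-L147) has the same shape. Adding the `Setting::getSettings()->default_eula_text &&` guard the other three models use, e.g. `} elseif ((Setting::getSettings()->default_eula_text) && ($this->model->category->use_default_eula == '1')) {`, would make the five methods agree. getEula's body continues past the end of the hunk.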


@ -9,6 +9,7 @@ use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Support\Facades\Gate;
use Watson\Validating\ValidatingTrait;
use App\Helpers\Helper;
/**
* Model for Categories. Categories are a higher-level group
@ -207,12 +208,11 @@ class Category extends SnipeModel
*/
public function getEula()
{
$Parsedown = new \Parsedown();
if ($this->eula_text) {
return $Parsedown->text(e($this->eula_text));
return Helper::parseEscapedMarkedown($this->eula_text);
} elseif ((Setting::getSettings()->default_eula_text) && ($this->use_default_eula == '1')) {
return $Parsedown->text(e(Setting::getSettings()->default_eula_text));
return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text);
} else {
return null;
}
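Review bot: The new `use App\Helpers\Helper;` in Category.php is appended after `Watson\Validating\ValidatingTrait` (L85), which breaks the alphabetical grouping the rest of the import block follows and differs from Asset.php, where the same import is inserted in sorted position between `App\Exceptions` and `App\Http`; Setting.php (L156) places it between `Cache` and `Watson` in the same way. Moving the line up with the other `App\` imports keeps the files consistent. The getEula body itself continues outside the hunk.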


@ -2,6 +2,7 @@
namespace App\Models;
use App\Helpers\Helper;
use App\Models\Traits\Acceptable;
use App\Models\Traits\Searchable;
use App\Presenters\Presentable;
@ -265,12 +266,10 @@ class Consumable extends SnipeModel
*/
public function getEula()
{
$Parsedown = new \Parsedown();
if ($this->category->eula_text) {
return $Parsedown->text(e($this->category->eula_text));
return Helper::parseEscapedMarkedown($this->category->eula_text);
} elseif ((Setting::getSettings()->default_eula_text) && ($this->category->use_default_eula == '1')) {
return $Parsedown->text(e(Setting::getSettings()->default_eula_text));
return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text);
} else {
return null;
}


@ -2,6 +2,7 @@
namespace App\Models;
use App\Helpers\Helper;
use App\Models\Traits\Searchable;
use App\Presenters\Presentable;
use Carbon\Carbon;
@ -337,12 +338,11 @@ class License extends Depreciable
*/
public function getEula()
{
$Parsedown = new \Parsedown();
if ($this->category->eula_text) {
return $Parsedown->text(e($this->category->eula_text));
return Helper::parseEscapedMarkedown($this->category->eula_text);
} elseif ($this->category->use_default_eula == '1') {
return $Parsedown->text(e(Setting::getSettings()->default_eula_text));
return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text);
} else {
return false;
}


@ -8,9 +8,10 @@ use Illuminate\Notifications\Notifiable;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Cache;
use Parsedown;
use App\Helpers\Helper;
use Watson\Validating\ValidatingTrait;
/**
* Settings model.
*/
@ -135,7 +136,6 @@ class Setting extends Model
public function lar_ver(): string
{
$app = App::getFacadeApplication();
return $app::VERSION;
}
@ -147,9 +147,7 @@ class Setting extends Model
public static function getDefaultEula(): ?string
{
if (self::getSettings()->default_eula_text) {
$parsedown = new Parsedown();
return $parsedown->text(e(self::getSettings()->default_eula_text));
return Helper::parseEscapedMarkedown(self::getSettings()->default_eula_text);
}
return null;


@ -2,6 +2,8 @@
namespace App\Presenters;
use App\Helpers\Helper;
/**
* Class AssetModelPresenter
*/
@ -159,10 +161,8 @@ class AssetModelPresenter extends Presenter
*/
public function note()
{
$Parsedown = new \Parsedown();
if ($this->model->note) {
return $Parsedown->text($this->model->note);
return Helper::parseEscapedMarkedown($this->model->note);
}
}
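Review bot: note() now returns trusted HTML from Helper::parseEscapedMarkedown (L192), or null implicitly when the note is empty, but the method has no return type and the docblock ending at L186 is cut off by the hunk, so nothing tells a template author that the value is already rendered and must be emitted with `{!! !!}` rather than escaped again. Suggest `@return string|null Rendered HTML (Parsedown safe mode); output raw, do not re-escape.` on the docblock. Since this was the call site that previously passed the note to Parsedown without `e()`, the comment is also the natural place to record why the shared helper is used.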


@ -28,7 +28,7 @@
@if ($snipeSettings->login_note)
<div class="col-md-12">
<div class="alert alert-info">
{!! Parsedown::instance()->text(e($snipeSettings->login_note)) !!}
{!! Helper::parseEscapedMarkedown($snipeSettings->login_note) !!}
</div>
</div>
@endif
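Review bot: The view calls `Helper::parseEscapedMarkedown` unqualified (L203), as do the dashboard (L215) and footer (L227) templates, which only resolves if a `Helper` class alias for `App\Helpers\Helper` is registered for views; the old `Parsedown::instance()` call relied on a similar alias, but nothing in this diff shows one exists for Helper, and without it the page fails with a class-not-found error at render time. Writing `{!! \App\Helpers\Helper::parseEscapedMarkedown($snipeSettings->login_note) !!}` removes the dependency on the alias. The `{!! !!}` output is safe only because safe mode is enabled inside the helper, so any later change to that helper has to preserve it.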


@ -17,7 +17,7 @@
<div class="box-body">
<div class="row">
<div class="col-md-12">
{!! Parsedown::instance()->text(e($snipeSettings->dashboard_message)) !!}
{!! Helper::parseEscapedMarkedown($snipeSettings->dashboard_message) !!}
</div>
</div>
</div>


@ -827,7 +827,7 @@
</div>
@if ($snipeSettings->footer_text!='')
<div class="pull-right">
{!! Parsedown::instance()->text(e($snipeSettings->footer_text)) !!}
{!! Helper::parseEscapedMarkedown($snipeSettings->footer_text) !!}
</div>
@endif