Merge branch 'master' of https://github.com/snipe/snipe-it

2019-03-18 20:51:11 -07:00 · 2019-03-18 20:51:11 -07:00 · 1451b4f45d
commit 1451b4f45d
parent b6da68a69c dee92cfc6c
11 changed files with 8705 additions and 71 deletions
--- a/app/Http/Transformers/ActionlogsTransformer.php
+++ b/app/Http/Transformers/ActionlogsTransformer.php
@ -26,6 +26,18 @@ class ActionlogsTransformer
        if ($actionlog->filename!='') {
            $icon =  e(\App\Helpers\Helper::filetype_icon($actionlog->filename));
        }
+
+        // This is necessary since we can't escape special characters within a JSON object
+        if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
+            $meta_array = json_decode($actionlog->log_meta);
+            foreach ($meta_array as $key => $value) {
+                foreach ($value as $meta_key => $meta_value) {
+                    $clean_meta[$key][$meta_key] = e($meta_value);
+                }
+            }
+        }
+
+
        $array = [
            'id'          => (int) $actionlog->id,
            'icon'          => $icon,
@ -64,7 +76,7 @@ class ActionlogsTransformer

            'note'          => ($actionlog->note) ? e($actionlog->note): null,
            'signature_file'   => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null,
-            'log_meta'          => ($actionlog->log_meta) ? json_decode($actionlog->log_meta): null,
+            'log_meta'          => ((isset($clean_meta)) && (is_array($clean_meta))) ? $clean_meta: null,


        ];
--- a/app/Http/Transformers/UsersTransformer.php
+++ b/app/Http/Transformers/UsersTransformer.php
@ -24,7 +24,7 @@ class UsersTransformer
        $array = [
                'id' => (int) $user->id,
                'avatar' => e($user->present()->gravatar),
-                'name' => e($user->first_name).' '.($user->last_name),
+                'name' => e($user->first_name).' '.e($user->last_name),
                'first_name' => e($user->first_name),
                'last_name' => e($user->last_name),
                'username' => e($user->username),
--- a/public/css/build/all.css
+++ b/public/css/build/all.css
--- a/public/css/dist/all.css
+++ b/public/css/dist/all.css
--- a/public/js/build/all.js
+++ b/public/js/build/all.js
--- a/public/js/build/vue.js
+++ b/public/js/build/vue.js
--- a/public/js/build/vue.js.map
+++ b/public/js/build/vue.js.map
--- a/public/js/dist/all.js
+++ b/public/js/dist/all.js
--- a/public/mix-manifest.json
+++ b/public/mix-manifest.json
@ -1,14 +1,14 @@
 {
-    "/js/build/vue.js": "/js/build/vue.js?id=af0a53aa1b89d0e19039",
+    "/js/build/vue.js": "/js/build/vue.js?id=96f90510b797ac27a94b",
    "/css/AdminLTE.css": "/css/AdminLTE.css?id=5e72463a66acbcc740d5",
    "/css/app.css": "/css/app.css?id=407edb63cc6b6dc62405",
    "/css/overrides.css": "/css/overrides.css?id=2d81c3704393bac77011",
-    "/js/build/vue.js.map": "/js/build/vue.js.map?id=79fce5e6515d8a4cc760",
+    "/js/build/vue.js.map": "/js/build/vue.js.map?id=423f16f63b86abd6b196",
    "/css/AdminLTE.css.map": "/css/AdminLTE.css.map?id=0be7790b84909dca6a0a",
    "/css/app.css.map": "/css/app.css.map?id=96b5c985e860716e6a16",
    "/css/overrides.css.map": "/css/overrides.css.map?id=f7ce9ca49027594ac402",
    "/css/dist/all.css": "/css/dist/all.css?id=98db4e9b7650453c8b00",
-    "/js/dist/all.js": "/js/dist/all.js?id=a3a656ed6316d4c4efe7",
+    "/js/dist/all.js": "/js/dist/all.js?id=114f1025a1b3e8975476",
    "/css/build/all.css": "/css/build/all.css?id=98db4e9b7650453c8b00",
-    "/js/build/all.js": "/js/build/all.js?id=a3a656ed6316d4c4efe7"
-}
+    "/js/build/all.js": "/js/build/all.js?id=114f1025a1b3e8975476"
+}
--- a/resources/assets/js/components/importer/importer-file.vue
+++ b/resources/assets/js/components/importer/importer-file.vue
@ -40,9 +40,8 @@ tr {
                </div>
                </div>
            </div>
-            <div class="alert col-md-12"
+            <div class="alert col-md-12" style="text-align:left"
                 :class="alertClass"
-                 style="text-align:left"
                 v-if="statusText">
                {{ this.statusText }}
            </div>
@ -84,7 +83,6 @@ tr {

                <div class="alert col-md-12" style="padding-top: 20px;"
                     :class="alertClass"
-                     style="text-align:left"
                     v-if="statusText">
                    {{ this.statusText }}
                </div>
--- a/resources/assets/js/snipeit.js
+++ b/resources/assets/js/snipeit.js
@ -260,7 +260,18 @@ $(document).ready(function () {
    }

    function formatDataSelection (datalist) {
-        return datalist.text;
+        // This a heinous workaround for a known bug in Select2.
+        // Without this, the rich selectlists are vulnerable to XSS.
+        // Many thanks to @uberbrady for this fix. It ain't pretty,
+        // but it resolves the issue until Select2 addresses it on their end.
+        //
+        // Bug was reported in 2016 :{
+        // https://github.com/select2/select2/issues/4587
+
+        return datalist.text.replace(/>/g, '&gt;')
+            .replace(/</g, '&lt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#039;');
    }

    // This handles the radio button selectors for the checkout-to-foo options