Fixes XSS vulnerabilities (#6831)
* Properly escape log_meta values * Vue syntax fix to allow npm run dev to work again * Janky fix for Select2 bug * Compiled production assets * Escape user’s last name in API * Removed duplicate alertClass * Compiled production assets
This commit is contained in:
parent
dec77890bd
commit
dee92cfc6c
11 changed files with 8705 additions and 71 deletions
|
@ -26,6 +26,18 @@ class ActionlogsTransformer
|
|||
if ($actionlog->filename!='') {
|
||||
$icon = e(\App\Helpers\Helper::filetype_icon($actionlog->filename));
|
||||
}
|
||||
|
||||
// This is necessary since we can't escape special characters within a JSON object
|
||||
if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
|
||||
$meta_array = json_decode($actionlog->log_meta);
|
||||
foreach ($meta_array as $key => $value) {
|
||||
foreach ($value as $meta_key => $meta_value) {
|
||||
$clean_meta[$key][$meta_key] = e($meta_value);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$array = [
|
||||
'id' => (int) $actionlog->id,
|
||||
'icon' => $icon,
|
||||
|
@ -64,7 +76,7 @@ class ActionlogsTransformer
|
|||
|
||||
'note' => ($actionlog->note) ? e($actionlog->note): null,
|
||||
'signature_file' => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null,
|
||||
'log_meta' => ($actionlog->log_meta) ? json_decode($actionlog->log_meta): null,
|
||||
'log_meta' => ((isset($clean_meta)) && (is_array($clean_meta))) ? $clean_meta: null,
|
||||
|
||||
|
||||
];
|
||||
|
|
|
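Review bot: The escaping loop added at `foreach ($meta_array as $key => $value)` only handles exactly two levels of nesting: a top-level value that is a scalar is handed to the inner `foreach`, which warns and skips it, so that key silently disappears from `log_meta`, while a value nested deeper than two levels reaches `e()` as an array. `json_decode()` also returns null on malformed input, which makes the outer `foreach` warn instead of falling through to the `null` the second hunk emits. I cannot see the shape of `log_meta` from here, so if it is guaranteed to be a flat map of maps this is moot; otherwise decode to arrays, guard on `is_array()`, and escape every string leaf with `array_walk_recursive` so the depth no longer matters. The enclosing transform method starts and ends outside the hunk.
```php
if (($actionlog->log_meta) && ($actionlog->log_meta!='')) {
    // Decode to arrays and escape every string leaf, whatever the nesting depth;
    // non-strings (ints, bools, null) are left as they are.
    $meta_array = json_decode($actionlog->log_meta, true);
    if (is_array($meta_array)) {
        array_walk_recursive($meta_array, function (&$leaf) {
            if (is_string($leaf)) {
                $leaf = e($leaf);
            }
        });
        $clean_meta = $meta_array;
    }
}
// … unchanged: $array construction …
```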
@ -24,7 +24,7 @@ class UsersTransformer
|
|||
$array = [
|
||||
'id' => (int) $user->id,
|
||||
'avatar' => e($user->present()->gravatar),
|
||||
'name' => e($user->first_name).' '.($user->last_name),
|
||||
'name' => e($user->first_name).' '.e($user->last_name),
|
||||
'first_name' => e($user->first_name),
|
||||
'last_name' => e($user->last_name),
|
||||
'username' => e($user->username),
|
||||
|
|
File diff suppressed because one or more lines are too long
2
public/css/dist/all.css
vendored
2
public/css/dist/all.css
vendored
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
52
public/js/dist/all.js
vendored
52
public/js/dist/all.js
vendored
File diff suppressed because one or more lines are too long
|
@ -1,14 +1,14 @@
|
|||
{
|
||||
"/js/build/vue.js": "/js/build/vue.js?id=af0a53aa1b89d0e19039",
|
||||
"/js/build/vue.js": "/js/build/vue.js?id=96f90510b797ac27a94b",
|
||||
"/css/AdminLTE.css": "/css/AdminLTE.css?id=5e72463a66acbcc740d5",
|
||||
"/css/app.css": "/css/app.css?id=407edb63cc6b6dc62405",
|
||||
"/css/overrides.css": "/css/overrides.css?id=2d81c3704393bac77011",
|
||||
"/js/build/vue.js.map": "/js/build/vue.js.map?id=79fce5e6515d8a4cc760",
|
||||
"/js/build/vue.js.map": "/js/build/vue.js.map?id=423f16f63b86abd6b196",
|
||||
"/css/AdminLTE.css.map": "/css/AdminLTE.css.map?id=0be7790b84909dca6a0a",
|
||||
"/css/app.css.map": "/css/app.css.map?id=96b5c985e860716e6a16",
|
||||
"/css/overrides.css.map": "/css/overrides.css.map?id=f7ce9ca49027594ac402",
|
||||
"/css/dist/all.css": "/css/dist/all.css?id=98db4e9b7650453c8b00",
|
||||
"/js/dist/all.js": "/js/dist/all.js?id=a3a656ed6316d4c4efe7",
|
||||
"/js/dist/all.js": "/js/dist/all.js?id=114f1025a1b3e8975476",
|
||||
"/css/build/all.css": "/css/build/all.css?id=98db4e9b7650453c8b00",
|
||||
"/js/build/all.js": "/js/build/all.js?id=a3a656ed6316d4c4efe7"
|
||||
}
|
||||
"/js/build/all.js": "/js/build/all.js?id=114f1025a1b3e8975476"
|
||||
}
|
||||
|
|
|
@ -40,9 +40,8 @@ tr {
|
|||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="alert col-md-12"
|
||||
<div class="alert col-md-12" style="text-align:left"
|
||||
:class="alertClass"
|
||||
style="text-align:left"
|
||||
v-if="statusText">
|
||||
{{ this.statusText }}
|
||||
</div>
|
||||
|
@ -84,7 +83,6 @@ tr {
|
|||
|
||||
<div class="alert col-md-12" style="padding-top: 20px;"
|
||||
:class="alertClass"
|
||||
style="text-align:left"
|
||||
v-if="statusText">
|
||||
{{ this.statusText }}
|
||||
</div>
|
||||
|
|
|
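Review bot: The second hunk drops `text-align:left` from the second alert rather than merging it: the element at `<div class="alert col-md-12" style="padding-top: 20px;"` keeps only its padding once the duplicated `style` attribute is removed, whereas the first hunk folds the alignment into the surviving attribute. If both alerts are meant to render the same, the line should become `<div class="alert col-md-12" style="padding-top: 20px; text-align:left"`. The commit message speaks of a duplicate `alertClass`, but what both hunks remove is a duplicated `style` attribute, which is presumably the duplicate-attribute error that broke the Vue build mentioned in the message. The surviving `{{ this.statusText }}` interpolations could also be written `{{ statusText }}`, since template expressions already resolve against the component instance.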
@ -260,7 +260,18 @@ $(document).ready(function () {
|
|||
}
|
||||
|
||||
function formatDataSelection (datalist) {
|
||||
return datalist.text;
|
||||
// This a heinous workaround for a known bug in Select2.
|
||||
// Without this, the rich selectlists are vulnerable to XSS.
|
||||
// Many thanks to @uberbrady for this fix. It ain't pretty,
|
||||
// but it resolves the issue until Select2 addresses it on their end.
|
||||
//
|
||||
// Bug was reported in 2016 :{
|
||||
// https://github.com/select2/select2/issues/4587
|
||||
|
||||
return datalist.text.replace(/>/g, '>')
|
||||
.replace(/</g, '<')
|
||||
.replace(/"/g, '"')
|
||||
.replace(/'/g, ''');
|
||||
}
|
||||
|
||||
// This handles the radio button selectors for the checkout-to-foo options
|
||||
|
|
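Review bot: The escape chain in `formatDataSelection` never escapes `&`, so it is not a complete HTML encoding: text that already contains an entity-shaped sequence (a literal `&lt;` or `&amp;` in a name) is decoded by the browser when Select2 injects the string as markup and cannot be told apart from the characters the user actually entered. Prepend `.replace(/&/g, '&amp;')` as the first step of the chain so the entities produced by the later steps cannot be re-interpreted. Note that this page renders the replacement literals as `'>'`, `'<'`, `'"'` and `'''`, which would make every `.replace` a no-op; I assume the committed source contains the entities (`&gt;`, `&lt;`, `&quot;`, `&#39;`) and the display has decoded them, but that is worth confirming on the raw file. A less fragile alternative, since jQuery is in scope, is to return a node rather than a string, `return $('<span>').text(datalist.text);`, which Select2 4.x appends as DOM instead of parsing as HTML (verify against the bundled Select2 version).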