Merge pull request #175 from Gustavinho/bug/xss-bug

Gustavinho · web-flow · commit 03f4bbebce93 · 2023-01-02T13:42:17.000-06:00
Bug/xss bug
diff --git a/resources/views/components/alerts-handler.blade.php b/resources/views/components/alerts-handler.blade.php
@@ -1,4 +1,5 @@
 <div
+  x-cloak
   x-data='{ open: false, message: "", type: "success" }'
   x-init="@this.on('notify', (notification) => {
     open = true;
diff --git a/resources/views/components/editable.blade.php b/resources/views/components/editable.blade.php
@@ -11,7 +11,8 @@
     editing: false
   }"
   @click.away="editing = false; value = original;">
-  <input x-cloak
+  <input
+    x-cloak
     x-ref="input"
     x-show="editing"
     x-model="value"
@@ -24,7 +25,7 @@ class="block appearance-none w-full bg-white border-gray-300 hover:border-gray-5
     @click="editing = true; $nextTick(() => {$refs.input.focus()})"
     x-html="value"
     class='transition-all duration-300 ease-in-out px-2 py-1 rounded cursor-pointer focus:outline-none hover:bg-white hover:border-gray-500 border border-transparent'>
-    {!! $model->$field !!}
+    {!! strip_tags($model->$field) !!}
   </div>
 
 </div>

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`<div`
	`2`	`+ x-cloak`
`2`	`3`	`x-data='{ open: false, message: "", type: "success" }'`
`3`	`4`	`x-init="@this.on('notify', (notification) => {`
`4`	`5`	`open = true;`