XSS patch for basic models
@@ -2786,7 +2786,7 @@ class TicketController extends Controller
|
||||
$color = "<i class='fa fa-exclamation-triangle' title='".Lang::get('lang.accoutn-not-verified')."'></i>";
|
||||
}
|
||||
|
||||
return "<a href='".$url."' title='".Lang::get('lang.see-profile1').' '.$name.'''.Lang::get('lang.see-profile2')."'><span style='color:#508983'>".str_limit($name, 30).' <span style="color:#f75959">'.$color.'</span></span></a>';
|
||||
return "<a href='".$url."' title='".Lang::get('lang.see-profile1').' '.strip_tags($name).'''.Lang::get('lang.see-profile2')."'><span style='color:#508983'>".str_limit(strip_tags($name), 30).' <span style="color:#f75959">'.$color.'</span></span></a>';
|
||||
})
|
||||
->editColumn('a_uname', function ($tickets) {
|
||||
if ($tickets->assigned_to == null && $tickets->name == null) {
|
||||
@@ -2797,11 +2797,11 @@ class TicketController extends Controller
|
||||
$assign = utfEncoding($tickets->a_fname).' '.utfEncoding($tickets->a_lname);
|
||||
$url = route('user.show', $tickets->assigned_to);
|
||||
|
||||
return "<a href='".$url."' title='".Lang::get('lang.see-profile1').' '.$assign.'''.Lang::get('lang.see-profile2')."'><span style='color:green'>".mb_substr($assign, 0, 30, 'UTF-8').'</span></a>';
|
||||
return "<a href='".$url."' title='".Lang::get('lang.see-profile1').' '.strip_tags($assign).'''.Lang::get('lang.see-profile2')."'><span style='color:green'>".mb_substr(strip_tags($assign), 0, 30, 'UTF-8').'</span></a>';
|
||||
} else {
|
||||
$url1 = '#';
|
||||
|
||||
return "<a href='".$url1."' title='".Lang::get('lang.see-profile1').' '.ucfirst($tickets->name).'''.Lang::get('lang.see-profile2')."'><span style='color:green'>".mb_substr(ucfirst($tickets->name), 0, 30, 'UTF-8').'</span></a>';
|
||||
return "<a href='".$url1."' title='".Lang::get('lang.see-profile1').' '.ucfirst(strip_tags($tickets->name)).'''.Lang::get('lang.see-profile2')."'><span style='color:green'>".mb_substr(ucfirst(strip_tags($tickets->name)), 0, 30, 'UTF-8').'</span></a>';
|
||||
}
|
||||
}
|
||||
})
|
||||
|
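Review bot: strip_tags() on L17 removes tag-shaped text but leaves quotes intact, so a name containing `'` can still close the single-quoted title attribute it is interpolated into; the same applies to `$assign` and `$tickets->name` on the two new lines of the second hunk (L43, L57), and the same strip-instead-of-escape pattern recurs in the Comment, User and Blade-view changes later in this commit. Both the attribute and the text context need HTML escaping rather than tag removal: `htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (Laravel's `e()`) applied at each interpolation point. Truncate first and escape the result — `e(str_limit($name, 30))` and `e(mb_substr($assign, 0, 30, 'UTF-8'))` — otherwise the cut can land inside an entity produced by the escaping. Both closures begin before their hunks and the editColumn chain continues after them.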
@@ -41,6 +41,8 @@ class ClientRequest extends Request
|
||||
'Email' => 'required|email',
|
||||
'Subject' => 'required',
|
||||
'Details' => 'required',
|
||||
'mobile' => 'numeric',
|
||||
'Phone' => 'numeric',
|
||||
];
|
||||
$custom_rule = $this->getCustomRule();
|
||||
$rules = array_merge($current_rule, $custom_rule);
|
||||
@@ -133,7 +135,8 @@ class ClientRequest extends Request
|
||||
'Email' => 'email',
|
||||
'Subject' => 'required',
|
||||
'Details' => 'required',
|
||||
'mobile' => 'required',
|
||||
'mobile' => 'required|numeric',
|
||||
'Phone' => 'numeric',
|
||||
];
|
||||
} else {
|
||||
return [
|
||||
|
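Review bot: the `numeric` rule on the new `Phone`/`mobile` entries (L82, L85, L112, L115) validates with is_numeric() semantics, so values such as `1e5`, `-12` or a leading-whitespace `" 42"` pass while a formatted number like `+44 20 7946 0958` is rejected; if a digits-only phone number is intended, `digits_between:min,max` or a `regex:` rule states that precisely and is easier to audit. Both rule arrays begin before their hunks, and the first hunk's `array_merge($current_rule, $custom_rule)` lets a custom rule with the same key replace these core ones — presumably intended, but worth a one-line comment on L94 such as `// custom rules override core rules with the same key`.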
@@ -132,7 +132,7 @@ class Ticket_Thread extends Model
|
||||
|
||||
public function getSubject()
|
||||
{
|
||||
$subject = $this->attributes['title'];
|
||||
$subject = strip_tags($this->attributes['title']);
|
||||
$array = imap_mime_header_decode($subject);
|
||||
$title = '';
|
||||
if (is_array($array) && count($array) > 0) {
|
||||
|
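Review bot: L142 strips tags from the raw header value before `imap_mime_header_decode()` on L145 decodes it, so a subject delivered as an RFC 2047 encoded-word (`=?UTF-8?B?…?=`) is decoded only after the strip and any markup inside it reaches `$title` untouched. Keep `$subject = $this->attributes['title'];` and apply the stripping to the assembled `$title` instead, or better leave the model value raw and escape at output with `{{ }}`, which also handles quotes and `&` that strip_tags() leaves alone. The remainder of getSubject(), including the loop that builds `$title` and the return, lies outside the hunk.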
@@ -12,4 +12,24 @@ class Comment extends BaseModel
|
||||
{
|
||||
protected $table = 'kb_comment';
|
||||
protected $fillable = ['article_id', 'name', 'email', 'website', 'comment', 'status'];
|
||||
|
||||
public function setNameAttribute($value)
|
||||
{
|
||||
$this->attributes['name'] = strip_tags($value);
|
||||
}
|
||||
|
||||
public function setCommentAttribute($value)
|
||||
{
|
||||
$this->attributes['comment'] = strip_tags($value);
|
||||
}
|
||||
|
||||
public function getNameAttribute($value)
|
||||
{
|
||||
return strip_tags($value);
|
||||
}
|
||||
|
||||
public function getCommentAttribute($value)
|
||||
{
|
||||
return strip_tags($value);
|
||||
}
|
||||
}
|
||||
|
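Review bot: the new mutators (L169–L192) permanently alter stored data — a comment like `a <b and b> c` loses `<b and b>` before it is saved — while the accessors (L197–L220) strip again on read, so the write-side stripping adds nothing the read side does not already provide and discards user content irreversibly. Since these accessors are now the only protection, any template printing `$comment->comment` through `{!! !!}` or inside an attribute still needs `e()`; storing the raw value and escaping at output is the usual Laravel pattern and avoids the lossy transform. `email` and `website` remain fillable and uncovered; if `website` is rendered as an `href`, tag stripping says nothing about its scheme, so validate it as an http(s) URL in the request rules instead. On PHP 8.1+ `strip_tags(null)` for a NULL column emits a deprecation, so `strip_tags($value ?? '')` guards nullable columns.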
29
app/User.php
29
app/User.php
@@ -176,6 +176,35 @@ class User extends Model implements AuthenticatableContract, CanResetPasswordCon
|
||||
return $this->name();
|
||||
}
|
||||
|
||||
public function getFirstNameAttribute($value)
|
||||
{
|
||||
return strip_tags($value);
|
||||
}
|
||||
|
||||
public function getLastNameAttribute($value)
|
||||
{
|
||||
return strip_tags($value);
|
||||
}
|
||||
|
||||
public function getUserNameAttribute($value)
|
||||
{
|
||||
return strip_tags($value);
|
||||
}
|
||||
|
||||
public function setFirstNameAttribute($value)
|
||||
{
|
||||
$this->attributes['first_name']=strip_tags($value);
|
||||
}
|
||||
|
||||
public function setLastNameAttribute($value)
|
||||
{
|
||||
$this->attributes['last_name']= strip_tags($value);
|
||||
}
|
||||
|
||||
public function setUserNameAttribute($value)
|
||||
{
|
||||
$this->attributes['user_name']= strip_tags($value);
|
||||
}
|
||||
/**
|
||||
* Get the identifier that will be stored in the subject claim of the JWT.
|
||||
*
|
||||
|
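Review bot: the mutator bodies on L290, L304 and L318 spell the assignment `]=strip_tags(` and `]= strip_tags(` with inconsistent spacing, while the surrounding class follows PSR-12; write all three as `$this->attributes['first_name'] = strip_tags($value);`. The closing brace of setUserNameAttribute on L321 runs straight into the `/**` docblock of the following method on L324 with no blank line, which detaches that docblock visually and fails PSR-12. None of the six new methods carries a docblock; a one-liner such as `/** Strip HTML from the stored value on read; output still needs context-aware escaping. */` on the accessors and `/** Strip HTML before persisting; lossy for legitimate `<` characters. */` on the mutators would record the intent and the trade-off. On PHP 8.1+ `strip_tags(null)` for a NULL column emits a deprecation, so `$value ?? ''` is worth adding if any of these columns is nullable.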
@@ -1219,7 +1219,7 @@ if ($thread->title != "") {
|
||||
|
||||
<select class="form-control" id="select-merge-parent" name='p_id' data-placeholder="{!! Lang::get('lang.select_tickets') !!}" style="width: 100%;"><option value="{{$tickets->id}}"><?php
|
||||
$ticket_data = App\Model\helpdesk\Ticket\Ticket_Thread::select('title')->where('ticket_id', "=", $tickets->id)->first();
|
||||
echo $ticket_data->title;
|
||||
echo strip_tags($ticket_data->title);
|
||||
?></option></select>
|
||||
</div>
|
||||
</div>
|
||||
|
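Review bot: the new `echo strip_tags($ticket_data->title);` on L348 still bypasses Blade's escaping because it sits inside a raw `<?php ?>` block; printing the title as `{{ $ticket_data->title }}` (or `echo e($ticket_data->title);`) escapes `<`, `&` and quotes for the `<option>` text context without discarding legitimate characters the way strip_tags() does. `$ticket_data` comes from `->first()` on L342, which returns null when no thread row matches, so the dereference wants a guard such as `echo e($ticket_data ? $ticket_data->title : '');` — hedged, since an invariant elsewhere may guarantee a thread exists. Running a query from inside the view also belongs in the controller; the enclosing `if ($thread->title != "")` block begins before the hunk.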