XSS fixes
This commit is contained in:
parent
08b5e398ba
commit
ef2d820744
@ -431,7 +431,7 @@ class ClientPortalController extends BaseController
|
|||||||
return $model->invitation_key ? link_to('/view/'.$model->invitation_key, $model->invoice_number)->toHtml() : $model->invoice_number;
|
return $model->invitation_key ? link_to('/view/'.$model->invitation_key, $model->invoice_number)->toHtml() : $model->invoice_number;
|
||||||
})
|
})
|
||||||
->addColumn('transaction_reference', function ($model) {
|
->addColumn('transaction_reference', function ($model) {
|
||||||
return $model->transaction_reference ? $model->transaction_reference : '<i>'.trans('texts.manual_entry').'</i>';
|
return $model->transaction_reference ? e($model->transaction_reference) : '<i>'.trans('texts.manual_entry').'</i>';
|
||||||
})
|
})
|
||||||
->addColumn('payment_type', function ($model) {
|
->addColumn('payment_type', function ($model) {
|
||||||
return ($model->payment_type && ! $model->last4) ? $model->payment_type : ($model->account_gateway_id ? '<i>Online payment</i>' : '');
|
return ($model->payment_type && ! $model->last4) ? $model->payment_type : ($model->account_gateway_id ? '<i>Online payment</i>' : '');
|
||||||
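Review bot: The `payment_type` column on the last line of this hunk still returns `$model->payment_type` unescaped, and the `invoice_number` fallback at the top (`: $model->invoice_number`) is raw as well, while only `transaction_reference` gained `e()`. Invoice numbers are user-entered, so the fallback deserves the same treatment: `link_to(...)->toHtml() : e($model->invoice_number)`; `payment_type` presumably comes from a lookup table and is lower risk, but `e($model->payment_type)` costs nothing and keeps the three columns consistent. The `link_to(...)` branch relies on the HTML builder escaping the link title, which is worth confirming for the installed version. The enclosing datatable method starts and ends outside the hunk.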
|
@ -161,7 +161,7 @@ class TaskController extends BaseController
|
|||||||
$invoices = $task->client_id ? $this->invoiceRepo->findOpenInvoices($task->client_id) : [];
|
$invoices = $task->client_id ? $this->invoiceRepo->findOpenInvoices($task->client_id) : [];
|
||||||
|
|
||||||
foreach ($invoices as $invoice) {
|
foreach ($invoices as $invoice) {
|
||||||
$actions[] = ['url' => 'javascript:submitAction("add_to_invoice", '.$invoice->public_id.')', 'label' => trans('texts.add_to_invoice', ['invoice' => $invoice->invoice_number])];
|
$actions[] = ['url' => 'javascript:submitAction("add_to_invoice", '.$invoice->public_id.')', 'label' => trans('texts.add_to_invoice', ['invoice' => e($invoice->invoice_number)])];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
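Review bot: Escaping `invoice_number` inside `trans()` here makes `label` carry HTML-encoded text out of the controller, so whichever view prints `$actions[]['label']` must output it raw; if it uses `{{ }}` the number will be double-encoded. Pick one layer and record it where `$actions` is built, e.g. `// labels are pre-escaped HTML; the view must render them with {!! !!}`. The `url` value also interpolates `$invoice->public_id` into a `javascript:` URL; it is presumably an integer, but an explicit `(int) $invoice->public_id` makes that guarantee visible rather than assumed. The surrounding method continues outside the hunk.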
|
@ -39,6 +39,8 @@ class HTMLUtils
|
|||||||
|
|
||||||
public static function sanitizeHTML($html)
|
public static function sanitizeHTML($html)
|
||||||
{
|
{
|
||||||
|
$html = html_entity_decode($html);
|
||||||
|
|
||||||
$config = HTMLPurifier_Config::createDefault();
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
$purifier = new HTMLPurifier($config);
|
$purifier = new HTMLPurifier($config);
|
||||||
|
|
||||||
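Review bot: The new `html_entity_decode($html)` call uses PHP's default flags, so `&quot;` is decoded but `&#039;`/`&apos;` are not, and the default charset depends on the PHP version; `html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8')` makes the behaviour explicit. The line also needs a why-comment, because decoding turns any previously escaped stored text back into live markup before the purifier sees it, which is only safe if every caller treats the return value as trusted HTML: `// Decode stored entities first so escaped markup is purified rather than passed through as inert text`. `sanitizeHTML`'s return statement lies outside the hunk, so it is not visible whether the default `HTMLPurifier_Config` is restricted further.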
|
@ -123,11 +123,11 @@ class Activity extends Eloquent
|
|||||||
|
|
||||||
$data = [
|
$data = [
|
||||||
'client' => $client ? link_to($client->getRoute(), $client->getDisplayName()) : null,
|
'client' => $client ? link_to($client->getRoute(), $client->getDisplayName()) : null,
|
||||||
'user' => $isSystem ? '<i>' . trans('texts.system') . '</i>' : $user->getDisplayName(),
|
'user' => $isSystem ? '<i>' . trans('texts.system') . '</i>' : e($user->getDisplayName()),
|
||||||
'invoice' => $invoice ? link_to($invoice->getRoute(), $invoice->getDisplayName()) : null,
|
'invoice' => $invoice ? link_to($invoice->getRoute(), $invoice->getDisplayName()) : null,
|
||||||
'quote' => $invoice ? link_to($invoice->getRoute(), $invoice->getDisplayName()) : null,
|
'quote' => $invoice ? link_to($invoice->getRoute(), $invoice->getDisplayName()) : null,
|
||||||
'contact' => $contactId ? $client->getDisplayName() : $user->getDisplayName(),
|
'contact' => $contactId ? e($client->getDisplayName()) : e($user->getDisplayName()),
|
||||||
'payment' => $payment ? $payment->transaction_reference : null,
|
'payment' => $payment ? e($payment->transaction_reference) : null,
|
||||||
'payment_amount' => $payment ? $account->formatMoney($payment->amount, $payment) : null,
|
'payment_amount' => $payment ? $account->formatMoney($payment->amount, $payment) : null,
|
||||||
'adjustment' => $this->adjustment ? $account->formatMoney($this->adjustment, $this) : null,
|
'adjustment' => $this->adjustment ? $account->formatMoney($this->adjustment, $this) : null,
|
||||||
'credit' => $credit ? $account->formatMoney($credit->amount, $client) : null,
|
'credit' => $credit ? $account->formatMoney($credit->amount, $client) : null,
|
||||||
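Review bot: `$data` now mixes pre-rendered HTML (`link_to(...)`, the `<i>` system marker) with explicitly escaped strings, so it is implicitly a trusted-HTML array and any future key added without `e()` reopens the same XSS; a comment on the array pins the contract: `// Every value is interpolated unescaped into the activity text; plain strings MUST go through e()`. The `client`/`invoice`/`quote` entries rely on `link_to()` escaping its title argument, which holds for Laravel's HtmlBuilder but is worth confirming for the version in use. The `formatMoney()` results are left raw, which is fine only if the currency data they draw on is trusted. The enclosing method continues beyond the hunk.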
|
@ -290,7 +290,7 @@ trait PresentsInvoice
|
|||||||
'contact.custom_value1' => 'custom_contact_label1',
|
'contact.custom_value1' => 'custom_contact_label1',
|
||||||
'contact.custom_value2' => 'custom_contact_label2',
|
'contact.custom_value2' => 'custom_contact_label2',
|
||||||
] as $field => $property) {
|
] as $field => $property) {
|
||||||
$data[$field] = $this->$property ?: trans('texts.custom_field');
|
$data[$field] = e($this->$property) ?: trans('texts.custom_field');
|
||||||
}
|
}
|
||||||
|
|
||||||
return $data;
|
return $data;
|
||||||
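Review bot: `e($this->$property) ?: trans('texts.custom_field')` applies HTML escaping inside a presenter trait, far from the sink; if this `$data` feeds the PDF renderer or a JavaScript design object rather than an HTML view, labels containing `&` or quotes will appear literally as `&amp;` / `&#039;`. Confirm where `$data` is consumed before keeping the `e()` here, and if it does go to HTML, say so: `// labels are HTML-escaped here because the invoice designs render them unescaped` (hedged — the consumer is not visible in this hunk). The fallback should still fire for empty labels since escaping an empty or null value yields `''`. The method continues outside the hunk.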
|
@ -4,6 +4,7 @@ namespace App\Models\Traits;
|
|||||||
|
|
||||||
use App\Constants\Domain;
|
use App\Constants\Domain;
|
||||||
use Utils;
|
use Utils;
|
||||||
|
use HTMLUtils;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class SendsEmails.
|
* Class SendsEmails.
|
||||||
@ -36,7 +37,8 @@ trait SendsEmails
|
|||||||
$value = $this->account_email_settings->$field;
|
$value = $this->account_email_settings->$field;
|
||||||
|
|
||||||
if ($value) {
|
if ($value) {
|
||||||
return preg_replace("/\r\n|\r|\n/", ' ', $value);
|
$value = preg_replace("/\r\n|\r|\n/", ' ', $value);
|
||||||
|
return HTMLUtils::sanitizeHTML($value);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -94,7 +96,9 @@ trait SendsEmails
|
|||||||
$template = preg_replace("/\r\n|\r|\n/", ' ', $template);
|
$template = preg_replace("/\r\n|\r|\n/", ' ', $template);
|
||||||
|
|
||||||
// <br/> is causing page breaks with the email designs
|
// <br/> is causing page breaks with the email designs
|
||||||
return str_replace('/>', ' />', $template);
|
$template = str_replace('/>', ' />', $template);
|
||||||
|
|
||||||
|
return HTMLUtils::sanitizeHTML($template);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
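Review bot: Running `HTMLUtils::sanitizeHTML()` on every value read from `account_email_settings->$field` (first hunk) assumes the field is an HTML body; the field name is not visible here, but if this accessor serves the e-mail subject, the purifier will re-serialise text as HTML (`&` becomes `&amp;`, `<` becomes `&lt;`) and that lands verbatim in the Subject header. Guard it, e.g. `return $isHtmlField ? HTMLUtils::sanitizeHTML($value) : $value;`, or keep subjects on a plain-text path. HTMLPurifier is also comparatively slow and here runs on every template read in a per-e-mail code path, so sanitising once on save (or caching the result) is worth considering. In the second hunk the `str_replace('/>', ' />', ...)` workaround is now moot, since the purifier re-serialises tags itself. Both methods start outside their hunks.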
|
@ -50,13 +50,13 @@ class CreditDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'public_notes',
|
'public_notes',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->public_notes;
|
return e($model->public_notes);
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
'private_notes',
|
'private_notes',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->private_notes;
|
return e($model->private_notes);
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
];
|
];
|
||||||
|
@ -84,7 +84,7 @@ class ExpenseDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'public_notes',
|
'public_notes',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->public_notes != null ? substr($model->public_notes, 0, 100) : '';
|
return $model->public_notes != null ? e(substr($model->public_notes, 0, 100)) : '';
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
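Review bot: `e(substr($model->public_notes, 0, 100))` truncates by byte, so a note with multibyte text can be cut in the middle of a UTF-8 sequence; `htmlentities`/`htmlspecialchars` without `ENT_SUBSTITUTE` then return an empty string for the invalid input, which would blank the whole cell (assuming `e()` is Laravel's wrapper — confirm its flags). Use a character-aware cut: `return $model->public_notes != null ? e(mb_substr($model->public_notes, 0, 100)) : '';`. The `!= null` comparison also treats `''` and `'0'` as null; `!== null` or a plain truthiness check would be clearer.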
|
@ -46,7 +46,7 @@ class PaymentDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'transaction_reference',
|
'transaction_reference',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->transaction_reference ? $model->transaction_reference : '<i>'.trans('texts.manual_entry').'</i>';
|
return $model->transaction_reference ? e($model->transaction_reference) : '<i>'.trans('texts.manual_entry').'</i>';
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
|
@ -24,7 +24,7 @@ class ProductDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'notes',
|
'notes',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return nl2br(Str::limit($model->notes, 100));
|
return e(nl2br(Str::limit($model->notes, 100)));
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
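Review bot: `e(nl2br(Str::limit($model->notes, 100)))` escapes the `<br />` tags that `nl2br()` just inserted, so every line break in a product note now renders as the literal text `&lt;br /&gt;`. Escape first, then add the markup: `return nl2br(e(Str::limit($model->notes, 100)));`. The `...` that `Str::limit` appends is unaffected by the escaping either way.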
|
@ -64,7 +64,7 @@ class RecurringInvoiceDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'private_notes',
|
'private_notes',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->private_notes;
|
return e($model->private_notes);
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
|
@ -55,7 +55,7 @@ class TaskDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'description',
|
'description',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->description;
|
return e($model->description);
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
|
@ -14,7 +14,7 @@ class UserDatatable extends EntityDatatable
|
|||||||
[
|
[
|
||||||
'first_name',
|
'first_name',
|
||||||
function ($model) {
|
function ($model) {
|
||||||
return $model->public_id ? link_to('users/'.$model->public_id.'/edit', $model->first_name.' '.$model->last_name)->toHtml() : ($model->first_name.' '.$model->last_name);
|
return $model->public_id ? link_to('users/'.$model->public_id.'/edit', $model->first_name.' '.$model->last_name)->toHtml() : e($model->first_name.' '.$model->last_name);
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
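Review bot: Only the no-`public_id` branch escapes the name; the `link_to(...)` branch still passes `$model->first_name.' '.$model->last_name` raw and relies on the HTML builder escaping its title, so verify that the installed `link_to()` escapes by default before trusting it. Build the name once so the two branches cannot drift: `$name = $model->first_name.' '.$model->last_name;` then `link_to('users/'.$model->public_id.'/edit', $name)->toHtml() : e($name)`, with `// link_to() escapes the title itself; do not pre-escape` above it.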
|
@ -166,7 +166,7 @@ class AccountPresenter extends Presenter
|
|||||||
if ($rate->is_inclusive) {
|
if ($rate->is_inclusive) {
|
||||||
$name .= ' - ' . trans('texts.inclusive');
|
$name .= ' - ' . trans('texts.inclusive');
|
||||||
}
|
}
|
||||||
$options[($rate->is_inclusive ? '1 ' : '0 ') . $rate->rate . ' ' . $rate->name] = $name;
|
$options[($rate->is_inclusive ? '1 ' : '0 ') . $rate->rate . ' ' . $rate->name] = e($name);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $options;
|
return $options;
|
||||||
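Review bot: Only the option text is escaped here; the array key `($rate->is_inclusive ? '1 ' : '0 ') . $rate->rate . ' ' . $rate->name` still carries the raw `$rate->name` and becomes the `value` attribute of the rendered `<option>`, so its safety depends on the select helper escaping attributes — confirm for the renderer in use. If that helper already escapes option labels, as Laravel's select builder does, `e($name)` double-encodes names containing `&` or quotes. Decide at which layer the escaping lives and document it on `$options`, e.g. `// labels are pre-escaped; the select renderer must not escape them again`. The method continues outside the hunk.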
|
@ -89,7 +89,7 @@ class CreditRepository extends BaseRepository
|
|||||||
return Utils::formatMoney($model->balance, $model->currency_id, $model->country_id);
|
return Utils::formatMoney($model->balance, $model->currency_id, $model->country_id);
|
||||||
})
|
})
|
||||||
->addColumn('public_notes', function ($model) {
|
->addColumn('public_notes', function ($model) {
|
||||||
return $model->public_notes;
|
return e($model->public_notes);
|
||||||
})
|
})
|
||||||
->make();
|
->make();
|
||||||
|
|
||||||
|
@ -24,10 +24,10 @@
|
|||||||
|
|
||||||
@if ($account->hasFeature(FEATURE_INVOICE_SETTINGS))
|
@if ($account->hasFeature(FEATURE_INVOICE_SETTINGS))
|
||||||
@if ($account->custom_invoice_item_label1)
|
@if ($account->custom_invoice_item_label1)
|
||||||
{!! Former::text('custom_value1')->label($account->custom_invoice_item_label1) !!}
|
{!! Former::text('custom_value1')->label(e($account->custom_invoice_item_label1)) !!}
|
||||||
@endif
|
@endif
|
||||||
@if ($account->custom_invoice_item_label2)
|
@if ($account->custom_invoice_item_label2)
|
||||||
{!! Former::text('custom_value2')->label($account->custom_invoice_item_label2) !!}
|
{!! Former::text('custom_value2')->label(e($account->custom_invoice_item_label2)) !!}
|
||||||
@endif
|
@endif
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
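Review bot: The fix wraps each `->label(...)` argument in `e()` at the call site, and the same edit recurs in every Blade file of this commit, which indicates Former's `label()` does not escape and that every future label call must remember the wrapper. Centralising it — an accessor or presenter method on `Account` that returns the escaped custom label — removes the per-site discipline; failing that, a short comment records the reason: `{{-- custom labels are user-entered; Former does not escape label text --}}`. The `@if ($account->custom_invoice_item_label1)` guard also hides a label of `0`, a minor truthiness quirk worth an explicit `!== ''` check if it matters.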
|
@ -50,10 +50,10 @@
|
|||||||
|
|
||||||
@if (Auth::user()->hasFeature(FEATURE_INVOICE_SETTINGS))
|
@if (Auth::user()->hasFeature(FEATURE_INVOICE_SETTINGS))
|
||||||
@if ($customLabel1)
|
@if ($customLabel1)
|
||||||
{!! Former::text('custom_value1')->label($customLabel1) !!}
|
{!! Former::text('custom_value1')->label(e($customLabel1)) !!}
|
||||||
@endif
|
@endif
|
||||||
@if ($customLabel2)
|
@if ($customLabel2)
|
||||||
{!! Former::text('custom_value2')->label($customLabel2) !!}
|
{!! Former::text('custom_value2')->label(e($customLabel2)) !!}
|
||||||
@endif
|
@endif
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
@ -115,12 +115,12 @@
|
|||||||
@if ($account->custom_contact_label1)
|
@if ($account->custom_contact_label1)
|
||||||
{!! Former::text('custom_contact1')->data_bind("value: custom_value1, valueUpdate: 'afterkeydown',
|
{!! Former::text('custom_contact1')->data_bind("value: custom_value1, valueUpdate: 'afterkeydown',
|
||||||
attr: {name: 'contacts[' + \$index() + '][custom_value1]'}")
|
attr: {name: 'contacts[' + \$index() + '][custom_value1]'}")
|
||||||
->label($account->custom_contact_label1) !!}
|
->label(e($account->custom_contact_label1)) !!}
|
||||||
@endif
|
@endif
|
||||||
@if ($account->custom_contact_label2)
|
@if ($account->custom_contact_label2)
|
||||||
{!! Former::text('custom_contact2')->data_bind("value: custom_value2, valueUpdate: 'afterkeydown',
|
{!! Former::text('custom_contact2')->data_bind("value: custom_value2, valueUpdate: 'afterkeydown',
|
||||||
attr: {name: 'contacts[' + \$index() + '][custom_value2]'}")
|
attr: {name: 'contacts[' + \$index() + '][custom_value2]'}")
|
||||||
->label($account->custom_contact_label2) !!}
|
->label(e($account->custom_contact_label2)) !!}
|
||||||
@endif
|
@endif
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
|
@ -135,7 +135,14 @@
|
|||||||
<label class="checkbox" data-bind="attr: {for: $index() + '_check'}, visible: email.display" onclick="refreshPDF(true)">
|
<label class="checkbox" data-bind="attr: {for: $index() + '_check'}, visible: email.display" onclick="refreshPDF(true)">
|
||||||
<input type="hidden" value="0" data-bind="attr: {name: 'client[contacts][' + $index() + '][send_invoice]'}">
|
<input type="hidden" value="0" data-bind="attr: {name: 'client[contacts][' + $index() + '][send_invoice]'}">
|
||||||
<input type="checkbox" value="1" data-bind="visible: email() || first_name() || last_name(), checked: send_invoice, attr: {id: $index() + '_check', name: 'client[contacts][' + $index() + '][send_invoice]'}">
|
<input type="checkbox" value="1" data-bind="visible: email() || first_name() || last_name(), checked: send_invoice, attr: {id: $index() + '_check', name: 'client[contacts][' + $index() + '][send_invoice]'}">
|
||||||
<span data-bind="html: email.display"></span>
|
<span data-bind="visible: first_name || last_name">
|
||||||
|
<span data-bind="text: first_name() + ' ' + last_name()"></span>
|
||||||
|
<br/>
|
||||||
|
</span>
|
||||||
|
<span data-bind="visible: email">
|
||||||
|
<span data-bind="text: email"></span>
|
||||||
|
<br/>
|
||||||
|
</span>
|
||||||
</label>
|
</label>
|
||||||
@if ( ! $invoice->is_deleted && ! $invoice->client->is_deleted)
|
@if ( ! $invoice->is_deleted && ! $invoice->client->is_deleted)
|
||||||
<span data-bind="visible: !$root.invoice().is_recurring()">
|
<span data-bind="visible: !$root.invoice().is_recurring()">
|
||||||
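Review bot: The new `<span data-bind="visible: first_name || last_name">` short-circuits on the observable *function* `first_name`, which is always truthy, so Knockout unwraps only `first_name` and the span is hidden whenever the first name is empty even if a last name is set; the checkbox binding a few lines above shows the correct form with call parentheses. Use `visible: first_name() || last_name()`. Replacing the `html:` binding with `text:` is the right fix for the XSS; note the `<label ... visible: email.display>` further up still refers to the old `email.display` computed, so confirm it was not removed from the view model in a part of the change not shown here.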
@ -181,7 +188,7 @@
|
|||||||
@endif
|
@endif
|
||||||
|
|
||||||
@if ($account->showCustomField('custom_invoice_text_label1', $invoice))
|
@if ($account->showCustomField('custom_invoice_text_label1', $invoice))
|
||||||
{!! Former::text('custom_text_value1')->label($account->custom_invoice_text_label1 ?: ' ')->data_bind("value: custom_text_value1, valueUpdate: 'afterkeydown'") !!}
|
{!! Former::text('custom_text_value1')->label(e($account->custom_invoice_text_label1) ?: ' ')->data_bind("value: custom_text_value1, valueUpdate: 'afterkeydown'") !!}
|
||||||
@endif
|
@endif
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
@ -226,7 +233,7 @@
|
|||||||
) !!}
|
) !!}
|
||||||
|
|
||||||
@if ($account->showCustomField('custom_invoice_text_label2', $invoice))
|
@if ($account->showCustomField('custom_invoice_text_label2', $invoice))
|
||||||
{!! Former::text('custom_text_value2')->label($account->custom_invoice_text_label2 ?: ' ')->data_bind("value: custom_text_value2, valueUpdate: 'afterkeydown'") !!}
|
{!! Former::text('custom_text_value2')->label(e($account->custom_invoice_text_label2) ?: ' ')->data_bind("value: custom_text_value2, valueUpdate: 'afterkeydown'") !!}
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
@if ($entityType == ENTITY_INVOICE)
|
@if ($entityType == ENTITY_INVOICE)
|
||||||
@ -591,12 +598,12 @@
|
|||||||
@if (Auth::user()->hasFeature(FEATURE_INVOICE_SETTINGS))
|
@if (Auth::user()->hasFeature(FEATURE_INVOICE_SETTINGS))
|
||||||
@if ($account->custom_client_label1)
|
@if ($account->custom_client_label1)
|
||||||
{!! Former::text('client[custom_value1]')
|
{!! Former::text('client[custom_value1]')
|
||||||
->label($account->custom_client_label1)
|
->label(e($account->custom_client_label1))
|
||||||
->data_bind("value: custom_value1, valueUpdate: 'afterkeydown'") !!}
|
->data_bind("value: custom_value1, valueUpdate: 'afterkeydown'") !!}
|
||||||
@endif
|
@endif
|
||||||
@if ($account->custom_client_label2)
|
@if ($account->custom_client_label2)
|
||||||
{!! Former::text('client[custom_value2]')
|
{!! Former::text('client[custom_value2]')
|
||||||
->label($account->custom_client_label2)
|
->label(e($account->custom_client_label2))
|
||||||
->data_bind("value: custom_value2, valueUpdate: 'afterkeydown'") !!}
|
->data_bind("value: custom_value2, valueUpdate: 'afterkeydown'") !!}
|
||||||
@endif
|
@endif
|
||||||
@endif
|
@endif
|
||||||
@ -651,12 +658,12 @@
|
|||||||
@if ($account->custom_contact_label1)
|
@if ($account->custom_contact_label1)
|
||||||
{!! Former::text('custom_contact1')->data_bind("value: custom_value1, valueUpdate: 'afterkeydown',
|
{!! Former::text('custom_contact1')->data_bind("value: custom_value1, valueUpdate: 'afterkeydown',
|
||||||
attr: {name: 'client[contacts][' + \$index() + '][custom_value1]'}")
|
attr: {name: 'client[contacts][' + \$index() + '][custom_value1]'}")
|
||||||
->label($account->custom_contact_label1) !!}
|
->label(e($account->custom_contact_label1)) !!}
|
||||||
@endif
|
@endif
|
||||||
@if ($account->custom_contact_label2)
|
@if ($account->custom_contact_label2)
|
||||||
{!! Former::text('custom_contact2')->data_bind("value: custom_value2, valueUpdate: 'afterkeydown',
|
{!! Former::text('custom_contact2')->data_bind("value: custom_value2, valueUpdate: 'afterkeydown',
|
||||||
attr: {name: 'client[contacts][' + \$index() + '][custom_value2]'}")
|
attr: {name: 'client[contacts][' + \$index() + '][custom_value2]'}")
|
||||||
->label($account->custom_contact_label2) !!}
|
->label(e($account->custom_contact_label2)) !!}
|
||||||
@endif
|
@endif
|
||||||
@endif
|
@endif
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
|