Merge pull request #51 from iFixit/fix/xss-remediation

Fix: Add stevebauman/purify for HTML sanitization

Author: ardelato

app/Http/Controllers/GroupController.php

@@ -455,7 +455,7 @@ public function delete($id): RedirectResponse
             $group->delete();
 
             return redirect('/group')->with('success', __('groups.delete_succeeded', [
-                'name' => $name,
+                'name' => e($name),
             ]));
         } else {
             return redirect('/user/forbidden');
@@ -576,7 +576,7 @@ public function getJoinGroup($group_id): RedirectResponse
             return redirect()
                 ->back()
                 ->with('success', __('groups.now_following', [
-                    'name' => $group->name,
+                    'name' => e($group->name),
                     'link' => url('/group/view/'.$group->idgroups),
                 ]));
         } catch (\Exception $e) {
@@ -661,7 +661,7 @@ public function inviteNearbyRestarter($groupId, $userId): RedirectResponse
             }
         }
 
-        return redirect('/group/nearby/'.intval($groupId))->with('success', $user->name.' has been invited');
+        return redirect('/group/nearby/'.intval($groupId))->with('success', e($user->name).' has been invited');
     }
 
     /**

app/Http/Controllers/UserController.php

@@ -292,7 +292,7 @@ public function postSoftDeleteUser(Request $request): RedirectResponse
 
         if (Auth::id() !== $user_id) {
             return redirect('user/all')->with('danger', __('profile.soft_deleted', [
-                'name' => $old_user_name
+                'name' => e($old_user_name)
             ]));
         } else {
             return redirect('login');

app/Http/Middleware/AcceptUserInvites.php

@@ -45,13 +45,13 @@ public function handle(Request $request, Closure $next): Response
                         $acceptance->delete();
                         $request->session()->push('invites-feedback', __('groups.you_have_joined', [
                             'url' => url("/group/view/{$group->idgroups}"),
-                            'name' => $group->name
+                            'name' => e($group->name)
                         ]));
 
                     // Else that must mean the User is already part of the Group.
                         // We can then delete the Invite and create a new session
                     } else {
-                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href='.url("/group/view/{$group->idgroups}").">{$group->name}</a>");
+                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href="'.url("/group/view/{$group->idgroups}").'">'.e($group->name).'</a>');
                     }
                 }
                 $request->session()->forget('groups');
@@ -78,13 +78,13 @@ public function handle(Request $request, Closure $next): Response
                         $acceptance->delete();
                         $request->session()->push('invites-feedback', __('events.you_have_joined', [
                             'url' => url("/party/view/{$event->idevents}"),
-                            'name' => $event->venue
+                            'name' => e($event->venue)
                         ]));
 
                     // Else that must mean the User is already part of the Event.
                         // We can then delete the Invite and create a new session
                     } else {
-                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href='.url("/party/view/{$event->idevents}").">{$event->venue}</a>");
+                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href="'.url("/party/view/{$event->idevents}").'">'.e($event->venue).'</a>');
                     }
                 }
                 $request->session()->forget('events');

app/Models/Brands.php

@@ -21,4 +21,9 @@ class Brands extends Model
      * @var array
      */
     protected $hidden = [];
+
+    public function setBrandNameAttribute($value)
+    {
+        $this->attributes['brand_name'] = $value === null ? null : strip_tags((string) $value);
+    }
 }

app/Models/Category.php

@@ -33,6 +33,11 @@ class Category extends Model
 
     // Setters
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
     public function findAll()
     {

app/Models/Group.php

@@ -12,6 +12,7 @@
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Lang;
 use Illuminate\Support\Facades\Log;
+use Stevebauman\Purify\Facades\Purify;
 use OwenIt\Auditing\Contracts\Auditable;
 use Illuminate\Database\Eloquent\SoftDeletes;
 
@@ -446,6 +447,16 @@ public function setDistanceAttribute($val)
         $this->distance = $val;
     }
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setFreeTextAttribute($value)
+    {
+        $this->attributes['free_text'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     public function createDiscourseGroup() {
         // Get the host who created the group.
         $success = false;

app/Models/GroupTags.php

@@ -42,5 +42,10 @@ public function groupTagGroups(): HasMany
 
     // Setters
 
+    public function setTagNameAttribute($value)
+    {
+        $this->attributes['tag_name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
 }

app/Models/Network.php

@@ -6,11 +6,22 @@
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use App\Models\Group;
 use Illuminate\Database\Eloquent\Model;
+use Stevebauman\Purify\Facades\Purify;
 
 class Network extends Model
 {
     use HasFactory;
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setDescriptionAttribute($value)
+    {
+        $this->attributes['description'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     public function groups(): BelongsToMany
     {
         return $this->belongsToMany(Group::class, 'group_network', 'network_id', 'group_id');

app/Models/Party.php

@@ -13,6 +13,7 @@
 use DB;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Stevebauman\Purify\Facades\Purify;
 use Illuminate\Support\Str;
 use Notification;
 use OwenIt\Auditing\Contracts\Auditable;
@@ -767,6 +768,16 @@ public function getEventEndUtcAttribute() {
         return array_key_exists('event_end_utc', $this->attributes) ? Carbon::parse($this->attributes['event_end_utc'], 'UTC')->toIso8601String() : null;
     }
 
+    public function setVenueAttribute($value)
+    {
+        $this->attributes['venue'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setFreeTextAttribute($value)
+    {
+        $this->attributes['free_text'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     // Mutators for previous event_date/start/end fields.  These are now superceded by the UTC fields and therefore
     // should never be set directly.  Throw exceptions to ensure that they are not.
     public function setEventDateAttribute($val) {

app/Models/Skills.php

@@ -26,5 +26,10 @@ class Skills extends Model
 
     // Setters
 
+    public function setSkillNameAttribute($value)
+    {
+        $this->attributes['skill_name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
 }