iFixit · ardelato · Apr 27, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/app/Http/Controllers/GroupController.php b/app/Http/Controllers/GroupController.php
@@ -455,7 +455,7 @@ public function delete($id): RedirectResponse
             $group->delete();
 
             return redirect('/group')->with('success', __('groups.delete_succeeded', [
-                'name' => $name,
+                'name' => e($name),
             ]));
         } else {
             return redirect('/user/forbidden');
@@ -576,7 +576,7 @@ public function getJoinGroup($group_id): RedirectResponse
             return redirect()
                 ->back()
                 ->with('success', __('groups.now_following', [
-                    'name' => $group->name,
+                    'name' => e($group->name),
                     'link' => url('/group/view/'.$group->idgroups),
                 ]));
         } catch (\Exception $e) {
@@ -661,7 +661,7 @@ public function inviteNearbyRestarter($groupId, $userId): RedirectResponse
             }
         }
 
-        return redirect('/group/nearby/'.intval($groupId))->with('success', $user->name.' has been invited');
+        return redirect('/group/nearby/'.intval($groupId))->with('success', e($user->name).' has been invited');
     }
 
     /**

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -294,7 +294,7 @@ public function postSoftDeleteUser(Request $request): RedirectResponse
 
         if (Auth::id() !== $user_id) {
             return redirect('user/all')->with('danger', __('profile.soft_deleted', [
-                'name' => $old_user_name
+                'name' => e($old_user_name)
             ]));
         } else {
             return redirect('login');

diff --git a/app/Http/Middleware/AcceptUserInvites.php b/app/Http/Middleware/AcceptUserInvites.php
@@ -45,13 +45,13 @@ public function handle(Request $request, Closure $next): Response
                         $acceptance->delete();
                         $request->session()->push('invites-feedback', __('groups.you_have_joined', [
                             'url' => url("/group/view/{$group->idgroups}"),
-                            'name' => $group->name
+                            'name' => e($group->name)
                         ]));
 
                     // Else that must mean the User is already part of the Group.
                         // We can then delete the Invite and create a new session
                     } else {
-                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href='.url("/group/view/{$group->idgroups}").">{$group->name}</a>");
+                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href="'.url("/group/view/{$group->idgroups}").'">'.e($group->name).'</a>');
                     }
                 }
                 $request->session()->forget('groups');
@@ -78,13 +78,13 @@ public function handle(Request $request, Closure $next): Response
                         $acceptance->delete();
                         $request->session()->push('invites-feedback', __('events.you_have_joined', [
                             'url' => url("/party/view/{$event->idevents}"),
-                            'name' => $event->venue
+                            'name' => e($event->venue)
                         ]));
 
                     // Else that must mean the User is already part of the Event.
                         // We can then delete the Invite and create a new session
                     } else {
-                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href='.url("/party/view/{$event->idevents}").">{$event->venue}</a>");
+                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href="'.url("/party/view/{$event->idevents}").'">'.e($event->venue).'</a>');
                     }
                 }
                 $request->session()->forget('events');

diff --git a/app/Models/Brands.php b/app/Models/Brands.php
@@ -21,4 +21,9 @@ class Brands extends Model
      * @var array
      */
     protected $hidden = [];
+
+    public function setBrandNameAttribute($value)
+    {
+        $this->attributes['brand_name'] = $value === null ? null : strip_tags((string) $value);
+    }
 }
diff --git a/app/Models/Category.php b/app/Models/Category.php
@@ -33,6 +33,11 @@ class Category extends Model
 
     // Setters
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
     public function findAll()
     {

diff --git a/app/Models/Group.php b/app/Models/Group.php
@@ -12,6 +12,7 @@
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Lang;
 use Illuminate\Support\Facades\Log;
+use Stevebauman\Purify\Facades\Purify;
 use OwenIt\Auditing\Contracts\Auditable;
 use Illuminate\Database\Eloquent\SoftDeletes;
 
@@ -446,6 +447,16 @@ public function setDistanceAttribute($val)
         $this->distance = $val;
     }
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setFreeTextAttribute($value)
+    {
+        $this->attributes['free_text'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     public function createDiscourseGroup() {
         // Get the host who created the group.
         $success = false;

diff --git a/app/Models/GroupTags.php b/app/Models/GroupTags.php
@@ -42,5 +42,10 @@ public function groupTagGroups(): HasMany
 
     // Setters
 
+    public function setTagNameAttribute($value)
+    {
+        $this->attributes['tag_name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
 }
diff --git a/app/Models/Network.php b/app/Models/Network.php
@@ -6,11 +6,22 @@
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use App\Models\Group;
 use Illuminate\Database\Eloquent\Model;
+use Stevebauman\Purify\Facades\Purify;
 
 class Network extends Model
 {
     use HasFactory;
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setDescriptionAttribute($value)
+    {
+        $this->attributes['description'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     public function groups(): BelongsToMany
     {
         return $this->belongsToMany(Group::class, 'group_network', 'network_id', 'group_id');

diff --git a/app/Models/Party.php b/app/Models/Party.php
@@ -13,6 +13,7 @@
 use DB;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Stevebauman\Purify\Facades\Purify;
 use Illuminate\Support\Str;
 use Notification;
 use OwenIt\Auditing\Contracts\Auditable;
@@ -767,6 +768,16 @@ public function getEventEndUtcAttribute() {
         return array_key_exists('event_end_utc', $this->attributes) ? Carbon::parse($this->attributes['event_end_utc'], 'UTC')->toIso8601String() : null;
     }
 
+    public function setVenueAttribute($value)
+    {
+        $this->attributes['venue'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setFreeTextAttribute($value)
+    {
+        $this->attributes['free_text'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     // Mutators for previous event_date/start/end fields.  These are now superceded by the UTC fields and therefore
     // should never be set directly.  Throw exceptions to ensure that they are not.
     public function setEventDateAttribute($val) {

diff --git a/app/Models/Skills.php b/app/Models/Skills.php
@@ -26,5 +26,10 @@ class Skills extends Model
 
     // Setters
 
+    public function setSkillNameAttribute($value)
+    {
+        $this->attributes['skill_name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
 }
diff --git a/app/Models/User.php b/app/Models/User.php
@@ -9,6 +9,7 @@
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use App\Events\UserDeleted;
 use App\Events\UserUpdated;
+use Stevebauman\Purify\Facades\Purify;
 use App\Helpers\Fixometer;
 use App\Models\Network;
 use App\Models\UserGroups;
@@ -64,6 +65,21 @@ class User extends Authenticatable implements Auditable, HasLocalePreference
         'remember_token',
     ];
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setLocationAttribute($value)
+    {
+        $this->attributes['location'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setBiographyAttribute($value)
+    {
+        $this->attributes['biography'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     /**
      * The event map for the model.
      *

diff --git a/composer.json b/composer.json
@@ -44,9 +44,10 @@
         "sentry/sentry-laravel": "^4.13",
         "soundasleep/html2text": "^1.1",
         "spatie/calendar-links": "^1.6",
-        "spatie/laravel-validation-rules": "^3.4",
         "spatie/laravel-html": "^3.12.0",
+        "spatie/laravel-validation-rules": "^3.4",
         "spinen/laravel-discourse-sso": "dev-l12-compatibility",
+        "stevebauman/purify": "^6.3",
         "symfony/http-client": "^7.2",
         "symfony/http-foundation": "^7.2",
         "symfony/mailgun-mailer": "^7.2",

diff --git a/composer.lock b/composer.lock