From 7ae41b368e05eb7b5d76bcc225192c69e45ed021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Hru=C5=A1ka?= Date: Sun, 12 Aug 2018 21:58:42 +0200 Subject: [PATCH] fix injection bugs in table editor --- app/helpers.php | 4 ++-- porklib/Providers/BladeExtensionsProvider.php | 17 ++--------------- resources/views/table/create.blade.php | 2 +- .../views/table/propose/add-rows.blade.php | 6 +++--- .../views/table/propose/edit-rows.blade.php | 6 +++--- .../table/propose/manage-columns.blade.php | 4 ++-- 6 files changed, 13 insertions(+), 26 deletions(-) diff --git a/app/helpers.php b/app/helpers.php index bd3796a..81f0eed 100644 --- a/app/helpers.php +++ b/app/helpers.php @@ -88,7 +88,7 @@ function vali($arr) { */ function old_json($name, $default) { $old = old($name, null); - if (is_string($old)) return json_decode($old); + if (is_string($old)) return fromJSON($old); return $default; } @@ -104,7 +104,7 @@ function toJSON($object, $emptyObj=false) { $object = $object->toArray(); } - return \GuzzleHttp\json_encode($object, JSON_UNESCAPED_SLASHES + JSON_UNESCAPED_UNICODE); + return \GuzzleHttp\json_encode($object); } function fromJSON($object, $assoc=false) { diff --git a/porklib/Providers/BladeExtensionsProvider.php b/porklib/Providers/BladeExtensionsProvider.php index a0c34cf..58a9ed1 100644 --- a/porklib/Providers/BladeExtensionsProvider.php +++ b/porklib/Providers/BladeExtensionsProvider.php @@ -37,23 +37,14 @@ class BladeExtensionsProvider extends ServiceProvider return "make('\\Faker\\Generator')->$method($params)) ?>"; }); - // csrf token for forms - Blade::directive('formCsrf', function () { - return ''; - }); - // json encode Blade::directive('json', function ($x) { - return ""; + return ""; }); // json encode, escaped Blade::directive('jsone', function ($x) { - if (config('app.pretty_json')) { - return ""; - } else { - return ""; - } + return ""; }); // selected if cond true 
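Review bot: Malformed flashed input can now escape `old_json` as an exception, on the added `if (is_string($old)) return fromJSON($old);` line: `old()` hands back whatever the previous request submitted, and if `fromJSON` wraps `\GuzzleHttp\json_decode` the way `toJSON` wraps `\GuzzleHttp\json_encode`, invalid JSON throws `InvalidArgumentException` where the replaced `json_decode` call returned null. This helper runs while a form is re-rendered after a failed submit, so a tampered `columns` field would turn into a 500 instead of a redisplayed form. Consider falling back to the caller's default: `try { return fromJSON($old); } catch (\InvalidArgumentException $e) { return $default; }`. The body of `fromJSON` is outside this hunk, so whether it actually throws should be confirmed before adding the catch.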
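Review bot: The injection fix in `toJSON` rests on the default slash escaping that removing `JSON_UNESCAPED_SLASHES` restores (so `</script>` in a cell value becomes `<\/script>`), but nothing on the new `return \GuzzleHttp\json_encode($object);` line records that, and the flags are the kind of thing that gets re-added for prettier output. For values embedded in inline `<script>` blocks through `@json`, the usual hardening is the hex flags, which also neutralise `<`, `>`, `&` and both quote characters while still producing valid JSON: `return \GuzzleHttp\json_encode($object, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);`. Whichever flag set is kept, a why-comment above the return, e.g. `// keep "/" escaped: output is embedded in <script>, so "</" must never appear literally`, would stop the unescaped flags from being reintroduced. The start of `toJSON` and the whole of `fromJSON` lie outside this hunk.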
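Review bot: The `// json encode` and `// json encode, escaped` comments above the rewritten `json` and `jsone` directives do not tell a template author which one is safe in which output context, which is exactly the distinction this commit is enforcing by replacing `{!! toJSON(...) !!}` with `@json(...)` in the views. The directive bodies themselves are not legible in this rendering (they appear as `return "";`), so the contract has to come from the comment; something like `// @json(value[, emptyObj]) — embed server data inside an inline <script>; use this instead of {!! toJSON() !!}` on the first and `// @jsone — JSON that is additionally HTML-escaped for use inside an attribute value` on the second, if that is what `jsone` does, would make the intent auditable. I would also state in that comment that `@json` must pass its second argument through, since `add-rows.blade.php` relies on `@json($xrows, true)`.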
@@ -66,10 +57,6 @@ class BladeExtensionsProvider extends ServiceProvider return ""; }); - Blade::if('admin', function () { - return \Auth::user()->isAdmin(); - }); - Blade::if('set', function ($x) { return config($x) != ''; }); diff --git a/resources/views/table/create.blade.php b/resources/views/table/create.blade.php index 9413fd3..7f4904b 100644 --- a/resources/views/table/create.blade.php +++ b/resources/views/table/create.blade.php @@ -79,7 +79,7 @@ ready(function() { app.ColumnEditor('#column-editor', { name: 'columns', - xColumns: {!! old('columns', toJSON($columns)) !!}, + xColumns: @json(old_json('columns', $columns)), newTable: true, //sortable: false, }) diff --git a/resources/views/table/propose/add-rows.blade.php b/resources/views/table/propose/add-rows.blade.php index 08bdd5e..8042ebe 100644 --- a/resources/views/table/propose/add-rows.blade.php +++ b/resources/views/table/propose/add-rows.blade.php @@ -27,9 +27,9 @@ '', - route: {!! toJSON($table->draftUpdateRoute) !!}, - columns: {!! toJSON($columns) !!}, - xRows: {!! toJSON($xrows, true) !!}, + route: @json($table->draftUpdateRoute), + columns: @json($columns), + xRows: @json($xrows, true), newRows: true, // indicate all are new pageUrl: @json(request()->fullUrl()), loadCsvUrl: @json($table->getDraftRoute('add-rows-csv')), diff --git a/resources/views/table/propose/edit-rows.blade.php b/resources/views/table/propose/edit-rows.blade.php index a617c2c..8d69319 100644 --- a/resources/views/table/propose/edit-rows.blade.php +++ b/resources/views/table/propose/edit-rows.blade.php @@ -28,9 +28,9 @@ '', - route: {!! toJSON($table->draftUpdateRoute) !!}, - columns: {!! toJSON($columns) !!}, - xRows: {!! toJSON($transformed, true) !!}, + route: @json($table->draftUpdateRoute), + columns: @json($columns), + xRows: @json($transformed), xRowOrder: @json($transformed->keys()), }) }); 
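Review bot: The `xRows: @json($transformed),` line in `edit-rows.blade.php` drops the second argument that the removed `toJSON($transformed, true)` passed and that the parallel `add-rows.blade.php` hunk keeps as `@json($xrows, true)`. If that argument is `toJSON`'s `$emptyObj` flag, an editor opened on a changeset with no rows will now receive `[]` where the page script previously got `{}`, which matters if it treats `xRows` as an object keyed by row id (the neighbouring `xRowOrder: @json($transformed->keys())` suggests a keyed map). Unless the drop was deliberate, restore it: `xRows: @json($transformed, true),`. The enclosing `ready(function() { ... })` callback begins before this hunk.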
diff --git a/resources/views/table/propose/manage-columns.blade.php b/resources/views/table/propose/manage-columns.blade.php index 97ba4cb..45c0d56 100644 --- a/resources/views/table/propose/manage-columns.blade.php +++ b/resources/views/table/propose/manage-columns.blade.php @@ -16,8 +16,8 @@ ready(function() { app.ColumnEditor('#column-editor', { name: 'columns', - route: {!! toJSON($table->draftUpdateRoute) !!}, - xColumns: {!! toJSON($columns) !!}, + route: @json($table->draftUpdateRoute), + xColumns: @json($columns), orderChanged: @json(!empty($changeset->columnOrder)) }) });