fix injection bugs in table editor

app/helpers.php

@@ -88,7 +88,7 @@ function vali($arr) {
  */
 function old_json($name, $default) {
     $old = old($name, null);
-    if (is_string($old)) return json_decode($old);
+    if (is_string($old)) return fromJSON($old);
     return $default;
 }
 
@@ -104,7 +104,7 @@ function toJSON($object, $emptyObj=false) {
         $object = $object->toArray();
     }
 
-    return \GuzzleHttp\json_encode($object, JSON_UNESCAPED_SLASHES + JSON_UNESCAPED_UNICODE);
+    return \GuzzleHttp\json_encode($object);
 }
 
 function fromJSON($object, $assoc=false) {

porklib/Providers/BladeExtensionsProvider.php

@@ -37,23 +37,14 @@ class BladeExtensionsProvider extends ServiceProvider
 			return "<?= e(app()->make('\\Faker\\Generator')->$method($params)) ?>";
 		});
 
-		// csrf token for forms
-		Blade::directive('formCsrf', function () {
-			return '<?= csrf_field() ?>';
-		});
-
 		// json encode
 		Blade::directive('json', function ($x) {
-			return "<?= json_encode(($x), JSON_UNESCAPED_SLASHES) ?>";
+			return "<?= toJSON($x) ?>";
 		});
 
 		// json encode, escaped
 		Blade::directive('jsone', function ($x) {
-			if (config('app.pretty_json')) {
+			return "<?= e(toJSON($x)) ?>";
-				return "<?= e(json_encode(($x), JSON_PRETTY_PRINT|JSON_UNESCAPED_SLASHES)) ?>";
-			} else {
-				return "<?= e(json_encode(($x), JSON_UNESCAPED_SLASHES)) ?>";
-			}
 		});
 
 		// selected if cond true
@@ -66,10 +57,6 @@ class BladeExtensionsProvider extends ServiceProvider
 			return "<?= ($x) ? 'checked' : '' ?>";
 		});
 
-		Blade::if('admin', function () {
-			return \Auth::user()->isAdmin();
-		});
-
 		Blade::if('set', function ($x) {
 			return config($x) != '';
 		});

resources/views/table/create.blade.php

@@ -79,7 +79,7 @@
     ready(function() {
       app.ColumnEditor('#column-editor', {
         name: 'columns',
-        xColumns: {!! old('columns', toJSON($columns)) !!},
+        xColumns: @json(old_json('columns', $columns)),
         newTable: true,
         //sortable: false,
       })

resources/views/table/propose/add-rows.blade.php

@@ -27,9 +27,9 @@
           '<nav class="text-center" aria-label="Table pages">' +
             @json((string)$rows->links(null, ['ulClass' => 'mb-0'])) +
           '</nav>',
-        route: {!! toJSON($table->draftUpdateRoute) !!},
+        route: @json($table->draftUpdateRoute),
-        columns: {!! toJSON($columns) !!},
+        columns: @json($columns),
-        xRows: {!! toJSON($xrows, true) !!},
+        xRows: @json($xrows, true),
         newRows: true, // indicate all are new
         pageUrl: @json(request()->fullUrl()),
         loadCsvUrl: @json($table->getDraftRoute('add-rows-csv')),

resources/views/table/propose/edit-rows.blade.php

@@ -28,9 +28,9 @@
           '<nav class="text-center" aria-label="Table pages">' +
             @json((string)$rows->links(null, ['ulClass' => 'mb-0'])) +
           '</nav>',
-        route: {!! toJSON($table->draftUpdateRoute) !!},
+        route: @json($table->draftUpdateRoute),
-        columns: {!! toJSON($columns) !!},
+        columns: @json($columns),
-        xRows: {!! toJSON($transformed, true) !!},
+        xRows: @json($transformed),
         xRowOrder: @json($transformed->keys()),
       })
     });

resources/views/table/propose/manage-columns.blade.php

@@ -16,8 +16,8 @@
     ready(function() {
       app.ColumnEditor('#column-editor', {
         name: 'columns',
-        route: {!! toJSON($table->draftUpdateRoute) !!},
+        route: @json($table->draftUpdateRoute),
-        xColumns: {!! toJSON($columns) !!},
+        xColumns: @json($columns),
         orderChanged: @json(!empty($changeset->columnOrder))
       })
     });