fix injection bugs in table editor

master
Ondřej Hruška 6 years ago
parent b716260a53
commit 7ae41b368e
Signed by: MightyPork
GPG Key ID: 2C5FD5035250423D
  1. 4
      app/helpers.php
  2. 17
      porklib/Providers/BladeExtensionsProvider.php
  3. 2
      resources/views/table/create.blade.php
  4. 6
      resources/views/table/propose/add-rows.blade.php
  5. 6
      resources/views/table/propose/edit-rows.blade.php
  6. 4
      resources/views/table/propose/manage-columns.blade.php

@ -88,7 +88,7 @@ function vali($arr) {
*/ */
function old_json($name, $default) { function old_json($name, $default) {
$old = old($name, null); $old = old($name, null);
if (is_string($old)) return json_decode($old); if (is_string($old)) return fromJSON($old);
return $default; return $default;
} }
@ -104,7 +104,7 @@ function toJSON($object, $emptyObj=false) {
$object = $object->toArray(); $object = $object->toArray();
} }
return \GuzzleHttp\json_encode($object, JSON_UNESCAPED_SLASHES + JSON_UNESCAPED_UNICODE); return \GuzzleHttp\json_encode($object);
} }
function fromJSON($object, $assoc=false) { function fromJSON($object, $assoc=false) {
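Review bot: `toJSON` now leans entirely on the default flags of `\GuzzleHttp\json_encode` for its safety: dropping `JSON_UNESCAPED_SLASHES` turns `/` into `\/`, so a stored `</script>` can no longer terminate the enclosing script block, but `<`, `>`, `&` and `'` are still emitted raw, so the same value placed in an attribute or inline handler through `@json` instead of `@jsone` stays injectable. Passing the HEX flags makes the output inert in every HTML context at once: `return \GuzzleHttp\json_encode($object, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);`. Separately, `old_json` now feeds resubmitted form input to `fromJSON`; its body is outside this hunk, but if it wraps Guzzle's `json_decode` (which throws on malformed input, unlike the plain `json_decode` it replaces), a tampered or truncated `columns` value turns into a 500 instead of falling back to `$default`, so a `catch (\InvalidArgumentException $e) { return $default; }` around that call is worth considering. A one-line docblock on `toJSON` stating which contexts its output is safe for would keep the next caller from reintroducing a `{!! !!}` echo.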

@ -37,23 +37,14 @@ class BladeExtensionsProvider extends ServiceProvider
return "<?= e(app()->make('\\Faker\\Generator')->$method($params)) ?>"; return "<?= e(app()->make('\\Faker\\Generator')->$method($params)) ?>";
}); });
// csrf token for forms
Blade::directive('formCsrf', function () {
return '<?= csrf_field() ?>';
});
// json encode // json encode
Blade::directive('json', function ($x) { Blade::directive('json', function ($x) {
return "<?= json_encode(($x), JSON_UNESCAPED_SLASHES) ?>"; return "<?= toJSON($x) ?>";
}); });
// json encode, escaped // json encode, escaped
Blade::directive('jsone', function ($x) { Blade::directive('jsone', function ($x) {
if (config('app.pretty_json')) { return "<?= e(toJSON($x)) ?>";
return "<?= e(json_encode(($x), JSON_PRETTY_PRINT|JSON_UNESCAPED_SLASHES)) ?>";
} else {
return "<?= e(json_encode(($x), JSON_UNESCAPED_SLASHES)) ?>";
}
}); });
// selected if cond true // selected if cond true
@ -66,10 +57,6 @@ class BladeExtensionsProvider extends ServiceProvider
return "<?= ($x) ? 'checked' : '' ?>"; return "<?= ($x) ? 'checked' : '' ?>";
}); });
Blade::if('admin', function () {
return \Auth::user()->isAdmin();
});
Blade::if('set', function ($x) { Blade::if('set', function ($x) {
return config($x) != ''; return config($x) != '';
}); });
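Review bot: The rewritten `@json` directive compiles to a bare `toJSON($x)` echo, and because a custom directive takes precedence over Blade's built-in one of the same name (if this Laravel version ships `@json`, it defaults to the `JSON_HEX_*` flags), this provider is now the only place that decides how data reaches `<script>` blocks; the `toJSON` call carries no flags, so the protection rests on slash escaping alone. The directive also forwards the raw argument text, which is why `@json($xrows, true)` in add-rows works as `toJSON($xrows, true)`, but nothing says so. I would add above the directive: `// json for <script> context: toJSON() escapes "/" so "</script>" cannot close the block; extra args pass straight to toJSON(); use @jsone inside attributes`. Consider also documenting that `@jsone` is the attribute-safe variant, since `e()` is the only thing distinguishing the two.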

@ -79,7 +79,7 @@
ready(function() { ready(function() {
app.ColumnEditor('#column-editor', { app.ColumnEditor('#column-editor', {
name: 'columns', name: 'columns',
xColumns: {!! old('columns', toJSON($columns)) !!}, xColumns: @json(old_json('columns', $columns)),
newTable: true, newTable: true,
//sortable: false, //sortable: false,
}) })

@ -27,9 +27,9 @@
'<nav class="text-center" aria-label="Table pages">' + '<nav class="text-center" aria-label="Table pages">' +
@json((string)$rows->links(null, ['ulClass' => 'mb-0'])) + @json((string)$rows->links(null, ['ulClass' => 'mb-0'])) +
'</nav>', '</nav>',
route: {!! toJSON($table->draftUpdateRoute) !!}, route: @json($table->draftUpdateRoute),
columns: {!! toJSON($columns) !!}, columns: @json($columns),
xRows: {!! toJSON($xrows, true) !!}, xRows: @json($xrows, true),
newRows: true, // indicate all are new newRows: true, // indicate all are new
pageUrl: @json(request()->fullUrl()), pageUrl: @json(request()->fullUrl()),
loadCsvUrl: @json($table->getDraftRoute('add-rows-csv')), loadCsvUrl: @json($table->getDraftRoute('add-rows-csv')),

@ -28,9 +28,9 @@
'<nav class="text-center" aria-label="Table pages">' + '<nav class="text-center" aria-label="Table pages">' +
@json((string)$rows->links(null, ['ulClass' => 'mb-0'])) + @json((string)$rows->links(null, ['ulClass' => 'mb-0'])) +
'</nav>', '</nav>',
route: {!! toJSON($table->draftUpdateRoute) !!}, route: @json($table->draftUpdateRoute),
columns: {!! toJSON($columns) !!}, columns: @json($columns),
xRows: {!! toJSON($transformed, true) !!}, xRows: @json($transformed),
xRowOrder: @json($transformed->keys()), xRowOrder: @json($transformed->keys()),
}) })
}); });
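Review bot: `xRows: @json($transformed)` drops the `true` second argument that the replaced `toJSON($transformed, true)` passed, while the parallel line in add-rows keeps it as `@json($xrows, true)`. Only the `toArray()` branch of `toJSON` is visible here, but if `$emptyObj` still controls whether an empty collection serializes as `{}` rather than `[]`, the row editor now receives a different JSON shape for an empty draft on this page than on add-rows. If the change is intentional a short comment would settle it; otherwise restore the flag: `xRows: @json($transformed, true),`.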

@ -16,8 +16,8 @@
ready(function() { ready(function() {
app.ColumnEditor('#column-editor', { app.ColumnEditor('#column-editor', {
name: 'columns', name: 'columns',
route: {!! toJSON($table->draftUpdateRoute) !!}, route: @json($table->draftUpdateRoute),
xColumns: {!! toJSON($columns) !!}, xColumns: @json($columns),
orderChanged: @json(!empty($changeset->columnOrder)) orderChanged: @json(!empty($changeset->columnOrder))
}) })
}); });
