mkrieger/byos_laravel
1
0
Fork 0
mirror of https://github.com/usetrmnl/byos_laravel.git synced 2026-01-13 15:07:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add HTML rendering on config modal with tests

Browse source 
Models/Plugin will now sanitize "description" and "help text" before loading. This allows HTML from these fields to be rendered safely.
Sanitization is done using Purify library for completeness (new dependency).

A test suite of simple xss attacks is also added.
This commit is contained in:
jerremyng 2026-01-04 08:15:09 +00:00 committed by Benjamin Nussbaum
parent 9019561bb3
commit 46e792bc6d
6 changed files with 470 additions and 158 deletions
Download patch file Download diff file Expand all files Collapse all files

24
app/Models/Plugin.php
View file

@ -62,6 +62,11 @@ class Plugin extends Model
$model->current_image = null;
}
});
// Sanitize configuration template on save
static::saving(function ($model): void {
$model->sanitizeTemplate();
});
}
public function user()
@ -69,6 +74,25 @@ class Plugin extends Model
return $this->belongsTo(User::class);
}
// sanitize configuration template descriptions and help texts (since they allow HTML rendering)
protected function sanitizeTemplate(): void
{
$template = $this->configuration_template;
if (isset($template['custom_fields']) && is_array($template['custom_fields'])) {
foreach ($template['custom_fields'] as &$field) {
if (isset($field['description'])) {
$field['description'] = \Stevebauman\Purify\Facades\Purify::clean($field['description']);
}
if (isset($field['help_text'])) {
$field['help_text'] = \Stevebauman\Purify\Facades\Purify::clean($field['help_text']);
}
}
$this->configuration_template = $template;
}
}
public function hasMissingRequiredConfigurationFields(): bool
{
if (! isset($this->configuration_template['custom_fields']) || empty($this->configuration_template['custom_fields'])) {