Merge pull request #1477 from KodeStar/2.x

Escape search queries and add setting value on edit

Author: KodeStar

app/Http/Controllers/SearchController.php

@@ -18,6 +18,9 @@ public function index(Request $request)
         $requestprovider = $request->input('provider');
         $query = $request->input('q');
 
+        // Sanitize the query to prevent XSS
+        $query = htmlspecialchars($query, ENT_QUOTES, 'UTF-8'); 
+
         // Validate the presence and non-emptiness of the query parameter
         if (!$query || trim($query) === '') {
             abort(400, 'Missing or empty query parameter');

app/Http/Controllers/SettingsController.php

@@ -45,6 +45,7 @@ public function edit(int $id)
         if (! is_null($setting)) {
             return view('settings.edit')->with([
                 'setting' => $setting,
+                'value' => $setting->value,
             ]);
         } else {
             $route = route('settings.list', []);

app/Search.php

@@ -121,7 +121,7 @@ public static function form(): string
                     $output .= '<option value="'.$key.'"'.$selected.'>'.$searchprovider['name'].'</option>';
                 }
                 $output .= '</select>';
-                $output .= '<input type="text" name="q" value="'.(Input::get('q') ?? '').'" class="homesearch" autofocus placeholder="'.__('app.settings.search').'..." />';
+                $output .= '<input type="text" name="q" value="'.e(Input::get('q') ?? '').'" class="homesearch" autofocus placeholder="'.__('app.settings.search').'..." />';
                 $output .= '<button type="submit">'.ucwords(__('app.settings.search')).'</button>';
                 $output .= '</div>';
                 $output .= '</form>';

app/Setting.php

@@ -150,41 +150,41 @@ public function getEditValueAttribute()
         switch ($this->type) {
             case 'image':
                 $value = '';
-                if (isset($this->value) && ! empty($this->value)) {
-                    $value .= '<a class="setting-view-image" href="'.
-                        asset('storage/'.$this->value).
-                        '" title="'.
-                        __('app.settings.view').
-                        '" target="_blank"><img src="'.
-                        asset('storage/'.
-                            $this->value).
+                if (isset($this->value) && !empty($this->value)) {
+                    $value .= '<a class="setting-view-image" href="' .
+                        asset('storage/' . $this->value) .
+                        '" title="' .
+                        __('app.settings.view') .
+                        '" target="_blank"><img src="' .
+                        asset('storage/' .
+                            $this->value) .
                         '" /></a>';
                 }
                 $value .= '<input type="file" name="value" class="form-control" />';
-                if (isset($this->value) && ! empty($this->value)) {
-                    $value .= '<a class="settinglink" href="'.
-                        route('settings.clear', $this->id).
-                        '" title="'.
-                        __('app.settings.remove').
-                        '">'.
-                        __('app.settings.reset').
+                if (isset($this->value) && !empty($this->value)) {
+                    $value .= '<a class="settinglink" href="' .
+                        route('settings.clear', $this->id) .
+                        '" title="' .
+                        __('app.settings.remove') .
+                        '">' .
+                        __('app.settings.reset') .
                         '</a>';
                 }
-
+    
                 break;
             case 'boolean':
                 $checked = false;
-                if (isset($this->value) && (bool) $this->value === true) {
+                if (isset($this->value) && (bool)$this->value === true) {
                     $checked = true;
                 }
                 $set_checked = ($checked) ? ' checked="checked"' : '';
                 $value = '
                 <input type="hidden" name="value" value="0" />
                 <label class="switch">
-                    <input type="checkbox" name="value" value="1"'.$set_checked.' />
+                    <input type="checkbox" name="value" value="1"' . $set_checked . ' />
                     <span class="slider round"></span>
                 </label>';
-
+    
                 break;
             case 'select':
                 $options = json_decode($this->options);
@@ -193,21 +193,21 @@ public function getEditValueAttribute()
                 }
                 $value = '<select name="value" class="form-control">';
                 foreach ($options as $key => $opt) {
-                    $value .= '<option value="'.$key.'" '.(($this->value == $key) ? 'selected' : '').'>'.__($opt).'</option>';
+                    $value .= '<option value="' . $key . '" ' . (($this->value == $key) ? 'selected' : '') . '>' . __($opt) . '</option>';
                 }
                 $value .= '</select>';
                 break;
             case 'textarea':
-                $value = '<textarea name="value" class="form-control" cols="44" rows="15"></textarea>';
+                $value = '<textarea name="value" class="form-control" cols="44" rows="15">' . htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8') . '</textarea>';
                 break;
             default:
-                $value = '<input type="text" name="value" class="form-control" />';
+                $value = '<input type="text" name="value" class="form-control" value="' . htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8') . '" />';
                 break;
         }
-
+    
         return $value;
     }
-
+    
     public function group(): BelongsTo
     {
         return $this->belongsTo(\App\SettingGroup::class, 'group_id');

config/app.php

@@ -5,7 +5,7 @@
 
 return [
 
-    'version' => '2.7.2',
+    'version' => '2.7.3',
 
     'appsource' => env('APP_SOURCE', 'https://appslist.heimdall.site/'),