PR corrections. Use of strip_tags().

Author: aleixgilaguilar

app/Http/Controllers/Api/CommentsController.php

@@ -9,7 +9,7 @@ class CommentsController extends ApiController
 {
     public function store(Ticket $ticket)
     {
-        $comment = $ticket->addComment(null, sanitizeJSInjection(request('body')), request('new_status'));
+    	$comment = $ticket->addComment(null, strip_tags(request('body')), request('new_status'));
         if (! $comment) {
             return $this->respond(['id' => null, 'message' => 'Can not create a comment with empty body'], Response::HTTP_OK);
         }

app/Http/Controllers/Api/TicketsController.php

@@ -38,8 +38,8 @@ public function store()
 
         $ticket = Ticket::createAndNotify(
             request('requester'),
-            sanitizeJSInjection(request('title')),
-            sanitizeJSInjection(request('body')),
+            strip_tags(request('title')),
+            strip_tags(request('body')),
             request('tags')
         );
 

helpers/helpers.php

@@ -55,8 +55,3 @@ function toPercentage($value, $inverse = false)
 {
     return  ($inverse ? 1 - $value : $value) * 100;
 }
-
-function sanitizeJSInjection($text)
-{
-    return str_replace('/script>', '/\script>', str_replace('<script', '<\script', $text));
-}

tests/Feature/Api/SimpleTicketTest.php

@@ -92,7 +92,7 @@ public function can_create_a_ticket_with_js_injection(){
                 "name"  => "johndoe",
                 "email" => "[email protected]"
             ],
-            "title"         => "App <script>is not working</script>",
+            "title"         => "App <script>is not working</script> >>>",
             "body"          => "I can't log in into the application<script>alert(1)</script>",
             "tags"          => ["xef"]
         ],["token" => 'the-api-token']);
@@ -106,8 +106,8 @@ public function can_create_a_ticket_with_js_injection(){
                 $this->assertEquals($requester->email, "[email protected]");
                 $this->assertEquals( $ticket->requester_id, $requester->id);
             });
-            $this->assertEquals ( $ticket->title, "App <\script>is not working</\script>");
-            $this->assertEquals ( $ticket->body, "I can't log in into the application<\script>alert(1)</\script>");
+            $this->assertEquals ( $ticket->title, "App is not working >>>");
+            $this->assertEquals ( $ticket->body, "I can't log in into the applicationalert(1)");
             $this->assertTrue   ( $ticket->tags->pluck('name')->contains("xef") );
             $this->assertEquals( Ticket::STATUS_NEW, $ticket->status);
 
@@ -222,7 +222,7 @@ public function requester_can_comment_the_ticket_with_js_injection(){
         $response->assertJson   (["data" => ["id" => 2]]);
 
         $this->assertCount  (2, $ticket->comments);
-        $this->assertEquals ($ticket->comments[1]->body, "<\script> this is a comment </\script>");
+        $this->assertEquals ($ticket->comments[1]->body, " this is a comment ");
 
         //TODO: assert notifications
     }