Update

Blair2004 · Blair2004 · commit 80f138721589 · 2021-03-17T11:34:39.000+01:00
- Fixed : striping tags that are inputed by the end user.
diff --git a/app/Forms/UserProfileForm.php b/app/Forms/UserProfileForm.php
@@ -59,7 +59,7 @@ public function processAttribute( $request )
     
             foreach( $request->input( 'attribute' ) as $key => $value ) {
                 if ( in_array( $key, $allowedInputs ) ) {
-                    $user->$key     =   preg_replace( '#<script(.*?)>(.*?)</script>#is', '', $value );
+                    $user->$key     =   strip_tags( $value );
                 }
             }
     
diff --git a/app/Http/Controllers/Dashboard/CrudController.php b/app/Http/Controllers/Dashboard/CrudController.php
@@ -120,7 +120,7 @@ public function crudPost( String $namespace, CrudPostRequest $request )
              * all script tags
              */
             if ( ! empty( $entry->$name ) ) {
-                $entry->$name       =   preg_replace( '#<script(.*?)>(.*?)</script>#is', null, $entry->$name );
+                $entry->$name       =   strip_tags( $entry->$name );
             }
         }
         
@@ -243,7 +243,7 @@ public function crudPut( String $namespace, $id, CrudPutRequest $request  )
              * all script tags
              */
             if ( ! empty( $entry->$name ) ) {
-                $entry->$name       =   preg_replace( '#<script(.*?)>(.*?)</script>#is', null, $entry->$name );
+                $entry->$name       =   strip_tags( $entry->$name );
             }
         }
         
diff --git a/app/Services/Options.php b/app/Services/Options.php
@@ -154,7 +154,7 @@ public function beforeSave( $option )
         * sanitizing input to remove
         * all script tags
         */
-        $option->value      =   preg_replace( '#<script(.*?)>(.*?)</script>#is', '', $option->value );
+        $option->value      =   strip_tags( $option->value );
 
         return $option;
     }
diff --git a/app/Services/UserOptions.php b/app/Services/UserOptions.php
@@ -27,7 +27,7 @@ public function beforeSave( $option )
         * sanitizing input to remove
         * all script tags
         */
-        $option->value      =   preg_replace( '#<script(.*?)>(.*?)</script>#is', '', $option->value );   
+        $option->value      =   strip_tags( $option->value );   
 
         return $option;
     }

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ public function processAttribute( $request )`
`59`	`59`
`60`	`60`	`foreach( $request->input( 'attribute' ) as $key => $value ) {`
`61`	`61`	`if ( in_array( $key, $allowedInputs ) ) {`
`62`		`- $user->$key = preg_replace( '#<script(.?)>(.?)</script>#is', '', $value );`
	`62`	`+ $user->$key = strip_tags( $value );`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`
Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ public function crudPost( String $namespace, CrudPostRequest $request )`
`120`	`120`	`* all script tags`
`121`	`121`	`*/`
`122`	`122`	`if ( ! empty( $entry->$name ) ) {`
`123`		`- $entry->$name = preg_replace( '#<script(.?)>(.?)</script>#is', null, $entry->$name );`
	`123`	`+ $entry->$name = strip_tags( $entry->$name );`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`
`@@ -243,7 +243,7 @@ public function crudPut( String $namespace, $id, CrudPutRequest $request )`
`243`	`243`	`* all script tags`
`244`	`244`	`*/`
`245`	`245`	`if ( ! empty( $entry->$name ) ) {`
`246`		`- $entry->$name = preg_replace( '#<script(.?)>(.?)</script>#is', null, $entry->$name );`
	`246`	`+ $entry->$name = strip_tags( $entry->$name );`
`247`	`247`	`}`
`248`	`248`	`}`
`249`	`249`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ public function beforeSave( $option )`
`154`	`154`	`* sanitizing input to remove`
`155`	`155`	`* all script tags`
`156`	`156`	`*/`
`157`		`- $option->value = preg_replace( '#<script(.?)>(.?)</script>#is', '', $option->value );`
	`157`	`+ $option->value = strip_tags( $option->value );`
`158`	`158`
`159`	`159`	`return $option;`
`160`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ public function beforeSave( $option )`
`27`	`27`	`* sanitizing input to remove`
`28`	`28`	`* all script tags`
`29`	`29`	`*/`
`30`		`- $option->value = preg_replace( '#<script(.?)>(.?)</script>#is', '', $option->value );`
	`30`	`+ $option->value = strip_tags( $option->value );`
`31`	`31`
`32`	`32`	`return $option;`
`33`	`33`	`}`