fix: Escape app title and tag title on list pages CVE-2022-47968 (#1088)

keriati · web-flow · commit a4022ce517dc · 2023-01-05T20:31:15.000+01:00
diff --git a/resources/views/items/list.blade.php b/resources/views/items/list.blade.php
@@ -32,7 +32,7 @@
                             <tr>
                                 <td>{{ $app->title }}</td>
                                 <td><a href="{{ $app->url }}">{{ $app->link }}</a></td>
-                                <td class="text-center"><a{{ $app->target }} href="{!! route('items.edit', [$app->id]) !!}" title="{{ __('app.settings.edit') }} {!! $app->title !!}"><i class="fas fa-edit"></i></a></td>
+                                <td class="text-center"><a{{ $app->target }} href="{!! route('items.edit', [$app->id]) !!}" title="{{ __('app.settings.edit') }} {{ $app->title }}"><i class="fas fa-edit"></i></a></td>
                                 <td class="text-center">
                                         {!! Form::open(['method' => 'DELETE','route' => ['items.destroy', $app->id],'style'=>'display:inline']) !!}
                                         <button class="link" type="submit"><i class="fa fa-trash-alt"></i></button>
diff --git a/resources/views/items/scripts.blade.php b/resources/views/items/scripts.blade.php
@@ -31,13 +31,13 @@
                 }
             });
             // initial load
-            $('#tile-preview .title').html($('#appname').val());
+            $('#tile-preview .title').text($('#appname').val());
             $('#tile-preview .item').css('backgroundColor', $('#appcolour').val());
             $('#tile-preview .app-icon').attr('src', $('#appimage img').attr('src'));
 
             // Updates
             $('#appname').on('keyup change', function(e) {
-                $('#tile-preview .title').html($(this).val());
+                $('#tile-preview .title').text($(this).val());
             })
             $('#apptype').on('change', function(e) {
                 appload($(this).find('option:selected').val());
@@ -178,7 +178,7 @@ function appload(appvalue) {
                         if($('#appname').val() === '') {
                             $('#appname').val(data.name)
                         }
-                        $('#tile-preview .title').html($('#appname').val());
+                        $('#tile-preview .title').text($('#appname').val());
                         if(data.custom != null) {
                             $.get(base+'view/'+data.custom, function(getdata) {
                                 $('#sapconfig').html(getdata).show();
diff --git a/resources/views/tags/list.blade.php b/resources/views/tags/list.blade.php
@@ -31,7 +31,7 @@
                             <tr>
                                 <td>{{ $app->title }}</td>
                                 <td><a{{ $app->target }} href="{{ url($app->link) }}">{{ $app->link }}</a></td>
-                                <td class="text-center"><a href="{!! route('tags.edit', [$app->id]) !!}" title="{{ __('app.settings.edit') }} {!! $app->title !!}"><i class="fas fa-edit"></i></a></td>
+                                <td class="text-center"><a href="{!! route('tags.edit', [$app->id]) !!}" title="{{ __('app.settings.edit') }} {{ $app->title }}"><i class="fas fa-edit"></i></a></td>
                                 <td class="text-center">
                                         {!! Form::open(['method' => 'DELETE','route' => ['tags.destroy', $app->id],'style'=>'display:inline']) !!}
                                         <button class="link" type="submit"><i class="fa fa-trash-alt"></i></button>
diff --git a/tests/Feature/ItemListTest.php b/tests/Feature/ItemListTest.php
@@ -31,4 +31,15 @@ public function test_displays_items_on_the_item_list_page()
         $response->assertSee('Item 2');
         $response->assertSee('Item 3');
     }
+
+    public function test_escapes_xss_on_the_item_list_page()
+    {
+        $this->addItemWithTitleToDB('<script>alert("XSS")</script>');
+
+        $response = $this->get('/items');
+
+        $response->assertStatus(200);
+        $response->assertDontSee('<script>alert("XSS")</script>', false);
+        $response->assertSee('<script>alert("XSS")</script>');
+    }
 }
diff --git a/tests/Feature/TagListTest.php b/tests/Feature/TagListTest.php
@@ -32,4 +32,15 @@ public function test_displays_the_tags_on_the_tag_list_page()
         $response->assertSee('Tag 2');
         $response->assertSee('Tag 3');
     }
+
+    public function test_escapes_xss_on_the_tag_list_page()
+    {
+        $this->addTagWithTitleToDB('<script>alert("XSS")</script>');
+
+        $response = $this->get('/tags');
+
+        $response->assertStatus(200);
+        $response->assertDontSee('<script>alert("XSS")</script>', false);
+        $response->assertSee('<script>alert("XSS")</script>');
+    }
 }
