Merge branch 'master' into bug/image-upload

2025-07-28 17:02:04 +03:00 · 2018-03-18 23:44:33 +05:30
parent 3a5c20c17e 380e2ff668
commit 0335f58478
39 changed files with 8518 additions and 2530 deletions
--- a/app/Http/Controllers/ImageController.php
+++ b/app/Http/Controllers/ImageController.php
@ -120,7 +120,7 @@ class ImageController extends Controller
    {
        $this->checkPermission('image-create-all');
        $this->validate($request, [
-            'file' => 'image'
+            'file' => 'required|image'
        ]);

        if (!$this->imageRepo->isValidType($type)) {
--- a/app/Repos/EntityRepo.php
+++ b/app/Repos/EntityRepo.php
@ -713,6 +713,10 @@ class EntityRepo
    public function renderPage(Page $page, $ignorePermissions = false)
    {
        $content = $page->html;
+        if (!config('app.allow_content_scripts')) {
+            $content = $this->escapeScripts($content);
+        }
+
        $matches = [];
        preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
        if (count($matches[0]) === 0) {
@ -760,6 +764,24 @@ class EntityRepo
        return $content;
    }

+    /**
+     * Escape script tags within HTML content.
+     * @param string $html
+     * @return mixed
+     */
+    protected function escapeScripts(string $html)
+    {
+        $scriptSearchRegex = '/<script.*?>.*?<\/script>/ms';
+        $matches = [];
+        preg_match_all($scriptSearchRegex, $html, $matches);
+        if (count($matches) === 0) return $html;
+
+        foreach ($matches[0] as $match) {
+            $html = str_replace($match, htmlentities($match), $html);
+        }
+        return $html;
+    }
+
    /**
     * Get the plain text version of a page's content.
     * @param Page $page