Clean input for custom css

2025-07-09 02:04:30 -04:00 · 2022-11-19 10:58:32 +11:00 · 2022-11-19 10:58:32 +11:00 · 1c89a39d56
commit 1c89a39d56
parent eaedcba6d0
3 changed files with 20 additions and 2 deletions
--- a/app/Http/Requests/Company/UpdateCompanyRequest.php
+++ b/app/Http/Requests/Company/UpdateCompanyRequest.php
@ -22,6 +22,14 @@ class UpdateCompanyRequest extends Request
 {
    use MakesHash;

+    private array $protected_input = [
+        'client_portal_privacy_policy',
+        'client_portal_terms',
+        'portal_custom_footer',
+        'portal_custom_css',
+        'portal_custom_head'
+    ];
+
    /**
     * Determine if the user is authorized to make this request.
     *
@ -32,6 +40,8 @@ class UpdateCompanyRequest extends Request
        return auth()->user()->can('edit', $this->company);
    }

+
+
    public function rules()
    {
        $input = $this->all();
@ -90,6 +100,14 @@ class UpdateCompanyRequest extends Request
    {
        $account = $this->company->account;

+        if(Ninja::isHosted())
+        {
+            foreach($this->protected_input as $protected_var)
+            {
+                $settings[$protected_var] = str_replace("script", "", $settings[$protected_var]);
+            }
+        }
+
        if (! $account->isFreeHostedClient()) {
            return $settings;
        }
--- a/resources/views/portal/ninja2020/layout/app.blade.php
+++ b/resources/views/portal/ninja2020/layout/app.blade.php
@ -163,7 +163,7 @@
        @yield('footer')
        @stack('footer')

-        @if((bool) \App\Utils\Ninja::isSelfHost() && !empty($client->getSetting('portal_custom_footer')))
+        @if($company && $company->account->isPaid() && !empty($client->getSetting('portal_custom_footer')))
            <div class="py-1 text-sm text-center text-white bg-primary">
                {!! $client->getSetting('portal_custom_footer') !!}
            </div>
--- a/resources/views/portal/ninja2020/layout/vendor_app.blade.php
+++ b/resources/views/portal/ninja2020/layout/vendor_app.blade.php
@ -164,7 +164,7 @@
        @yield('footer')
        @stack('footer')

-        @if((bool) \App\Utils\Ninja::isSelfHost() && !empty($settings->portal_custom_footer))
+        @if($company && $company->account->isPaid() && !empty($settings->portal_custom_footer))
            <div class="py-1 text-sm text-center text-white bg-primary">
                {!! $settings->portal_custom_footer !!}
            </div>