From 1c89a39d569ef5184757cac1d84300a9f23ad9ee Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Sat, 19 Nov 2022 10:58:32 +1100
Subject: [PATCH] Clean input for custom css
---
 .../Requests/Company/UpdateCompanyRequest.php | 18 ++++++++++++++++++
 .../portal/ninja2020/layout/app.blade.php | 2 +-
 .../ninja2020/layout/vendor_app.blade.php | 2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/app/Http/Requests/Company/UpdateCompanyRequest.php b/app/Http/Requests/Company/UpdateCompanyRequest.php
index 37cf05e5400e..94797598d43c 100644
--- a/app/Http/Requests/Company/UpdateCompanyRequest.php
+++ b/app/Http/Requests/Company/UpdateCompanyRequest.php
@@ -22,6 +22,14 @@ class UpdateCompanyRequest extends Request
 {
 use MakesHash;
+ private array $protected_input = [
+ 'client_portal_privacy_policy',
+ 'client_portal_terms',
+ 'portal_custom_footer',
+ 'portal_custom_css',
+ 'portal_custom_head'
+ ];
+
 /**
 * Determine if the user is authorized to make this request.
 *
@@ -32,6 +40,8 @@ class UpdateCompanyRequest extends Request
 return auth()->user()->can('edit', $this->company);
 }
+
+
 public function rules()
 {
 $input = $this->all();
@@ -90,6 +100,14 @@ class UpdateCompanyRequest extends Request
 {
 $account = $this->company->account;
+ if(Ninja::isHosted())
+ {
+ foreach($this->protected_input as $protected_var)
+ {
+ $settings[$protected_var] = str_replace("script", "", $settings[$protected_var]);
+ }
+ }
+
 if (! $account->isFreeHostedClient()) {
 return $settings;
 }
diff --git a/resources/views/portal/ninja2020/layout/app.blade.php b/resources/views/portal/ninja2020/layout/app.blade.php
index e2aed0225bbb..a68a47b90b41 100644
--- a/resources/views/portal/ninja2020/layout/app.blade.php
+++ b/resources/views/portal/ninja2020/layout/app.blade.php
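Review bot: The new `$protected_input` property in the hunk at `@@ -22,6 +22,14 @@` carries no comment saying why these five settings keys are singled out, and since the list is never mutated it reads better as a constant, `private const PROTECTED_INPUT = [ ... ];`, with a trailing comma after `'portal_custom_head'`. A one-line docblock such as `/** Settings keys whose values are rendered into the client portal and are cleaned before storage. */` would make the intent visible to the next maintainer. The list is consumed by the hunk at `@@ -90,6 +100,14 @@` further down, so the two should be kept in step.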
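Review bot: In the hunk at `@@ -90,6 +100,14 @@`, `str_replace("script", "", $settings[$protected_var])` does not make these values safe: it is a single-pass, case-sensitive removal of one literal substring, it leaves every other HTML vector untouched, and it silently corrupts legitimate text in the terms and privacy-policy fields (any word containing "script", such as "description" or "subscription", is mangled). Since `portal_custom_footer` is later emitted unescaped via `{!! ... !!}` in app.blade.php and vendor_app.blade.php below, these fields should go through a real HTML sanitizer with an element/attribute allowlist (and a CSS-specific cleaner for `portal_custom_css`), or be escaped at output rather than trusted from storage. The loop also reads `$settings[$protected_var]` unconditionally, so a missing key raises an undefined-key warning and passes null to `str_replace`; guard it with `if (! isset($settings[$protected_var])) { continue; }`. The `if(`/`foreach(` spacing and Allman braces differ from the context line `if (! $account->isFreeHostedClient()) {` right below, and `Ninja` is used unqualified, which presumes an import at the top of the file that the hunk does not show. The enclosing method's signature and tail both lie outside this hunk.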
@@ -163,7 +163,7 @@
 @yield('footer')
 @stack('footer')
- @if((bool) \App\Utils\Ninja::isSelfHost() && !empty($client->getSetting('portal_custom_footer')))
+ @if($company && $company->account->isPaid() && !empty($client->getSetting('portal_custom_footer')))
{!! $client->getSetting('portal_custom_footer') !!}
diff --git a/resources/views/portal/ninja2020/layout/vendor_app.blade.php b/resources/views/portal/ninja2020/layout/vendor_app.blade.php
index 87f03f3d8026..baf55d4945d4 100644
--- a/resources/views/portal/ninja2020/layout/vendor_app.blade.php
+++ b/resources/views/portal/ninja2020/layout/vendor_app.blade.php
@@ -164,7 +164,7 @@
 @yield('footer')
 @stack('footer')
- @if((bool) \App\Utils\Ninja::isSelfHost() && !empty($settings->portal_custom_footer))
+ @if($company && $company->account->isPaid() && !empty($settings->portal_custom_footer))
{!! $settings->portal_custom_footer !!}