From 1c89a39d569ef5184757cac1d84300a9f23ad9ee Mon Sep 17 00:00:00 2001
From: David Bomba <turbo124@gmail.com>
Date: Sat, 19 Nov 2022 10:58:32 +1100
Subject: [PATCH] Clean input for custom css

---
 .../Requests/Company/UpdateCompanyRequest.php  | 18 ++++++++++++++++++
 .../portal/ninja2020/layout/app.blade.php      |  2 +-
 .../ninja2020/layout/vendor_app.blade.php      |  2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/app/Http/Requests/Company/UpdateCompanyRequest.php b/app/Http/Requests/Company/UpdateCompanyRequest.php
index 37cf05e5400e..94797598d43c 100644
--- a/app/Http/Requests/Company/UpdateCompanyRequest.php
+++ b/app/Http/Requests/Company/UpdateCompanyRequest.php
@@ -22,6 +22,14 @@ class UpdateCompanyRequest extends Request
 {
     use MakesHash;
 
+    private array $protected_input = [
+        'client_portal_privacy_policy',
+        'client_portal_terms',
+        'portal_custom_footer',
+        'portal_custom_css',
+        'portal_custom_head'
+    ];
+
     /**
      * Determine if the user is authorized to make this request.
      *
@@ -32,6 +40,8 @@ class UpdateCompanyRequest extends Request
         return auth()->user()->can('edit', $this->company);
     }
 
+
+
     public function rules()
     {
         $input = $this->all();
@@ -90,6 +100,14 @@ class UpdateCompanyRequest extends Request
     {
         $account = $this->company->account;
 
+        if(Ninja::isHosted())
+        {
+            foreach($this->protected_input as $protected_var)
+            {
+                $settings[$protected_var] = str_replace("script", "", $settings[$protected_var]);
+            }
+        }
+
         if (! $account->isFreeHostedClient()) {
             return $settings;
         }
diff --git a/resources/views/portal/ninja2020/layout/app.blade.php b/resources/views/portal/ninja2020/layout/app.blade.php
index e2aed0225bbb..a68a47b90b41 100644
--- a/resources/views/portal/ninja2020/layout/app.blade.php
+++ b/resources/views/portal/ninja2020/layout/app.blade.php
@@ -163,7 +163,7 @@
         @yield('footer')
         @stack('footer')
 
-        @if((bool) \App\Utils\Ninja::isSelfHost() && !empty($client->getSetting('portal_custom_footer')))
+        @if($company && $company->account->isPaid() && !empty($client->getSetting('portal_custom_footer')))
             <div class="py-1 text-sm text-center text-white bg-primary">
                 {!! $client->getSetting('portal_custom_footer') !!}
             </div>
diff --git a/resources/views/portal/ninja2020/layout/vendor_app.blade.php b/resources/views/portal/ninja2020/layout/vendor_app.blade.php
index 87f03f3d8026..baf55d4945d4 100644
--- a/resources/views/portal/ninja2020/layout/vendor_app.blade.php
+++ b/resources/views/portal/ninja2020/layout/vendor_app.blade.php
@@ -164,7 +164,7 @@
         @yield('footer')
         @stack('footer')
 
-        @if((bool) \App\Utils\Ninja::isSelfHost() && !empty($settings->portal_custom_footer))
+        @if($company && $company->account->isPaid() && !empty($settings->portal_custom_footer))
             <div class="py-1 text-sm text-center text-white bg-primary">
                 {!! $settings->portal_custom_footer !!}
             </div>