From 42032f5e9aac23b6abec5c07b6a975fbe695dd0a Mon Sep 17 00:00:00 2001
From: Hillel Coren <hillelcoren@gmail.com>
Date: Sun, 7 May 2017 10:00:38 +0300
Subject: [PATCH] Improve JSON encoding in HTML

---
 app/Http/Requests/SaveClientPortalSettings.php    |  4 ++--
 app/Libraries/HTMLUtils.php                       | 15 ++++++++++++++-
 resources/views/accounts/client_portal.blade.php  |  2 +-
 resources/views/accounts/invoice_design.blade.php |  2 +-
 resources/views/accounts/payments.blade.php       |  2 +-
 .../accounts/templates_and_reminders.blade.php    |  2 +-
 resources/views/clients/statement.blade.php       |  4 ++--
 resources/views/credits/edit.blade.php            |  2 +-
 resources/views/dashboard.blade.php               |  2 +-
 resources/views/expenses/edit.blade.php           |  8 ++++----
 resources/views/invoices/edit.blade.php           | 12 ++++++------
 resources/views/invoices/history.blade.php        |  2 +-
 resources/views/invoices/knockout.blade.php       |  4 ++--
 resources/views/invoices/pdf.blade.php            |  2 +-
 resources/views/invoices/view.blade.php           |  6 +++---
 resources/views/payments/edit.blade.php           |  4 ++--
 .../views/payments/paymentmethods_list.blade.php  |  2 +-
 resources/views/projects/edit.blade.php           |  2 +-
 resources/views/reports/d3.blade.php              |  2 +-
 resources/views/tasks/edit.blade.php              |  4 ++--
 20 files changed, 48 insertions(+), 35 deletions(-)

diff --git a/app/Http/Requests/SaveClientPortalSettings.php b/app/Http/Requests/SaveClientPortalSettings.php
index 7912c0df45da..cd81bf7d31dd 100644
--- a/app/Http/Requests/SaveClientPortalSettings.php
+++ b/app/Http/Requests/SaveClientPortalSettings.php
@@ -38,7 +38,7 @@ class SaveClientPortalSettings extends Request
         $input = $this->all();
 
         if ($this->client_view_css && Utils::isNinja()) {
-            $input['client_view_css'] = HTMLUtils::sanitize($this->client_view_css);
+            $input['client_view_css'] = HTMLUtils::sanitizeCSS($this->client_view_css);
         }
 
         if (Utils::isNinja()) {
@@ -53,7 +53,7 @@ class SaveClientPortalSettings extends Request
                 $input['subdomain'] = null;
             }
         }
-        
+
         $this->replace($input);
 
         return $this->all();
diff --git a/app/Libraries/HTMLUtils.php b/app/Libraries/HTMLUtils.php
index 412252a1eb6d..3e3252a922ca 100644
--- a/app/Libraries/HTMLUtils.php
+++ b/app/Libraries/HTMLUtils.php
@@ -7,7 +7,7 @@ use HTMLPurifier_Config;
 
 class HTMLUtils
 {
-    public static function sanitize($css)
+    public static function sanitizeCSS($css)
     {
         // Allow referencing the body element
         $css = preg_replace('/(?<![a-z0-9\-\_\#\.])body(?![a-z0-9\-\_])/i', '.body', $css);
@@ -36,4 +36,17 @@ class HTMLUtils
         // Get the first style block
         return count($css) ? $css[0] : '';
     }
+
+    public static function sanitizeHTML($html)
+    {
+        $config = HTMLPurifier_Config::createDefault();
+        $purifier = new HTMLPurifier($config);
+
+        return $purifier->purify($html);
+    }
+
+    public static function encodeJSON($string)
+    {
+        return htmlentities(json_encode($string), ENT_NOQUOTES);
+    }
 }
diff --git a/resources/views/accounts/client_portal.blade.php b/resources/views/accounts/client_portal.blade.php
index 71fa231e65e2..22debed199ac 100644
--- a/resources/views/accounts/client_portal.blade.php
+++ b/resources/views/accounts/client_portal.blade.php
@@ -372,7 +372,7 @@ iframe.src = '{{ rtrim(SITE_URL ,'/') }}/view/'
 
 <script type="text/javascript">
 
-    var products = {!! strip_tags(json_encode($products)) !!};
+    var products = {!! HTMLUtils::encodeJSON($products) !!};
 
     $(function() {
         var $productSelect = $('select#product');
diff --git a/resources/views/accounts/invoice_design.blade.php b/resources/views/accounts/invoice_design.blade.php
index 56169a0423b2..faa791debef7 100644
--- a/resources/views/accounts/invoice_design.blade.php
+++ b/resources/views/accounts/invoice_design.blade.php
@@ -22,7 +22,7 @@
   <script>
     var invoiceDesigns = {!! $invoiceDesigns !!};
     var invoiceFonts = {!! $invoiceFonts !!};
-    var invoice = {!! strip_tags(json_encode($invoice)) !!};
+    var invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
 
     function getDesignJavascript() {
       var id = $('#invoice_design_id').val();
diff --git a/resources/views/accounts/payments.blade.php b/resources/views/accounts/payments.blade.php
index 8cf5db6f517c..bee3345957e1 100644
--- a/resources/views/accounts/payments.blade.php
+++ b/resources/views/accounts/payments.blade.php
@@ -200,7 +200,7 @@
   <script>
     window.onDatatableReady = actionListHandler;
 
-	var taxRates = {!! strip_tags(json_encode($taxRates)) !!};
+	var taxRates = {!! HTMLUtils::encodeJSON($taxRates) !!};
 	var taxRatesMap = {};
 	for (var i=0; i<taxRates.length; i++) {
 		var taxRate = taxRates[i];
diff --git a/resources/views/accounts/templates_and_reminders.blade.php b/resources/views/accounts/templates_and_reminders.blade.php
index e440a44980eb..e83a66ca06f7 100644
--- a/resources/views/accounts/templates_and_reminders.blade.php
+++ b/resources/views/accounts/templates_and_reminders.blade.php
@@ -151,7 +151,7 @@
         var entityTypes = ['invoice', 'quote', 'payment', 'reminder1', 'reminder2', 'reminder3'];
         var stringTypes = ['subject', 'template'];
         var templates = {!! json_encode($defaultTemplates) !!};
-        var account = {!! strip_tags(json_encode(Auth::user()->account)) !!};
+        var account = {!! HTMLUtils::encodeJSON(Auth::user()->account) !!};
 
         function refreshPreview() {
             for (var i=0; i<entityTypes.length; i++) {
diff --git a/resources/views/clients/statement.blade.php b/resources/views/clients/statement.blade.php
index 2ddbf787b5fb..bebacbd32079 100644
--- a/resources/views/clients/statement.blade.php
+++ b/resources/views/clients/statement.blade.php
@@ -13,8 +13,8 @@
 
         var invoiceDesigns = {!! \App\Models\InvoiceDesign::getDesigns() !!};
         var invoiceFonts = {!! Cache::get('fonts') !!};
-        var currentInvoice = {!! strip_tags(json_encode($invoice)) !!};
-        var invoice = {!! strip_tags(json_encode($invoice)) !!};
+        var currentInvoice = {!! HTMLUtils::encodeJSON($invoice) !!};
+        var invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
 
         function getPDFString(cb) {
 
diff --git a/resources/views/credits/edit.blade.php b/resources/views/credits/edit.blade.php
index e5934602615c..99e11129bd06 100644
--- a/resources/views/credits/edit.blade.php
+++ b/resources/views/credits/edit.blade.php
@@ -58,7 +58,7 @@
 	<script type="text/javascript">
 
 
-	var clients = {!! $clients ? strip_tags(json_encode($clients)) : 'false' !!};
+	var clients = {!! $clients ? HTMLUtils::encodeJSON($clients) : 'false' !!};
 
 	$(function() {
 
diff --git a/resources/views/dashboard.blade.php b/resources/views/dashboard.blade.php
index d73d1a16b0bd..ae18d806d907 100644
--- a/resources/views/dashboard.blade.php
+++ b/resources/views/dashboard.blade.php
@@ -83,7 +83,7 @@
             }
         }
 
-        var account = {!! strip_tags(json_encode($account)) !!};
+        var account = {!! HTMLUtils::encodeJSON($account) !!};
         var chartGroupBy = 'day';
         var chartCurrencyId = {{ $account->getCurrencyId() }};
 		var dateRanges = {!! $account->present()->dateRangeOptions !!};
diff --git a/resources/views/expenses/edit.blade.php b/resources/views/expenses/edit.blade.php
index 2be683e8234a..1ccca4509389 100644
--- a/resources/views/expenses/edit.blade.php
+++ b/resources/views/expenses/edit.blade.php
@@ -256,10 +256,10 @@
     <script type="text/javascript">
         Dropzone.autoDiscover = false;
 
-        var vendors = {!! strip_tags(json_encode($vendors)) !!};
-        var clients = {!! strip_tags(json_encode($clients)) !!};
-        var categories = {!! strip_tags(json_encode($categories)) !!};
-        var taxRates = {!! strip_tags(json_encode($taxRates)) !!};
+        var vendors = {!! HTMLUtils::encodeJSON($vendors) !!};
+        var clients = {!! HTMLUtils::encodeJSON($clients) !!};
+        var categories = {!! HTMLUtils::encodeJSON($categories) !!};
+        var taxRates = {!! HTMLUtils::encodeJSON($taxRates) !!};
 
         var clientMap = {};
         var vendorMap = {};
diff --git a/resources/views/invoices/edit.blade.php b/resources/views/invoices/edit.blade.php
index acceab2be5eb..52026d6eda06 100644
--- a/resources/views/invoices/edit.blade.php
+++ b/resources/views/invoices/edit.blade.php
@@ -841,8 +841,8 @@
 	<script type="text/javascript">
     Dropzone.autoDiscover = false;
 
-    var products = {!! strip_tags(json_encode($products)) !!};
-	var clients = {!! strip_tags(json_encode($clients)) !!};
+    var products = {!! HTMLUtils::encodeJSON($products) !!};
+	var clients = {!! HTMLUtils::encodeJSON($clients) !!};
     var account = {!! Auth::user()->account !!};
     var dropzone;
 
@@ -882,7 +882,7 @@
             // otherwise create blank model
             window.model = new ViewModel();
 
-            var invoice = {!! strip_tags(json_encode($invoice)) !!};
+            var invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
             ko.mapping.fromJS(invoice, model.invoice().mapping, model.invoice);
             model.invoice().is_recurring({{ $invoice->is_recurring ? '1' : '0' }});
             model.invoice().start_date_orig(model.invoice().start_date());
@@ -900,7 +900,7 @@
             @else
                 // set the default account tax rate
                 @if ($account->invoice_taxes && ! empty($defaultTax))
-                    var defaultTax = {!! strip_tags(json_encode($defaultTax)) !!};
+                    var defaultTax = {!! HTMLUtils::encodeJSON($defaultTax) !!};
                     model.invoice().tax_rate1(defaultTax.rate);
                     model.invoice().tax_name1(defaultTax.name);
                 @endif
@@ -909,7 +909,7 @@
             @if (isset($tasks) && $tasks)
                 // move the blank invoice line item to the end
                 var blank = model.invoice().invoice_items.pop();
-                var tasks = {!! strip_tags(json_encode($tasks)) !!};
+                var tasks = {!! HTMLUtils::encodeJSON($tasks) !!};
 
                 for (var i=0; i<tasks.length; i++) {
                     var task = tasks[i];
@@ -928,7 +928,7 @@
 
                 // move the blank invoice line item to the end
                 var blank = model.invoice().invoice_items.pop();
-                var expenses = {!! strip_tags(json_encode($expenses)) !!}
+                var expenses = {!! HTMLUtils::encodeJSON($expenses) !!}
 
                 for (var i=0; i<expenses.length; i++) {
                     var expense = expenses[i];
diff --git a/resources/views/invoices/history.blade.php b/resources/views/invoices/history.blade.php
index a77dcc3f11ec..917064dacdb8 100644
--- a/resources/views/invoices/history.blade.php
+++ b/resources/views/invoices/history.blade.php
@@ -13,7 +13,7 @@
 
     var invoiceDesigns = {!! $invoiceDesigns !!};
     var invoiceFonts = {!! $invoiceFonts !!};
-    var currentInvoice = {!! strip_tags(json_encode($invoice)) !!};
+    var currentInvoice = {!! HTMLUtils::encodeJSON($invoice) !!};
     var versionsJson = {!! strip_tags($versionsJson) !!};
 
     function getPDFString(cb) {
diff --git a/resources/views/invoices/knockout.blade.php b/resources/views/invoices/knockout.blade.php
index f60772dbce03..5ce432126cff 100644
--- a/resources/views/invoices/knockout.blade.php
+++ b/resources/views/invoices/knockout.blade.php
@@ -7,7 +7,7 @@ function ViewModel(data) {
     //self.invoice = data ? false : new InvoiceModel();
     self.invoice = ko.observable(data ? false : new InvoiceModel());
     self.expense_currency_id = ko.observable();
-    self.products = {!! strip_tags(json_encode($products)) !!};
+    self.products = {!! HTMLUtils::encodeJSON($products) !!};
 
     self.loadClient = function(client) {
         ko.mapping.fromJS(client, model.invoice().client().mapping, model.invoice().client);
@@ -174,7 +174,7 @@ function InvoiceModel(data) {
     var self = this;
     this.client = ko.observable(clientModel);
     this.is_public = ko.observable(0);
-    self.account = {!! strip_tags(json_encode($account)) !!};
+    self.account = {!! HTMLUtils::encodeJSON($account) !!};
     self.id = ko.observable('');
     self.discount = ko.observable('');
     self.is_amount_discount = ko.observable(0);
diff --git a/resources/views/invoices/pdf.blade.php b/resources/views/invoices/pdf.blade.php
index db673536018c..f6d919808b99 100644
--- a/resources/views/invoices/pdf.blade.php
+++ b/resources/views/invoices/pdf.blade.php
@@ -102,7 +102,7 @@
       NINJA.bodyFont = "Roboto";
   @endif
 
-  var invoiceLabels = {!! strip_tags(json_encode($account->getInvoiceLabels())) !!};
+  var invoiceLabels = {!! HTMLUtils::encodeJSON($account->getInvoiceLabels()) !!};
 
   if (window.invoice) {
     //invoiceLabels.item = invoice.has_tasks ? invoiceLabels.date : invoiceLabels.item_orig;
diff --git a/resources/views/invoices/view.blade.php b/resources/views/invoices/view.blade.php
index a402ba4f79da..ced0072efe4c 100644
--- a/resources/views/invoices/view.blade.php
+++ b/resources/views/invoices/view.blade.php
@@ -82,7 +82,7 @@
                     e.preventDefault();
 
                     $('#wepay-error').remove();
-                    var email = {!! strip_tags(json_encode($contact->email)) !!} || prompt('{{ trans('texts.ach_email_prompt') }}');
+                    var email = {!! HTMLUtils::encodeJSON($contact->email) !!} || prompt('{{ trans('texts.ach_email_prompt') }}');
                     if(!email)return;
 
                     WePay.bank_account.create({
@@ -176,14 +176,14 @@
         @endif
 		<script type="text/javascript">
 
-			window.invoice = {!! strip_tags(json_encode($invoice)) !!};
+			window.invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
 			invoice.features = {
                 customize_invoice_design:{{ $invoice->client->account->hasFeature(FEATURE_CUSTOMIZE_INVOICE_DESIGN) ? 'true' : 'false' }},
                 remove_created_by:{{ $invoice->client->account->hasFeature(FEATURE_REMOVE_CREATED_BY) ? 'true' : 'false' }},
                 invoice_settings:{{ $invoice->client->account->hasFeature(FEATURE_INVOICE_SETTINGS) ? 'true' : 'false' }}
             };
 			invoice.is_quote = {{ $invoice->isQuote() ? 'true' : 'false' }};
-			invoice.contact = {!! strip_tags(json_encode($contact)) !!};
+			invoice.contact = {!! HTMLUtils::encodeJSON($contact) !!};
 
 			function getPDFString(cb) {
     	  	    return generatePDF(invoice, invoice.invoice_design.javascript, true, cb);
diff --git a/resources/views/payments/edit.blade.php b/resources/views/payments/edit.blade.php
index 394ca2d6e64c..d62671d61aaa 100644
--- a/resources/views/payments/edit.blade.php
+++ b/resources/views/payments/edit.blade.php
@@ -106,8 +106,8 @@
 
 	<script type="text/javascript">
 
-	var invoices = {!! strip_tags(json_encode($invoices)) !!};
-	var clients = {!! strip_tags(json_encode($clients)) !!};
+	var invoices = {!! HTMLUtils::encodeJSON($invoices) !!};
+	var clients = {!! HTMLUtils::encodeJSON($clients) !!};
 
 	$(function() {
 
diff --git a/resources/views/payments/paymentmethods_list.blade.php b/resources/views/payments/paymentmethods_list.blade.php
index 5ffe8392d2ee..dd30255d05cb 100644
--- a/resources/views/payments/paymentmethods_list.blade.php
+++ b/resources/views/payments/paymentmethods_list.blade.php
@@ -58,7 +58,7 @@
                 e.preventDefault();
 
                 $('#wepay-error').remove();
-                var email = {!! strip_tags(json_encode($contact->email)) !!} || prompt('{{ trans('texts.ach_email_prompt') }}');
+                var email = {!! HTMLUtils::encodeJSON($contact->email) !!} || prompt('{{ trans('texts.ach_email_prompt') }}');
                 if(!email)return;
 
                 WePay.bank_account.create({
diff --git a/resources/views/projects/edit.blade.php b/resources/views/projects/edit.blade.php
index 7c6484aeb740..cecc7f7fe54c 100644
--- a/resources/views/projects/edit.blade.php
+++ b/resources/views/projects/edit.blade.php
@@ -61,7 +61,7 @@
 
     <script>
 
-		var clients = {!! strip_tags(json_encode($clients)) !!};
+		var clients = {!! HTMLUtils::encodeJSON($clients) !!};
 
         $(function() {
 			var $clientSelect = $('select#client_id');
diff --git a/resources/views/reports/d3.blade.php b/resources/views/reports/d3.blade.php
index 10e322341cad..b6f70d03d812 100644
--- a/resources/views/reports/d3.blade.php
+++ b/resources/views/reports/d3.blade.php
@@ -60,7 +60,7 @@
   <script type="text/javascript">
 
     // store data as JSON
-    var data = {!! strip_tags(json_encode($clients)) !!};
+    var data = {!! HTMLUtils::encodeJSON($clients) !!};
 
     _.each(data, function(client) {
       _.each(client.invoices, function(invoice) {
diff --git a/resources/views/tasks/edit.blade.php b/resources/views/tasks/edit.blade.php
index 21bbf4926fa1..9066fbf14ef5 100644
--- a/resources/views/tasks/edit.blade.php
+++ b/resources/views/tasks/edit.blade.php
@@ -232,8 +232,8 @@
       }
     }
 
-    var clients = {!! strip_tags(json_encode($clients)) !!};
-    var projects = {!! strip_tags(json_encode($projects)) !!};
+    var clients = {!! HTMLUtils::encodeJSON($clients) !!};
+    var projects = {!! HTMLUtils::encodeJSON($projects) !!};
 
     var timeLabels = {};
     @foreach (['hour', 'minute', 'second'] as $period)