Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-07-09 03:14:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Improve JSON encoding in HTML

Browse Source
This commit is contained in:
Hillel Coren 2017-05-07 10:00:38 +03:00
parent 2cacec4d6c
commit 42032f5e9a
20 changed files with 48 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Http/Requests/SaveClientPortalSettings.php
View File

@ -38,7 +38,7 @@ class SaveClientPortalSettings extends Request
$input = $this->all(); $input = $this->all();
if ($this->client_view_css && Utils::isNinja()) { if ($this->client_view_css && Utils::isNinja()) {
$input['client_view_css'] = HTMLUtils::sanitize($this->client_view_css); $input['client_view_css'] = HTMLUtils::sanitizeCSS($this->client_view_css);
} }
if (Utils::isNinja()) { if (Utils::isNinja()) {
@ -53,7 +53,7 @@ class SaveClientPortalSettings extends Request
$input['subdomain'] = null; $input['subdomain'] = null;
} }
} }
$this->replace($input); $this->replace($input);
return $this->all(); return $this->all();

15
app/Libraries/HTMLUtils.php
View File

@ -7,7 +7,7 @@ use HTMLPurifier_Config;
class HTMLUtils class HTMLUtils
{ {
public static function sanitize($css) public static function sanitizeCSS($css)
{ {
// Allow referencing the body element // Allow referencing the body element
$css = preg_replace('/(?<![a-z0-9\-\_\#\.])body(?![a-z0-9\-\_])/i', '.body', $css); $css = preg_replace('/(?<![a-z0-9\-\_\#\.])body(?![a-z0-9\-\_])/i', '.body', $css);
@ -36,4 +36,17 @@ class HTMLUtils
// Get the first style block // Get the first style block
return count($css) ? $css[0] : ''; return count($css) ? $css[0] : '';
} }
public static function sanitizeHTML($html)
{
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
return $purifier->purify($html);
}
public static function encodeJSON($string)
{
return htmlentities(json_encode($string), ENT_NOQUOTES);
}
} }

2
resources/views/accounts/client_portal.blade.php
View File

@ -372,7 +372,7 @@ iframe.src = '{{ rtrim(SITE_URL ,'/') }}/view/'
<script type="text/javascript"> <script type="text/javascript">
var products = {!! strip_tags(json_encode($products)) !!}; var products = {!! HTMLUtils::encodeJSON($products) !!};
$(function() { $(function() {
var $productSelect = $('select#product'); var $productSelect = $('select#product');

2
resources/views/accounts/invoice_design.blade.php
View File

@ -22,7 +22,7 @@
<script> <script>
var invoiceDesigns = {!! $invoiceDesigns !!}; var invoiceDesigns = {!! $invoiceDesigns !!};
var invoiceFonts = {!! $invoiceFonts !!}; var invoiceFonts = {!! $invoiceFonts !!};
var invoice = {!! strip_tags(json_encode($invoice)) !!}; var invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
function getDesignJavascript() { function getDesignJavascript() {
var id = $('#invoice_design_id').val(); var id = $('#invoice_design_id').val();

2
resources/views/accounts/payments.blade.php
View File

@ -200,7 +200,7 @@
<script> <script>
window.onDatatableReady = actionListHandler; window.onDatatableReady = actionListHandler;
var taxRates = {!! strip_tags(json_encode($taxRates)) !!}; var taxRates = {!! HTMLUtils::encodeJSON($taxRates) !!};
var taxRatesMap = {}; var taxRatesMap = {};
for (var i=0; i<taxRates.length; i++) { for (var i=0; i<taxRates.length; i++) {
var taxRate = taxRates[i]; var taxRate = taxRates[i];

2
resources/views/accounts/templates_and_reminders.blade.php
View File

@ -151,7 +151,7 @@
var entityTypes = ['invoice', 'quote', 'payment', 'reminder1', 'reminder2', 'reminder3']; var entityTypes = ['invoice', 'quote', 'payment', 'reminder1', 'reminder2', 'reminder3'];
var stringTypes = ['subject', 'template']; var stringTypes = ['subject', 'template'];
var templates = {!! json_encode($defaultTemplates) !!}; var templates = {!! json_encode($defaultTemplates) !!};
var account = {!! strip_tags(json_encode(Auth::user()->account)) !!}; var account = {!! HTMLUtils::encodeJSON(Auth::user()->account) !!};
function refreshPreview() { function refreshPreview() {
for (var i=0; i<entityTypes.length; i++) { for (var i=0; i<entityTypes.length; i++) {

4
resources/views/clients/statement.blade.php
View File

@ -13,8 +13,8 @@
var invoiceDesigns = {!! \App\Models\InvoiceDesign::getDesigns() !!}; var invoiceDesigns = {!! \App\Models\InvoiceDesign::getDesigns() !!};
var invoiceFonts = {!! Cache::get('fonts') !!}; var invoiceFonts = {!! Cache::get('fonts') !!};
var currentInvoice = {!! strip_tags(json_encode($invoice)) !!}; var currentInvoice = {!! HTMLUtils::encodeJSON($invoice) !!};
var invoice = {!! strip_tags(json_encode($invoice)) !!}; var invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
function getPDFString(cb) { function getPDFString(cb) {

2
resources/views/credits/edit.blade.php
View File

@ -58,7 +58,7 @@
<script type="text/javascript"> <script type="text/javascript">
var clients = {!! $clients ? strip_tags(json_encode($clients)) : 'false' !!}; var clients = {!! $clients ? HTMLUtils::encodeJSON($clients) : 'false' !!};
$(function() { $(function() {

2
resources/views/dashboard.blade.php
View File

@ -83,7 +83,7 @@
} }
} }
var account = {!! strip_tags(json_encode($account)) !!}; var account = {!! HTMLUtils::encodeJSON($account) !!};
var chartGroupBy = 'day'; var chartGroupBy = 'day';
var chartCurrencyId = {{ $account->getCurrencyId() }}; var chartCurrencyId = {{ $account->getCurrencyId() }};
var dateRanges = {!! $account->present()->dateRangeOptions !!}; var dateRanges = {!! $account->present()->dateRangeOptions !!};

8
resources/views/expenses/edit.blade.php
View File

@ -256,10 +256,10 @@
<script type="text/javascript"> <script type="text/javascript">
Dropzone.autoDiscover = false; Dropzone.autoDiscover = false;
var vendors = {!! strip_tags(json_encode($vendors)) !!}; var vendors = {!! HTMLUtils::encodeJSON($vendors) !!};
var clients = {!! strip_tags(json_encode($clients)) !!}; var clients = {!! HTMLUtils::encodeJSON($clients) !!};
var categories = {!! strip_tags(json_encode($categories)) !!}; var categories = {!! HTMLUtils::encodeJSON($categories) !!};
var taxRates = {!! strip_tags(json_encode($taxRates)) !!}; var taxRates = {!! HTMLUtils::encodeJSON($taxRates) !!};
var clientMap = {}; var clientMap = {};
var vendorMap = {}; var vendorMap = {};

12
resources/views/invoices/edit.blade.php
View File

@ -841,8 +841,8 @@
<script type="text/javascript"> <script type="text/javascript">
Dropzone.autoDiscover = false; Dropzone.autoDiscover = false;
var products = {!! strip_tags(json_encode($products)) !!}; var products = {!! HTMLUtils::encodeJSON($products) !!};
var clients = {!! strip_tags(json_encode($clients)) !!}; var clients = {!! HTMLUtils::encodeJSON($clients) !!};
var account = {!! Auth::user()->account !!}; var account = {!! Auth::user()->account !!};
var dropzone; var dropzone;
@ -882,7 +882,7 @@
// otherwise create blank model // otherwise create blank model
window.model = new ViewModel(); window.model = new ViewModel();
var invoice = {!! strip_tags(json_encode($invoice)) !!}; var invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
ko.mapping.fromJS(invoice, model.invoice().mapping, model.invoice); ko.mapping.fromJS(invoice, model.invoice().mapping, model.invoice);
model.invoice().is_recurring({{ $invoice->is_recurring ? '1' : '0' }}); model.invoice().is_recurring({{ $invoice->is_recurring ? '1' : '0' }});
model.invoice().start_date_orig(model.invoice().start_date()); model.invoice().start_date_orig(model.invoice().start_date());
@ -900,7 +900,7 @@
@else @else
// set the default account tax rate // set the default account tax rate
@if ($account->invoice_taxes && ! empty($defaultTax)) @if ($account->invoice_taxes && ! empty($defaultTax))
var defaultTax = {!! strip_tags(json_encode($defaultTax)) !!}; var defaultTax = {!! HTMLUtils::encodeJSON($defaultTax) !!};
model.invoice().tax_rate1(defaultTax.rate); model.invoice().tax_rate1(defaultTax.rate);
model.invoice().tax_name1(defaultTax.name); model.invoice().tax_name1(defaultTax.name);
@endif @endif
@ -909,7 +909,7 @@
@if (isset($tasks) && $tasks) @if (isset($tasks) && $tasks)
// move the blank invoice line item to the end // move the blank invoice line item to the end
var blank = model.invoice().invoice_items.pop(); var blank = model.invoice().invoice_items.pop();
var tasks = {!! strip_tags(json_encode($tasks)) !!}; var tasks = {!! HTMLUtils::encodeJSON($tasks) !!};
for (var i=0; i<tasks.length; i++) { for (var i=0; i<tasks.length; i++) {
var task = tasks[i]; var task = tasks[i];
@ -928,7 +928,7 @@
// move the blank invoice line item to the end // move the blank invoice line item to the end
var blank = model.invoice().invoice_items.pop(); var blank = model.invoice().invoice_items.pop();
var expenses = {!! strip_tags(json_encode($expenses)) !!} var expenses = {!! HTMLUtils::encodeJSON($expenses) !!}
for (var i=0; i<expenses.length; i++) { for (var i=0; i<expenses.length; i++) {
var expense = expenses[i]; var expense = expenses[i];

2
resources/views/invoices/history.blade.php
View File

@ -13,7 +13,7 @@
var invoiceDesigns = {!! $invoiceDesigns !!}; var invoiceDesigns = {!! $invoiceDesigns !!};
var invoiceFonts = {!! $invoiceFonts !!}; var invoiceFonts = {!! $invoiceFonts !!};
var currentInvoice = {!! strip_tags(json_encode($invoice)) !!}; var currentInvoice = {!! HTMLUtils::encodeJSON($invoice) !!};
var versionsJson = {!! strip_tags($versionsJson) !!}; var versionsJson = {!! strip_tags($versionsJson) !!};
function getPDFString(cb) { function getPDFString(cb) {

4
resources/views/invoices/knockout.blade.php
View File

@ -7,7 +7,7 @@ function ViewModel(data) {
//self.invoice = data ? false : new InvoiceModel(); //self.invoice = data ? false : new InvoiceModel();
self.invoice = ko.observable(data ? false : new InvoiceModel()); self.invoice = ko.observable(data ? false : new InvoiceModel());
self.expense_currency_id = ko.observable(); self.expense_currency_id = ko.observable();
self.products = {!! strip_tags(json_encode($products)) !!}; self.products = {!! HTMLUtils::encodeJSON($products) !!};
self.loadClient = function(client) { self.loadClient = function(client) {
ko.mapping.fromJS(client, model.invoice().client().mapping, model.invoice().client); ko.mapping.fromJS(client, model.invoice().client().mapping, model.invoice().client);
@ -174,7 +174,7 @@ function InvoiceModel(data) {
var self = this; var self = this;
this.client = ko.observable(clientModel); this.client = ko.observable(clientModel);
this.is_public = ko.observable(0); this.is_public = ko.observable(0);
self.account = {!! strip_tags(json_encode($account)) !!}; self.account = {!! HTMLUtils::encodeJSON($account) !!};
self.id = ko.observable(''); self.id = ko.observable('');
self.discount = ko.observable(''); self.discount = ko.observable('');
self.is_amount_discount = ko.observable(0); self.is_amount_discount = ko.observable(0);

2
resources/views/invoices/pdf.blade.php
View File

@ -102,7 +102,7 @@
NINJA.bodyFont = "Roboto"; NINJA.bodyFont = "Roboto";
@endif @endif
var invoiceLabels = {!! strip_tags(json_encode($account->getInvoiceLabels())) !!}; var invoiceLabels = {!! HTMLUtils::encodeJSON($account->getInvoiceLabels()) !!};
if (window.invoice) { if (window.invoice) {
//invoiceLabels.item = invoice.has_tasks ? invoiceLabels.date : invoiceLabels.item_orig; //invoiceLabels.item = invoice.has_tasks ? invoiceLabels.date : invoiceLabels.item_orig;

6
resources/views/invoices/view.blade.php
View File

@ -82,7 +82,7 @@
e.preventDefault(); e.preventDefault();
$('#wepay-error').remove(); $('#wepay-error').remove();
var email = {!! strip_tags(json_encode($contact->email)) !!} || prompt('{{ trans('texts.ach_email_prompt') }}'); var email = {!! HTMLUtils::encodeJSON($contact->email) !!} || prompt('{{ trans('texts.ach_email_prompt') }}');
if(!email)return; if(!email)return;
WePay.bank_account.create({ WePay.bank_account.create({
@ -176,14 +176,14 @@
@endif @endif
<script type="text/javascript"> <script type="text/javascript">
window.invoice = {!! strip_tags(json_encode($invoice)) !!}; window.invoice = {!! HTMLUtils::encodeJSON($invoice) !!};
invoice.features = { invoice.features = {
customize_invoice_design:{{ $invoice->client->account->hasFeature(FEATURE_CUSTOMIZE_INVOICE_DESIGN) ? 'true' : 'false' }}, customize_invoice_design:{{ $invoice->client->account->hasFeature(FEATURE_CUSTOMIZE_INVOICE_DESIGN) ? 'true' : 'false' }},
remove_created_by:{{ $invoice->client->account->hasFeature(FEATURE_REMOVE_CREATED_BY) ? 'true' : 'false' }}, remove_created_by:{{ $invoice->client->account->hasFeature(FEATURE_REMOVE_CREATED_BY) ? 'true' : 'false' }},
invoice_settings:{{ $invoice->client->account->hasFeature(FEATURE_INVOICE_SETTINGS) ? 'true' : 'false' }} invoice_settings:{{ $invoice->client->account->hasFeature(FEATURE_INVOICE_SETTINGS) ? 'true' : 'false' }}
}; };
invoice.is_quote = {{ $invoice->isQuote() ? 'true' : 'false' }}; invoice.is_quote = {{ $invoice->isQuote() ? 'true' : 'false' }};
invoice.contact = {!! strip_tags(json_encode($contact)) !!}; invoice.contact = {!! HTMLUtils::encodeJSON($contact) !!};
function getPDFString(cb) { function getPDFString(cb) {
return generatePDF(invoice, invoice.invoice_design.javascript, true, cb); return generatePDF(invoice, invoice.invoice_design.javascript, true, cb);

4
resources/views/payments/edit.blade.php
View File

@ -106,8 +106,8 @@
<script type="text/javascript"> <script type="text/javascript">
var invoices = {!! strip_tags(json_encode($invoices)) !!}; var invoices = {!! HTMLUtils::encodeJSON($invoices) !!};
var clients = {!! strip_tags(json_encode($clients)) !!}; var clients = {!! HTMLUtils::encodeJSON($clients) !!};
$(function() { $(function() {

2
resources/views/payments/paymentmethods_list.blade.php
View File

@ -58,7 +58,7 @@
e.preventDefault(); e.preventDefault();
$('#wepay-error').remove(); $('#wepay-error').remove();
var email = {!! strip_tags(json_encode($contact->email)) !!} || prompt('{{ trans('texts.ach_email_prompt') }}'); var email = {!! HTMLUtils::encodeJSON($contact->email) !!} || prompt('{{ trans('texts.ach_email_prompt') }}');
if(!email)return; if(!email)return;
WePay.bank_account.create({ WePay.bank_account.create({

2
resources/views/projects/edit.blade.php
View File

@ -61,7 +61,7 @@
<script> <script>
var clients = {!! strip_tags(json_encode($clients)) !!}; var clients = {!! HTMLUtils::encodeJSON($clients) !!};
$(function() { $(function() {
var $clientSelect = $('select#client_id'); var $clientSelect = $('select#client_id');

2
resources/views/reports/d3.blade.php
View File

@ -60,7 +60,7 @@
<script type="text/javascript"> <script type="text/javascript">
// store data as JSON // store data as JSON
var data = {!! strip_tags(json_encode($clients)) !!}; var data = {!! HTMLUtils::encodeJSON($clients) !!};
_.each(data, function(client) { _.each(data, function(client) {
_.each(client.invoices, function(invoice) { _.each(client.invoices, function(invoice) {

4
resources/views/tasks/edit.blade.php
View File

@ -232,8 +232,8 @@
} }
} }
var clients = {!! strip_tags(json_encode($clients)) !!}; var clients = {!! HTMLUtils::encodeJSON($clients) !!};
var projects = {!! strip_tags(json_encode($projects)) !!}; var projects = {!! HTMLUtils::encodeJSON($projects) !!};
var timeLabels = {}; var timeLabels = {};
@foreach (['hour', 'minute', 'second'] as $period) @foreach (['hour', 'minute', 'second'] as $period)