diff --git a/app/Http/Requests/Company/UpdateCompanyRequest.php b/app/Http/Requests/Company/UpdateCompanyRequest.php
index e53dade24d1f..4cdd76bddcf6 100644
--- a/app/Http/Requests/Company/UpdateCompanyRequest.php
+++ b/app/Http/Requests/Company/UpdateCompanyRequest.php
@@ -137,7 +137,7 @@ class UpdateCompanyRequest extends Request
 }
 if (isset($settings['email_style_custom'])) {
- $settings['email_style_custom'] = str_replace(['{!!','!!}','{{','}}','@dd', '@dump', '@if', '@if(','@endif','@isset','@unless','@auth','@empty','@guest','@env','@section','@switch', '@foreach', '@while', '@include', '@each', '@once', '@push', '@use', '@forelse', '@verbatim', ' 2)
diff --git a/app/Services/Template/TemplateService.php b/app/Services/Template/TemplateService.php
index 429a565cab69..89482765fade 100644
--- a/app/Services/Template/TemplateService.php
+++ b/app/Services/Template/TemplateService.php
@@ -100,6 +100,7 @@ class TemplateService
 $this->twig->addExtension(new IntlExtension());
 $this->twig->addExtension(new \Twig\Extension\DebugExtension());
+ $function = new \Twig\TwigFunction('img', function ($string, $style = '') { return ''; });
@@ -122,25 +123,14 @@ class TemplateService
 $this->twig->addFilter($filter);
- $filter = new \Twig\TwigFilter('filter', function ($array, $arrow){
+ $allowedTags = ['if', 'for', 'set', 'filter'];
+ $allowedFilters = ['escape', 'e', 'upper', 'lower', 'capitalize', 'filter', 'length', 'merge','format_currency','map', 'join', 'first', 'date','sum'];
+ $allowedFunctions = ['range', 'cycle', 'constant', 'date',];
+ $allowedProperties = [];
+ $allowedMethods = ['img','t'];
- if(is_string($arrow) && in_array($arrow, ['popen','exec','shell_exec','system','passthru','proc_open','pcntl_exec','sleep','escapeshellcmd','escapeshellarg']))
- throw new RuntimeError("Attempt to access command line");
-
- if (!is_iterable($array)) {
- throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \is_object($array) ? \get_class($array) : \gettype($array)));
- }
-
- if (\is_array($array)) {
- return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH);
- }
-
- // the IteratorIterator wrapping is needed as some internal PHP classes are \Traversable but do not implement \Iterator
- return new \CallbackFilterIterator(new \IteratorIterator($array), $arrow);
-
- });
-
- $this->twig->addFilter($filter);
+ $policy = new \Twig\Sandbox\SecurityPolicy($allowedTags, $allowedFilters, $allowedFunctions, $allowedProperties, $allowedMethods);
+ $this->twig->addExtension(new \Twig\Extension\SandboxExtension($policy, true));
 return $this;
 }
diff --git a/app/Utils/TemplateEngine.php b/app/Utils/TemplateEngine.php
index 94adf01c0287..ba3ad307e8af 100644
--- a/app/Utils/TemplateEngine.php
+++ b/app/Utils/TemplateEngine.php
@@ -255,7 +255,7 @@ class TemplateEngine
 /*If no custom design exists, send back a blank!*/
 if (strlen($wrapper) > 1) {
- $wrapper = $this->renderView($wrapper, $data);
+ // $wrapper = $this->renderView($wrapper, $data);
 } else {
 $wrapper = '';
 }
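Review bot: The `SecurityPolicy` constructor call passes `$allowedFunctions` and `$allowedMethods` in swapped positions — Twig's signature is `(tags, filters, methods, properties, functions)`, so `range`/`cycle`/`constant`/`date` land in the methods slot (a flat list where a `ClassName => [methods]` map is expected) and `['img','t']` becomes the function allow-list. Use `$policy = new \Twig\Sandbox\SecurityPolicy($allowedTags, $allowedFilters, $allowedMethods, $allowedProperties, $allowedFunctions);`, declare `$allowedMethods` as a class-keyed map (empty if templates only read scalars), and move `img` — registered as a `TwigFunction` in the hunk above — into `$allowedFunctions`, with `t` going to whichever list matches how it is registered. Allow-listing `filter` and `map` under the sandbox relies on the installed Twig rejecting non-Closure callables in sandbox mode; please confirm the pinned Twig release has that guard, because a string callable such as `system` passed to `filter` is exactly the path the removed blacklist was trying to cover. `constant` exposes every class constant to template authors and is worth dropping unless a template actually needs it. The enclosing method begins before this hunk; only its `return $this;` and closing brace are visible here.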
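Review bot: Commenting out the `renderView` call leaves dead code and silently changes what `$wrapper` holds — for a non-empty custom design it is now the raw, unrendered template string instead of rendered HTML, and whatever consumes `$wrapper` after this hunk (outside the visible lines) receives it as-is. If the intent is to stop rendering user-supplied wrappers, delete the commented line and state the decision, e.g. `// Custom wrappers are no longer rendered; the stored design is passed through unmodified.`, or, if such designs should be discarded entirely, collapse the branch to `$wrapper = '';`. As written a reader cannot tell whether this is a temporary mitigation or the intended behaviour. The enclosing method starts before and continues after this hunk.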
diff --git a/app/Utils/Traits/MakesInvoiceHtml.php b/app/Utils/Traits/MakesInvoiceHtml.php
index 33868b0a3d70..afbd4afe8d76 100644
--- a/app/Utils/Traits/MakesInvoiceHtml.php
+++ b/app/Utils/Traits/MakesInvoiceHtml.php
@@ -36,6 +36,7 @@ trait MakesInvoiceHtml
 * @param string $string The Blade file string
 * @param array $data The array of template variables
 * @return string The return HTML string
+ * @deprecated // not needed!
 * @throws FatalThrowableError
 */
 public function renderView($string, $data = []): string
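Review bot: The added `@deprecated // not needed!` tag names neither a replacement nor a reason, and `//` inside a docblock is plain text, not a comment marker. PHPDoc convention is `@deprecated [version] [description]`; suggest `@deprecated Renders caller-supplied Blade source and is no longer used; templating goes through the sandboxed Twig TemplateService instead` (the replacement is my inference from this changeset — adjust if wrong). A deprecation annotation alone leaves `renderView($string, $data)` callable with whatever Blade string it is given; if no caller remains, removing the method is the stronger fix. The method body lies outside the hunk.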