From a5ae3aa6bca66ca79a4a5eede90e21b91711d65f Mon Sep 17 00:00:00 2001
From: Hillel Coren
Date: Wed, 17 Apr 2019 18:29:09 +0300
Subject: [PATCH] XSS fixes

---
 app/Libraries/Utils.php                    | 1 +
 app/Ninja/Datatables/ActivityDatatable.php | 2 +-
 app/Ninja/Presenters/ClientPresenter.php   | 5 +++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/Libraries/Utils.php b/app/Libraries/Utils.php
index 2c2a9dda65d8..1fe93c993422 100644
--- a/app/Libraries/Utils.php
+++ b/app/Libraries/Utils.php
@@ -1258,6 +1258,7 @@ class Utils
             return '';
         }
 
+        $link = e($link);
         $title = $link;
         if (substr($link, 0, 4) != 'http') {
             $link = 'http://' . $link;
diff --git a/app/Ninja/Datatables/ActivityDatatable.php b/app/Ninja/Datatables/ActivityDatatable.php
index 44c6482e8f37..5d555c48531b 100644
--- a/app/Ninja/Datatables/ActivityDatatable.php
+++ b/app/Ninja/Datatables/ActivityDatatable.php
@@ -45,7 +45,7 @@ class ActivityDatatable extends EntityDatatable
                 'invoice' => $model->invoice ? link_to('/invoices/' . $model->invoice_public_id, $model->is_recurring ? trans('texts.recurring_invoice') : $model->invoice)->toHtml() : null,
                 'quote' => $model->invoice ? link_to('/quotes/' . $model->invoice_public_id, $model->invoice)->toHtml() : null,
                 'contact' => $model->contact_id ? link_to('/clients/' . $model->client_public_id, Utils::getClientDisplayName($model))->toHtml() : Utils::getPersonDisplayName($model->user_first_name, $model->user_last_name, $model->user_email),
-                'payment' => $model->payment ?: '',
+                'payment' => $model->payment ? e($model->payment) : '',
                 'credit' => $model->payment_amount ? Utils::formatMoney($model->credit, $model->currency_id, $model->country_id) : '',
                 'payment_amount' => $model->payment_amount ? Utils::formatMoney($model->payment_amount, $model->currency_id, $model->country_id) : null,
                 'adjustment' => $model->adjustment ? Utils::formatMoney($model->adjustment, $model->currency_id, $model->country_id) : null,
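Review bot: The scheme check on the line right after the new `e()` call, `substr($link, 0, 4) != 'http'`, is case-sensitive and uses loose comparison, so a website entered as `HTTP://example.com` (constructed example) is rewritten to `http://HTTP://example.com`; `if (strncasecmp($link, 'http', 4) !== 0) {` accepts either case and compares strictly. Escaping before that check is harmless because `e()` leaves a leading scheme untouched, but it is the `http://` prefixing, not the escaping, that keeps a non-http scheme out of the href, and the two should not be confused in a later refactor. The function's name and the line that finally emits `$link` and `$title` are outside the hunk, so whether link_to() escapes these values a second time cannot be confirmed here; a one-line comment such as `// escaped once here: $link feeds both the href and the visible title` would make the intended escaping layer explicit.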
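Review bot: The fallback branch of `'contact'` three lines above the changed line returns `Utils::getPersonDisplayName($model->user_first_name, $model->user_last_name, $model->user_email)` unescaped into the same column array that `'payment'` now escapes; first name, last name and email are user-supplied values, so unless getPersonDisplayName() escapes internally (not visible here) the same wrapper belongs there: `: e(Utils::getPersonDisplayName($model->user_first_name, $model->user_last_name, $model->user_email)),`. The link_to() titles on the `invoice`, `quote` and `contact` lines presumably rely on HtmlBuilder escaping the title itself, which is why they carry no `e()`. A short comment above the array stating that the datatable renders these strings as HTML and that every non-link value must be escaped would keep the next column from repeating the omission. The array literal and its enclosing closure start outside the hunk.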
diff --git a/app/Ninja/Presenters/ClientPresenter.php b/app/Ninja/Presenters/ClientPresenter.php
index 5ed162b51072..5561ca9cbaa0 100644
--- a/app/Ninja/Presenters/ClientPresenter.php
+++ b/app/Ninja/Presenters/ClientPresenter.php
@@ -32,9 +32,10 @@ class ClientPresenter extends EntityPresenter
             return '';
         }
 
-        $link = Utils::addHttp($client->website);
+        $website = e($client->website);
+        $link = Utils::addHttp($website);
 
-        return link_to($link, $client->website, ['target' => '_blank']);
+        return link_to($link, $website, ['target' => '_blank']);
     }
 
     public function paid_to_date()
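Review bot: Escaping is now applied in layers here: `$website` is escaped on the first added line, then passed through Utils::addHttp() and into link_to(), which in laravelcollective's HtmlBuilder runs the href and the title through its own entities() call; if the Utils.php hunk in this same commit is addHttp() (its function name is outside that hunk), the value is escaped a third time there. Whether a website such as `example.com/?a=1&b=2` (constructed example) ends up rendered with `&amp;amp;` depends on the double_encode settings of `e()` and entities() in the installed Laravel version, so this deserves a test rather than an assumption. Escaping at exactly one layer is easier to audit — either pass the raw value to addHttp() and let link_to() escape, or keep `e()` here and add `// escaped once here; addHttp()/link_to() must not escape again` so a later change does not double-encode. The method's signature is outside the hunk.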