diff --git a/app/Http/Controllers/ClientPortalController.php b/app/Http/Controllers/ClientPortalController.php
index edcea0ba3539..7548ed46e273 100644
--- a/app/Http/Controllers/ClientPortalController.php
+++ b/app/Http/Controllers/ClientPortalController.php
@@ -431,7 +431,7 @@ class ClientPortalController extends BaseController
 return $model->invitation_key ? link_to('/view/'.$model->invitation_key, $model->invoice_number)->toHtml() : $model->invoice_number;
 })
 ->addColumn('transaction_reference', function ($model) {
- return $model->transaction_reference ? $model->transaction_reference : ''.trans('texts.manual_entry').'';
+ return $model->transaction_reference ? e($model->transaction_reference) : ''.trans('texts.manual_entry').'';
 })
 ->addColumn('payment_type', function ($model) {
 return ($model->payment_type && ! $model->last4) ? $model->payment_type : ($model->account_gateway_id ? 'Online payment' : '');
diff --git a/app/Http/Controllers/TaskController.php b/app/Http/Controllers/TaskController.php
index 03eec1a7510d..62404903b91f 100644
--- a/app/Http/Controllers/TaskController.php
+++ b/app/Http/Controllers/TaskController.php
@@ -161,7 +161,7 @@ class TaskController extends BaseController
 $invoices = $task->client_id ? $this->invoiceRepo->findOpenInvoices($task->client_id) : [];
 foreach ($invoices as $invoice) {
- $actions[] = ['url' => 'javascript:submitAction("add_to_invoice", '.$invoice->public_id.')', 'label' => trans('texts.add_to_invoice', ['invoice' => $invoice->invoice_number])];
+ $actions[] = ['url' => 'javascript:submitAction("add_to_invoice", '.$invoice->public_id.')', 'label' => trans('texts.add_to_invoice', ['invoice' => e($invoice->invoice_number)])];
 }
 }
diff --git a/app/Libraries/HTMLUtils.php b/app/Libraries/HTMLUtils.php
index 24dd67a6b5da..ad8ea6c8cb53 100644
--- a/app/Libraries/HTMLUtils.php
+++ b/app/Libraries/HTMLUtils.php
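Review bot: The false branch of the invoice-number column on the first context line, `: $model->invoice_number`, still returns the raw value, while this same commit escapes `invoice_number` in TaskController, so the field is treated as untrusted in one place and trusted in another. If invoice numbers are operator-editable, wrap it here as well: `: e($model->invoice_number);`. The link branch relies on `link_to()` escaping its title, which is Laravel's HtmlBuilder default but worth confirming for this project's helper. The addColumn chain continues on both sides of the hunk.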
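Review bot: Escaping `invoice_number` inside the translation replacement pre-encodes the label at data-build time, so the view that renders `$actions` must output `label` unescaped, otherwise users will see `&amp;` and `&quot;` literally; that view is outside the diff, so please confirm which contract it follows. A comment on the added line would record the decision, e.g. `// label is HTML-escaped here; the action menu must render it raw`. The `javascript:` URL interpolates `$invoice->public_id`, presumably an integer id, which is safe only as long as that holds — an explicit `(int) $invoice->public_id` would make the assumption visible. The enclosing method starts outside the hunk.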
@@ -39,6 +39,8 @@ class HTMLUtils
 public static function sanitizeHTML($html)
 {
+ $html = html_entity_decode($html);
+
 $config = HTMLPurifier_Config::createDefault();
 $purifier = new HTMLPurifier($config);
diff --git a/app/Models/Activity.php b/app/Models/Activity.php
index 8d9fe10e9316..c637f467913f 100644
--- a/app/Models/Activity.php
+++ b/app/Models/Activity.php
@@ -123,11 +123,11 @@ class Activity extends Eloquent
 $data = [
 'client' => $client ? link_to($client->getRoute(), $client->getDisplayName()) : null,
- 'user' => $isSystem ? '' . trans('texts.system') . '' : $user->getDisplayName(),
+ 'user' => $isSystem ? '' . trans('texts.system') . '' : e($user->getDisplayName()),
 'invoice' => $invoice ? link_to($invoice->getRoute(), $invoice->getDisplayName()) : null,
 'quote' => $invoice ? link_to($invoice->getRoute(), $invoice->getDisplayName()) : null,
- 'contact' => $contactId ? $client->getDisplayName() : $user->getDisplayName(),
- 'payment' => $payment ? $payment->transaction_reference : null,
+ 'contact' => $contactId ? e($client->getDisplayName()) : e($user->getDisplayName()),
+ 'payment' => $payment ? e($payment->transaction_reference) : null,
 'payment_amount' => $payment ? $account->formatMoney($payment->amount, $payment) : null,
 'adjustment' => $this->adjustment ? $account->formatMoney($this->adjustment, $this) : null,
 'credit' => $credit ? $account->formatMoney($credit->amount, $client) : null,
diff --git a/app/Models/Traits/PresentsInvoice.php b/app/Models/Traits/PresentsInvoice.php
index 641e6bdb7ab4..53647cf9675a 100644
--- a/app/Models/Traits/PresentsInvoice.php
+++ b/app/Models/Traits/PresentsInvoice.php
@@ -290,7 +290,7 @@ trait PresentsInvoice
 'contact.custom_value1' => 'custom_contact_label1',
 'contact.custom_value2' => 'custom_contact_label2',
 ] as $field => $property) {
- $data[$field] = $this->$property ?: trans('texts.custom_field');
+ $data[$field] = e($this->$property) ?: trans('texts.custom_field');
 }
 return $data;
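Review bot: `html_entity_decode($html)` on the added line uses PHP's default flags and charset, which differ across PHP versions (pre-8.1 defaults to ENT_COMPAT, leaving `&#039;` undecoded, and takes the charset from the default_charset ini setting), so the purifier may receive different markup depending on the runtime; pass them explicitly, `$html = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');`. Decoding before purification is the right order, since entity-encoded markup becomes live HTML that the purifier then filters instead of reappearing after sanitization, but it also changes behaviour for stored values: text that was previously displayed literally as encoded tags is now interpreted and reduced to the default allow-list, which permits links and inline styles — the method's docblock should say so. On PHP 8.1+ a null `$html` triggers a deprecation on this line, so a `(string)` cast or null guard is worth adding. sanitizeHTML continues outside the hunk.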
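Review bot: `$data` now mixes pre-escaped strings (`user`, `contact`, `payment`) with HTML fragments (`client`, `invoice`, `quote` from `link_to()` and the `trans('texts.system')` branch), so whatever interpolates these into the activity message must treat every entry as raw HTML and never escape again; a comment above `$data = [` such as `// every value is HTML-safe: escaped with e() or a trusted fragment` would pin that contract for the template author. The `contact` entry calls `e($client->getDisplayName())` without the `$client ?` guard the `client` entry uses, a pre-existing null risk that this line is a good place to address. The `link_to()` titles are left to that helper's own escaping, which is Laravel's default and should be confirmed for this codebase. The enclosing method starts and ends outside the hunk.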
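Review bot: `e($this->$property) ?: trans('texts.custom_field')` relies on `e()` returning `''` for null and empty so that the fallback still fires; it works, but `$data[$field] = $this->$property ? e($this->$property) : trans('texts.custom_field');` states the intent (escape only real labels) directly and does not depend on how the helper treats null, which matters on PHP 8.1+ where passing null to htmlspecialchars is deprecated. If `$data` is later rendered in an escaping context (Blade `{{ }}` or an escaping template layer), the labels will now be double-encoded; the consuming code is outside this diff, so please check one label containing `&`. The enclosing method starts outside the hunk.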
diff --git a/app/Models/Traits/SendsEmails.php b/app/Models/Traits/SendsEmails.php
index 942be0033784..0d9abb2c7b43 100644
--- a/app/Models/Traits/SendsEmails.php
+++ b/app/Models/Traits/SendsEmails.php
@@ -4,6 +4,7 @@ namespace App\Models\Traits;
 use App\Constants\Domain;
 use Utils;
+use HTMLUtils;
 /**
 * Class SendsEmails.
@@ -36,7 +37,8 @@ trait SendsEmails
 $value = $this->account_email_settings->$field;
 if ($value) {
- return preg_replace("/\r\n|\r|\n/", ' ', $value);
+ $value = preg_replace("/\r\n|\r|\n/", ' ', $value);
+ return HTMLUtils::sanitizeHTML($value);
 }
 }
@@ -94,7 +96,9 @@ trait SendsEmails
 $template = preg_replace("/\r\n|\r|\n/", ' ', $template); //
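Review bot: The added `return HTMLUtils::sanitizeHTML($value);` passes every `account_email_settings` field through HTMLPurifier, whose output is HTML-serialized, so if `$field` can name a plain-text field such as an email subject, characters like `&` and `"` will come back as `&amp;` and `&quot;` in the subject header. The method and the source of `$field` start outside the hunk, so I cannot tell which fields reach here; if both subjects and bodies do, apply the purifier only to the template fields and use `strip_tags()` plus `html_entity_decode()` for the subject instead. A comment above the return, `// returns purified HTML; callers must not escape it again`, would also help the mail templates that consume it.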
is causing page breaks with the email designs
- return str_replace('/>', ' />', $template);
+ $template = str_replace('/>', ' />', $template);
+
+ return HTMLUtils::sanitizeHTML($template);
 }
 /**
diff --git a/app/Ninja/Datatables/CreditDatatable.php b/app/Ninja/Datatables/CreditDatatable.php
index 2fd96e09155e..53ff00b58845 100644
--- a/app/Ninja/Datatables/CreditDatatable.php
+++ b/app/Ninja/Datatables/CreditDatatable.php
@@ -50,13 +50,13 @@ class CreditDatatable extends EntityDatatable
 [
 'public_notes',
 function ($model) {
- return $model->public_notes;
+ return e($model->public_notes);
 },
 ],
 [
 'private_notes',
 function ($model) {
- return $model->private_notes;
+ return e($model->private_notes);
 },
 ],
 ];
diff --git a/app/Ninja/Datatables/ExpenseDatatable.php b/app/Ninja/Datatables/ExpenseDatatable.php
index f9f9e4ada124..c3c344e92099 100644
--- a/app/Ninja/Datatables/ExpenseDatatable.php
+++ b/app/Ninja/Datatables/ExpenseDatatable.php
@@ -84,7 +84,7 @@ class ExpenseDatatable extends EntityDatatable
 [
 'public_notes',
 function ($model) {
- return $model->public_notes != null ? substr($model->public_notes, 0, 100) : '';
+ return $model->public_notes != null ? e(substr($model->public_notes, 0, 100)) : '';
 },
 ],
 [
diff --git a/app/Ninja/Datatables/PaymentDatatable.php b/app/Ninja/Datatables/PaymentDatatable.php
index 2da386dc106d..05d23b59e297 100644
--- a/app/Ninja/Datatables/PaymentDatatable.php
+++ b/app/Ninja/Datatables/PaymentDatatable.php
@@ -46,7 +46,7 @@ class PaymentDatatable extends EntityDatatable
 [
 'transaction_reference',
 function ($model) {
- return $model->transaction_reference ? $model->transaction_reference : ''.trans('texts.manual_entry').'';
+ return $model->transaction_reference ? e($model->transaction_reference) : ''.trans('texts.manual_entry').'';
 },
 ],
 [
diff --git a/app/Ninja/Datatables/ProductDatatable.php b/app/Ninja/Datatables/ProductDatatable.php
index 467efedbc347..43343f0cf753 100644
--- a/app/Ninja/Datatables/ProductDatatable.php
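Review bot: `str_replace('/>', ' />', $template)` now runs before `HTMLUtils::sanitizeHTML($template)`, and HTMLPurifier re-serializes the document from its own parse tree, so the self-closing-tag spacing the replace introduces (which the comment on the preceding context line says the email designs need) is now decided by the purifier's output settings rather than by this line. Either apply the replace after sanitizing, `$template = HTMLUtils::sanitizeHTML($template); return str_replace('/>', ' />', $template);`, or confirm the purifier already emits the spacing the designs need and drop the replace. The enclosing method starts outside the hunk.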
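Review bot: `e()` is applied inside each column closure here and in the matching hunks for PaymentDatatable, RecurringInvoiceDatatable, TaskDatatable and CreditRepository, which closes the visible gaps but keeps escaping opt-in, so every future text column must remember it. A safer default would escape in the shared EntityDatatable column pipeline and let the raw-HTML columns (the `link_to()` ones) opt out explicitly; EntityDatatable is outside this diff, so I cannot tell whether it already offers such a hook. If the base class is out of scope, a comment on each escaped closure, `// user-entered text: escape before it reaches the datatable JSON`, at least records why these columns differ from their neighbours.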
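Review bot: `e(substr($model->public_notes, 0, 100))` truncates by bytes, so a note whose 100th byte falls inside a multi-byte UTF-8 character is cut mid-sequence, and if `e()` is the Laravel 5 helper (htmlspecialchars on UTF-8 without ENT_SUBSTITUTE) the invalid sequence makes the whole cell render as an empty string. Truncate by characters instead: `return $model->public_notes != null ? e(mb_substr($model->public_notes, 0, 100)) : '';`, or use `Str::limit` as ProductDatatable does. The `!= null` comparison is loose and also treats `''` and `'0'` as null — pre-existing, but `!== null` is the strict form.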
+++ b/app/Ninja/Datatables/ProductDatatable.php
@@ -24,7 +24,7 @@ class ProductDatatable extends EntityDatatable
 [
 'notes',
 function ($model) {
- return nl2br(Str::limit($model->notes, 100));
+ return e(nl2br(Str::limit($model->notes, 100)));
 },
 ],
 [
diff --git a/app/Ninja/Datatables/RecurringInvoiceDatatable.php b/app/Ninja/Datatables/RecurringInvoiceDatatable.php
index 797d3ca0cf1c..a7d20ad355a8 100644
--- a/app/Ninja/Datatables/RecurringInvoiceDatatable.php
+++ b/app/Ninja/Datatables/RecurringInvoiceDatatable.php
@@ -64,7 +64,7 @@ class RecurringInvoiceDatatable extends EntityDatatable
 [
 'private_notes',
 function ($model) {
- return $model->private_notes;
+ return e($model->private_notes);
 },
 ],
 [
diff --git a/app/Ninja/Datatables/TaskDatatable.php b/app/Ninja/Datatables/TaskDatatable.php
index a63460a31b1d..85722feec296 100644
--- a/app/Ninja/Datatables/TaskDatatable.php
+++ b/app/Ninja/Datatables/TaskDatatable.php
@@ -55,7 +55,7 @@ class TaskDatatable extends EntityDatatable
 [
 'description',
 function ($model) {
- return $model->description;
+ return e($model->description);
 },
 ],
 [
diff --git a/app/Ninja/Datatables/UserDatatable.php b/app/Ninja/Datatables/UserDatatable.php
index ecc47039b9a1..4841dea1ea33 100644
--- a/app/Ninja/Datatables/UserDatatable.php
+++ b/app/Ninja/Datatables/UserDatatable.php
@@ -14,7 +14,7 @@ class UserDatatable extends EntityDatatable
 [
 'first_name',
 function ($model) {
- return $model->public_id ? link_to('users/'.$model->public_id.'/edit', $model->first_name.' '.$model->last_name)->toHtml() : ($model->first_name.' '.$model->last_name);
+ return $model->public_id ? link_to('users/'.$model->public_id.'/edit', $model->first_name.' '.$model->last_name)->toHtml() : e($model->first_name.' '.$model->last_name);
 },
 ],
 [
diff --git a/app/Ninja/Presenters/AccountPresenter.php b/app/Ninja/Presenters/AccountPresenter.php
index 64e78bcf897e..5cfd0e70dd68 100644
--- a/app/Ninja/Presenters/AccountPresenter.php
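Review bot: `e(nl2br(Str::limit($model->notes, 100)))` escapes after `nl2br()`, so the `<br />` tags that nl2br inserts become literal `&lt;br /&gt;` text and the cell shows tag characters instead of line breaks. Escape the user text first and add the breaks afterwards: `return nl2br(e(Str::limit($model->notes, 100)));`. This is the only hunk in the change where `e()` wraps a function that emits markup; the other datatable hunks wrap plain values and are unaffected.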
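Review bot: Only the no-link branch gained `e()`; the link branch still hands the raw name to `link_to()` and relies on that helper escaping its title, which Laravel's HtmlBuilder does by default but which an overridden helper or an escape-disabling argument would silently undo. Escaping once before the ternary would remove the dependency only if link_to is then told not to escape again, so the cheaper fix is to document the reliance on the line: `// link_to() escapes the title; only the plain-text branch needs e()`. Please confirm against the project's link_to definition, which is outside this diff.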
+++ b/app/Ninja/Presenters/AccountPresenter.php
@@ -166,7 +166,7 @@ class AccountPresenter extends Presenter
 if ($rate->is_inclusive) {
 $name .= ' - ' . trans('texts.inclusive');
 }
- $options[($rate->is_inclusive ? '1 ' : '0 ') . $rate->rate . ' ' . $rate->name] = $name;
+ $options[($rate->is_inclusive ? '1 ' : '0 ') . $rate->rate . ' ' . $rate->name] = e($name);
 }
 return $options;
diff --git a/app/Ninja/Repositories/CreditRepository.php b/app/Ninja/Repositories/CreditRepository.php
index 346156cd91ee..c5152cbc732f 100644
--- a/app/Ninja/Repositories/CreditRepository.php
+++ b/app/Ninja/Repositories/CreditRepository.php
@@ -89,7 +89,7 @@ class CreditRepository extends BaseRepository
 return Utils::formatMoney($model->balance, $model->currency_id, $model->country_id);
 })
 ->addColumn('public_notes', function ($model) {
- return $model->public_notes;
+ return e($model->public_notes);
 })
 ->make();
diff --git a/resources/views/accounts/product.blade.php b/resources/views/accounts/product.blade.php
index 7d9ff865f4d2..39b9d18a1904 100644
--- a/resources/views/accounts/product.blade.php
+++ b/resources/views/accounts/product.blade.php
@@ -24,10 +24,10 @@
 @if ($account->hasFeature(FEATURE_INVOICE_SETTINGS))
 @if ($account->custom_invoice_item_label1)
- {!! Former::text('custom_value1')->label($account->custom_invoice_item_label1) !!}
+ {!! Former::text('custom_value1')->label(e($account->custom_invoice_item_label1)) !!}
 @endif
 @if ($account->custom_invoice_item_label2)
- {!! Former::text('custom_value2')->label($account->custom_invoice_item_label2) !!}
+ {!! Former::text('custom_value2')->label(e($account->custom_invoice_item_label2)) !!}
 @endif
 @endif
diff --git a/resources/views/clients/edit.blade.php b/resources/views/clients/edit.blade.php
index ea81fe533ba7..ad05536cf3c3 100644
--- a/resources/views/clients/edit.blade.php
+++ b/resources/views/clients/edit.blade.php
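Review bot: `e($name)` escapes the option label, but the array key on the same line still embeds raw `$rate->name`, and that key becomes the option's value attribute when `$options` is rendered, so the rate name reaches HTML twice — once escaped, once depending on whether the select renderer escapes attribute values. If the renderer also escapes option text (I believe Laravel's FormBuilder does), the `e()` here double-encodes and a rate named `A & B` displays as `A &amp; B`; one such rate should be checked in the UI before merging. Whichever way it goes, a comment on the line, `// label is escaped here; the key is emitted as the option value by the renderer`, records the assumption. The enclosing method starts outside the hunk.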
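Review bot: `e()` is applied inline at each `->label(...)` call here and at ten more call sites in the clients/edit and invoices/edit hunks, all reading the same operator-entered `custom_*_label*` fields, so the next view that renders one of these labels inside `{!! !!}` will miss it. A presenter accessor returning the escaped label would centralize the rule; if that is out of scope, a Blade comment at the first use in each view, `{{-- custom labels are operator-entered: keep e() when rendering them raw --}}`, flags the requirement. The change assumes Former's `label()` does not escape its argument; if it does, these labels are now double-encoded, so one label containing `&` should be checked in the UI.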
@@ -50,10 +50,10 @@
 @if (Auth::user()->hasFeature(FEATURE_INVOICE_SETTINGS))
 @if ($customLabel1)
- {!! Former::text('custom_value1')->label($customLabel1) !!}
+ {!! Former::text('custom_value1')->label(e($customLabel1)) !!}
 @endif
 @if ($customLabel2)
- {!! Former::text('custom_value2')->label($customLabel2) !!}
+ {!! Former::text('custom_value2')->label(e($customLabel2)) !!}
 @endif
 @endif
@@ -115,12 +115,12 @@
 @if ($account->custom_contact_label1)
 {!! Former::text('custom_contact1')->data_bind("value: custom_value1, valueUpdate: 'afterkeydown', attr: {name: 'contacts[' + \$index() + '][custom_value1]'}")
- ->label($account->custom_contact_label1) !!}
+ ->label(e($account->custom_contact_label1)) !!}
 @endif
 @if ($account->custom_contact_label2)
 {!! Former::text('custom_contact2')->data_bind("value: custom_value2, valueUpdate: 'afterkeydown', attr: {name: 'contacts[' + \$index() + '][custom_value2]'}")
- ->label($account->custom_contact_label2) !!}
+ ->label(e($account->custom_contact_label2)) !!}
 @endif
 @endif
diff --git a/resources/views/invoices/edit.blade.php b/resources/views/invoices/edit.blade.php
index 41fbe9068c4f..6b626c74f244 100644
--- a/resources/views/invoices/edit.blade.php
+++ b/resources/views/invoices/edit.blade.php
@@ -135,7 +135,14 @@
 @if ( ! $invoice->is_deleted && ! $invoice->client->is_deleted)
@@ -181,7 +188,7 @@
 @endif
 @if ($account->showCustomField('custom_invoice_text_label1', $invoice))
- {!! Former::text('custom_text_value1')->label($account->custom_invoice_text_label1 ?: ' ')->data_bind("value: custom_text_value1, valueUpdate: 'afterkeydown'") !!}
+ {!! Former::text('custom_text_value1')->label(e($account->custom_invoice_text_label1) ?: ' ')->data_bind("value: custom_text_value1, valueUpdate: 'afterkeydown'") !!}
 @endif
@@ -226,7 +233,7 @@
 ) !!}
 @if ($account->showCustomField('custom_invoice_text_label2', $invoice))
- {!! Former::text('custom_text_value2')->label($account->custom_invoice_text_label2 ?: ' ')->data_bind("value: custom_text_value2, valueUpdate: 'afterkeydown'") !!}
+ {!! Former::text('custom_text_value2')->label(e($account->custom_invoice_text_label2) ?: ' ')->data_bind("value: custom_text_value2, valueUpdate: 'afterkeydown'") !!}
 @endif
 @if ($entityType == ENTITY_INVOICE)
@@ -591,12 +598,12 @@
 @if (Auth::user()->hasFeature(FEATURE_INVOICE_SETTINGS))
 @if ($account->custom_client_label1)
 {!! Former::text('client[custom_value1]')
- ->label($account->custom_client_label1)
+ ->label(e($account->custom_client_label1))
 ->data_bind("value: custom_value1, valueUpdate: 'afterkeydown'") !!}
 @endif
 @if ($account->custom_client_label2)
 {!! Former::text('client[custom_value2]')
- ->label($account->custom_client_label2)
+ ->label(e($account->custom_client_label2))
 ->data_bind("value: custom_value2, valueUpdate: 'afterkeydown'") !!}
 @endif
 @endif
@@ -651,12 +658,12 @@
 @if ($account->custom_contact_label1)
 {!! Former::text('custom_contact1')->data_bind("value: custom_value1, valueUpdate: 'afterkeydown', attr: {name: 'client[contacts][' + \$index() + '][custom_value1]'}")
- ->label($account->custom_contact_label1) !!}
+ ->label(e($account->custom_contact_label1)) !!}
 @endif
 @if ($account->custom_contact_label2)
 {!! Former::text('custom_contact2')->data_bind("value: custom_value2, valueUpdate: 'afterkeydown', attr: {name: 'client[contacts][' + \$index() + '][custom_value2]'}")
- ->label($account->custom_contact_label2) !!}
+ ->label(e($account->custom_contact_label2)) !!}
 @endif
 @endif