Fix bug

blade-ui-kit · Feb 20, 2022 · f954c3f · f954c3f
1 parent e62ae99
commit f954c3f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/src/Factory.php b/src/Factory.php
@@ -223,6 +223,10 @@ private function formatAttributes(string $set, $class = '', array $attributes =
             }
         }
 
+        if (isset($attributes['class'])) {
+            $attributes['class'] = str_replace('"', '&quot;', $attributes['class']);
+        }
+
         return array_merge($attributes, $this->config['attributes'], (array) ($this->sets[$set]['attributes'] ?? []));
     }
 

diff --git a/tests/FactoryTest.php b/tests/FactoryTest.php
@@ -225,6 +225,26 @@ public function passing_classes_as_attributes_will_override_default_classes()
         $this->assertSame('custom-class', $icon->attributes()['class']);
     }
 
+    /** @test */
+    public function classes_with_xss_are_escaped()
+    {
+        $factory = $this->prepareSets();
+
+        $icon = $factory->svg('camera', 'h-4 w-4\" onLoad=\"alert(\'XSS\')');
+
+        $this->assertSame('h-4 w-4\&quot; onLoad=\&quot;alert(\'XSS\')', $icon->attributes()['class']);
+
+        $icon = $factory->svg('camera', '', ['class' => 'h-4 w-4\" onLoad=\"alert(\'XSS\')']);
+
+        $this->assertSame('h-4 w-4\&quot; onLoad=\&quot;alert(\'XSS\')', $icon->attributes()['class']);
+
+        $factory = $this->prepareSets(['class' => 'h-4 w-4\" onLoad=\"alert(\'XSS\')']);
+
+        $icon = $factory->svg('camera');
+
+        $this->assertSame('h-4 w-4\&quot; onLoad=\&quot;alert(\'XSS\')', $icon->attributes()['class']);
+    }
+
     /** @test */
     public function icons_can_have_attributes()
     {