Skip to content

Commit

Permalink
[2.0]: Fix Tag Component Xss
Browse files Browse the repository at this point in the history
  • Loading branch information
@suraj-webkul
suraj-webkul committed Nov 6, 2024
1 parent 0d69ad5 commit 4848b68
Show file tree
Hide file tree
Showing 12 changed files with 104 additions and 84 deletions.
1 change: 1 addition & 0 deletions packages/Webkul/Admin/package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
"@vee-validate/rules": "^4.9.1",
"@vitejs/plugin-vue": "^4.2.3",
"chartjs-chart-funnel": "^4.2.1",
"dompurify": "^3.1.7",
"flatpickr": "^4.6.13",
"mitt": "^3.0.1",
"vee-validate": "^4.9.1",
Expand Down
6 changes: 5 additions & 1 deletion packages/Webkul/Admin/src/DataGrids/Mail/EmailDataGrid.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,11 @@ public function prepareColumns(): void
'searchable' => false,
'filterable' => false,
'sortable' => false,
'closure' => fn ($row) => $row->attachments ? '<i class="icon-attachment text-2xl"></i>' : '',
'closure' => function ($row) {
$emails = app(EmailRepository::class)->find($row->id)->emails()->withCount('attachments')->get();

return $emails->sum('attachments_count');
},
]);

$this->addColumn([
Expand Down
6 changes: 4 additions & 2 deletions packages/Webkul/Admin/src/Resources/assets/js/app.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -118,12 +118,14 @@ import VueCal from "./plugins/vue-cal";
VueCal,
].forEach((plugin) => app.use(plugin));


/**
* Global directives.
*/
import Debounce from "./directives/debounce";
import DOMPurify from "./directives/dompurify";

app.directive("debounce", Debounce);
app.directive("safe-html", DOMPurify);

export default app;

export default app;
10 changes: 10 additions & 0 deletions packages/Webkul/Admin/src/Resources/assets/js/directives/dompurify.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
import DOMPurify from 'dompurify';

export default {
beforeMount(el, binding) {
el.innerHTML = DOMPurify.sanitize(binding.value);
},
updated(el, binding) {
el.innerHTML = DOMPurify.sanitize(binding.value);
}
};
2 changes: 1 addition & 1 deletion packages/Webkul/Admin/src/Resources/views/components/activities/index.blade.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ class="dark:text-white"
<p
class="dark:text-white"
v-if="activity.comment"
v-html="activity.comment"
v-safe-html="activity.comment"
></p>

{!! view_render_event('admin.components.activities.content.activity.item.description.after') !!}
Expand Down
8 changes: 5 additions & 3 deletions packages/Webkul/Admin/src/Resources/views/mail/index.blade.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,9 @@ class="icon-checkbox-outline peer-checked:icon-checkbox-select cursor-pointer ro
<!-- Content -->
<div class="flex-frow flex items-center gap-2">
<!-- Attachments -->
<p v-html="record.attachments"></p>
<p v-if="record.attachments > 0">
<i class="icon-attachment text-2xl"></i>
</p>
<!-- Tags -->
<span
Expand All @@ -155,8 +157,8 @@ class="flex items-center gap-1 rounded-md bg-rose-100 px-3 py-1.5 text-xs font-m
<!-- Reply(Content) -->
<p
class="!font-normal"
v-html="truncatedReply(record.reply)"
class="max-w-[600px] truncate !font-normal"
v-text="record.reply"
></p>
</div>
Expand Down
6 changes: 3 additions & 3 deletions packages/Webkul/Admin/src/Resources/views/mail/view.blade.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
@lang('admin::app.mail.view.title')
</div>

<span class="label-active">{{ request('route') }}</span>
<span class="label-active">{{ ucfirst(request('route')) }}</span>

{!! view_render_event('admin.mail.view.tags.before', ['email' => $email]) !!}

Expand Down Expand Up @@ -243,9 +243,9 @@ class="flex cursor-pointer items-center gap-2"
{!! view_render_event('admin.mail.view.mail_body.before', ['email' => $email]) !!}
<!-- Mail Body -->
<div
v-html="email.reply"
<div
class="dark:text-gray-300"
v-safe-html="email.reply"
></div>
{!! view_render_event('admin.mail.view.mail_body.after', ['email' => $email]) !!}
Expand Down
1 change: 0 additions & 1 deletion public/admin/build/assets/app-1a3013f6.css
View file

This file was deleted.

1 change: 1 addition & 0 deletions public/admin/build/assets/app-1b23879e.css
View file

Large diffs are not rendered by default.

71 changes: 0 additions & 71 deletions public/admin/build/assets/app-2032dc2b.js
View file

This file was deleted.

72 changes: 72 additions & 0 deletions public/admin/build/assets/app-3d9f948a.js
View file

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions public/admin/build/manifest.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@
"src": "node_modules/vue-cal/dist/i18n/zh-hk.es.js"
},
"src/Resources/assets/css/app.css": {
"file": "assets/app-1a3013f6.css",
"file": "assets/app-1b23879e.css",
"isEntry": true,
"src": "src/Resources/assets/css/app.css"
},
Expand Down Expand Up @@ -370,7 +370,7 @@
"node_modules/vue-cal/dist/i18n/zh-hk.es.js",
"node_modules/vue-cal/dist/drag-and-drop.es.js"
],
"file": "assets/app-2032dc2b.js",
"file": "assets/app-3d9f948a.js",
"isEntry": true,
"src": "src/Resources/assets/js/app.js"
},
Expand Down

0 comments on commit 4848b68

Please sign in to comment.