From 6df883fc0ea46830a384d1c1825616f220fa0a16 Mon Sep 17 00:00:00 2001
From: suraj kashyap
Date: Tue, 8 Oct 2024 19:04:25 +0530
Subject: [PATCH 1/4] Krayin CRM vulnerable to Cross Site Scripting (XSS) via the organization name.
---
 .../Controllers/Contact/OrganizationController.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php b/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php
index da700942f..22e3e100c 100644
--- a/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php
+++ b/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php
@@ -43,7 +43,6 @@ public function create()
 return view('admin::contacts.organizations.create');
 }
 
-
 /**
 * Store a newly created resource in storage.
 *
@@ -54,7 +53,11 @@ public function store(AttributeForm $request)
 {
 Event::dispatch('contacts.organization.create.before');
 
- $organization = $this->organizationRepository->create(request()->all());
+ $organization = $this->organizationRepository->create([
+ 'name' => htmlspecialchars($request->input('name')),
+ 'address' => $request->input('address'),
+ 'entity_type' => $request->input('entity_type'),
+ ]);
 
 Event::dispatch('contacts.organization.create.after', $organization);
 
@@ -87,7 +90,11 @@ public function update(AttributeForm $request, $id)
 {
 Event::dispatch('contacts.organization.update.before', $id);
 
- $organization = $this->organizationRepository->update(request()->all(), $id);
+ $organization = $this->organizationRepository->update([
+ 'name' => htmlspecialchars($request->input('name')),
+ 'address' => $request->input('address'),
+ 'entity_type' => $request->input('entity_type'),
+ ], $id);
 
 Event::dispatch('contacts.organization.update.after', $organization);
 
From 93e165a068892a4216a13b5547401d9de2445abf Mon Sep 17 00:00:00 2001
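Review bot: `htmlspecialchars()` on the `name` input in `store` persists the HTML-encoded form, so a name containing `&` or `"` is stored as `&amp;`/`&quot;` and gets double-encoded by any output path that escapes again (Blade `{{ }}`); escaping belongs at the render site, not at input. The same applies to the `update` hunk below. Replacing `request()->all()` with a fixed three-key array also changes which attributes reach the repository: anything else the `AttributeForm` validated is now silently dropped, which may be intended but cannot be confirmed from this diff — if it is, a comment such as `// only the fixed organization attributes are persisted here` on the array would make that explicit. Both `store` and `update` continue past the hunk.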
From: suraj kashyap
Date: Wed, 9 Oct 2024 11:16:54 +0530
Subject: [PATCH 2/4] [fix]: stored Cross-Site Scripting vulnerability.
---
 .../Contact/OrganizationController.php | 4 +--
 .../src/DataGrid/Traits/ProvideCollection.php | 29 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php b/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php
index 22e3e100c..f23b7d4a8 100644
--- a/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php
+++ b/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php
@@ -54,7 +54,7 @@ public function store(AttributeForm $request)
 Event::dispatch('contacts.organization.create.before');
 
 $organization = $this->organizationRepository->create([
- 'name' => htmlspecialchars($request->input('name')),
+ 'name' => $request->input('name'),
 'address' => $request->input('address'),
 'entity_type' => $request->input('entity_type'),
 ]);
@@ -91,7 +91,7 @@ public function update(AttributeForm $request, $id)
 Event::dispatch('contacts.organization.update.before', $id);
 
 $organization = $this->organizationRepository->update([
- 'name' => htmlspecialchars($request->input('name')),
+ 'name' => $request->input('name'),
 'address' => $request->input('address'),
 'entity_type' => $request->input('entity_type'),
 ], $id);
diff --git a/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php b/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php
index 600cf5ed5..39d239e8b 100644
--- a/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php
+++ b/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php
@@ -89,6 +89,8 @@ public function sortOrFilterCollection($collection, $parseInfo)
 public function formatCollection()
 {
 $this->collection->transform(function ($record) {
+ $record = $this->sanitizeRecord($record);
+
 $this->transformRows($record);
 $this->transformActions($record);
 
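Review bot: Reverting to the raw `$request->input('name')` in `store` (and in the `update` hunk below) makes the stored name untrusted data, and the only sanitisation this series adds is on the datagrid read path in `ProvideCollection`; every other place the organization name is rendered (detail views, selects, exports, notifications) must escape it on output, which cannot be verified from this diff. A comment on the `'name'` entry such as `// stored raw; escape at every render site` would stop the next maintainer from reintroducing input-time encoding. Both methods continue outside the hunk.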
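Review bot: `sanitizeRecord()` is called before `transformRows()` and `transformActions()`, so any value those steps write onto `$record` afterwards — including the `$column['closure']($record)` results visible in the `transformColumns` hunk of this patch — is not covered by the new call; if a closure can return user-controlled text, the stripping happens too early. If the ordering is deliberate (closure output is trusted markup that escapes its own inputs), say so with a comment on the new line, e.g. `// sanitize raw column values only; closure output is expected to escape its own inputs`. `formatCollection` continues past the hunk.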
@@ -316,7 +318,7 @@ private function transformColumns($record)
 {
 foreach ($this->columns as $index => $column) {
 if (isset($column['closure'])) {
- $record->{$column['index']} = $column['closure']($record);
+ $record->{$column['index']} = ($column['closure']($record));
 } else {
 if ($column['type'] == 'price') {
 if (isset($column['currencyCode'])) {
@@ -415,4 +417,29 @@ private function generateKeyFromActionTitle($title, $suffix)
 return strtolower($validatedStrings) . $suffix;
 }
+
+ /**
+ * Prepare all the setup for datagrid.
+ */
+ protected function sanitizeRecord($record)
+ {
+ /**
+ * Convert stdClass to array.
+ */
+ $tempRow = json_decode(json_encode($record), true);
+
+ foreach ($tempRow as $column => $value) {
+ if (! is_string($tempRow[$column])) {
+ continue;
+ }
+
+ if (is_array($value)) {
+ return $this->sanitizeRow($tempRow[$column]);
+ } else {
+ $record->{$column} = strip_tags($value);
+ }
+ }
+
+ return $record;
+ }
 }
From ca0bdda75c26802587fd9d3612ca0fb60bfe01db Mon Sep 17 00:00:00 2001
From: suraj kashyap
Date: Wed, 9 Oct 2024 11:18:08 +0530
Subject: [PATCH 3/4] revert some changes.
---
 packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php b/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php
index 39d239e8b..166d9598c 100644
--- a/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php
+++ b/packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php
@@ -318,7 +318,7 @@ private function transformColumns($record)
 {
 foreach ($this->columns as $index => $column) {
 if (isset($column['closure'])) {
- $record->{$column['index']} = ($column['closure']($record));
+ $record->{$column['index']} = $column['closure']($record);
 } else {
 if ($column['type'] == 'price') {
 if (isset($column['currencyCode'])) {
From 7a6289f5ca2bfbdddbc76c82183f30d7d5a5028f Mon Sep 17 00:00:00 2001
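Review bot: The `is_array($value)` branch in the new `sanitizeRecord()` is unreachable — the `! is_string($tempRow[$column])` guard above it already skips every non-string — and if it were reached it would call `sanitizeRow()`, which is not defined anywhere in this hunk, and `return` that result from the method on the first nested array, discarding the rest of the record. The loop body reduces to `if (is_string($value)) { $record->{$column} = strip_tags($value); }`, and the docblock `Prepare all the setup for datagrid.` should describe the method, e.g. `Strip HTML tags from every string column of a datagrid record before it is rendered.` Note also that `strip_tags()` is a lossy transform rather than an escape: it discards legitimate text such as `a < b` and offers no protection in attribute or JavaScript contexts, so the view still has to escape with `htmlspecialchars()`/Blade `{{ }}` and this call should be treated as defence in depth — a one-line comment next to the `strip_tags` call saying so would keep it from being read as the complete fix. The `json_decode(json_encode($record), true)` round-trip additionally assumes the record is JSON-serialisable and turns nested objects into arrays that are then skipped, which the docblock should state.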
From: suraj kashyap
Date: Wed, 9 Oct 2024 11:42:11 +0530
Subject: [PATCH 4/4] Update changelog.
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6735328ae..d9426c0f2 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## **v1.3.1 (9th of October 2024)** - *Release*
+
+* Fix security issues.
+
 ## **v1.3.0 (21st of June 2024)** - *Release*
 
 * #1251[upgrade] Upgraded the Laravel framework to version 10, incorporating the latest features and enhancements for improved performance, security, and developer experience and Installer package.