Fix security issue with markdown, thanks to @simhnna
This commit is contained in:
parent
73fee4eb6b
commit
3819de4e74
@ -238,7 +238,7 @@ class BillController extends Controller
|
||||
$overallAverage = $repository->getOverallAverage($bill);
|
||||
$manager = new Manager();
|
||||
$manager->setSerializer(new DataArraySerializer());
|
||||
$manager->parseIncludes(['attachments']);
|
||||
$manager->parseIncludes(['attachments','notes']);
|
||||
|
||||
// Make a resource out of the data and
|
||||
$parameters = new ParameterBag();
|
||||
|
@ -52,4 +52,12 @@ class Note extends Model
|
||||
{
|
||||
return $this->morphTo();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $value
|
||||
*/
|
||||
public function setTextAttribute($value)
|
||||
{
|
||||
$this->attributes['text'] = e($value);
|
||||
}
|
||||
}
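Review bot: `setTextAttribute` escapes on write rather than on render, so a stored note such as `a &amp; b` that is loaded back into an edit form is autoescaped again by the template and the user sees `&amp;` instead of `&`, and markdown syntax that relies on `>` (block quotes) or `"` (link titles) reaches the markdown renderer already entity-encoded; `Rule::setDescriptionAttribute` in the next hunk has the same shape. Escaping or sanitizing the HTML produced by the markdown filter at render time would keep the stored text intact and avoid both effects. If input escaping is kept, the docblock should state the contract so nobody re-escapes downstream: `@param string $value Raw note text; stored HTML-escaped via e() because the |markdown filter output is rendered unescaped.`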
|
||||
|
@ -93,6 +93,14 @@ class Rule extends Model
|
||||
return $this->hasMany('FireflyIII\Models\RuleTrigger');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $value
|
||||
*/
|
||||
public function setDescriptionAttribute($value)
|
||||
{
|
||||
$this->attributes['description'] = e($value);
|
||||
}
|
||||
|
||||
/**
|
||||
* @codeCoverageIgnore
|
||||
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo
|
||||
|
16
public/js/ff/transactions/split/edit.js
vendored
16
public/js/ff/transactions/split/edit.js
vendored
@ -43,13 +43,13 @@ $(document).ready(function () {
|
||||
|
||||
$.getJSON('json/categories').done(function (data) {
|
||||
categories = data;
|
||||
$('input[name$="category]"]').typeahead({source: categories, autoSelect: false});
|
||||
$('input[name$="category_name]"]').typeahead({source: categories, autoSelect: false});
|
||||
});
|
||||
|
||||
$.getJSON('json/transaction-journals/' + what).done(function (data) {
|
||||
descriptions = data;
|
||||
$('input[name="journal_description"]').typeahead({source: descriptions, autoSelect: false});
|
||||
$('input[name$="description]"]').typeahead({source: descriptions, autoSelect: false});
|
||||
$('input[name$="transaction_description]"]').typeahead({source: descriptions, autoSelect: false});
|
||||
});
|
||||
|
||||
$.getJSON('json/tags').done(function (data) {
|
||||
@ -123,10 +123,10 @@ function cloneDivRow() {
|
||||
source.find('input[name$="source_account_name]"]').typeahead({source: srcAccounts, autoSelect: false});
|
||||
}
|
||||
if (categories.length > 0) {
|
||||
source.find('input[name$="category]"]').typeahead({source: categories, autoSelect: false});
|
||||
source.find('input[name$="category_name]"]').typeahead({source: categories, autoSelect: false});
|
||||
}
|
||||
if (descriptions.length > 0) {
|
||||
source.find('input[name$="description]"]').typeahead({source: descriptions, autoSelect: false});
|
||||
source.find('input[name$="transaction_description]"]').typeahead({source: descriptions, autoSelect: false});
|
||||
}
|
||||
|
||||
$('div.split_row_holder').append(source);
|
||||
@ -180,9 +180,9 @@ function resetDivSplits() {
|
||||
// loop each possible field.
|
||||
|
||||
// ends with ][description]
|
||||
$.each($('input[name$="][description]"]'), function (i, v) {
|
||||
$.each($('input[name$="][transaction_description]"]'), function (i, v) {
|
||||
var input = $(v);
|
||||
input.attr('name', 'transactions[' + i + '][description]');
|
||||
input.attr('name', 'transactions[' + i + '][transaction_description]');
|
||||
});
|
||||
// ends with ][destination_account_name]
|
||||
$.each($('input[name$="][destination_account_name]"]'), function (i, v) {
|
||||
@ -225,9 +225,9 @@ function resetDivSplits() {
|
||||
});
|
||||
|
||||
// ends with ][category]
|
||||
$.each($('input[name$="][category]"]'), function (i, v) {
|
||||
$.each($('input[name$="][category_name]"]'), function (i, v) {
|
||||
var input = $(v);
|
||||
input.attr('name', 'transactions[' + i + '][category]');
|
||||
input.attr('name', 'transactions[' + i + '][category_name]');
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -84,11 +84,11 @@
|
||||
<h3 class="box-title">{{ 'more'|_ }}</h3>
|
||||
</div>
|
||||
<div class="box-body no-padding">
|
||||
{% if object.notes|length > 0 %}
|
||||
{% if object.data.notes|length > 0 %}
|
||||
<table class="table">
|
||||
<tr>
|
||||
<td>{{ trans('list.notes') }}</td>
|
||||
<td class="markdown">{{ object.notes.data[0].markdown }}</td>
|
||||
<td class="markdown">{{ object.data.notes|markdown }}</td>
|
||||
</tr>
|
||||
</table>
|
||||
{% endif %}
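Review bot: `{{ object.data.notes|markdown }}` prints the filter's output as HTML (presumably the filter is registered as HTML-safe), so this cell's safety now rests on the text having passed through the `Note::setTextAttribute` mutator; Eloquent mutators only run on attribute assignment, so rows saved before this commit or written through query-builder inserts would render unescaped here unless a migration re-escapes them. Recording that dependency next to the output makes it visible to the next template change: `{# notes are HTML-escaped on write by Note::setTextAttribute; the markdown filter output is rendered unescaped #}`. The `{% if %}` block is complete within the hunk; the enclosing box markup continues outside it.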
|
||||
|