Fix security issue with markdown, thanks to @simhnna

This commit is contained in:
James Cole 2018-04-04 19:14:47 +02:00
parent 73fee4eb6b
commit 3819de4e74
No known key found for this signature in database
GPG Key ID: C16961E655E74B5E
5 changed files with 27 additions and 11 deletions


@ -238,7 +238,7 @@ class BillController extends Controller
$overallAverage = $repository->getOverallAverage($bill); $overallAverage = $repository->getOverallAverage($bill);
$manager = new Manager(); $manager = new Manager();
$manager->setSerializer(new DataArraySerializer()); $manager->setSerializer(new DataArraySerializer());
$manager->parseIncludes(['attachments']); $manager->parseIncludes(['attachments','notes']);
// Make a resource out of the data and // Make a resource out of the data and
$parameters = new ParameterBag(); $parameters = new ParameterBag();


@ -52,4 +52,12 @@ class Note extends Model
{ {
return $this->morphTo(); return $this->morphTo();
} }
/**
* @param $value
*/
public function setTextAttribute($value)
{
$this->attributes['text'] = e($value);
}
} }
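Review bot: `setTextAttribute` escapes on write instead of on output, so the stored `text` column now holds HTML entities, which is wrong for every consumer that is not an HTML page (JSON API responses, exports, plain-text mail) and double-encodes wherever the rendering side escapes again. Eloquent mutators only run on attribute assignment, so rows written through the query builder or `Model::where(...)->update([...])` bypass this, and rows saved before this commit stay unescaped until they are resaved — the defence also needs to sit in the markdown rendering path. If `e()` is the framework's `htmlspecialchars` wrapper, `null` becomes `''` here, which a nullable column may not expect; worth confirming. The docblock carries no type; `public function setTextAttribute(?string $value): void` would state what is accepted. `Rule::setDescriptionAttribute` in the next file has the same shape and the same remarks apply.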


@ -93,6 +93,14 @@ class Rule extends Model
return $this->hasMany('FireflyIII\Models\RuleTrigger'); return $this->hasMany('FireflyIII\Models\RuleTrigger');
} }
/**
* @param $value
*/
public function setDescriptionAttribute($value)
{
$this->attributes['description'] = e($value);
}
/** /**
* @codeCoverageIgnore * @codeCoverageIgnore
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo * @return \Illuminate\Database\Eloquent\Relations\BelongsTo


@ -43,13 +43,13 @@ $(document).ready(function () {
$.getJSON('json/categories').done(function (data) { $.getJSON('json/categories').done(function (data) {
categories = data; categories = data;
$('input[name$="category]"]').typeahead({source: categories, autoSelect: false}); $('input[name$="category_name]"]').typeahead({source: categories, autoSelect: false});
}); });
$.getJSON('json/transaction-journals/' + what).done(function (data) { $.getJSON('json/transaction-journals/' + what).done(function (data) {
descriptions = data; descriptions = data;
$('input[name="journal_description"]').typeahead({source: descriptions, autoSelect: false}); $('input[name="journal_description"]').typeahead({source: descriptions, autoSelect: false});
$('input[name$="description]"]').typeahead({source: descriptions, autoSelect: false}); $('input[name$="transaction_description]"]').typeahead({source: descriptions, autoSelect: false});
}); });
$.getJSON('json/tags').done(function (data) { $.getJSON('json/tags').done(function (data) {
@ -123,10 +123,10 @@ function cloneDivRow() {
source.find('input[name$="source_account_name]"]').typeahead({source: srcAccounts, autoSelect: false}); source.find('input[name$="source_account_name]"]').typeahead({source: srcAccounts, autoSelect: false});
} }
if (categories.length > 0) { if (categories.length > 0) {
source.find('input[name$="category]"]').typeahead({source: categories, autoSelect: false}); source.find('input[name$="category_name]"]').typeahead({source: categories, autoSelect: false});
} }
if (descriptions.length > 0) { if (descriptions.length > 0) {
source.find('input[name$="description]"]').typeahead({source: descriptions, autoSelect: false}); source.find('input[name$="transaction_description]"]').typeahead({source: descriptions, autoSelect: false});
} }
$('div.split_row_holder').append(source); $('div.split_row_holder').append(source);
@ -180,9 +180,9 @@ function resetDivSplits() {
// loop each possible field. // loop each possible field.
// ends with ][description] // ends with ][description]
$.each($('input[name$="][description]"]'), function (i, v) { $.each($('input[name$="][transaction_description]"]'), function (i, v) {
var input = $(v); var input = $(v);
input.attr('name', 'transactions[' + i + '][description]'); input.attr('name', 'transactions[' + i + '][transaction_description]');
}); });
// ends with ][destination_account_name] // ends with ][destination_account_name]
$.each($('input[name$="][destination_account_name]"]'), function (i, v) { $.each($('input[name$="][destination_account_name]"]'), function (i, v) {
@ -225,9 +225,9 @@ function resetDivSplits() {
}); });
// ends with ][category] // ends with ][category]
$.each($('input[name$="][category]"]'), function (i, v) { $.each($('input[name$="][category_name]"]'), function (i, v) {
var input = $(v); var input = $(v);
input.attr('name', 'transactions[' + i + '][category]'); input.attr('name', 'transactions[' + i + '][category_name]');
}); });
} }


@ -84,11 +84,11 @@
<h3 class="box-title">{{ 'more'|_ }}</h3> <h3 class="box-title">{{ 'more'|_ }}</h3>
</div> </div>
<div class="box-body no-padding"> <div class="box-body no-padding">
{% if object.notes|length > 0 %} {% if object.data.notes|length > 0 %}
<table class="table"> <table class="table">
<tr> <tr>
<td>{{ trans('list.notes') }}</td> <td>{{ trans('list.notes') }}</td>
<td class="markdown">{{ object.notes.data[0].markdown }}</td> <td class="markdown">{{ object.data.notes|markdown }}</td>
</tr> </tr>
</table> </table>
{% endif %} {% endif %}
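Review bot: `{{ object.data.notes|markdown }}` makes the `markdown` filter the only output-side control: its result is presumably marked safe so the HTML renders, which means any HTML that survives the filter reaches the page unescaped. The commit relies on the model mutator having entity-encoded the text at write time; content stored before this commit, or written on a path that skips Eloquent mutators, is not covered by that. The robust form is for the filter (or the converter behind it) to escape raw HTML or sanitise its own output, rather than trusting the stored value. The shape of `object.data.notes` is not visible here — if the `notes` include yields a collection rather than a string, `|length` and `|markdown` would be operating on an array — confirm against the transformer.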