prevent XSS vulnerability for Markdown and Wysiwyg fields

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Added
 
+## [1.6.1] - 2020-10-25
+### Fixed
+- Prevent XSS vulnerability for `Markdown` and `Wysiwyg` fields.
+
 ## [1.6.0] - 2020-10-19
 ### Added
 - Ability to set height for `Markdown` field input via `rows` method.
@@ -78,7 +82,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Everything, initial release.
 
 
-[Unreleased]: https://github.com/Cherry-Pie/Jarboe/compare/1.6.0...master
+[Unreleased]: https://github.com/Cherry-Pie/Jarboe/compare/1.6.1...master
+[1.6.1]: https://github.com/Cherry-Pie/Jarboe/compare/1.6.0...1.6.1
 [1.6.0]: https://github.com/Cherry-Pie/Jarboe/compare/1.5.0...1.6.0
 [1.5.0]: https://github.com/Cherry-Pie/Jarboe/compare/1.4.1...1.5.0
 [1.4.1]: https://github.com/Cherry-Pie/Jarboe/compare/1.4.0...1.4.1

src/Jarboe/Jarboe.php

@@ -7,7 +7,7 @@
 
 class Jarboe
 {
-    const VERSION = '1.6.0';
+    const VERSION = '1.6.1';
 
     public function crud($uri, $controller)
     {

src/resources/views/crud/fields/markdown/create.blade.php

@@ -16,7 +16,7 @@
             <div class="input {{ $field->hasError($errors, $locale) ? 'state-error' : '' }}">
                 <textarea name="{{ $field->name() }}[{{ $locale }}]"
                           rows="{{ $field->getRowsNum() }}"
-                          class="markdown-field custom-scroll">{!! $field->oldOrDefault($locale) !!}</textarea>
+                          class="markdown-field custom-scroll">{{ $field->oldOrDefault($locale) }}</textarea>
 
                 @include('jarboe::crud.fields.markdown.inc.error_messages', [
                     'messages' => $field->getErrors($errors, $locale),
@@ -28,7 +28,7 @@ class="markdown-field custom-scroll">{!! $field->oldOrDefault($locale) !!}</text
     <div class="textarea {{ $errors->has($field->name()) ? 'state-error' : '' }}">
         <textarea name="{{ $field->name() }}"
                   rows="{{ $field->getRowsNum() }}"
-                  class="markdown-field custom-scroll">{!! $field->oldOrDefault() !!}</textarea>
+                  class="markdown-field custom-scroll">{{ $field->oldOrDefault() }}</textarea>
     </div>
 
     @include('jarboe::crud.fields.markdown.inc.error_messages', [

src/resources/views/crud/fields/markdown/edit.blade.php

@@ -16,7 +16,7 @@
             <div class="input {{ $field->hasError($errors, $locale) ? 'state-error' : '' }}">
                 <textarea name="{{ $field->name() }}[{{ $locale }}]"
                           rows="{{ $field->getRowsNum() }}"
-                          class="markdown-field custom-scroll">{!! $field->oldOrAttribute($model, $locale) !!}</textarea>
+                          class="markdown-field custom-scroll">{{ $field->oldOrAttribute($model, $locale) }}</textarea>
 
                 @include('jarboe::crud.fields.markdown.inc.error_messages', [
                     'messages' => $field->getErrors($errors, $locale),
@@ -28,7 +28,7 @@ class="markdown-field custom-scroll">{!! $field->oldOrAttribute($model, $locale)
     <div class="textarea {{ $errors->has($field->name()) ? 'state-error' : '' }}">
         <textarea name="{{ $field->name() }}"
                   rows="{{ $field->getRowsNum() }}"
-                  class="markdown-field custom-scroll">{!! $field->oldOrAttribute($model) !!}</textarea>
+                  class="markdown-field custom-scroll">{{ $field->oldOrAttribute($model) }}</textarea>
     </div>
 
     @include('jarboe::crud.fields.markdown.inc.error_messages', [

src/resources/views/crud/fields/markdown/readonly.blade.php

@@ -16,7 +16,7 @@
             <div class="input {{ $field->hasError($errors, $locale) ? 'state-error' : '' }}">
                 <textarea disabled
                           rows="{{ $field->getRowsNum() }}"
-                          class="markdown-field custom-scroll">{!! $field->getAttribute($model, $locale) !!}</textarea>
+                          class="markdown-field custom-scroll">{{ $field->getAttribute($model, $locale) }}</textarea>
 
                 @include('jarboe::crud.fields.markdown.inc.error_messages', [
                     'messages' => $field->getErrors($errors, $locale),
@@ -28,7 +28,7 @@ class="markdown-field custom-scroll">{!! $field->getAttribute($model, $locale) !
     <div class="textarea {{ $errors->has($field->name()) ? 'state-error' : '' }}">
         <textarea disabled
                   rows="{{ $field->getRowsNum() }}"
-                  class="markdown-field custom-scroll">{!! $field->getAttribute($model) !!}</textarea>
+                  class="markdown-field custom-scroll">{{ $field->getAttribute($model) }}</textarea>
     </div>
 
     @include('jarboe::crud.fields.markdown.inc.error_messages', [

src/resources/views/crud/fields/wysiwyg/summernote/create.blade.php

@@ -11,7 +11,7 @@
                 <textarea class="summernote-{{ $field->name() }}-{{ $locale }} wysiwyg-summernote-field"
                           name="{{ $field->name() }}[{{ $locale }}]"
                           data-options="{{ json_encode($field->getOptions()) }}"
-                          style="display: none;">{!! $field->oldOrDefault($locale) !!}</textarea>
+                          style="display: none;">{{ $field->oldOrDefault($locale) }}</textarea>
                 @include('jarboe::crud.fields.wysiwyg.summernote.inc.error_messages', [
                     'messages' => $errors->get($field->name() .'.'. $locale)
                 ])
@@ -24,7 +24,7 @@
         <textarea class="summernote-{{ $field->name() }}-default wysiwyg-summernote-field"
                   name="{{ $field->name() }}"
                   data-options="{{ json_encode($field->getOptions()) }}"
-                  style="display: none;">{!! $field->oldOrDefault() !!}</textarea>
+                  style="display: none;">{{ $field->oldOrDefault() }}</textarea>
         @include('jarboe::crud.fields.wysiwyg.summernote.inc.error_messages', [
             'messages' => $errors->get($field->name())
         ])

src/resources/views/crud/fields/wysiwyg/summernote/edit.blade.php

@@ -11,7 +11,7 @@
                 <textarea class="summernote-{{ $field->name() }}-{{ $locale }} wysiwyg-summernote-field"
                           name="{{ $field->name() }}[{{ $locale }}]"
                           data-options="{{ json_encode($field->getOptions()) }}"
-                          style="display: none;">{!! $field->getAttribute($model, $locale) !!}</textarea>
+                          style="display: none;">{{ $field->getAttribute($model, $locale) }}</textarea>
                 @include('jarboe::crud.fields.wysiwyg.summernote.inc.error_messages', [
                     'messages' => $errors->get($field->name() .'.'. $locale)
                 ])
@@ -24,7 +24,7 @@
         <textarea class="summernote-{{ $field->name() }}-default wysiwyg-summernote-field"
                   name="{{ $field->name() }}"
                   data-options="{{ json_encode($field->getOptions()) }}"
-                  style="display: none;">{!! $field->getAttribute($model) !!}</textarea>
+                  style="display: none;">{{ $field->getAttribute($model) }}</textarea>
         @include('jarboe::crud.fields.wysiwyg.summernote.inc.error_messages', [
             'messages' => $errors->get($field->name())
         ])

src/resources/views/crud/fields/wysiwyg/summernote/readonly.blade.php

@@ -10,15 +10,15 @@
              data-options="{{ json_encode($field->getOptions()) }}"
              disabled
              style="{{ $field->isCurrentLocale($locale) ? '' : 'display:none;' }}">
-            <textarea class="summernote-{{ $field->name() }}-{{ $locale }}" style="display: none;">{!! $field->getAttribute($model, $locale) !!}</textarea>
+            <textarea class="summernote-{{ $field->name() }}-{{ $locale }}" style="display: none;">{{ $field->getAttribute($model, $locale) }}</textarea>
         </div>
         @include('jarboe::crud.fields.wysiwyg.summernote.inc.styles_and_scripts', compact('field', 'locale'))
     @endforeach
 @else
     <textarea class="summernote-{{ $field->name() }}-default wysiwyg-summernote-field"
               data-options="{{ json_encode($field->getOptions()) }}"
               disabled
-              style="display: none;">{!! $field->getAttribute($model) !!}</textarea>
+              style="display: none;">{{ $field->getAttribute($model) }}</textarea>
     @include('jarboe::crud.fields.wysiwyg.summernote.inc.styles_and_scripts', [
         'field' => $field,
         'locale' => 'default',

src/resources/views/crud/fields/wysiwyg/tinymce/create.blade.php

@@ -11,7 +11,7 @@
                 <textarea class="tinymce-{{ $field->name() }}-{{ $locale }} wysiwyg-tinymce-field"
                           name="{{ $field->name() }}[{{ $locale }}]"
                           data-options="{{ json_encode($field->getOptions()) }}"
-                          style="visibility: hidden;">{!! $field->oldOrDefault($locale) !!}</textarea>
+                          style="visibility: hidden;">{{ $field->oldOrDefault($locale) }}</textarea>
                 @include('jarboe::crud.fields.wysiwyg.tinymce.inc.error_messages', [
                     'messages' => $errors->get($field->name() .'.'. $locale)
                 ])
@@ -24,7 +24,7 @@
         <textarea class="tinymce-{{ $field->name() }}-default wysiwyg-tinymce-field"
                   name="{{ $field->name() }}"
                   data-options="{{ json_encode($field->getOptions()) }}"
-                  style="visibility: hidden;">{!! $field->oldOrDefault() !!}</textarea>
+                  style="visibility: hidden;">{{ $field->oldOrDefault() }}</textarea>
         @include('jarboe::crud.fields.wysiwyg.tinymce.inc.error_messages', [
             'messages' => $errors->get($field->name())
         ])

src/resources/views/crud/fields/wysiwyg/tinymce/edit.blade.php

@@ -11,7 +11,7 @@
                 <textarea class="tinymce-{{ $field->name() }}-{{ $locale }} wysiwyg-tinymce-field"
                           name="{{ $field->name() }}[{{ $locale }}]"
                           data-options="{{ json_encode($field->getOptions()) }}"
-                          style="visibility: hidden;">{!! $field->getAttribute($model, $locale) !!}</textarea>
+                          style="visibility: hidden;">{{ $field->getAttribute($model, $locale) }}</textarea>
                 @include('jarboe::crud.fields.wysiwyg.tinymce.inc.error_messages', [
                     'messages' => $errors->get($field->name() .'.'. $locale)
                 ])
@@ -24,7 +24,7 @@
         <textarea class="tinymce-{{ $field->name() }}-default wysiwyg-tinymce-field"
                   name="{{ $field->name() }}"
                   data-options="{{ json_encode($field->getOptions()) }}"
-                  style="visibility: hidden;">{!! $field->getAttribute($model) !!}</textarea>
+                  style="visibility: hidden;">{{ $field->getAttribute($model) }}</textarea>
         @include('jarboe::crud.fields.wysiwyg.tinymce.inc.error_messages', [
             'messages' => $errors->get($field->name())
         ])

src/resources/views/crud/fields/wysiwyg/tinymce/readonly.blade.php

@@ -14,15 +14,15 @@
             <textarea class="tinymce-{{ $field->name() }}-{{ $locale }}"
                       data-options="{{ json_encode($field->getOptions()) }}"
                       disabled
-                      style="visibility: hidden;">{!! $field->getAttribute($model, $locale) !!}</textarea>
+                      style="visibility: hidden;">{{ $field->getAttribute($model, $locale) }}</textarea>
         </div>
         @include('jarboe::crud.fields.wysiwyg.tinymce.inc.styles_and_scripts', compact('field', 'locale'))
     @endforeach
 @else
     <textarea class="tinymce-{{ $field->name() }}-default wysiwyg-tinymce-field"
               data-options="{{ json_encode($field->getOptions()) }}"
               disabled
-              style="visibility: hidden;">{!! $field->getAttribute($model) !!}</textarea>
+              style="visibility: hidden;">{{ $field->getAttribute($model) }}</textarea>
     @include('jarboe::crud.fields.wysiwyg.tinymce.inc.styles_and_scripts', [
         'field' => $field,
         'locale' => 'default',