Fix Injection + v5.0.2 (#2123)

LycheeOrg · Dec 28, 2023 · 33354a2 · 33354a2
1 parent dd255b1
commit 33354a2
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 4 deletions.
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
@@ -223,7 +223,7 @@ private function logSQL(QueryExecuted $query): void
 
 		$sql_with_bindings = Str::replaceArray('?', $bindings, $query->sql);
 
-		$explain = DB::select('EXPLAIN ' . $sql_with_bindings);
+		$explain = DB::select('EXPLAIN ' . $query->sql, $query->bindings);
 		$renderer = new ArrayToTextTable();
 		$renderer->setIgnoredKeys(['possible_keys', 'key_len', 'ref']);
 

diff --git a/database/migrations/2023_12_28_144906_bump_version050002.php b/database/migrations/2023_12_28_144906_bump_version050002.php
@@ -0,0 +1,26 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class() extends Migration {
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '050002']);
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '050001']);
+	}
+};
diff --git a/resources/views/livewire/forms/album/share-with.blade.php b/resources/views/livewire/forms/album/share-with.blade.php
@@ -96,10 +96,10 @@ class="bg-neutral-800 text-sm rounded-full w-56 px-2 pl-8 py-1 focus:outline-non
                                 @foreach ($this->userList as $result)
                                     <li class="border-b border-neutral-700 cursor-pointer transition-all ease-in-out duration-300
 							hover:bg-gradient-to-b hover:from-primary-500 hover:to-primary-600 hover:text-text-main-0"
-                                        wire:click="select('{{ $result['id'] }}','{{ $result['username'] }}')">
+                                        wire:click="select('{{ $result['id'] }}',@js($result['username']))">
                                         <a class="px-1 py-1 flex items-center"
                                             @if ($loop->last) @keydown.tab="isSearchUserOpen = false" @endif>
-                                            <span class="ml-4 text-left">{{ $result['username'] }}</span>
+                                            <span class="ml-4 text-left">{{ ($result['username']) }}</span>
                                         </a>
                                     </li>
                                 @endforeach

diff --git a/version.md b/version.md
@@ -1 +1 @@
-5.0.1
+5.0.2