Merge pull request #9474 from suraj-webkul/theme-image-xss
XSS theme issue fixed.
jitendra-webkul committed Feb 15, 2024
2 parents e18a65f + 16c13fe commit b01bfc5
Showing 4 changed files with 29 additions and 15 deletions.
Expand Up @@ -42,6 +42,10 @@ public function index()
public function store()
{
if (request()->has('id')) {
$this->validate(request(), [
core()->getRequestedLocaleCode().'.options.*.image' => 'image|extensions:jpeg,jpg,png,svg,webp',
]);

$theme = $this->themeCustomizationRepository->find(request()->input('id'));

return $this->themeCustomizationRepository->uploadImage(request()->all(), $theme);
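Review bot: The new validation rule for the `.options.*.image` key still admits `svg`, and Laravel's `image` rule accepts SVG too; SVG is XML that can carry script, so for a change aimed at XSS it is worth dropping it unless the theme genuinely needs vector input: `core()->getRequestedLocaleCode().'.options.*.image' => 'image|extensions:jpeg,jpg,png,webp',`. The repository's `uploadImage()` appears to re-encode every `UploadedFile` to webp, which would neutralise an SVG on that path, but any path that stores the upload as received would not be covered. The rule also runs only inside the `request()->has('id')` branch, so if the other branch accepts files it needs the same check. `store()` continues past the end of the hunk.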
Expand Up @@ -2,7 +2,7 @@
<x-slot:title>
@lang('admin::app.settings.themes.edit.title')
</x-slot>

@php
$channels = core()->getAllChannels();
Expand All @@ -11,7 +11,7 @@
$currentLocale = core()->getRequestedLocale();
@endphp

<x-admin::form
<x-admin::form
:action="route('admin.settings.themes.update', $theme->id)"
enctype="multipart/form-data"
v-slot="{ errors }"
Expand All @@ -20,18 +20,18 @@
<p class="text-xl text-gray-800 dark:text-white font-bold">
@lang('admin::app.settings.themes.edit.title')
</p>

<div class="flex gap-x-2.5 items-center">
<div class="flex gap-x-2.5 items-center">
<a
<a
href="{{ route('admin.settings.themes.index') }}"
class="transparent-button hover:bg-gray-200 dark:hover:bg-gray-800 dark:text-white"
>
>
@lang('admin::app.settings.themes.edit.back')
</a>
</div>
<button

<button
type="submit"
class="primary-button"
>
Expand All @@ -54,7 +54,7 @@ class="transparent-button px-1 py-1.5 hover:bg-gray-200 dark:hover:bg-gray-800 f
<span class="icon-language text-2xl"></span>

{{ $currentLocale->name }}

<input
type="hidden"
name="locale"
Expand Down Expand Up @@ -98,7 +98,7 @@ class="flex gap-2.5 px-5 py-2 text-base cursor-pointer hover:bg-gray-100 dark:h
</component>
</div>
</script>

<!-- Image-Carousel Template -->
@includeWhen($theme->type === 'image_carousel', 'admin::settings.themes.edit.image-carousel')

Expand Down Expand Up @@ -136,7 +136,7 @@ class="flex gap-2.5 px-5 py-2 text-base cursor-pointer hover:bg-gray-100 dark:h
image_carousel: 'v-image-carousel',
footer_links: 'v-footer-links',
services_content: 'v-services-content'
}
}
};
},
Expand All @@ -147,4 +147,3 @@ class="flex gap-2.5 px-5 py-2 text-base cursor-pointer hover:bg-gray-100 dark:h
</script>
@endPushOnce
</x-admin::layouts>

Expand Up @@ -39,6 +39,7 @@ class="secondary-button"
class="hidden"
accept="image/*"
ref="static_image"
label="Image"
@change="storeImage($event)"
>
</div>
Expand Down Expand Up @@ -380,7 +381,11 @@ class="rounded-full dark:peer-focus:ring-blue-800 peer-checked:bg-blue-600 w-9 h
line: cursorPointer.line, ch: cursorPointer.ch + response.data.length
});
})
.catch((error) => {});
.catch((error) => {
if (error.response.status == 422) {
this.$emitter.emit('add-flash', { type: 'warning', message: error.response.data.message });
}
});
},
},
});
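Review bot: `error.response.status` is read unconditionally in the new `.catch`, but if this is an axios-style promise (as `error.response.data.message` suggests) a network failure or timeout carries no `response`, so the handler itself throws a TypeError inside the catch; guard the access and use strict comparison: `if (error.response?.status === 422) {`. Every non-422 error is still swallowed silently, which is the behaviour the commit set out to fix for validation errors, so consider at least `console.error(error)` in an `else` branch. `storeImage()` begins before the start of the hunk.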
Expand Up @@ -76,11 +76,17 @@ public function uploadImage(array $data, ThemeCustomization $theme)
'title' => $image['title'],
];
} elseif ($image['image'] instanceof UploadedFile) {
$manager = new ImageManager();
try {
$manager = new ImageManager();

$path = 'theme/'.$theme->id.'/'.Str::random(40).'.webp';
$path = 'theme/'.$theme->id.'/'.Str::random(40).'.webp';

Storage::put($path, $manager->make($image['image'])->encode('webp'));
Storage::put($path, $manager->make($image['image'])->encode('webp'));
} catch (\Exception $e) {
session()->flash('error', $e->getMessage());

return redirect()->back();
}

if (($data['type'] ?? '') == 'static_content') {
return Storage::url($path);
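Review bot: The new catch block flashes `$e->getMessage()` straight from the image library into the session, which surfaces internal exception text (commonly including server paths) to the browser, and it makes a repository method return an HTTP `redirect()`, so a caller expecting the `Storage::url($path)` string from the `static_content` branch may now receive a RedirectResponse instead. Prefer reporting the exception and flashing a fixed message, e.g. `report($e); session()->flash('error', __('<generic upload-failure message key>'));`, or rethrow a domain exception and let the controller choose the response. If the static-content image is posted by the XHR in the static-content template, a 302 from here would not reach its 422 branch either. `uploadImage()` starts before the hunk and continues past it.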
