From 2dd77b1597c51dfdd326243333f57a61dc95a197 Mon Sep 17 00:00:00 2001
From: Patrick Boivin
Date: Thu, 16 Sep 2021 12:04:57 -0400
Subject: [PATCH] fix: Listing XSS vulnerability on numeric parameters

---
 frontend/js/store/modules/datatable.js | 10 +++++-----
 views/layouts/listing.blade.php | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/frontend/js/store/modules/datatable.js b/frontend/js/store/modules/datatable.js
index c08b30870..36e1ca2a6 100644
--- a/frontend/js/store/modules/datatable.js
+++ b/frontend/js/store/modules/datatable.js
@@ -33,11 +33,11 @@ const state = {
 columns: window[process.env.VUE_APP_NAME].STORE.datatable.columns || [],
 filter: window[process.env.VUE_APP_NAME].STORE.datatable.filter || {},
 filtersNav: window[process.env.VUE_APP_NAME].STORE.datatable.navigation || [],
- page: window[process.env.VUE_APP_NAME].STORE.datatable.page || 1,
- maxPage: window[process.env.VUE_APP_NAME].STORE.datatable.maxPage || 1,
- defaultMaxPage: window[process.env.VUE_APP_NAME].STORE.datatable.defaultMaxPage || 1,
- offset: window[process.env.VUE_APP_NAME].STORE.datatable.offset || 60,
- defaultOffset: window[process.env.VUE_APP_NAME].STORE.datatable.defaultOffset || 60,
+ page: Number(window[process.env.VUE_APP_NAME].STORE.datatable.page || 1),
+ maxPage: Number(window[process.env.VUE_APP_NAME].STORE.datatable.maxPage || 1),
+ defaultMaxPage: Number(window[process.env.VUE_APP_NAME].STORE.datatable.defaultMaxPage || 1),
+ offset: Number(window[process.env.VUE_APP_NAME].STORE.datatable.offset || 60),
+ defaultOffset: Number(window[process.env.VUE_APP_NAME].STORE.datatable.defaultOffset || 60),
 sortKey: window[process.env.VUE_APP_NAME].STORE.datatable.sortKey || '',
 sortDir: window[process.env.VUE_APP_NAME].STORE.datatable.sortDir || 'asc',
 bulk: [],
diff --git a/views/layouts/listing.blade.php b/views/layouts/listing.blade.php
index 840996617..32ff1e6a7 100644
--- a/views/layouts/listing.blade.php
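Review bot: The added `Number(... || 1)` lines apply the default to the raw string before conversion, so only an empty string falls back while any other non-numeric value becomes `NaN` — `Number('abc')` is `NaN`, and `Number('1e3')` or `Number('0x10')` still parse as numbers. Because `page` and `offset` in listing.blade.php are taken from `request()`, a crafted query string now leaves the store with `page: NaN` instead of a usable default. Moving the fallback after the conversion, `page: Number(window[process.env.VUE_APP_NAME].STORE.datatable.page) || 1,` (and the same for the four sibling fields), keeps the default for unparsable input; `Number.parseInt(..., 10) || 1` would additionally reject exponent and hex spellings. The `state` object literal begins before this hunk.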
+++ b/views/layouts/listing.blade.php
@@ -171,11 +171,11 @@
 columns: {!! json_encode($tableColumns) !!},
 navigation: {!! json_encode($tableMainFilters) !!},
 filter: { status: '{{ $filters['status'] ?? $defaultFilterSlug ?? 'all' }}' },
- page: {{ request('page') ?? 1 }},
- maxPage: {{ $maxPage ?? 1 }},
- defaultMaxPage: {{ $defaultMaxPage ?? 1 }},
- offset: {{ request('offset') ?? $offset ?? 60 }},
- defaultOffset: {{ $defaultOffset ?? 60 }},
+ page: '{{ request('page') ?? 1 }}',
+ maxPage: '{{ $maxPage ?? 1 }}',
+ defaultMaxPage: '{{ $defaultMaxPage ?? 1 }}',
+ offset: '{{ request('offset') ?? $offset ?? 60 }}',
+ defaultOffset: '{{ $defaultOffset ?? 60 }}',
 sortKey: '{{ $reorder ? (request('sortKey') ?? '') : (request('sortKey') ?? '') }}',
 sortDir: '{{ request('sortDir') ?? 'asc' }}',
 baseUrl: '{{ rtrim(config('app.url'), '/') . '/' }}',
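Review bot: The quoted `page` and `offset` lines still emit `request('page')` and `request('offset')` verbatim, so the values are only made safe as string literals and type enforcement is left entirely to the client. Casting server-side, `page: {{ (int) (request('page') ?? 1) }},` and `offset: {{ (int) (request('offset') ?? $offset ?? 60) }},`, keeps the emitted literal a genuine number, turns non-numeric input into `0`/a default before it reaches the page, and handles array-shaped input (`?page[]=1`), which an uncast interpolation would likely fail on when Blade escapes it. The controller-provided `$maxPage`, `$defaultMaxPage` and `$defaultOffset` can be cast the same way for consistency, after which the `Number()` wrapping in datatable.js becomes redundant. The enclosing script block and object literal begin before this hunk.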