fix comments xss

microweber · Jan 19, 2022 · 51b5a4e · 51b5a4e
1 parent b64ef57
commit 51b5a4e
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 6 deletions.
diff --git a/src/MicroweberPackages/Comment/Models/Comment.php b/src/MicroweberPackages/Comment/Models/Comment.php
@@ -25,6 +25,7 @@ class Comment extends Model
 //        'comment_body'=>MarkdownCast::class
 //    ];
 
+
     public function modelFilter()
     {
         return $this->provideFilter(ContentFilter::class);

diff --git a/src/MicroweberPackages/Comment/Models/CommentsCrud.php b/src/MicroweberPackages/Comment/Models/CommentsCrud.php
@@ -54,7 +54,7 @@ public function get($params = false)
                 if (isset($item['comment_body']) and ($item['comment_body'] != '')) {
                     $surl = site_url();
                     $item['comment_body'] = str_replace('{SITE_URL}', $surl, $item['comment_body']);
-                    $comments[$i]['comment_body'] = $item['comment_body']; // mw()->format->autolink($item['comment_body']);
+                    $comments[$i]['comment_body'] = htmlentities($item['comment_body']);
                 }
 
                 if (isset($params['single'])) {

diff --git a/src/MicroweberPackages/Comment/resources/views/admin/comments/comment_item.blade.php b/src/MicroweberPackages/Comment/resources/views/admin/comments/comment_item.blade.php
@@ -55,10 +55,10 @@
                         </h6>
 
                     <div class="mb-3">
-                        <div class="js-comment-body-text"><?php print $comment['comment_body']; ?></div>
+                        <div class="js-comment-body-text">{{ $comment['comment_body'] }}</div>
                         <span class="js-comment-body-textarea" style="display: none;">
                             <small class="text-muted">Comment:</small>
-                            <textarea name="comment_body" class="form-control"><?php print $comment['comment_body']; ?></textarea>
+                            <textarea name="comment_body" class="form-control">{{ $comment['comment_body'] }}</textarea>
                         </span>
                     </div>
 

diff --git a/userfiles/modules/comments/src/Controllers/Admin.php b/userfiles/modules/comments/src/Controllers/Admin.php
@@ -46,7 +46,6 @@ function index($params)
 
     function comments_list($params)
     {
-
         if (!user_can_access('module.comments.index')) {
             return;
         }
@@ -113,12 +112,10 @@ function comment_item($params)
 
         $comment = get_comments($data);
 
-
         if (!$comment) {
             return;
         }
 
-
         $view_file = $this->views_dir . 'comment_item.php';
         $view = new View($view_file);
         $view->assign('params', $params);