From 2ef0c340a742ef12054e59e4aab3647ba65a7f54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20van=20Drunen?= <daniel@pixely.me>
Date: Mon, 20 Dec 2021 21:11:38 +0100
Subject: [PATCH 1/5] Apply v-pre attribute in every Blade view where
 $tag->name is used

---
 resources/views/budgets/create.blade.php     | 2 +-
 resources/views/budgets/index.blade.php      | 2 +-
 resources/views/imports/complete.blade.php   | 2 +-
 resources/views/partials/tag.blade.php       | 2 +-
 resources/views/spendings/create.blade.php   | 2 +-
 resources/views/spendings/edit.blade.php     | 2 +-
 resources/views/tags/index.blade.php         | 2 +-
 resources/views/transactions/index.blade.php | 4 ++--
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/resources/views/budgets/create.blade.php b/resources/views/budgets/create.blade.php
index 1cf96042..c27e197d 100644
--- a/resources/views/budgets/create.blade.php
+++ b/resources/views/budgets/create.blade.php
@@ -16,7 +16,7 @@
                         <label>{{ __('models.tag') }}</label>
                         <select name="tag_id">
                             @foreach ($tags as $tag)
-                                <option value="{{ $tag->id }}">{{ $tag->name }}</option>
+                                <option value="{{ $tag->id }}" v-pre>{{ $tag->name }}</option>
                             @endforeach
                         </select>
                         @include('partials.validation_error', ['payload' => 'tag_id'])
diff --git a/resources/views/budgets/index.blade.php b/resources/views/budgets/index.blade.php
index 2e0174bd..da6e1232 100644
--- a/resources/views/budgets/index.blade.php
+++ b/resources/views/budgets/index.blade.php
@@ -18,7 +18,7 @@
             @endif
             @foreach ($budgets as $budget)
                 <div class="box__section">
-                    <div>{{ $budget->tag->name }}</div>
+                    <div v-pre>{{ $budget->tag->name }}</div>
                     <progress class="mt-2 mb-1" value="{{ $budget->spent }}" min="0" max="{{ $budget->amount }}"></progress>
                     <div style="font-size: 14px; font-weight: 600;">{!! $currency !!} {{ $budget->formatted_spent }} {{ __('general.of') }} {!! $currency !!} {{ $budget->formatted_amount }}</div>
                 </div>
diff --git a/resources/views/imports/complete.blade.php b/resources/views/imports/complete.blade.php
index 9787a782..625ad457 100644
--- a/resources/views/imports/complete.blade.php
+++ b/resources/views/imports/complete.blade.php
@@ -40,7 +40,7 @@
                                 <select name="rows[{{ $index }}][tag_id]">
                                     <option value="">-</option>
                                     @foreach ($tags as $tag)
-                                        <option value="{{ $tag->id }}">{{ $tag->name }}</option>
+                                        <option value="{{ $tag->id }}" v-pre>{{ $tag->name }}</option>
                                     @endforeach
                                 </select>
                                 @include('partials.validation_error', ['payload' => 'rows.' . $index . '.tag_id'])
diff --git a/resources/views/partials/tag.blade.php b/resources/views/partials/tag.blade.php
index a2eb4e04..b20f8b85 100644
--- a/resources/views/partials/tag.blade.php
+++ b/resources/views/partials/tag.blade.php
@@ -1 +1 @@
-<span style="border-radius: 5px; background: #{{ $payload->color }}; color: #FFF; padding: 5px 10px; font-size: 14px; font-weight: 600;"><i class="fas fa-tag fa-xs"></i> {{ $payload->name }}</span>
+<span style="border-radius: 5px; background: #{{ $payload->color }}; color: #FFF; padding: 5px 10px; font-size: 14px; font-weight: 600;" v-pre><i class="fas fa-tag fa-xs"></i> {{ $payload->name }}</span>
diff --git a/resources/views/spendings/create.blade.php b/resources/views/spendings/create.blade.php
index b815f07c..e1a85d27 100644
--- a/resources/views/spendings/create.blade.php
+++ b/resources/views/spendings/create.blade.php
@@ -14,7 +14,7 @@
                         <select name="tag_id">
                             <option value="">-</option>
                             @foreach ($tags as $tag)
-                                <option value="{{ $tag->id }}">{{ $tag->name }}</option>
+                                <option value="{{ $tag->id }}" v-pre>{{ $tag->name }}</option>
                             @endforeach
                         </select>
                         @include('partials.validation_error', ['payload' => 'tag_id'])
diff --git a/resources/views/spendings/edit.blade.php b/resources/views/spendings/edit.blade.php
index d9ea00d2..8d6667ab 100644
--- a/resources/views/spendings/edit.blade.php
+++ b/resources/views/spendings/edit.blade.php
@@ -15,7 +15,7 @@
                         <select name="tag_id">
                             <option value="">-</option>
                             @foreach ($tags as $tag)
-                                <option value="{{ $tag->id }}" {{ $tag->id === $spending->tag_id ? 'selected' : '' }}>{{ $tag->name }}</option>
+                                <option value="{{ $tag->id }}" {{ $tag->id === $spending->tag_id ? 'selected' : '' }} v-pre>{{ $tag->name }}</option>
                             @endforeach
                         </select>
                         @include('partials.validation_error', ['payload' => 'tag_id'])
diff --git a/resources/views/tags/index.blade.php b/resources/views/tags/index.blade.php
index c0ca819e..1ee52abf 100644
--- a/resources/views/tags/index.blade.php
+++ b/resources/views/tags/index.blade.php
@@ -24,7 +24,7 @@
                         <div class="row__column row__column--compact row__column--middle mr-2">
                             <div style="width: 15px; height: 15px; border-radius: 2px; background: #{{ $tag->color }};"></div>
                         </div>
-                        <div class="row__column row__column--middle">{{ $tag->name }}</div>
+                        <div class="row__column row__column--middle" v-pre>{{ $tag->name }}</div>
                         <div class="row__column row__column--middle">{{ $tag->spendings->count() }}</div>
                         <div class="row__column row__column--middle row row--right">
                             <div class="row__column row__column--compact">
diff --git a/resources/views/transactions/index.blade.php b/resources/views/transactions/index.blade.php
index 5625a14f..a497e535 100644
--- a/resources/views/transactions/index.blade.php
+++ b/resources/views/transactions/index.blade.php
@@ -22,7 +22,7 @@
                         <span>Filter by Tag</span>
                         @foreach ($tags as $tag)
                             <div class="mt-1 ml-1">
-                                <a href="/transactions?filterBy=tag-{{ $tag->id }}">{{ $tag->name }}</a>
+                                <a href="/transactions?filterBy=tag-{{ $tag->id }}" v-pre>{{ $tag->name }}</a>
                             </div>
                         @endforeach
                     </div>
@@ -57,7 +57,7 @@
                                                 <div class="row__column row__column--compact row__column--middle mr-05" style="font-size: 12px;">
                                                     <i class="fas fa-tag" style="color: #{{ $transaction->tag->color }};"></i>
                                                 </div>
-                                                <div class="row__column row__column--compact row__column--middle">{{ $transaction->tag->name }}</div>
+                                                <div class="row__column row__column--compact row__column--middle" v-pre>{{ $transaction->tag->name }}</div>
                                             </div>
                                         @endif
                                     </div>

From 64b0a401e9d32d863c795ae8d2c24a80269ba583 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20van=20Drunen?= <daniel@pixely.me>
Date: Mon, 20 Dec 2021 21:17:17 +0100
Subject: [PATCH 2/5] Fix potential XSS vulernability on page that shows list
 of imports

---
 resources/views/imports/index.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/imports/index.blade.php b/resources/views/imports/index.blade.php
index 5c7394cd..642af5a2 100644
--- a/resources/views/imports/index.blade.php
+++ b/resources/views/imports/index.blade.php
@@ -21,7 +21,7 @@
                 </div>
                 @foreach ($imports as $import)
                     <div class="box__section row">
-                        <div class="row__column">{{ $import->name }}</div>
+                        <div class="row__column" v-pre>{{ $import->name }}</div>
                         <div class="row__column">{{ $import->status < 2 ? $import->status + 1 . ' / 3' : 'Completed' }}</div>
                         <div class="row__column row__column--compact text-right" style="width: 100px;">
                             @if ($import->status < 2)

From b99be9d5728c53f24d2f09faf976b22024292b83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20van=20Drunen?= <daniel@pixely.me>
Date: Mon, 20 Dec 2021 21:24:11 +0100
Subject: [PATCH 3/5] Apply v-pre attribute in every Blade view where
 $space->name is used

---
 resources/views/layout.blade.php                | 2 +-
 resources/views/settings/spaces/index.blade.php | 2 +-
 resources/views/space_invites/show.blade.php    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/resources/views/layout.blade.php b/resources/views/layout.blade.php
index b95d68c5..2c1f52e2 100644
--- a/resources/views/layout.blade.php
+++ b/resources/views/layout.blade.php
@@ -91,7 +91,7 @@
                                         <ul slot="menu" v-cloak>
                                             @foreach (Auth::user()->spaces as $space)
                                                 <li>
-                                                    <a href="/spaces/{{ $space->id }}">{{ $space->name }}</a>
+                                                    <a href="/spaces/{{ $space->id }}" v-pre>{{ $space->name }}</a>
                                                 </li>
                                             @endforeach
                                         </ul>
diff --git a/resources/views/settings/spaces/index.blade.php b/resources/views/settings/spaces/index.blade.php
index 47e7d192..a1834dd2 100644
--- a/resources/views/settings/spaces/index.blade.php
+++ b/resources/views/settings/spaces/index.blade.php
@@ -11,7 +11,7 @@
         <ul class="box__section">
             @foreach ($spaces as $space)
                 <li class="row row--middle">
-                    <div class="row__column">{{ $space->name }} &middot; {{ ucfirst($space->pivot->role) }}</div>
+                    <div class="row__column" v-pre>{{ $space->name }} &middot; {{ ucfirst($space->pivot->role) }}</div>
                     <div class="row__column row__column--compact">
                         @can('edit', $space)
                             <a class="button button--secondary button--small" href="/spaces/{{ $space->id }}/edit">{{ __('pages.settings') }}</a>
diff --git a/resources/views/space_invites/show.blade.php b/resources/views/space_invites/show.blade.php
index 58ac6bf9..ad0c3a2f 100644
--- a/resources/views/space_invites/show.blade.php
+++ b/resources/views/space_invites/show.blade.php
@@ -10,7 +10,7 @@
         @endif
         <div class="box mt-3">
             <div class="box__section">
-                <h3 class="color-dark mb-1">{{ __('general.invited_to') }} "{{ $invite->space->name }}"</h3>
+                <h3 class="color-dark mb-1" v-pre>{{ __('general.invited_to') }} "{{ $invite->space->name }}"</h3>
                 <div>{{ __('general.sent_by') }} {{ $invite->inviter->name }}.</div>
                 <div class="row row--middle mt-2">
                     <form method="POST" action="{{ route('space_invites.accept', ['space' => $invite->space->id, 'invite' => $invite->id]) }}">

From faca3223b8e47a3bc9a5d88c7c78b36b9a8ec520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20van=20Drunen?= <daniel@pixely.me>
Date: Mon, 20 Dec 2021 21:36:48 +0100
Subject: [PATCH 4/5] Fix potential XSS vulnerability on page for editing
 spaces

---
 resources/views/spaces/edit.blade.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/resources/views/spaces/edit.blade.php b/resources/views/spaces/edit.blade.php
index 5f9224e6..3feb8f56 100644
--- a/resources/views/spaces/edit.blade.php
+++ b/resources/views/spaces/edit.blade.php
@@ -40,7 +40,7 @@
                 <div class="row__column row__column--double">
                     @foreach ($space->users as $i => $user)
                         <div class="{{ $i > 0 ? 'mt-2' : null }}">
-                            <div class="color-dark mb-1">{{ $user->name }}</div>
+                            <div class="color-dark mb-1" v-pre>{{ $user->name }}</div>
                             <div class="fs-sm">{{ ucfirst($user->pivot->role) }}</div>
                         </div>
                     @endforeach
@@ -58,8 +58,8 @@
                     @endif
                     @foreach ($space->invites as $i => $invite)
                         <div class="{{ $i > 0 ? 'mt-2' : '' }}">
-                            <div class="color-dark mb-1">{{ $invite->invitee->name }}</div>
-                            <div class="fs-sm">{{ __('general.invited_by') }} {{ $invite->inviter->name }} &middot; {{ $invite->status }}</div>
+                            <div class="color-dark mb-1" v-pre>{{ $invite->invitee->name }}</div>
+                            <div class="fs-sm" v-pre>{{ __('general.invited_by') }} {{ $invite->inviter->name }} &middot; {{ $invite->status }}</div>
                         </div>
                     @endforeach
                 </div>

From 38e01f2d077f1e6f09d2e38c2c5f293144257324 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20van=20Drunen?= <daniel@pixely.me>
Date: Mon, 20 Dec 2021 21:47:14 +0100
Subject: [PATCH 5/5] Apply v-pre attribute in every Blade view where
 description of earnings, spendings and recurrings are used

---
 resources/views/earnings/show.blade.php      | 2 +-
 resources/views/recurrings/index.blade.php   | 2 +-
 resources/views/recurrings/show.blade.php    | 2 +-
 resources/views/spendings/show.blade.php     | 2 +-
 resources/views/transactions/index.blade.php | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/resources/views/earnings/show.blade.php b/resources/views/earnings/show.blade.php
index 970c5755..c2f6f678 100644
--- a/resources/views/earnings/show.blade.php
+++ b/resources/views/earnings/show.blade.php
@@ -4,7 +4,7 @@
 
 @section('body')
     <div class="wrapper my-3">
-        <h2>{{ $earning->description }}</h2>
+        <h2 v-pre>{{ $earning->description }}</h2>
         @include('partials.attachments', ['payload' => $earning])
     </div>
 @endsection
diff --git a/resources/views/recurrings/index.blade.php b/resources/views/recurrings/index.blade.php
index 12a3c349..42b536f2 100644
--- a/resources/views/recurrings/index.blade.php
+++ b/resources/views/recurrings/index.blade.php
@@ -18,7 +18,7 @@
                     <div class="box__section row">
                         <div class="row__column">
                             <div class="color-dark">
-                                <a href="/recurrings/{{ $recurring->id }}">{{ $recurring->description }}</a>
+                                <a href="/recurrings/{{ $recurring->id }}" v-pre>{{ $recurring->description }}</a>
                             </div>
                             <div class="row mt-1">
                                 <div class="row__column row__column--compact" style="font-size: 14px; font-weight: 600;">{!! $currency !!} {{ \App\Helper::formatNumber($recurring->amount / 100) }}</div>
diff --git a/resources/views/recurrings/show.blade.php b/resources/views/recurrings/show.blade.php
index f9468bf0..066fd10c 100644
--- a/resources/views/recurrings/show.blade.php
+++ b/resources/views/recurrings/show.blade.php
@@ -2,7 +2,7 @@
 
 @section('body')
     <div class="wrapper my-3">
-        <h2>{{ $recurring->description }}</h2>
+        <h2 v-pre>{{ $recurring->description }}</h2>
         <div class="row my-3">
             <div class="row__column row__column--compact">
                 @if ($recurring->status)
diff --git a/resources/views/spendings/show.blade.php b/resources/views/spendings/show.blade.php
index 9465b49c..f1b4885c 100644
--- a/resources/views/spendings/show.blade.php
+++ b/resources/views/spendings/show.blade.php
@@ -4,7 +4,7 @@
 
 @section('body')
     <div class="wrapper my-3">
-        <h2>{{ $spending->description }}</h2>
+        <h2 v-pre>{{ $spending->description }}</h2>
         @include('partials.attachments', ['payload' => $spending])
     </div>
 @endsection
diff --git a/resources/views/transactions/index.blade.php b/resources/views/transactions/index.blade.php
index a497e535..0ffcc357 100644
--- a/resources/views/transactions/index.blade.php
+++ b/resources/views/transactions/index.blade.php
@@ -36,7 +36,7 @@
                             @foreach ($transactions as $transaction)
                                 <div class="box__section row row--responsive">
                                     <div class="row__column row__column--middle row row--middle">
-                                        <div>{{ $transaction->description }}</div>
+                                        <div v-pre>{{ $transaction->description }}</div>
                                         <a href="/{{ get_class($transaction) === 'App\Models\Earning' ? 'earnings' : 'spendings' }}/{{ $transaction->id }}">
                                             <i class="fas fa-info-circle fa-xs c-light ml-1"></i>
                                         </a>