From 32b66623e37c828ae71e3a3643c4ea6285386e76 Mon Sep 17 00:00:00 2001
From: S-Cart
Date: Wed, 2 Feb 2022 20:17:54 +0700
Subject: [PATCH] Fix xss admin auth
---
 src/Admin/Controllers/Auth/LoginController.php | 3 ++-
 src/Admin/Controllers/Auth/PermissionController.php | 4 ++--
 src/Admin/Controllers/Auth/RoleController.php | 4 ++--
 src/Admin/Controllers/Auth/UsersController.php | 3 ++-
 src/Config/s-cart.php | 2 +-
 5 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/Admin/Controllers/Auth/LoginController.php b/src/Admin/Controllers/Auth/LoginController.php
index de74de2..a82db03 100644
--- a/src/Admin/Controllers/Auth/LoginController.php
+++ b/src/Admin/Controllers/Auth/LoginController.php
@@ -130,8 +130,9 @@ public function putSetting()
 if ($data['password']) {
 $dataUpdate['password'] = bcrypt($data['password']);
 }
+ $dataUpdate = sc_clean($dataUpdate, [], true);
 $user->update($dataUpdate);
-//
+
 return redirect()->route('admin.home')->with('success', sc_language_render('action.edit_success'));
 }
diff --git a/src/Admin/Controllers/Auth/PermissionController.php b/src/Admin/Controllers/Auth/PermissionController.php
index 0effe27..71a95b9 100644
--- a/src/Admin/Controllers/Auth/PermissionController.php
+++ b/src/Admin/Controllers/Auth/PermissionController.php
@@ -188,7 +188,7 @@ public function postCreate()
 'slug' => $data['slug'],
 'http_uri' => implode(',', ($data['http_uri'] ?? [])),
 ];
-
+ $dataInsert = sc_clean($dataInsert, [], true);
 $permission = AdminPermission::createPermission($dataInsert);
 return redirect()->route('admin_permission.index')->with('success', sc_language_render('action.create_success'));
@@ -243,8 +243,8 @@ public function postEdit($id)
 'slug' => $data['slug'],
 'http_uri' => implode(',', ($data['http_uri'] ?? [])),
 ];
+ $dataUpdate = sc_clean($dataUpdate, [], true);
 $permission->update($dataUpdate);
-//
 return redirect()->route('admin_permission.index')->with('success', sc_language_render('action.edit_success'));
 }
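Review bot: The bcrypt hash assigned to `$dataUpdate['password']` two lines above the added line is now passed through `sc_clean` together with the user-supplied fields, although a hash is never rendered and only needs to survive unchanged; the second argument, an empty array here, looks like a list of keys to skip (confirm against the helper), so `$dataUpdate = sc_clean($dataUpdate, ['password'], true);` would keep the cleaner away from it. The same applies to the `password` key in the UsersController postCreate and postEdit hunks. In the PermissionController postCreate and postEdit hunks the cleaned `http_uri` is an imploded list of URIs; if `sc_clean` HTML-encodes, any `&` or quote in a stored URI comes back encoded and would presumably no longer match the raw request path it is meant to describe, so that key is a candidate for the same exclusion. Cleaning on store leaves rows written before this commit, and any other write path to these tables, untouched, so the views that print these fields should keep escaping them on output regardless. putSetting starts and ends outside the hunk.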
diff --git a/src/Admin/Controllers/Auth/RoleController.php b/src/Admin/Controllers/Auth/RoleController.php
index 56899f7..039fa52 100644
--- a/src/Admin/Controllers/Auth/RoleController.php
+++ b/src/Admin/Controllers/Auth/RoleController.php
@@ -155,7 +155,7 @@ public function postCreate()
 'name' => $data['name'],
 'slug' => $data['slug'],
 ];
-
+ $dataInsert = sc_clean($dataInsert, [], true);
 $role = AdminRole::createRole($dataInsert);
 $permission = $data['permission'] ?? [];
 $administrators = $data['administrators'] ?? [];
@@ -219,6 +219,7 @@ public function postEdit($id)
 'name' => $data['name'],
 'slug' => $data['slug'],
 ];
+ $dataUpdate = sc_clean($dataUpdate, [], true);
 $role->update($dataUpdate);
 $permission = $data['permission'] ?? [];
 $administrators = $data['administrators'] ?? [];
@@ -232,7 +233,6 @@ public function postEdit($id)
 if ($administrators) {
 $role->administrators()->attach($administrators);
 }
-//
 return redirect()->route('admin_role.index')->with('success', sc_language_render('action.edit_success'));
 }
diff --git a/src/Admin/Controllers/Auth/UsersController.php b/src/Admin/Controllers/Auth/UsersController.php
index c6e2758..a12065d 100644
--- a/src/Admin/Controllers/Auth/UsersController.php
+++ b/src/Admin/Controllers/Auth/UsersController.php
@@ -190,7 +190,7 @@ public function postCreate()
 'email' => strtolower($data['email']),
 'password' => bcrypt($data['password']),
 ];
-
+ $dataInsert = sc_clean($dataInsert, [], true);
 $user = AdminUser::createUser($dataInsert);
 $roles = $data['roles'] ?? [];
@@ -278,6 +278,7 @@ public function postEdit($id)
 if ($data['password']) {
 $dataUpdate['password'] = bcrypt($data['password']);
 }
+ $dataUpdate = sc_clean($dataUpdate, [], true);
 AdminUser::updateInfo($dataUpdate, $id);
 if (!in_array($user->id, SC_GUARD_ADMIN)) {
diff --git a/src/Config/s-cart.php b/src/Config/s-cart.php
index 5f0ee1c..63bd7f4 100644
--- a/src/Config/s-cart.php
+++ b/src/Config/s-cart.php
@@ -1,7 +1,7 @@
 '6.8',
- 'core-sub-version' => '6.8.12',
+ 'core-sub-version' => '6.8.13',
 'homepage' => 'https://s-cart.org',
 'name' => 'S-Cart',
 'github' => 'https://github.com/s-cart/s-cart',