Fixes potential XSS vuln in user requestable results

Signed-off-by: snipe <snipe@snipe.net>
snipe · Apr 15, 2022 · 698c7f4 · 698c7f4
1 parent 7479f5f
commit 698c7f4
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/app/Http/Controllers/Api/ProfileController.php b/app/Http/Controllers/Api/ProfileController.php
@@ -30,11 +30,11 @@ public function requestedAssets()
             // Make sure the asset and request still exist
             if ($checkoutRequest && $checkoutRequest->itemRequested()) {
                 $results['rows'][] = [
-                    'image' => $checkoutRequest->itemRequested()->present()->getImageUrl(),
-                    'name' => $checkoutRequest->itemRequested()->present()->name(),
-                    'type' => $checkoutRequest->itemType(),
-                    'qty' => $checkoutRequest->quantity,
-                    'location' => ($checkoutRequest->location()) ? $checkoutRequest->location()->name : null,
+                    'image' => e($checkoutRequest->itemRequested()->present()->getImageUrl()),
+                    'name' => e($checkoutRequest->itemRequested()->present()->name()),
+                    'type' => e($checkoutRequest->itemType()),
+                    'qty' => (int) $checkoutRequest->quantity,
+                    'location' => ($checkoutRequest->location()) ? e($checkoutRequest->location()->name) : null,
                     'expected_checkin' => Helper::getFormattedDateObject($checkoutRequest->itemRequested()->expected_checkin, 'datetime'),
                     'request_date' => Helper::getFormattedDateObject($checkoutRequest->created_at, 'datetime'),
                 ];