Merge branch 'master' into bug/image-upload

BookStackApp · Mar 18, 2018 · 0335f58 · 0335f58
2 parents 3a5c20c + 380e2ff
commit 0335f58
Show file tree

Hide file tree

Showing 39 changed files with 10,664 additions and 4,676 deletions.
diff --git a/app/Http/Controllers/ImageController.php b/app/Http/Controllers/ImageController.php
@@ -120,7 +120,7 @@ public function uploadByType($type, Request $request)
     {
         $this->checkPermission('image-create-all');
         $this->validate($request, [
-            'file' => 'image'
+            'file' => 'required|image'
         ]);
 
         if (!$this->imageRepo->isValidType($type)) {

diff --git a/app/Repos/EntityRepo.php b/app/Repos/EntityRepo.php
@@ -713,6 +713,10 @@ protected function formatHtml($htmlText)
     public function renderPage(Page $page, $ignorePermissions = false)
     {
         $content = $page->html;
+        if (!config('app.allow_content_scripts')) {
+            $content = $this->escapeScripts($content);
+        }
+
         $matches = [];
         preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
         if (count($matches[0]) === 0) {
@@ -760,6 +764,24 @@ public function renderPage(Page $page, $ignorePermissions = false)
         return $content;
     }
 
+    /**
+     * Escape script tags within HTML content.
+     * @param string $html
+     * @return mixed
+     */
+    protected function escapeScripts(string $html)
+    {
+        $scriptSearchRegex = '/<script.*?>.*?<\/script>/ms';
+        $matches = [];
+        preg_match_all($scriptSearchRegex, $html, $matches);
+        if (count($matches) === 0) return $html;
+
+        foreach ($matches[0] as $match) {
+            $html = str_replace($match, htmlentities($match), $html);
+        }
+        return $html;
+    }
+
     /**
      * Get the plain text version of a page's content.
      * @param Page $page

diff --git a/config/app.php b/config/app.php
@@ -8,6 +8,8 @@
         'books' => env('APP_VIEWS_BOOKS', 'list')
     ],
 
+    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
+
     /*
     |--------------------------------------------------------------------------
     | Application Debug Mode
@@ -148,8 +150,6 @@
          */
         Intervention\Image\ImageServiceProvider::class,
         Barryvdh\DomPDF\ServiceProvider::class,
-        Barryvdh\LaravelIdeHelper\IdeHelperServiceProvider::class,
-        Barryvdh\Debugbar\ServiceProvider::class,
         Barryvdh\Snappy\ServiceProvider::class,
 
 
@@ -164,7 +164,6 @@
         BookStack\Providers\EventServiceProvider::class,
         BookStack\Providers\RouteServiceProvider::class,
         BookStack\Providers\CustomFacadeProvider::class,
-
     ],
 
     /*
@@ -222,7 +221,6 @@
         'ImageTool' => Intervention\Image\Facades\Image::class,
         'DomPDF' => Barryvdh\DomPDF\Facade::class,
         'SnappyPDF' => Barryvdh\Snappy\Facades\SnappyPdf::class,
-        'Debugbar'  => Barryvdh\Debugbar\Facade::class,
 
         /**
          * Custom

diff --git a/gulpfile.js b/gulpfile.js