Merge pull request #1671 from suraj-webkul/XSS

Krayin CRM vulnerable to Cross Site Scripting (XSS) via the organizat…

Author: devansh-webkul

CHANGELOG.md

@@ -1,3 +1,7 @@
+## **v1.3.1 (9th of October 2024)** - *Release*
+
+* Fix security issues.
+
 ## **v1.3.0 (21st of June 2024)** - *Release*
 
 * #1251[upgrade] Upgraded the Laravel framework to version 10, incorporating the latest features and enhancements for improved performance, security, and developer experience and Installer package.

packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php

@@ -43,7 +43,6 @@ public function create()
         return view('admin::contacts.organizations.create');
     }
 
-
     /**
      * Store a newly created resource in storage.
      *
@@ -54,7 +53,11 @@ public function store(AttributeForm $request)
     {
         Event::dispatch('contacts.organization.create.before');
 
-        $organization = $this->organizationRepository->create(request()->all());
+        $organization = $this->organizationRepository->create([
+            'name'        => $request->input('name'),
+            'address'     => $request->input('address'),
+            'entity_type' => $request->input('entity_type'),
+        ]);
 
         Event::dispatch('contacts.organization.create.after', $organization);
 
@@ -87,7 +90,11 @@ public function update(AttributeForm $request, $id)
     {
         Event::dispatch('contacts.organization.update.before', $id);
 
-        $organization = $this->organizationRepository->update(request()->all(), $id);
+        $organization = $this->organizationRepository->update([
+            'name'        => $request->input('name'),
+            'address'     => $request->input('address'),
+            'entity_type' => $request->input('entity_type'),
+        ], $id);
 
         Event::dispatch('contacts.organization.update.after', $organization);
 

packages/Webkul/UI/src/DataGrid/Traits/ProvideCollection.php

@@ -89,6 +89,8 @@ public function sortOrFilterCollection($collection, $parseInfo)
     public function formatCollection()
     {
         $this->collection->transform(function ($record) {
+            $record = $this->sanitizeRecord($record);
+
             $this->transformRows($record);
 
             $this->transformActions($record);
@@ -415,4 +417,29 @@ private function generateKeyFromActionTitle($title, $suffix)
 
         return strtolower($validatedStrings) . $suffix;
     }
+
+    /**
+     * Prepare all the setup for datagrid.
+     */
+    protected function sanitizeRecord($record)
+    {
+        /**
+         * Convert stdClass to array.
+         */
+        $tempRow = json_decode(json_encode($record), true);
+
+        foreach ($tempRow as $column => $value) {
+            if (! is_string($tempRow[$column])) {
+                continue;
+            }
+
+            if (is_array($value)) {
+                return $this->sanitizeRow($tempRow[$column]);
+            } else {
+                $record->{$column} = strip_tags($value);
+            }
+        }
+
+        return $record;
+    }
 }