diff --git a/includes/controller/angeltypes_controller.php b/includes/controller/angeltypes_controller.php index 3d820446..eced5a46 100644 --- a/includes/controller/angeltypes_controller.php +++ b/includes/controller/angeltypes_controller.php @@ -72,7 +72,7 @@ function angeltype_delete_controller() } return [ - sprintf(__('Delete angeltype %s'), $angeltype->name), + sprintf(__('Delete angeltype %s'), htmlspecialchars($angeltype->name)), AngelType_delete_view($angeltype), ]; } @@ -152,7 +152,7 @@ function angeltype_edit_controller() } return [ - sprintf(__('Edit %s'), $angeltype->name), + sprintf(__('Edit %s'), htmlspecialchars((string) $angeltype->name)), AngelType_edit_view($angeltype, $supporter_mode), ]; } @@ -193,7 +193,7 @@ function angeltype_controller() $isSupporter = !is_null($user_angeltype) && $user_angeltype->supporter; return [ - sprintf(__('Team %s'), $angeltype->name), + sprintf(__('Team %s'), htmlspecialchars($angeltype->name)), AngelType_view( $angeltype, $members, @@ -323,7 +323,7 @@ function angeltypes_list_controller() $angeltype->name = '' - . $angeltype->name + . htmlspecialchars($angeltype->name) . ''; $angeltype->actions = table_buttons($actions); diff --git a/includes/controller/rooms_controller.php b/includes/controller/rooms_controller.php index 2136565a..5fdca4a3 100644 --- a/includes/controller/rooms_controller.php +++ b/includes/controller/rooms_controller.php @@ -53,7 +53,7 @@ function room_controller(): array $shiftCalendarRenderer = shiftCalendarRendererByShiftFilter($shiftsFilter); return [ - $room->name, + htmlspecialchars($room->name), Room_view($room, $shiftsFilterRenderer, $shiftCalendarRenderer), ]; } diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php index fe3b8939..99bf0e53 100644 --- a/includes/controller/shifts_controller.php +++ b/includes/controller/shifts_controller.php 
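Review bot: The page titles these controllers now return pre-escaped (`htmlspecialchars($room->name)` in room_controller, the `sprintf(__('Team %s'), htmlspecialchars(...))` titles in angeltypes_controller) are consumed outside these hunks, and if the layout that renders that first array element is a template with autoescaping, a name containing `&` or `<` will show up double-encoded as `&amp;amp;` in the heading and `<title>`. Please confirm where that title is rendered and escape in exactly one place, either here or in the layout, not both. A smaller inconsistency: angeltype_edit_controller uses `htmlspecialchars((string) $angeltype->name)` while the sibling hunks use `htmlspecialchars($angeltype->name)`; if `name` can be null (PHP 8.1 deprecates passing null to htmlspecialchars) every call needs the cast, otherwise none does.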
@@ -194,7 +194,7 @@ function shift_edit_controller() foreach ($angeltypes as $angeltype_id => $angeltype_name) { $angel_types_spinner .= form_spinner( 'angeltype_count_' . $angeltype_id, - $angeltype_name, + htmlspecialchars($angeltype_name), $needed_angel_types[$angeltype_id] ); } @@ -213,7 +213,10 @@ function shift_edit_controller() form_text('start', __('Start:'), $start->format('Y-m-d H:i')), form_text('end', __('End:'), $end->format('Y-m-d H:i')), form_textarea('description', __('Additional description'), $description), - form_info('', __('This description is for single shifts, otherwise please use the description in shift type.')), + form_info( + '', + __('This description is for single shifts, otherwise please use the description in shift type.') + ), '

' . __('Needed angels') . '

', $angel_types_spinner, form_submit('submit', __('Save')), @@ -338,7 +341,7 @@ function shift_controller() } return [ - $shift->shiftType->name, + htmlspecialchars($shift->shiftType->name), Shift_view($shift, $shifttype, $room, $angeltypes, $shift_signup_state), ]; } diff --git a/includes/controller/shifttypes_controller.php b/includes/controller/shifttypes_controller.php index 0f1cdfe4..efd11988 100644 --- a/includes/controller/shifttypes_controller.php +++ b/includes/controller/shifttypes_controller.php @@ -33,7 +33,7 @@ function shifttype_delete_controller() } return [ - sprintf(__('Delete shifttype %s'), $shifttype->name), + sprintf(__('Delete shifttype %s'), htmlspecialchars($shifttype->name)), ShiftType_delete_view($shifttype), ]; } @@ -110,7 +110,7 @@ function shifttype_controller() $shifttype = ShiftType::findOrFail($request->input('shifttype_id')); return [ - $shifttype->name, + htmlspecialchars($shifttype->name), ShiftType_view($shifttype), ]; } diff --git a/includes/controller/user_angeltypes_controller.php b/includes/controller/user_angeltypes_controller.php index 7b43d19f..07d81dd6 100644 --- a/includes/controller/user_angeltypes_controller.php +++ b/includes/controller/user_angeltypes_controller.php @@ -39,7 +39,7 @@ function user_angeltypes_unconfirmed_hint() foreach ($unconfirmed_user_angeltypes as $user_angeltype) { $unconfirmed_links[] = '' . $user_angeltype->angelType->name + . '">' . htmlspecialchars($user_angeltype->angelType->name) . ' (+' . $user_angeltype->count . ')' . ''; } @@ -438,7 +438,7 @@ function user_angeltype_join_controller(AngelType $angeltype) } return [ - sprintf(__('Become a %s'), $angeltype->name), + sprintf(__('Become a %s'), htmlspecialchars($angeltype->name)), UserAngelType_join_view($user, $angeltype), ]; } diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php index 5ed7a7e6..0e2dbe73 100644 --- a/includes/controller/users_controller.php 
+++ b/includes/controller/users_controller.php @@ -91,7 +91,7 @@ function user_delete_controller() } return [ - sprintf(__('Delete %s'), $user_source->displayName), + sprintf(__('Delete %s'), htmlspecialchars($user_source->displayName)), User_delete_view($user_source), ]; } @@ -182,7 +182,7 @@ function user_edit_vouchers_controller() } return [ - sprintf(__('%s\'s vouchers'), $user_source->displayName), + sprintf(__('%s\'s vouchers'), htmlspecialchars($user_source->displayName)), User_edit_vouchers_view($user_source), ]; } @@ -244,7 +244,7 @@ function user_controller() } return [ - $user_source->displayName, + htmlspecialchars($user_source->displayName), User_view( $user_source, auth()->can('admin_user'), diff --git a/includes/engelsystem.php b/includes/engelsystem.php index b156c68a..0c368dc8 100644 --- a/includes/engelsystem.php +++ b/includes/engelsystem.php @@ -23,7 +23,7 @@ if ($app->get('config')->get('maintenance')) { http_response_code(503); $url = $app->get(UrlGeneratorInterface::class); $maintenance = file_get_contents(__DIR__ . '/../resources/views/layouts/maintenance.html'); - $maintenance = str_replace('%APP_NAME%', $app->get('config')->get('app_name'), $maintenance); + $maintenance = str_replace('%APP_NAME%', htmlspecialchars($app->get('config')->get('app_name')), $maintenance); $maintenance = str_replace('%ASSETS_PATH%', $url->to(''), $maintenance); echo $maintenance; die(); diff --git a/includes/helper/message_helper.php b/includes/helper/message_helper.php index 13526a63..d550fd44 100644 --- a/includes/helper/message_helper.php +++ b/includes/helper/message_helper.php 
@@ -17,11 +17,12 @@ function msg() * * @param string $msg * @param bool $immediately + * @param bool $immediatelyRaw * @return string */ -function info($msg, $immediately = false) +function info($msg, $immediately = false, $immediatelyRaw = false) { - return alert(NotificationType::INFORMATION, $msg, $immediately); + return alert(NotificationType::INFORMATION, $msg, $immediately, $immediatelyRaw); } /** @@ -29,11 +30,12 @@ function info($msg, $immediately = false) * * @param string $msg * @param bool $immediately + * @param bool $immediatelyRaw * @return string */ -function warning($msg, $immediately = false) +function warning($msg, $immediately = false, $immediatelyRaw = false) { - return alert(NotificationType::WARNING, $msg, $immediately); + return alert(NotificationType::WARNING, $msg, $immediately, $immediatelyRaw); } /** @@ -41,11 +43,12 @@ function warning($msg, $immediately = false) * * @param string $msg * @param bool $immediately + * @param bool $immediatelyRaw * @return string */ -function error($msg, $immediately = false) +function error($msg, $immediately = false, $immediatelyRaw = false) { - return alert(NotificationType::ERROR, $msg, $immediately); + return alert(NotificationType::ERROR, $msg, $immediately, $immediatelyRaw); } /** 
@@ -53,24 +56,27 @@ function error($msg, $immediately = false) * * @param string $msg * @param bool $immediately + * @param bool $immediatelyRaw * @return string */ -function success($msg, $immediately = false) +function success($msg, $immediately = false, $immediatelyRaw = false) { - return alert(NotificationType::MESSAGE, $msg, $immediately); + return alert(NotificationType::MESSAGE, $msg, $immediately, $immediatelyRaw); } /** * Renders an alert message with the given alert-* class or sets it in session * - * @see \Engelsystem\Controllers\HasUserNotifications - * * @param NotificationType $type * @param string $msg * @param bool $immediately + * @param bool $immediatelyRaw * @return string + * + * @see \Engelsystem\Controllers\HasUserNotifications + * */ -function alert(NotificationType $type, $msg, $immediately = false) +function alert(NotificationType $type, $msg, $immediately = false, $immediatelyRaw = false) { if (empty($msg)) { return ''; @@ -87,6 +93,7 @@ function alert(NotificationType $type, $msg, $immediately = false) ['danger', 'warning', 'info', 'success'], $type->value ); + $msg = $immediatelyRaw ? $msg : htmlspecialchars($msg); return ''; } diff --git a/includes/pages/admin_free.php b/includes/pages/admin_free.php index 7fd17faa..ff6859fe 100644 --- a/includes/pages/admin_free.php +++ b/includes/pages/admin_free.php @@ -100,9 +100,9 @@ function admin_free() 'name' => User_Nick_render($usr) . User_Pronoun_render($usr), 'shift_state' => User_shift_state_render($usr), 'last_shift' => User_last_shift_render($usr), - 'dect' => sprintf('%1$s', $usr->contact->dect), + 'dect' => sprintf('%1$s', htmlspecialchars((string) $usr->contact->dect)), 'email' => $usr->settings->email_human - ? sprintf('%1$s', $email) + ? sprintf('%1$s', htmlspecialchars((string) $email)) : icon('eye-slash'), 'actions' => auth()->can('admin_user') diff --git a/includes/pages/admin_groups.php b/includes/pages/admin_groups.php index 5e46d5ba..6152475b 100644 
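Review bot: The `$immediatelyRaw` parameter added to alert() and its four wrappers is documented only as `@param bool $immediatelyRaw`, which says nothing about the contract that matters: passing true skips the `htmlspecialchars($msg)` added in the last hunk and makes the caller responsible for escaping. Suggest `@param bool $immediatelyRaw Render $msg as HTML without escaping; the caller must have escaped any user-controlled parts` on each of the five docblocks. The escape is only visible on the immediate-render path; whether session-queued messages (the `$immediately === false` branch above this hunk) are escaped when rendered later is not shown here and should be confirmed. Since the file already relies on PHP 8.1 (backed enum `NotificationType`), call sites could pass `immediatelyRaw: true` instead of a third positional bool.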
--- a/includes/pages/admin_groups.php +++ b/includes/pages/admin_groups.php @@ -31,11 +31,11 @@ function admin_groups() $privileges_html = []; foreach ($privileges as $privilege) { - $privileges_html[] = $privilege['name']; + $privileges_html[] = htmlspecialchars($privilege['name']); } $groups_table[] = [ - 'name' => $group->name, + 'name' => htmlspecialchars($group->name), 'privileges' => join(', ', $privileges_html), 'actions' => button( page_link_to( @@ -72,15 +72,15 @@ function admin_groups() foreach ($privileges as $privilege) { $privileges_form[] = form_checkbox( 'privileges[]', - $privilege->description . ' (' . $privilege->name . ')', + htmlspecialchars($privilege->description . ' (' . $privilege->name . ')'), $privilege->selected != '', $privilege->id, - 'privilege-' . $privilege->name + 'privilege-' . htmlspecialchars($privilege->name) ); } $privileges_form[] = form_submit('submit', __('Save')); - $html .= page_with_title(__('Edit group') . ' ' . $group->name, [ + $html .= page_with_title(__('Edit group') . ' ' . htmlspecialchars($group->name), [ form( $privileges_form, page_link_to('admin_groups', ['action' => 'save', 'id' => $group->id]) diff --git a/includes/pages/admin_shifts.php b/includes/pages/admin_shifts.php index 01cb7bdb..2cc92256 100644 --- a/includes/pages/admin_shifts.php +++ b/includes/pages/admin_shifts.php @@ -333,7 +333,7 @@ function admin_shifts() . Room_name_render(Room::find($shift['room_id'])), 'title' => ShiftType_name_render(ShiftType::find($shifttype_id)) - . ($shift['title'] ? '
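Review bot: `form_checkbox('privileges[]', htmlspecialchars($privilege->description . ' (' . $privilege->name . ')'), ...)` escapes the label at the call site, while the same commit also touches form_checkbox() in sys_form.php (that hunk's body is not visible here); if form_checkbox now escapes its label as well, a privilege name containing `&` renders as `&amp;amp;`. Pick one side: either the helper escapes and callers pass raw text (the safer default, since it covers every caller), or the helper stays raw and this call is correct. The same question applies to the pre-escaped angel type labels guest_register hands to form_checkbox in this commit.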
' . $shift['title'] : ''), + . ($shift['title'] ? '
' . htmlspecialchars($shift['title']) : ''), 'needed_angels' => '', ]; foreach ($types as $type) { @@ -443,7 +443,7 @@ function admin_shifts() $angel_types .= '
' . form_spinner( 'angeltype_count_' . $type->id, - $type->name, + htmlspecialchars($type->name), $needed_angel_types[$type->id], [ 'radio-name' => 'angelmode', diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php index b02d7473..71179006 100644 --- a/includes/pages/admin_user.php +++ b/includes/pages/admin_user.php @@ -48,7 +48,7 @@ function admin_user() $html .= ' ' . __('If the angel is active, it can claim a goodie. If goodie is set to \'Yes\', the angel already got their goodie.'); } } - $html .= '

'; + $html .= '

'; $html .= '
' . "\n"; @@ -57,20 +57,32 @@ function admin_user() $html .= '' . "\n"; $html .= '' . "\n"; $html .= '' . "\n"; - $html .= ' ' . "\n"; + $html .= ' ' . "\n"; $html .= ' ' . "\n"; if (config('enable_user_name')) { - $html .= ' ' . "\n"; - $html .= ' ' . "\n"; + $html .= ' ' . "\n"; + $html .= ' ' . "\n"; } - $html .= ' ' . "\n"; + $html .= ' ' . "\n"; if (config('enable_dect')) { - $html .= ' ' . "\n"; + $html .= ' ' . "\n"; } if ($user_source->settings->email_human) { - $html .= ' ' . "\n"; + $html .= ' ' . "\n"; } if ($goodie_tshirt) { $html .= '
' . __('Nickname') . '' . '
' . __('Nickname') . '' + . '' + . '
' . __('Last login') . '

' . ($user_source->last_login_at ? $user_source->last_login_at->format(__('Y-m-d H:i')) : '-') . '

' . __('Prename') . '' . '
' . __('Last name') . '' . '
' . __('Prename') . '' + . '' + . '
' . __('Last name') . '' + . '' + . '
' . __('Mobile') . '' . '
' . __('Mobile') . '' + . '' + . '
' . __('DECT') . '' . '
' . __('DECT') . '' + . '' + . '
' . __('settings.profile.email') . '' . '
' . __('settings.profile.email') . '' + . '' + . '
' . __('user.shirt_size') . '' @@ -120,11 +132,11 @@ function admin_user() $html .= '
' . "\n" . ''; $html .= '' . "\n"; - $html .= '' . "\n" . '
' . "\n"; + $html .= '' . "\n" . '
' . "\n"; $html .= '' . "\n"; $html .= '
'; - $html .= '
'; + $html .= '
'; $html .= form_info('', __('Please visit the angeltypes page or the users profile to manage the users angeltypes.')); @@ -133,14 +145,18 @@ function admin_user() . '" method="post">' . "\n"; $html .= form_csrf(); $html .= '' . "\n"; - $html .= ' ' . "\n"; - $html .= ' ' . "\n"; + $html .= ' ' . "\n"; + $html .= ' ' . "\n"; - $html .= '
' . __('Password') . '' . '
' . __('Confirm password') . '' . '
' . __('Password') . '' + . '' + . '
' . __('Confirm password') . '' + . '' + . '
' . "\n" . '
' . "\n"; + $html .= '' . "\n" . '
' . "\n"; $html .= '' . "\n"; $html .= ''; - $html .= '
'; + $html .= '
'; /** @var Group $my_highest_group */ $my_highest_group = $user->groups()->orderByDesc('id')->first(); @@ -168,7 +184,9 @@ function admin_user() $html .= '
' . 'selected ? ' checked="checked"' : '') - . ' />
'; + . ' />
'; } $html .= '
'; @@ -176,7 +194,7 @@ function admin_user() $html .= '' . "\n"; $html .= ''; - $html .= '
'; + $html .= '
'; } $html .= buttons([ diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index 851e7670..c391f676 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -86,7 +86,7 @@ function guest_register() if ($angel_type->hide_register) { continue; } - $angel_types[$angel_type->id] = $angel_type->name + $angel_types[$angel_type->id] = htmlspecialchars($angel_type->name) . ($angel_type->restricted ? ' (' . __('Requires introduction') . ')' : ''); if (!$angel_type->restricted) { $selected_angel_types[] = $angel_type->id; @@ -436,7 +436,7 @@ function guest_register() 'email_shiftinfo', __( 'settings.profile.email_shiftinfo', - [config('app_name')] + [htmlspecialchars(config('app_name'))] ), $email_shiftinfo ), @@ -459,7 +459,7 @@ function guest_register() form_checkbox( 'email_goody', __('To receive vouchers, give consent that nick, email address, worked hours and shirt size will be stored until the next similar event.') - . (config('privacy_email') ? ' ' . __('To withdraw your approval, send an email to %1$s.', [config('privacy_email')]) : ''), + . (config('privacy_email') ? ' ' . __('To withdraw your approval, send an email to %1$s.', [htmlspecialchars(config('privacy_email'))]) : ''), $email_goody ) : '', ]), diff --git a/includes/pages/user_shifts.php b/includes/pages/user_shifts.php index d1b7a08f..841ff8f2 100644 --- a/includes/pages/user_shifts.php +++ b/includes/pages/user_shifts.php @@ -377,15 +377,6 @@ function ical_hint() . '

' . $user->api_key . '

'; } -/** - * @param array $array - * @return array - */ -function get_ids_from_array($array) -{ - return $array['id']; -} - /** * @param array $items * @param array $selected @@ -418,7 +409,7 @@ function make_select($items, $selected, $name, $title = null, $ownSelect = []) $htmlItems[] = '
' . '' + . '>' . (!isset($i['enabled']) || $i['enabled'] ? '' : icon('mortarboard-fill')) . '
'; } diff --git a/includes/sys_form.php b/includes/sys_form.php index 2ef208a5..fae7988a 100644 --- a/includes/sys_form.php +++ b/includes/sys_form.php @@ -128,14 +128,15 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $html_id = } return '
' - . '
'; } /** - * Rendert einen Radio + * Renders a radio button * * @param string $name * @param string $label @@ -232,26 +233,6 @@ function form_text($name, $label, $value, $disabled = false, $maxlength = null, ); } -/** - * Renders a text input with placeholder instead of label. - * - * @param string $name Input name - * @param string $placeholder Placeholder - * @param string $value The value - * @param boolean $disabled Is the field enabled? - * @return string - */ -function form_text_placeholder($name, $placeholder, $value, $disabled = false) -{ - $disabled = $disabled ? ' disabled="disabled"' : ''; - return form_element( - '', - '' - ); -} - /** * Rendert ein Formular-Emailfeld * @@ -277,22 +258,6 @@ function form_email($name, $label, $value, $disabled = false, $autocomplete = nu ); } -/** - * Rendert ein Formular-Dateifeld - * - * @param string $name - * @param string $label - * @return string - */ -function form_file($name, $label) -{ - return form_element( - $label, - sprintf('', $name), - 'form_' . $name - ); -} - /** * Rendert ein Formular-Passwortfeld * @@ -308,7 +273,7 @@ function form_password($name, $label, $autocomplete, $disabled = false) return form_element( $label, sprintf( - '', + '', $name, config('min_password_length'), $autocomplete, @@ -318,25 +283,6 @@ function form_password($name, $label, $autocomplete, $disabled = false) ); } -/** - * Renders a password input with placeholder instead of label. - * - * @param string $name - * @param string $placeholder - * @param bool $disabled - * @return string - */ -function form_password_placeholder($name, $placeholder, $disabled = false) -{ - $disabled = $disabled ? ' disabled="disabled"' : ''; - return form_element( - '', - '', - 'form_' . $name - ); -} - /** * Rendert ein Formular-Textfeld * 
@@ -463,9 +409,13 @@ function html_select_key($dom_id, $name, $rows, $selected, $selectText = '') } foreach ($rows as $key => $row) { if (($key == $selected) || ($row === $selected)) { - $html .= ''; + $html .= ''; } else { - $html .= ''; + $html .= ''; } } $html .= ''; diff --git a/includes/sys_menu.php b/includes/sys_menu.php index 815c604c..35b96a1b 100644 --- a/includes/sys_menu.php +++ b/includes/sys_menu.php @@ -76,15 +76,22 @@ function make_navigation() } $title = ((array) $options)[0]; - $menu[] = toolbar_item_link(page_link_to($menu_page), '', $title, $menu_page == $page); + $menu[] = toolbar_item_link( + page_link_to($menu_page), + '', + $title, + $menu_page == $page + ); } $menu = make_room_navigation($menu); $admin_menu = []; $admin_pages = [ - // path => name - // path => [name, permission] + // Examples: + // path => name, + // path => [name, permission], + 'admin_arrive' => 'Arrive angels', 'admin_active' => 'Active angels', 'users' => ['All Angels', 'admin_user'], @@ -111,7 +118,7 @@ function make_navigation() $title = ((array) $options)[0]; $admin_menu[] = toolbar_dropdown_item( page_link_to($menu_page), - __($title), + htmlspecialchars(__($title)), $menu_page == $page ); } diff --git a/includes/sys_page.php b/includes/sys_page.php index a5eb7142..b0e7b492 100644 --- a/includes/sys_page.php +++ b/includes/sys_page.php @@ -2,9 +2,7 @@ use Engelsystem\Helpers\Carbon; use Engelsystem\Http\Exceptions\HttpTemporaryRedirect; -use Engelsystem\Models\BaseModel; use Engelsystem\ValidationResult; -use Illuminate\Support\Collection; /** * Provide page/request helper functions 
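Review bot: `htmlspecialchars(__($title))` in make_navigation is passed to toolbar_dropdown_item(), which this same commit changes to apply `htmlspecialchars($label)` itself (sys_template.php hunk), so any admin menu title containing `&`, `<` or `"` is encoded twice and renders literally as `&amp;`. Drop the caller-side call here, leaving `__($title),`, and let the helper own the escaping, which also protects the other callers of toolbar_dropdown_item. The non-admin menu a few lines up still passes `$title` unescaped to toolbar_item_link(); that helper is touched in sys_template.php but its body is not visible here, so please confirm it escapes too.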
@@ -63,41 +61,6 @@ function throw_redirect($url) throw new HttpTemporaryRedirect($url); } -/** - * Echoes given output and dies. - * - * @param string $output String to display - */ -function raw_output($output = '') -{ - echo $output; - die(); -} - -/** - * Helper function for transforming list of entities into array for select boxes. - * - * @param array|Collection $data The data array - * @param string $key_name name of the column to use as id/key - * @param string $value_name name of the column to use as displayed value - * - * @return array|Collection - */ -function select_array($data, $key_name, $value_name) -{ - if ($data instanceof Collection) { - return $data->mapWithKeys(function (BaseModel $model) use ($key_name, $value_name) { - return [$model->{$key_name} => $model->{$value_name}]; - }); - } - - $return = []; - foreach ($data as $value) { - $return[$value[$key_name]] = $value[$value_name]; - } - return $return; -} - /** * Returns an int[] from given request param name. * @@ -185,23 +148,6 @@ function strip_request_item($name, $default_value = null) return $default_value; } -/** - * Returns REQUEST value or default value (null) if not set. - * - * @param string $name - * @param string|null $default_value - * @return mixed|null - */ -function strip_request_tags($name, $default_value = null) -{ - $request = request(); - if ($request->has($name)) { - return strip_tags($request->input($name)); - } - - return $default_value; -} - /** * Testet, ob der angegebene REQUEST Wert ein Integer ist, bzw. * eine ID sein könnte. diff --git a/includes/sys_template.php b/includes/sys_template.php index bad1cf2a..56df96e2 100644 --- a/includes/sys_template.php +++ b/includes/sys_template.php @@ -72,17 +72,6 @@ function tabs($tabs, $selected = 0) ]); } -/** - * Display muted (grey) text. - * - * @param string $text - * @return string - */ -function mute($text) -{ - return '' . $text . ''; -} - /** * Renders a bootstrap label with given content and class. * 
@@ -188,7 +177,7 @@ function toolbar_item_link($href, $icon, $label, $active = false) return ''; } @@ -196,11 +185,11 @@ function toolbar_item_link($href, $icon, $label, $active = false) function toolbar_dropdown_item(string $href, string $label, bool $active, string $icon = null): string { return strtr( - '
  • {icon} {label}
  • ', + '
  • {icon} {label}
  • ', [ '{href}' => $href, '{icon}' => $icon === null ? '' : '', - '{label}' => $label, + '{label}' => htmlspecialchars($label), '{active}' => $active ? ' active' : '', '{aria}' => $active ? ' aria-current="page"' : '', ] @@ -235,7 +224,7 @@ EOT; $template, [ '{class}' => $active ? ' active' : '', - '{label}' => $label, + '{label}' => htmlspecialchars($label), '{submenu}' => join("\n", $submenu), ] ); diff --git a/includes/view/AngelTypes_view.php b/includes/view/AngelTypes_view.php index 290e93ae..81e6bfd5 100644 --- a/includes/view/AngelTypes_view.php +++ b/includes/view/AngelTypes_view.php @@ -26,7 +26,7 @@ function AngelType_name_render(AngelType $angeltype, $plain = false) } return '' - . ($angeltype->restricted ? icon('mortarboard-fill') : '') . $angeltype->name + . ($angeltype->restricted ? icon('mortarboard-fill') : '') . htmlspecialchars($angeltype->name) . ''; } @@ -60,7 +60,7 @@ function AngelType_render_membership(AngelType $user_angeltype) */ function AngelType_delete_view(AngelType $angeltype) { - return page_with_title(sprintf(__('Delete angeltype %s'), $angeltype->name), [ + return page_with_title(sprintf(__('Delete angeltype %s'), htmlspecialchars($angeltype->name)), [ info(sprintf(__('Do you want to delete angeltype %s?'), $angeltype->name), true), form([ buttons([ 
@@ -80,14 +80,14 @@ function AngelType_delete_view(AngelType $angeltype) */ function AngelType_edit_view(AngelType $angeltype, bool $supporter_mode) { - return page_with_title(sprintf(__('Edit %s'), $angeltype->name), [ + return page_with_title(sprintf(__('Edit %s'), htmlspecialchars((string) $angeltype->name)), [ buttons([ button(page_link_to('angeltypes'), icon('person-lines-fill') . __('Angeltypes'), 'back'), ]), msg(), form([ $supporter_mode - ? form_info(__('Name'), $angeltype->name) + ? form_info(__('Name'), htmlspecialchars($angeltype->name)) : form_text('name', __('Name'), $angeltype->name), $supporter_mode ? form_info(__('Requires introduction'), $angeltype->restricted ? __('Yes') : __('No')) @@ -244,7 +244,7 @@ function AngelType_view_members(AngelType $angeltype, $members, $admin_user_ange foreach ($members as $member) { $member->name = User_Nick_render($member) . User_Pronoun_render($member); if (config('enable_dect')) { - $member['dect'] = $member->contact->dect; + $member['dect'] = htmlspecialchars((string) $member->contact->dect); } if ($angeltype->requires_driver_license) { $member['wants_to_drive'] = icon_bool($member->license->wantsToDrive()); @@ -405,7 +405,7 @@ function AngelType_view( ShiftCalendarRenderer $shiftCalendarRenderer, $tab ) { - return page_with_title(sprintf(__('Team %s'), $angeltype->name), [ + return page_with_title(sprintf(__('Team %s'), htmlspecialchars($angeltype->name)), [ AngelType_view_buttons($angeltype, $user_angeltype, $admin_angeltypes, $supporter, $user_driver_license, $user), msg(), tabs([ @@ -465,7 +465,7 @@ function AngelType_view_info( $info[] = '
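Review bot: `$parsedown->parse(htmlspecialchars($angeltype->description))` in AngelType_view_info escapes before Markdown parsing, which changes the output for legitimate descriptions: `>` blockquotes and `&`/`"` in text no longer parse as Markdown, and content inside code spans is (as far as I recall Parsedown's behaviour) escaped a second time. Parsedown has a dedicated mode for untrusted input, `$parsedown->setSafeMode(true); $info[] = $parsedown->text($angeltype->description);`, which escapes raw HTML and drops `javascript:` links while keeping Markdown intact; worth using if the bundled Parsedown is 1.7 or newer. The same pre-escape pattern appears in Room_view and ShiftType_view in this commit. AngelType_view_info continues outside the hunk.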
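Review bot: The rewritten AngelTypes_render_contact_info calls `htmlspecialchars($angeltype->contact_name)`, `contact_dect` and `contact_email` without the `(string)` cast the rest of this commit uses for DECT values (`htmlspecialchars((string) $member->contact->dect)` in AngelType_view_members); if any of these columns is nullable, the first null value emits a PHP 8.1 deprecation for passing null to htmlspecialchars. Use `htmlspecialchars((string) $angeltype->contact_name)` and so on, or better escape once into locals such as `$name = htmlspecialchars((string) $angeltype->contact_name);` instead of calling htmlspecialchars twice per field. Note that `%1$s` in the DECT and e-mail sprintf templates lands in both an attribute and text content; with PHP 8.1's default ENT_QUOTES that is covered as long as the attribute is quoted.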

    ' . __('Description') . '

    '; $parsedown = new Parsedown(); if ($angeltype->description != '') { - $info[] = $parsedown->parse($angeltype->description); + $info[] = $parsedown->parse(htmlspecialchars($angeltype->description)); } list($supporters, $members_confirmed, $members_unconfirmed) = AngelType_view_members( @@ -539,9 +539,20 @@ function AngelType_view_info( function AngelTypes_render_contact_info(AngelType $angeltype) { $info = [ - __('Name') => [$angeltype->contact_name, $angeltype->contact_name], - __('DECT') => config('enable_dect') ? [sprintf('%1$s', $angeltype->contact_dect), $angeltype->contact_dect] : null, - __('E-Mail') => [sprintf('%1$s', $angeltype->contact_email), $angeltype->contact_email], + __('Name') => [ + htmlspecialchars($angeltype->contact_name), + htmlspecialchars($angeltype->contact_name), + ], + __('DECT') => config('enable_dect') + ? [ + sprintf('%1$s', htmlspecialchars($angeltype->contact_dect)), + htmlspecialchars($angeltype->contact_dect), + ] + : null, + __('E-Mail') => [ + sprintf('%1$s', htmlspecialchars($angeltype->contact_email)), + htmlspecialchars($angeltype->contact_email), + ], ]; $contactInfo = []; foreach ($info as $name => $data) { diff --git a/includes/view/PublicDashboard_view.php b/includes/view/PublicDashboard_view.php index a39946bf..b77d9152 100644 --- a/includes/view/PublicDashboard_view.php +++ b/includes/view/PublicDashboard_view.php @@ -19,7 +19,9 @@ function public_dashboard_view($stats, $free_shifts, $important_news) if ($important_news->isNotEmpty()) { $first_news = $important_news->first(); $news = div('alert alert-warning text-center', [ - '' . $first_news->title . '', + '' + . '' . htmlspecialchars($first_news->title) . '' + . '', ]); } @@ -93,17 +95,17 @@ function public_dashboard_shift_render($shift) $panel_body = icon('clock-history') . $shift['start'] . ' - ' . $shift['end']; $panel_body .= ' (' . $shift['duration'] . ' h)'; - $panel_body .= '
    ' . icon('list-task') . $shift['shifttype_name']; + $panel_body .= '
    ' . icon('list-task') . htmlspecialchars($shift['shifttype_name']); if (!empty($shift['title'])) { - $panel_body .= ' (' . $shift['title'] . ')'; + $panel_body .= ' (' . htmlspecialchars($shift['title']) . ')'; } - $panel_body .= '
    ' . icon('pin-map-fill') . $shift['room_name']; + $panel_body .= '
    ' . icon('pin-map-fill') . htmlspecialchars($shift['room_name']); foreach ($shift['needed_angels'] as $needed_angels) { $panel_body .= '
    ' . icon('person') . '' - . $needed_angels['need'] . ' × ' . $needed_angels['angeltype_name'] + . $needed_angels['need'] . ' × ' . htmlspecialchars($needed_angels['angeltype_name']) . ''; } diff --git a/includes/view/Rooms_view.php b/includes/view/Rooms_view.php index f1ba4c4c..2693b901 100644 --- a/includes/view/Rooms_view.php +++ b/includes/view/Rooms_view.php @@ -24,13 +24,13 @@ function Room_view(Room $room, ShiftsFilterRenderer $shiftsFilterRenderer, Shift if ($room->description) { $description = '

    ' . __('Description') . '

    '; $parsedown = new Parsedown(); - $description .= $parsedown->parse($room->description); + $description .= $parsedown->parse(htmlspecialchars($room->description)); } $dect = ''; if (config('enable_dect') && $room->dect) { $dect = heading(__('Contact'), 3) - . description([__('DECT') => sprintf('%1$s', $room->dect)]); + . description([__('DECT') => sprintf('%1$s', htmlspecialchars($room->dect))]); } $tabs = []; @@ -39,7 +39,7 @@ function Room_view(Room $room, ShiftsFilterRenderer $shiftsFilterRenderer, Shift '
    ' . '' . '
    ', - $room->map_url + htmlspecialchars($room->map_url) ); } @@ -57,7 +57,7 @@ function Room_view(Room $room, ShiftsFilterRenderer $shiftsFilterRenderer, Shift $selected_tab = count($tabs) - 1; } - return page_with_title(icon('pin-map-fill') . $room->name, [ + return page_with_title(icon('pin-map-fill') . htmlspecialchars($room->name), [ $assignNotice, auth()->can('admin_rooms') ? buttons([ button( @@ -79,8 +79,8 @@ function Room_view(Room $room, ShiftsFilterRenderer $shiftsFilterRenderer, Shift function Room_name_render(Room $room) { if (auth()->can('view_rooms')) { - return '' . icon('pin-map-fill') . $room->name . ''; + return '' . icon('pin-map-fill') . htmlspecialchars($room->name) . ''; } - return icon('pin-map-fill') . $room->name; + return icon('pin-map-fill') . htmlspecialchars($room->name); } diff --git a/includes/view/ShiftCalendarShiftRenderer.php b/includes/view/ShiftCalendarShiftRenderer.php index 3ab89147..5caa8976 100644 --- a/includes/view/ShiftCalendarShiftRenderer.php +++ b/includes/view/ShiftCalendarShiftRenderer.php @@ -29,7 +29,7 @@ class ShiftCalendarShiftRenderer { $info_text = ''; if ($shift->title != '') { - $info_text = icon('info-circle') . $shift->title . '
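Review bot: `htmlspecialchars($room->map_url)` only prevents breaking out of the attribute; it does not stop a `javascript:` or `data:` URL from being placed into the URL-bearing attribute built by the surrounding sprintf (the template itself is not visible here), so a map URL supplied through the room form is still executable markup if it is rendered as a link or frame source. Gate the tab on the scheme, e.g. `if ($room->map_url && preg_match('#^https?://#i', $room->map_url)) {` around the existing block, and ideally reject other schemes when the room is saved. Room_view continues outside the hunk.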
    '; + $info_text = icon('info-circle') . htmlspecialchars($shift->title) . '
    '; } list($shift_signup_state, $shifts_row) = $this->renderShiftNeededAngeltypes( $shift, @@ -199,7 +199,7 @@ class ShiftCalendarShiftRenderer : $inner_text . '
    ' . button( page_link_to('user_angeltypes', ['action' => 'add', 'angeltype_id' => $angeltype->id]), - sprintf(__('Become %s'), $angeltype->name), + sprintf(__('Become %s'), htmlspecialchars($angeltype->name)), 'btn-sm' ), // Shift collides or user is already signed up: No signup allowed @@ -262,7 +262,7 @@ class ShiftCalendarShiftRenderer } $shift_heading = $shift->start->format('H:i') . ' ‐ ' . $shift->end->format('H:i') . ' — ' - . $shift->shiftType->name; + . htmlspecialchars($shift->shiftType->name); if ($needed_angeltypes_count > 0) { $shift_heading = '' . $needed_angeltypes_count . ' ' . $shift_heading; diff --git a/includes/view/ShiftEntry_view.php b/includes/view/ShiftEntry_view.php index 31242b46..4d8f33f9 100644 --- a/includes/view/ShiftEntry_view.php +++ b/includes/view/ShiftEntry_view.php @@ -19,7 +19,7 @@ function ShiftEntry_delete_view_admin(Shift $shift, AngelType $angeltype, User $ return page_with_title(ShiftEntry_delete_title(), [ info(sprintf( __('Do you want to sign off %s from shift %s from %s to %s as %s?'), - User_Nick_render($signoff_user), + $signoff_user->displayName, $shift->shiftType->name, $shift->start->format(__('Y-m-d H:i')), $shift->end->format(__('Y-m-d H:i')), @@ -92,7 +92,7 @@ function ShiftEntry_create_view_admin( ) { $start = $shift->start->format(__('Y-m-d H:i')); return page_with_title( - ShiftEntry_create_title() . ': ' . $shift->shiftType->name + ShiftEntry_create_title() . ': ' . htmlspecialchars($shift->shiftType->name) . ' %c', [ Shift_view_header($shift, $room), @@ -120,7 +120,7 @@ function ShiftEntry_create_view_supporter(Shift $shift, Room $room, AngelType $a { $start = $shift->start->format(__('Y-m-d H:i')); return page_with_title( - ShiftEntry_create_title() . ': ' . $shift->shiftType->name + ShiftEntry_create_title() . ': ' . htmlspecialchars($shift->shiftType->name) . ' %c', [ Shift_view_header($shift, $room), 
@@ -149,7 +149,7 @@ function ShiftEntry_create_view_user(Shift $shift, Room $room, AngelType $angelt { $start = $shift->start->format(__('Y-m-d H:i')); return page_with_title( - ShiftEntry_create_title() . ': ' . $shift->shiftType->name + ShiftEntry_create_title() . ': ' . htmlspecialchars($shift->shiftType->name) . ' %c', [ Shift_view_header($shift, $room), @@ -218,9 +218,9 @@ function ShiftEntry_edit_view( form([ form_info(__('Angel:'), User_Nick_render($angel)), form_info(__('Date, Duration:'), $date), - form_info(__('Location:'), $location), - form_info(__('Title:'), $title), - form_info(__('Type:'), $type), + form_info(__('Location:'), htmlspecialchars($location)), + form_info(__('Title:'), htmlspecialchars($title)), + form_info(__('Type:'), htmlspecialchars($type)), $comment, join('', $freeload_form), form_submit('submit', __('Save')), diff --git a/includes/view/ShiftTypes_view.php b/includes/view/ShiftTypes_view.php index 4f2a7b07..f19f883e 100644 --- a/includes/view/ShiftTypes_view.php +++ b/includes/view/ShiftTypes_view.php @@ -10,7 +10,7 @@ use Illuminate\Support\Collection; function ShiftType_name_render(ShiftType $shifttype) { if (auth()->can('shifttypes')) { - return '' . $shifttype->name . ''; + return '' . htmlspecialchars($shifttype->name) . ''; } return $shifttype->name; } @@ -21,7 +21,7 @@ function ShiftType_name_render(ShiftType $shifttype) */ function ShiftType_delete_view(ShiftType $shifttype) { - return page_with_title(sprintf(__('Delete shifttype %s'), $shifttype->name), [ + return page_with_title(sprintf(__('Delete shifttype %s'), htmlspecialchars($shifttype->name)), [ info(sprintf(__('Do you want to delete shifttype %s?'), $shifttype->name), true), form([ buttons([ 
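Review bot: ShiftType_name_render still returns the unescaped name in its fallback branch (the `return $shifttype->name;` context line after the changed link), so users without the `shifttypes` permission get the raw name while privileged users get the escaped one; the Room_name_render hunk in this commit escapes both branches. Change it to `return htmlspecialchars($shifttype->name);` so both paths are safe in HTML context.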
@@ -67,7 +67,7 @@ function ShiftType_view(ShiftType $shifttype) { $parsedown = new Parsedown(); $title = $shifttype->name; - return page_with_title($title, [ + return page_with_title(htmlspecialchars($title), [ msg(), buttons([ button(page_link_to('shifttypes'), shifttypes_title(), 'back'), @@ -81,7 +81,7 @@ function ShiftType_view(ShiftType $shifttype) ), ]), heading(__('Description'), 2), - $parsedown->parse($shifttype->description), + $parsedown->parse(htmlspecialchars($shifttype->description)), ], true); } @@ -95,7 +95,7 @@ function ShiftTypes_list_view($shifttypes) $shifttype->name = '' - . $shifttype->name + . htmlspecialchars($shifttype->name) . ''; $shifttype->actions = table_buttons([ button( diff --git a/includes/view/Shifts_view.php b/includes/view/Shifts_view.php index 5e27dc0f..e0c99b53 100644 --- a/includes/view/Shifts_view.php +++ b/includes/view/Shifts_view.php @@ -24,8 +24,8 @@ function Shift_view_header(Shift $shift, Room $room) '
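Review bot: `$parsedown->parse(htmlspecialchars($shifttype->description))` escapes the markdown source before it is parsed, so legitimate markdown is altered: a `>` blockquote line becomes a literal `&gt;`, an `&` inside a link URL can be double-encoded, and quotes in link titles no longer parse. Parsedown's own `setSafeMode(true)` (available since Parsedown 1.7) escapes raw HTML in the input while leaving markdown syntax intact, so `$parsedown->setSafeMode(true);` right after `new Parsedown()` is the better fix and removes the need to pre-escape. The same pattern is introduced in Shifts_view.php at the -185 hunk for both `$shifttype->description` and `$shift->description`; a short comment there, `// safe mode: raw HTML in descriptions is escaped by the parser`, would explain why no htmlspecialchars is needed.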

    ' . __('Title') . '

    ', '

    ' . ($shift->url != '' - ? '' . $shift->title . '' - : $shift->title) + ? '' . htmlspecialchars($shift->title) . '' + : htmlspecialchars($shift->title)) . '

    ', ]), div('col-sm-3 col-xs-6', [ @@ -98,7 +98,7 @@ function Shift_signup_button_render(Shift $shift, AngelType $angeltype) page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype->id]), sprintf( __('Become %s'), - $angeltype->name + htmlspecialchars($angeltype->name) ) ); } @@ -170,8 +170,15 @@ function Shift_view(Shift $shift, ShiftType $shifttype, Room $room, $angeltypes_ $buttons = [ $shift_admin ? button(shift_edit_link($shift), icon('pencil') . __('edit')) : '', $shift_admin ? button(shift_delete_link($shift), icon('trash') . __('delete')) : '', - $admin_shifttypes ? button(shifttype_link($shifttype), $shifttype->name) : '', - $admin_rooms ? button(room_link($room), icon('pin-map-fill') . $room->name) : '', + $admin_shifttypes + ? button(shifttype_link($shifttype), htmlspecialchars($shifttype->name)) + : '', + $admin_rooms + ? button( + room_link($room), + icon('pin-map-fill') . htmlspecialchars($room->name) + ) + : '', ]; } $buttons[] = button(user_link(auth()->user()->id), ' ' . __('My shifts')); @@ -185,8 +192,8 @@ function Shift_view(Shift $shift, ShiftType $shifttype, Room $room, $angeltypes_ ]), div('col-sm-6', [ '
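Review bot: In Shift_view_header the markup around `$shift->url` has been stripped from this rendering of the hunk, so I cannot confirm it, but the change escapes only `$shift->title`; if the first branch builds an anchor from `$shift->url`, that value still goes into an attribute without escaping. It should get the same `htmlspecialchars($shift->url)` treatment (an attribute context needs ENT_QUOTES), and the loose `$shift->url != ''` could be tightened to `($shift->url ?? '') !== ''` without changing its null handling. Shift_view_header continues past this hunk.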

    ' . __('Description') . '

    ', - $parsedown->parse($shifttype->description), - $parsedown->parse($shift->description), + $parsedown->parse(htmlspecialchars($shifttype->description)), + $parsedown->parse(htmlspecialchars($shift->description)), ]), ]); @@ -197,7 +204,8 @@ function Shift_view(Shift $shift, ShiftType $shifttype, Room $room, $angeltypes_ $start = $shift->start->format(__('Y-m-d H:i')); return page_with_title( - $shift->shiftType->name . ' %c', + htmlspecialchars($shift->shiftType->name) + . ' %c', $content ); } diff --git a/includes/view/UserAngelTypes_view.php b/includes/view/UserAngelTypes_view.php index e50e1f04..9f41b86a 100644 --- a/includes/view/UserAngelTypes_view.php +++ b/includes/view/UserAngelTypes_view.php @@ -138,7 +138,7 @@ function UserAngelType_add_view(AngelType $angeltype, $users_source, $user_id) { $users = []; foreach ($users_source as $user_source) { - $users[$user_source->id] = User_Nick_render($user_source); + $users[$user_source->id] = $user_source->displayName; } return page_with_title(__('Add user to angeltype'), [ @@ -151,7 +151,7 @@ function UserAngelType_add_view(AngelType $angeltype, $users_source, $user_id) ), ]), form([ - form_info(__('Angeltype'), $angeltype->name), + form_info(__('Angeltype'), htmlspecialchars($angeltype->name)), form_checkbox('auto_confirm_user', __('Confirm user'), true), form_select('user_id', __('User'), $users, $user_id), form_submit('submit', __('Add')), @@ -166,7 +166,7 @@ function UserAngelType_add_view(AngelType $angeltype, $users_source, $user_id) */ function UserAngelType_join_view($user, AngelType $angeltype) { - return page_with_title(sprintf(__('Become a %s'), $angeltype->name), [ + return page_with_title(sprintf(__('Become a %s'), htmlspecialchars($angeltype->name)), [ msg(), info(sprintf( __('Do you really want to add %s to %s?'), diff --git a/includes/view/UserHintsRenderer.php b/includes/view/UserHintsRenderer.php index 55c65595..4a06686f 100644 --- a/includes/view/UserHintsRenderer.php 
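Review bot: In UserAngelType_add_view, `$users[$user_source->id] = $user_source->displayName;` hands the raw display name to `form_select()` as an option label, replacing `User_Nick_render()` which presumably produced markup. Whether `form_select()` escapes option labels is not visible on this page; if it does, a comment such as `// plain text: form_select() escapes option labels` would stop the next reader from re-adding htmlspecialchars, and if it does not, escape here. UserAngelType_add_view continues past this hunk.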
+++ b/includes/view/UserHintsRenderer.php @@ -20,9 +20,9 @@ class UserHintsRenderer if (!empty($hint)) { if ($important) { $this->important = true; - $this->hints[] = error($hint, true); + $this->hints[] = error($hint, true, true); } else { - $this->hints[] = info($hint, true); + $this->hints[] = info($hint, true, true); } } } diff --git a/includes/view/User_view.php b/includes/view/User_view.php index 97ea6c0c..d9a553e3 100644 --- a/includes/view/User_view.php +++ b/includes/view/User_view.php @@ -92,9 +92,9 @@ function Users_view( foreach ($users as $user) { $u = []; $u['name'] = User_Nick_render($user) . User_Pronoun_render($user); - $u['first_name'] = $user->personalData->first_name; - $u['last_name'] = $user->personalData->last_name; - $u['dect'] = sprintf('%1$s', $user->contact->dect); + $u['first_name'] = htmlspecialchars((string) $user->personalData->first_name); + $u['last_name'] = htmlspecialchars((string) $user->personalData->last_name); + $u['dect'] = sprintf('%1$s', htmlspecialchars((string) $user->contact->dect)); $u['arrived'] = icon_bool($user->state->arrived); if (config('enable_voucher')) { $u['got_voucher'] = $user->state->got_voucher; @@ -273,7 +273,7 @@ function User_view_shiftentries($needed_angel_type) { $shift_info = '
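Review bot: `error($hint, true, true)` and `info($hint, true, true)` in UserHintsRenderer add a second positional boolean whose meaning cannot be read from the call site, and two adjacent `true` flags are easy to swap. Named arguments with the real parameter names of `info()`/`error()` would make the calls self-describing, and a one-line comment above them stating what the third flag switches on would help since `$hint` originates outside this hunk. The method enclosing these lines starts before the hunk.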
    ' . $needed_angel_type['name'] . ': '; + . '">' . htmlspecialchars($needed_angel_type['name']) . ': '; $shift_entries = []; foreach ($needed_angel_type['users'] as $user_shift) { @@ -299,9 +299,9 @@ function User_view_shiftentries($needed_angel_type) */ function User_view_myshift(Shift $shift, $user_source, $its_me) { - $shift_info = '' . $shift->shiftType->name . ''; + $shift_info = '' . htmlspecialchars($shift->shiftType->name) . ''; if ($shift->title) { - $shift_info .= '
    ' . $shift->title . ''; + $shift_info .= '
    ' . htmlspecialchars($shift->title) . ''; } foreach ($shift->needed_angeltypes as $needed_angel_type) { $shift_info .= User_view_shiftentries($needed_angel_type); @@ -320,7 +320,7 @@ function User_view_myshift(Shift $shift, $user_source, $its_me) ]; if ($its_me) { - $myshift['comment'] = $shift->user_comment; + $myshift['comment'] = htmlspecialchars($shift->user_comment); } if ($shift->freeloaded) { @@ -329,7 +329,9 @@ function User_view_myshift(Shift $shift, $user_source, $its_me) . '
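Review bot: `htmlspecialchars($shift->user_comment)` in User_view_myshift will raise a deprecation on PHP 8.1+ whenever the comment is null, while the Users_view hunk in this same commit already guards the identical situation with `htmlspecialchars((string) ...)`. Apply the cast consistently here, `$myshift['comment'] = htmlspecialchars((string) $shift->user_comment);`, and at the other nullable-looking fields this commit touches — `$shift->freeloaded_comment` (-329), `$worklog->comment` (-454) and `$user_source->contact->mobile` (-625) — if those columns can be null; their schema is not visible in the diff. User_view_myshift continues past this hunk.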

    '; if (auth()->can('user_shifts_admin')) { $myshift['comment'] .= '
    ' - . '

    ' . __('Freeloaded') . ': ' . $shift->freeloaded_comment . '

    '; + . '

    ' + . __('Freeloaded') . ': ' . htmlspecialchars($shift->freeloaded_comment) + . '

    '; } else { $myshift['comment'] .= '

    ' . __('Freeloaded') . '

    '; } @@ -454,7 +456,7 @@ function User_view_worklog(Worklog $worklog, $admin_user_worklog_privilege) 'duration' => sprintf('%.2f', $worklog->hours) . ' h', 'room' => '', 'shift_info' => __('Work log entry'), - 'comment' => $worklog->comment . '
    ' + 'comment' => htmlspecialchars($worklog->comment) . '
    ' . sprintf( __('Added by %s at %s'), User_Nick_render($worklog->creator), @@ -616,8 +618,8 @@ function User_view( config('enable_dect') && $user_source->contact->dect ? heading( icon('phone') - . ' ' - . $user_source->contact->dect + . ' ' + . htmlspecialchars($user_source->contact->dect) . '' ) : '', @@ -625,8 +627,8 @@ function User_view( $user_source->settings->mobile_show ? heading( icon('phone') - . ' ' - . $user_source->contact->mobile + . ' ' + . htmlspecialchars($user_source->contact->mobile) . '' ) : '' @@ -647,18 +649,19 @@ function User_view( ($its_me || $admin_user_privilege) ? '

    ' . __('Shifts') . '

    ' : '', $myshifts_table, ($its_me && $nightShiftsConfig['enabled'] && $goodie_enabled) ? info( - icon('info-circle') . sprintf( - __('Your night shifts between %d and %d am count twice.'), + sprintf( + icon('info-circle') . __('Your night shifts between %d and %d am count twice.'), $nightShiftsConfig['start'], $nightShiftsConfig['end'] ), + true, true ) : '', $its_me && count($shifts) == 0 ? error(sprintf( __('Go to the shifts table to sign yourself up for some shifts.'), page_link_to('user_shifts') - ), true) + ), true, true) : '', $its_me ? ical_hint() : '', ] @@ -788,7 +791,7 @@ function User_angeltypes_render($user_angeltypes) $class = 'text-warning'; } $output[] = '' - . ($angeltype->pivot->supporter ? icon('patch-check') : '') . $angeltype->name + . ($angeltype->pivot->supporter ? icon('patch-check') : '') . htmlspecialchars($angeltype->name) . ''; } return div('col-md-2', [ @@ -805,7 +808,7 @@ function User_groups_render($user_groups) { $output = []; foreach ($user_groups as $group) { - $output[] = __($group->name); + $output[] = __(htmlspecialchars($group->name)); } return div('col-md-2', [ @@ -825,9 +828,11 @@ function User_oauth_render(User $user) $output = []; foreach ($user->oauth as $oauth) { $output[] = __( - isset($config[$oauth->provider]['name']) - ? $config[$oauth->provider]['name'] - : Str::ucfirst($oauth->provider) + htmlspecialchars( + isset($config[$oauth->provider]['name']) + ? $config[$oauth->provider]['name'] + : Str::ucfirst($oauth->provider) + ) ); } @@ -968,7 +973,10 @@ function render_user_tshirt_hint() function render_user_dect_hint() { $user = auth()->user(); - if ($user->state->arrived && config('enable_dect') && !$user->contact->dect) { + if ( + $user->state->arrived + && config('enable_dect') && !$user->contact->dect + ) { $text = __('You need to specify a DECT phone number in your settings! If you don\'t have a DECT phone, just enter \'-\'.'); return render_profile_link($text); } 
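Review bot: `sprintf(icon('info-circle') . __('Your night shifts between %d and %d am count twice.'), ...)` now concatenates generated markup into the sprintf format string, so any `%` in the icon's output would be interpreted as a conversion specifier and the translatable text is no longer the whole format. Keeping the icon outside the formatting call, `icon('info-circle') . sprintf(__('Your night shifts between %d and %d am count twice.'), $nightShiftsConfig['start'], $nightShiftsConfig['end'])`, preserves the previous structure; the added trailing `true` passed to `info()` and `error()` here would also read better as a named argument. User_view continues outside the hunk.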
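Review bot: `__(htmlspecialchars($group->name))` in User_groups_render escapes before translating, so a group name containing `&`, `<`, `>` or a quote is looked up under a different key (`Foo &amp; Bar` instead of `Foo & Bar`) and silently falls back to the untranslated, escaped string. Translate first and escape the result: `$output[] = htmlspecialchars(__($group->name));`. The User_oauth_render hunk at -825 wraps `htmlspecialchars(...)` inside `__()` the same way and should be reordered likewise; if some translations are expected to contain intentional markup, that needs an explicit per-call opt-out rather than skipping the escape.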
diff --git a/resources/views/emails/angeltype-added.twig b/resources/views/emails/angeltype-added.twig
index 5ce3fc83..a66a4eb3 100644
--- a/resources/views/emails/angeltype-added.twig
+++ b/resources/views/emails/angeltype-added.twig
@@ -3,9 +3,9 @@
 {% set url=url('/angeltypes', {'action': 'view', 'angeltype_id': angeltype.id}) %}
 {% block introduction %}
-{{ __('notification.angeltype.added.introduction', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.added.introduction', [angeltype.name|e, url])|raw }}
 {% endblock %}
 {% block message %}
-{{ __('notification.angeltype.added.text', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.added.text', [angeltype.name|e, url])|raw }}
 {% endblock %}
diff --git a/resources/views/emails/angeltype-confirmed.twig b/resources/views/emails/angeltype-confirmed.twig
index 1fd2d0b1..8f2c3e17 100644
--- a/resources/views/emails/angeltype-confirmed.twig
+++ b/resources/views/emails/angeltype-confirmed.twig
@@ -3,9 +3,9 @@
 {% set url=url('/angeltypes', {'action': 'view', 'angeltype_id': angeltype.id}) %}
 {% block introduction %}
-{{ __('notification.angeltype.confirmed.introduction', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.confirmed.introduction', [angeltype.name|e, url])|raw }}
 {% endblock %}
 {% block message %}
-{{ __('notification.angeltype.confirmed.text', [angeltype.name, url])|raw }}
+{{ __('notification.angeltype.confirmed.text', [angeltype.name|e, url])|raw }}
 {% endblock %}
diff --git a/resources/views/pages/login.twig b/resources/views/pages/login.twig
index 27400ffc..1d50401a 100644
--- a/resources/views/pages/login.twig
+++ b/resources/views/pages/login.twig
@@ -7,7 +7,7 @@
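Review bot: `angeltype.name|e` applies Twig's default html escaping strategy, which is right for an HTML mail body but would leave literal `&amp;` or `&#039;` in the text if these email templates are also rendered as the plain-text alternative; I cannot see from the diff which it is. If the mail is HTML-only, a template comment such as `{# the name is html-escaped here; |raw only trusts the translation string #}` would record why `|e` and `|raw` sit on the same line. The same applies to angeltype-confirmed.twig in this commit.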
    -

    {{ __('Welcome to the %s!', [config('name') ~ m.angel() ~ (config('app_name')|upper) ])|raw }}

    +

    {{ __('Welcome to the %s!', [config('name')|e ~ m.angel() ~ (config('app_name')|upper|e) ])|raw }}