From d1a96dd752ba30dc56380400dd2587d8abb8e9d1 Mon Sep 17 00:00:00 2001
From: Chris Hunt <chris.hunt@kasmweb.com>
Date: Thu, 24 Jul 2025 19:05:16 +0100
Subject: [PATCH] Escape search queries and add setting value on edit

---
 app/Http/Controllers/SearchController.php   |  3 ++
 app/Http/Controllers/SettingsController.php |  1 +
 app/Search.php                              |  2 +-
 app/Setting.php                             | 48 ++++++++++-----------
 config/app.php                              |  2 +-
 5 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/app/Http/Controllers/SearchController.php b/app/Http/Controllers/SearchController.php
index 9e61e928..8a16e32b 100644
--- a/app/Http/Controllers/SearchController.php
+++ b/app/Http/Controllers/SearchController.php
@@ -18,6 +18,9 @@ class SearchController extends Controller
         $requestprovider = $request->input('provider');
         $query = $request->input('q');
 
+        // Sanitize the query to prevent XSS
+        $query = htmlspecialchars($query, ENT_QUOTES, 'UTF-8'); 
+
         // Validate the presence and non-emptiness of the query parameter
         if (!$query || trim($query) === '') {
             abort(400, 'Missing or empty query parameter');
diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php
index 9817d8fa..51e97917 100644
--- a/app/Http/Controllers/SettingsController.php
+++ b/app/Http/Controllers/SettingsController.php
@@ -45,6 +45,7 @@ class SettingsController extends Controller
         if (! is_null($setting)) {
             return view('settings.edit')->with([
                 'setting' => $setting,
+                'value' => $setting->value,
             ]);
         } else {
             $route = route('settings.list', []);
diff --git a/app/Search.php b/app/Search.php
index 982b9f31..0d7bdaf9 100644
--- a/app/Search.php
+++ b/app/Search.php
@@ -121,7 +121,7 @@ abstract class Search
                     $output .= '<option value="'.$key.'"'.$selected.'>'.$searchprovider['name'].'</option>';
                 }
                 $output .= '</select>';
-                $output .= '<input type="text" name="q" value="'.(Input::get('q') ?? '').'" class="homesearch" autofocus placeholder="'.__('app.settings.search').'..." />';
+                $output .= '<input type="text" name="q" value="'.e(Input::get('q') ?? '').'" class="homesearch" autofocus placeholder="'.__('app.settings.search').'..." />';
                 $output .= '<button type="submit">'.ucwords(__('app.settings.search')).'</button>';
                 $output .= '</div>';
                 $output .= '</form>';
diff --git a/app/Setting.php b/app/Setting.php
index 26b8701e..0c6dd5fd 100644
--- a/app/Setting.php
+++ b/app/Setting.php
@@ -150,41 +150,41 @@ class Setting extends Model
         switch ($this->type) {
             case 'image':
                 $value = '';
-                if (isset($this->value) && ! empty($this->value)) {
-                    $value .= '<a class="setting-view-image" href="'.
-                        asset('storage/'.$this->value).
-                        '" title="'.
-                        __('app.settings.view').
-                        '" target="_blank"><img src="'.
-                        asset('storage/'.
-                            $this->value).
+                if (isset($this->value) && !empty($this->value)) {
+                    $value .= '<a class="setting-view-image" href="' .
+                        asset('storage/' . $this->value) .
+                        '" title="' .
+                        __('app.settings.view') .
+                        '" target="_blank"><img src="' .
+                        asset('storage/' .
+                            $this->value) .
                         '" /></a>';
                 }
                 $value .= '<input type="file" name="value" class="form-control" />';
-                if (isset($this->value) && ! empty($this->value)) {
-                    $value .= '<a class="settinglink" href="'.
-                        route('settings.clear', $this->id).
-                        '" title="'.
-                        __('app.settings.remove').
-                        '">'.
-                        __('app.settings.reset').
+                if (isset($this->value) && !empty($this->value)) {
+                    $value .= '<a class="settinglink" href="' .
+                        route('settings.clear', $this->id) .
+                        '" title="' .
+                        __('app.settings.remove') .
+                        '">' .
+                        __('app.settings.reset') .
                         '</a>';
                 }
-
+    
                 break;
             case 'boolean':
                 $checked = false;
-                if (isset($this->value) && (bool) $this->value === true) {
+                if (isset($this->value) && (bool)$this->value === true) {
                     $checked = true;
                 }
                 $set_checked = ($checked) ? ' checked="checked"' : '';
                 $value = '
                 <input type="hidden" name="value" value="0" />
                 <label class="switch">
-                    <input type="checkbox" name="value" value="1"'.$set_checked.' />
+                    <input type="checkbox" name="value" value="1"' . $set_checked . ' />
                     <span class="slider round"></span>
                 </label>';
-
+    
                 break;
             case 'select':
                 $options = json_decode($this->options);
@@ -193,21 +193,21 @@ class Setting extends Model
                 }
                 $value = '<select name="value" class="form-control">';
                 foreach ($options as $key => $opt) {
-                    $value .= '<option value="'.$key.'" '.(($this->value == $key) ? 'selected' : '').'>'.__($opt).'</option>';
+                    $value .= '<option value="' . $key . '" ' . (($this->value == $key) ? 'selected' : '') . '>' . __($opt) . '</option>';
                 }
                 $value .= '</select>';
                 break;
             case 'textarea':
-                $value = '<textarea name="value" class="form-control" cols="44" rows="15"></textarea>';
+                $value = '<textarea name="value" class="form-control" cols="44" rows="15">' . htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8') . '</textarea>';
                 break;
             default:
-                $value = '<input type="text" name="value" class="form-control" />';
+                $value = '<input type="text" name="value" class="form-control" value="' . htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8') . '" />';
                 break;
         }
-
+    
         return $value;
     }
-
+    
     public function group(): BelongsTo
     {
         return $this->belongsTo(\App\SettingGroup::class, 'group_id');
diff --git a/config/app.php b/config/app.php
index 030e9c43..583ad695 100644
--- a/config/app.php
+++ b/config/app.php
@@ -5,7 +5,7 @@ use Illuminate\Support\Facades\Facade;
 
 return [
 
-    'version' => '2.7.2',
+    'version' => '2.7.3',
 
     'appsource' => env('APP_SOURCE', 'https://appslist.heimdall.site/'),