Patched XSS & CSRF

OussamaMater · OussamaMater · commit 3ab0052e03a1 · 2024-05-06T08:21:09.000+01:00
diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
@@ -3,6 +3,8 @@
 namespace App\Http\Middleware;
 
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
+use Override;
+use Symfony\Component\HttpFoundation\Cookie;
 
 class VerifyCsrfToken extends Middleware
 {
@@ -14,4 +16,21 @@ class VerifyCsrfToken extends Middleware
     protected $except = [
         //
     ];
+
+    #[Override]
+    protected function newCookie($request, $config)
+    {
+        return new Cookie(
+            'XSRF-TOKEN',
+            $request->session()->token(),
+            $this->availableAt(60 * $config['lifetime']),
+            $config['path'],
+            $config['domain'],
+            $config['secure'],
+            true,
+            false,
+            $config['same_site'] ?? null,
+            $config['partitioned'] ?? false
+        );
+    }
 }
diff --git a/resources/helpers.php b/resources/helpers.php
@@ -54,6 +54,20 @@ function replace_links(string $markdown): string
     }
 }
 
+if (! function_exists('md_to_safe_html')) {
+    /**
+     * Converts Markdown to a safe HTML string.
+     */
+    function md_to_safe_html(string $markdown): string
+    {
+        return str($markdown)->markdown([
+            'html_input' => 'escape',
+            'max_nesting_level' => 10,
+            'allow_unsafe_links' => false,
+        ])->toString();
+    }
+}
+
 if (! function_exists('canonical')) {
     /**
      * Generate a canonical URL to the given route and allowed list of query params.
diff --git a/resources/views/articles/show.blade.php b/resources/views/articles/show.blade.php
@@ -106,7 +106,7 @@ class="w-full bg-center {{ $article->hasHeroImage() ? 'bg-cover' : '' }} bg-gray
                         x-init="$nextTick(function () { highlightCode($el); })"
                         class="prose prose-lg text-gray-800 prose-lio"
                     >
-                        <x-buk-markdown>{!! $article->body() !!}</x-buk-markdown>
+                        <x-buk-markdown>{!! md_to_safe_html($article->body) !!}</x-buk-markdown>
                     </div>
 
                     @if ($article->isUpdated())
diff --git a/tests/Unit/Helpers/MdToSafeHtmlTest.php b/tests/Unit/Helpers/MdToSafeHtmlTest.php
@@ -0,0 +1,13 @@
+<?php
+
+test('converts markdown to safe html', function () {
+    $body = 'Hello, World! ![](image.png).';
+
+    expect(md_to_safe_html($body))->toBe('<p>Hello, World! <img src="image.png" alt="" />.</p>' . "\n");
+});
+
+test('prevents unsafe links', function () {
+    $body = "[Unsafe Link](javascript:alert('Hello'))";
+
+    expect(md_to_safe_html($body))->toBe('<p><a>Unsafe Link</a></p>' . "\n");
+});

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ class="w-full bg-center {{ $article->hasHeroImage() ? 'bg-cover' : '' }} bg-gray`
`106`	`106`	`x-init="$nextTick(function () { highlightCode($el); })"`
`107`	`107`	`class="prose prose-lg text-gray-800 prose-lio"`
`108`	`108`	`>`
`109`		`- <x-buk-markdown>{!! $article->body() !!}</x-buk-markdown>`
	`109`	`+ <x-buk-markdown>{!! md_to_safe_html($article->body) !!}</x-buk-markdown>`
`110`	`110`	`</div>`
`111`	`111`
`112`	`112`	`@if ($article->isUpdated())`