From 0667ccfc989c4426a9a37c89d4c4b769a9005eab Mon Sep 17 00:00:00 2001
From: James Cole
Date: Fri, 17 Feb 2023 05:49:54 +0100
Subject: [PATCH] Catch escape in currencies
---
 app/Factory/TransactionCurrencyFactory.php | 7 ++++++-
 app/Services/Internal/Update/CurrencyUpdateService.php | 10 +++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/app/Factory/TransactionCurrencyFactory.php b/app/Factory/TransactionCurrencyFactory.php
index 0068e63352..9cc9c9f265 100644
--- a/app/Factory/TransactionCurrencyFactory.php
+++ b/app/Factory/TransactionCurrencyFactory.php
@@ -41,6 +41,11 @@ class TransactionCurrencyFactory
 */
 public function create(array $data): TransactionCurrency
 {
+ $data['code'] = e($data['code']);
+ $data['symbol'] = e($data['symbol']);
+ $data['name'] = e($data['name']);
+ $data['decimal_places'] = (int)$data['decimal_places'];
+ $data['enabled'] = (bool)$data['enabled'];
 // if the code already exists (deleted)
 // force delete it and then create the transaction:
 $count = TransactionCurrency::withTrashed()->whereCode($data['code'])->count();
@@ -78,7 +83,7 @@ class TransactionCurrencyFactory
 */
 public function find(?int $currencyId, ?string $currencyCode): ?TransactionCurrency
 {
- $currencyCode = (string)$currencyCode;
+ $currencyCode = (string)e($currencyCode);
 $currencyId = (int)$currencyId;
 
 if ('' === $currencyCode && 0 === $currencyId) {
diff --git a/app/Services/Internal/Update/CurrencyUpdateService.php b/app/Services/Internal/Update/CurrencyUpdateService.php
index ad5f217daf..f7e16acb01 100644
--- a/app/Services/Internal/Update/CurrencyUpdateService.php
+++ b/app/Services/Internal/Update/CurrencyUpdateService.php
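Review bot: The `e()` calls added in `create()` and in `find()` HTML-escape `code`, `symbol` and `name` before the value is stored or used as a lookup key, which is escaping in the wrong place: the database ends up holding the entity form (Laravel's `e()` is `htmlspecialchars`, so a symbol `&` is stored as `&amp;`), any Blade `{{ }}` output then double-encodes it, and non-HTML consumers such as the JSON API receive entities; the `update()` hunk in CurrencyUpdateService.php applies the same pattern to the same three fields. Escaping belongs at the HTML output context, and the control that fits this boundary is validation, i.e. restricting `code`, `symbol` and `name` to the expected character set and length (presumably in the request rules, which this patch does not touch). Two side effects worth checking, given that both method bodies continue past their hunks: `e()` expands one special character to up to six, so a value that passed a length rule can exceed the column after escaping, and a currency row stored before this change with an unescaped special character in its code would no longer be matched by the `whereCode` lookup that `find()` performs on the escaped value. `find()` also hands a nullable `$currencyCode` to `e()` before the `(string)` cast; confirm the framework version in use accepts `null` there. If the intent is only to normalise types, `$data['code'] = (string)$data['code'];` (and the same for `symbol` and `name`) keeps the cast without transforming what is persisted.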
@@ -41,23 +41,23 @@ class CurrencyUpdateService
 public function update(TransactionCurrency $currency, array $data): TransactionCurrency
 {
 if (array_key_exists('code', $data) && '' !== (string)$data['code']) {
- $currency->code = $data['code'];
+ $currency->code = e($data['code']);
 }
 if (array_key_exists('symbol', $data) && '' !== (string)$data['symbol']) {
- $currency->symbol = $data['symbol'];
+ $currency->symbol = e($data['symbol']);
 }
 if (array_key_exists('name', $data) && '' !== (string)$data['name']) {
- $currency->name = $data['name'];
+ $currency->name = e($data['name']);
 }
 if (array_key_exists('enabled', $data) && is_bool($data['enabled'])) {
- $currency->enabled = $data['enabled'];
+ $currency->enabled = (bool) $data['enabled'];
 }
 if (array_key_exists('decimal_places', $data) && is_int($data['decimal_places'])) {
- $currency->decimal_places = $data['decimal_places'];
+ $currency->decimal_places = (int) $data['decimal_places'];
 }
 $currency->save();