From 3819de4e7473c8c73656bafe749ef7043e316b97 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Wed, 4 Apr 2018 19:14:47 +0200
Subject: [PATCH] Fix security issue with markdown, thanks to @simhnna

---
 app/Http/Controllers/BillController.php | 2 +-
 app/Models/Note.php | 8 ++++++++
 app/Models/Rule.php | 8 ++++++++
 public/js/ff/transactions/split/edit.js | 16 ++++++++--------
 resources/views/bills/show.twig | 4 ++--
 5 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/app/Http/Controllers/BillController.php b/app/Http/Controllers/BillController.php
index 3befb08701..1aeeb7b8bb 100644
--- a/app/Http/Controllers/BillController.php
+++ b/app/Http/Controllers/BillController.php
@@ -238,7 +238,7 @@ class BillController extends Controller
         $overallAverage = $repository->getOverallAverage($bill);
         $manager = new Manager();
         $manager->setSerializer(new DataArraySerializer());
-        $manager->parseIncludes(['attachments']);
+        $manager->parseIncludes(['attachments','notes']);
 
         // Make a resource out of the data and
         $parameters = new ParameterBag();
diff --git a/app/Models/Note.php b/app/Models/Note.php
index e0ca98c8f2..a6588c8564 100644
--- a/app/Models/Note.php
+++ b/app/Models/Note.php
@@ -52,4 +52,12 @@ class Note extends Model
     {
         return $this->morphTo();
     }
+
+    /**
+     * @param $value
+     */
+    public function setTextAttribute($value)
+    {
+        $this->attributes['text'] = e($value);
+    }
 }
diff --git a/app/Models/Rule.php b/app/Models/Rule.php
index 3d4eec456a..17879ad461 100644
--- a/app/Models/Rule.php
+++ b/app/Models/Rule.php
@@ -93,6 +93,14 @@ class Rule extends Model
         return $this->hasMany('FireflyIII\Models\RuleTrigger');
     }
 
+    /**
+     * @param $value
+     */
+    public function setDescriptionAttribute($value)
+    {
+        $this->attributes['description'] = e($value);
+    }
+
     /**
      * @codeCoverageIgnore
      * @return \Illuminate\Database\Eloquent\Relations\BelongsTo
diff --git a/public/js/ff/transactions/split/edit.js b/public/js/ff/transactions/split/edit.js
index ebab05b5e8..97b4c1f88f 100644
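Review bot: The new include list `['attachments','notes']` omits the space after the comma; `$manager->parseIncludes(['attachments', 'notes']);` matches PSR-12 spacing. Adding the `notes` include is what makes the transformer's note output part of `object.data`, which the bills/show.twig change in this same commit depends on, so a one-line comment such as `// 'notes' is included so the bill view can render them through the markdown filter` would make the pairing visible to the next maintainer. The enclosing method starts and ends outside the hunk.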
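Review bot: `setTextAttribute` escapes at write time (`$this->attributes['text'] = e($value);`), so what is stored is an HTML-encoded copy of the user's text rather than the text itself, and notes saved before this commit are left as they were. Every reader of `text` that is not an HTML page (API/JSON output, the markdown pipeline, search) now sees entities, and re-saving a value read back from the model may encode it a second time depending on how `e()` treats existing entities in this Laravel version. The output path therefore still needs its own context-appropriate escaping; escaping on input is a stop-gap, not a substitute. At minimum document the contract: replace the bare `@param $value` with a docblock stating that `text` is stored HTML-escaped via `e()` and must not be escaped again on render, and declare the parameter as `string $value` so `e()` never receives a non-string. The app/Models/Rule.php hunk (`setDescriptionAttribute`) has the same issue; both enclosing classes continue outside their hunks.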
--- a/public/js/ff/transactions/split/edit.js
+++ b/public/js/ff/transactions/split/edit.js
@@ -43,13 +43,13 @@ $(document).ready(function () {
     $.getJSON('json/categories').done(function (data) {
         categories = data;
-        $('input[name$="category]"]').typeahead({source: categories, autoSelect: false});
+        $('input[name$="category_name]"]').typeahead({source: categories, autoSelect: false});
     });
 
     $.getJSON('json/transaction-journals/' + what).done(function (data) {
         descriptions = data;
         $('input[name="journal_description"]').typeahead({source: descriptions, autoSelect: false});
-        $('input[name$="description]"]').typeahead({source: descriptions, autoSelect: false});
+        $('input[name$="transaction_description]"]').typeahead({source: descriptions, autoSelect: false});
     });
 
     $.getJSON('json/tags').done(function (data) {
@@ -123,10 +123,10 @@ function cloneDivRow() {
         source.find('input[name$="source_account_name]"]').typeahead({source: srcAccounts, autoSelect: false});
     }
     if (categories.length > 0) {
-        source.find('input[name$="category]"]').typeahead({source: categories, autoSelect: false});
+        source.find('input[name$="category_name]"]').typeahead({source: categories, autoSelect: false});
     }
     if (descriptions.length > 0) {
-        source.find('input[name$="description]"]').typeahead({source: descriptions, autoSelect: false});
+        source.find('input[name$="transaction_description]"]').typeahead({source: descriptions, autoSelect: false});
     }
 
     $('div.split_row_holder').append(source);
@@ -180,9 +180,9 @@ function resetDivSplits() {
     // loop each possible field.
     // ends with ][description]
-    $.each($('input[name$="][description]"]'), function (i, v) {
+    $.each($('input[name$="][transaction_description]"]'), function (i, v) {
         var input = $(v);
-        input.attr('name', 'transactions[' + i + '][description]');
+        input.attr('name', 'transactions[' + i + '][transaction_description]');
     });
 
     // ends with ][destination_account_name]
     $.each($('input[name$="][destination_account_name]"]'), function (i, v) {
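Review bot: In the `resetDivSplits` hunk (-180) the selector and the rewritten name now use `][transaction_description]`, but the comment directly above, `// ends with ][description]`, still names the old suffix; update it to `// ends with ][transaction_description]`. The same stale comment, `// ends with ][category]`, sits above the `][category_name]` loop in the next hunk (-225) and should become `// ends with ][category_name]`. Both loops are inside `resetDivSplits`, whose start and end lie outside the hunks.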
@@ -225,9 +225,9 @@ function resetDivSplits() {
     });
 
     // ends with ][category]
-    $.each($('input[name$="][category]"]'), function (i, v) {
+    $.each($('input[name$="][category_name]"]'), function (i, v) {
         var input = $(v);
-        input.attr('name', 'transactions[' + i + '][category]');
+        input.attr('name', 'transactions[' + i + '][category_name]');
     });
 
 }
diff --git a/resources/views/bills/show.twig b/resources/views/bills/show.twig
index 83148c7f0d..accc2fee36 100644
--- a/resources/views/bills/show.twig
+++ b/resources/views/bills/show.twig
@@ -84,11 +84,11 @@

{{ 'more'|_ }}

- {% if object.notes|length > 0 %} + {% if object.data.notes|length > 0 %} - +
{{ trans('list.notes') }}{{ object.notes.data[0].markdown }}{{ object.data.notes|markdown }}
{% endif %}