From b256e1ec5520b4e0c76834615332808f252d3e86 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 2 Jun 2026 09:34:57 +0000 Subject: [PATCH] Harden dashboard welcome message against XSS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The admin dashboard renders the remotely fetched welcome message unescaped ({!! $welcomeMessage !!}). It was only filtered with strip_tags(), which keeps the attributes of allowed tags, so a compromised or man-in-the-middled upstream could smuggle in event handlers (onclick, onerror, …) or javascript: URIs and execute script in the admin context. Parse the fetched HTML and strip every attribute, restoring only a safe href (http/https/mailto, relative or anchor) on links. https://claude.ai/code/session_01EUUnydptJJw8Az5AAVQ1r3 --- .../Controllers/DashboardAdminController.php | 66 ++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/src/Http/Controllers/DashboardAdminController.php b/src/Http/Controllers/DashboardAdminController.php index 52cd8321..e9fe685d 100644 --- a/src/Http/Controllers/DashboardAdminController.php +++ b/src/Http/Controllers/DashboardAdminController.php @@ -4,6 +4,7 @@ namespace TypiCMS\Modules\Core\Http\Controllers; +use DOMDocument; use Illuminate\Http\RedirectResponse; use Illuminate\Support\Facades\Http; use Illuminate\View\View; @@ -34,12 +35,75 @@ private function fetchWelcomeMessage(): string $body = rescue(fn () => Http::timeout(2)->get($url)->body()); if ($body !== null) { - return strip_tags($body, '