fix: add numeric check to parse to prevent dropdowns from being parsed (

#976) * hotfix(security|requests): add middleware that parses post fields * fix: handle arrays * fix: add "$this->" prefix to function calls * fix(requests): prevent numeric value from being parsed * chore(update): update version --------- Co-authored-by: Mercury <[email protected]>
corowne · Jun 16, 2024 · f0aa1f8 · f0aa1f8
1 parent 426bbd1
commit f0aa1f8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/app/Http/Middleware/ParsePostRequestFields.php b/app/Http/Middleware/ParsePostRequestFields.php
@@ -24,6 +24,10 @@ public function handle(Request $request, Closure $next) {
                 if (is_array($value)) {
                     $parsedFields[$key] = $this->parseArray($value, $strippedFields);
                 } else {
+                    if (is_numeric($value)) {
+                        continue;
+                    }
+
                     if (in_array($key, $strippedFields)) { // we strip these since parse() doesn't remove HTML tags
                         $parsedFields[$key] = parse(strip_tags($value));
                     } else {
@@ -47,6 +51,10 @@ public function handle(Request $request, Closure $next) {
      */
     private function parseArray(array $array, array $strippedFields) : array {
         foreach ($array as $key => $value) {
+            if (is_numeric($value)) {
+                continue;
+            }
+
             if (is_array($value)) {
                 $array[$key] = $this->parseArray($value, $strippedFields);
             } else {

diff --git a/config/lorekeeper/settings.php b/config/lorekeeper/settings.php
@@ -24,7 +24,7 @@
     | Do not change this value!
     |
     */
-    'version' => '2.1.6',
+    'version' => '2.1.7',
 
     /*
     |--------------------------------------------------------------------------