Merge pull request #10942 from snipe/fixes/xss_user_requested

snipe · web-flow · commit f211c11034ba · 2022-04-15T12:25:56.000+01:00
Fixes potential XSS vuln in user requestable results
diff --git a/app/Http/Controllers/Api/ProfileController.php b/app/Http/Controllers/Api/ProfileController.php
@@ -30,11 +30,11 @@ public function requestedAssets()
             // Make sure the asset and request still exist
             if ($checkoutRequest && $checkoutRequest->itemRequested()) {
                 $results['rows'][] = [
-                    'image' => $checkoutRequest->itemRequested()->present()->getImageUrl(),
-                    'name' => $checkoutRequest->itemRequested()->present()->name(),
-                    'type' => $checkoutRequest->itemType(),
-                    'qty' => $checkoutRequest->quantity,
-                    'location' => ($checkoutRequest->location()) ? $checkoutRequest->location()->name : null,
+                    'image' => e($checkoutRequest->itemRequested()->present()->getImageUrl()),
+                    'name' => e($checkoutRequest->itemRequested()->present()->name()),
+                    'type' => e($checkoutRequest->itemType()),
+                    'qty' => (int) $checkoutRequest->quantity,
+                    'location' => ($checkoutRequest->location()) ? e($checkoutRequest->location()->name) : null,
                     'expected_checkin' => Helper::getFormattedDateObject($checkoutRequest->itemRequested()->expected_checkin, 'datetime'),
                     'request_date' => Helper::getFormattedDateObject($checkoutRequest->created_at, 'datetime'),
                 ];
