From 80b1f17e1f8a858ce7739cdbb37b2d556e1d4cc6 Mon Sep 17 00:00:00 2001
From: Song
Date: Wed, 23 Oct 2024 16:32:36 +0800
Subject: [PATCH 1/2] =?UTF-8?q?Show/Field=20Json()=20XSS=E8=84=9A=E6=9C=AC?=
 =?UTF-8?q?=E8=BF=87=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Show/Field.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/Show/Field.php b/src/Show/Field.php
index bdacba7df..eac77ef09 100755
--- a/src/Show/Field.php
+++ b/src/Show/Field.php
@@ -407,6 +407,14 @@ public function json()
         return $this->unescape()->as(function ($value) use ($field) {
             $content = is_string($value) ? json_decode($value, true) : $value;
 
+            if (is_array($content)) {
+                array_walk($content, function (&$v) {
+                    $v = htmlspecialchars($v);
+                });
+            } else {
+                $content = htmlspecialchars($content);
+            }
+
             $field->wrap(false);
 
             return Dump::make($content);

From 36cd509213ff69aece1a8f85abc8a3d4960f1b6c Mon Sep 17 00:00:00 2001
From: Song
Date: Mon, 18 Nov 2024 10:17:51 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E5=A2=9E=E5=8A=A0Show=20json()=E5=81=A5?=
 =?UTF-8?q?=E5=A3=AE=E6=80=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Show/Field.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Show/Field.php b/src/Show/Field.php
index eac77ef09..52ed61434 100755
--- a/src/Show/Field.php
+++ b/src/Show/Field.php
@@ -409,6 +409,7 @@ public function json()
 
             if (is_array($content)) {
                 array_walk($content, function (&$v) {
+                    $v = strval($v);
                     $v = htmlspecialchars($v);
                 });
             } else {
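Review bot: `array_walk` escapes only the top-level values of the decoded JSON, so a nested object or array element reaches `htmlspecialchars($v)` as an array and its contents are never escaped, and object keys are not touched at all, even though this field is rendered through `unescape()`. The `htmlspecialchars` calls also rely on the default flags, which do not cover single quotes on PHP below 8.1; passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly makes the escaping independent of the runtime version. A recursive pass that escapes string keys and string values at every depth and leaves ints, bools and null untouched closes both gaps; the same nested-value issue applies to the second patch's hunk on this file. The enclosing `json()` body starts and ends outside the hunk, and whether `Dump::make` escapes on its own is not visible here.
```php
            $content = is_string($value) ? json_decode($value, true) : $value;

            // Escape string keys and values at every depth; the field is rendered unescaped.
            $escape = static function ($data) use (&$escape) {
                if (is_array($data)) {
                    $out = [];
                    foreach ($data as $k => $v) {
                        $key = is_string($k) ? htmlspecialchars($k, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $k;
                        $out[$key] = $escape($v);
                    }
                    return $out;
                }
                // Only strings can carry markup; ints, bools and null pass through unchanged.
                return is_string($data) ? htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $data;
            };
            $content = $escape($content);

            // … unchanged: $field->wrap(false); return Dump::make($content); …
```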
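Review bot: The `strval($v)` cast is added to the array branch only; the `else` branch just below the hunk still passes `$content` to `htmlspecialchars` unconverted, and that value is null whenever `json_decode` fails on the input string (deprecated for a string parameter since PHP 8.1), so the robustness fix is incomplete. Casting also turns `true`/`false`/`null` into `"1"`/`""`/`""` in the dump, and on a nested array it triggers "Array to string conversion" and replaces the element with the literal `Array`, so data is lost rather than escaped. A type guard avoids all three: replace the two added/context lines with `$v = is_string($v) ? htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $v;` and apply the same guard in the `else` branch. The enclosing `json()` body and the `else` branch lie outside this hunk.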