Commit cd2e1e1d authored by Yassine Doghri

fix(security): add csrf filter + prevent xss attacks by escaping user input

- update CI4 to v4.1.9's stable production package
- update php and js dependencies to latest
parent a597cf4e
+2 −2
@@ -24,7 +24,7 @@ class Database extends Config
    /**
     * The default database connection.
     *
     * @var array<string, string|bool|int|array>
     * @var array<string, mixed>
     */
    public array $default = [
        'DSN' => '',
@@ -51,7 +51,7 @@ class Database extends Config
     *
     * @noRector StringClassNameToClassConstantRector
     *
     * @var array<string, string|bool|int|array>
     * @var array<string, mixed>
     */
    public array $tests = [
        'DSN' => '',
+10 −4
@@ -11,6 +11,7 @@ declare(strict_types=1);
namespace Config;

use App\Libraries\NoteObject;
use Exception;
use Modules\Fediverse\Config\Fediverse as FediverseBaseConfig;

class Fediverse extends FediverseBaseConfig
@@ -26,10 +27,15 @@ class Fediverse extends FediverseBaseConfig
    {
        parent::__construct();

        try {
            $appTheme = service('settings')
                ->get('App.theme');
            $defaultBanner = config('Images')
            ->podcastBannerDefaultPaths[service('settings')->get('App.theme')] ?? config(
                'Images'
            )->podcastBannerDefaultPaths['default'];
                ->podcastBannerDefaultPaths[$appTheme] ?? config('Images')->podcastBannerDefaultPaths['default'];
        } catch (Exception) {
            $defaultBanner = config('Images')
                ->podcastBannerDefaultPaths['default'];
        }

        ['dirname' => $dirname, 'extension' => $extension, 'filename' => $filename] = pathinfo(
            $defaultBanner['path']
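Review bot: `config('Images')` is resolved twice in the new `$defaultBanner` assignment (once for the theme lookup and again in the `??` fallback); hoisting it into a local reads better and avoids the second lookup: `$images = config('Images');` followed by `$defaultBanner = $images->podcastBannerDefaultPaths[$appTheme] ?? $images->podcastBannerDefaultPaths['default'];`. The `catch (Exception)` that follows silently falls back to the default banner on any failure of the settings service; a one-line comment naming the failure it is meant to cover (presumably settings not being readable yet, e.g. before the database exists — confirm) would make the intent explicit and discourage widening it further. The constructor's signature and the remainder of its body lie outside this hunk.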
+5 −4
@@ -39,18 +39,19 @@ class Filters extends BaseConfig
    /**
     * List of filter aliases that are always applied before and after every request.
     *
     * @var array<string, string[]>
     * @var array<string, mixed>
     */
    public array $globals = [
        'before' => [
            // 'honeypot',
            // 'csrf',
            'csrf' => [
                'except' => ['@[a-zA-Z0-9\_]{1,32}/inbox'],
            ],
            // 'invalidchars',
        ],
        'after' => [
            'toolbar',
            // 'honeypot',
            // 'honeypot',
            // 'secureheaders',
        ],
    ];
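Review bot: The new `'except'` entry disables CSRF verification for every `@<name>/inbox` URI without recording why, which invites a later maintainer to remove or broaden it; a comment above it such as `// ActivityPub inbox: server-to-server POSTs cannot carry a CSRF token; these requests are expected to be authenticated by signature verification in the inbox handler instead` would document the trade-off (the inbox handling itself is not on this page, so confirm that check exists). The pattern is a raw regex fragment, and `\_` inside a character class is redundant since `_` needs no escaping; if, as I recall, CI4's filter matcher lowercases and anchors the path before matching, `'@[a-z0-9_]{1,32}/inbox'` would be the equivalent tidier form, but verify against the installed framework version before changing it. It is also worth confirming that the expression matches only the inbox routes and no form-handling route that shares the `@<name>/` prefix.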
+1 −1
@@ -26,7 +26,7 @@ class Paths
     * the path if the folder is not in the same directory as this file.
     */
    public string $systemDirectory =
        __DIR__ . '/../../vendor/codeigniter4/codeigniter4/system';
        __DIR__ . '/../../vendor/codeigniter4/framework/system';

    /**
     * ---------------------------------------------------------------
+1 −1
@@ -26,7 +26,7 @@ class Security extends BaseConfig
     *
     * Randomize the CSRF Token for added security.
     */
    public bool $tokenRandomize = false;
    public bool $tokenRandomize = true;

    /**
     * --------------------------------------------------------------------------
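Review bot: The change to `public bool $tokenRandomize = true;` overrides the framework default, but the docblock above it still only says "for added security" without stating what is gained; extending it to `* Randomize the CSRF Token for added security: the token is masked with a fresh random value each time it is emitted, so the same token never appears twice in responses and cannot be recovered through compression-based side channels (BREACH).` records the reason the default was overridden. The other CSRF settings of this class (protection mode, regeneration, expiry) are outside the hunk, so I cannot tell from here whether they were reviewed together with this one.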