ilmedova
/
Attendize
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix XSS vulnerability on QR code scanner

This commit is contained in:
Sebastian Schmidt 2018-09-22 21:12:16 +10:00
parent 510bdefec2
commit 5cdfe7151b
8 changed files with 39 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Http/Controllers/EventCheckInController.php
View File

@ -185,7 +185,9 @@ class EventCheckInController extends MyBaseController
return response()->json([
'status' => 'success',
'message' => trans("Controllers.attendee_check_in_success", ["name"=>$attendee->first_name." ".$attendee->last_name, "ref"=>$attendee->reference, "ticket"=>$attendee->ticket]).$appendedText
'name' => $attendee->first_name." ".$attendee->last_name,
'reference' => $attendee->reference,
'ticket' => $attendee->ticket
]);
}

8
public/assets/javascript/check_in.js
View File

@ -15,8 +15,7 @@ var checkinApp = new Vue({
canvasContext: $('canvas#QrCanvas')[0].getContext('2d'),
successBeep: new Audio('/mp3/beep.mp3'),
scanResult: false,
scanResultMessage: '',
scanResultType: null
scanResultObject: {}
},
created: function () {
@ -78,11 +77,10 @@ var checkinApp = new Vue({
this.$http.post(Attendize.qrcodeCheckInRoute, {attendee_reference: attendeeReferenceCode}).then(function (res) {
this.successBeep.play();
this.scanResult = true;
this.scanResultMessage = res.data.message;
this.scanResultType = res.data.status;
this.scanResultObject = res.data;
}, function (response) {
this.scanResultMessage = lang("whoops2");
this.scanResultObject.message = lang("whoops2");
});
},

3
public/assets/stylesheet/check_in.css
View File

@ -216,6 +216,9 @@ footer {
text-shadow: 1px 1px 1px rgba(0, 0, 0, 0.63);
}
.uppercase {
text-transform: uppercase;
}

6
resources/lang/en/Attendee.php
View File

@ -1,6 +1,6 @@
<?php
/*************************************************************************
Generated via "php artisan localization:missing" at 2018/04/19 17:07:35
Generated via "php artisan localization:missing" at 2018/04/19 17:07:35
*************************************************************************/
return array (
@ -16,6 +16,8 @@ return array (
'first_name' => 'First Name',
'last_name' => 'Last Name',
'name' => 'Name',
'ticket' => 'Ticket',
'reference' => 'Reference',
'search_attendees' => 'Search Attendees...',
'send_invitation_n_ticket_to_attendee' => 'Send invitation & ticket to attendee.',
);
);

19
resources/lang/en/Controllers.php
View File

@ -1,12 +1,12 @@
<?php
/*************************************************************************
Generated via "php artisan localization:missing" at 2018/04/26 10:21:11
Generated via "php artisan localization:missing" at 2018/04/26 10:21:11
*************************************************************************/
return array (
//============================== New strings to translate ==============================//
// Defined in file C:\\wamp\\www\\attendize\\resources\\views\\ManageOrganiser\\Events.blade.php
'sort' =>
'sort' =>
array (
'event_title' => 'Event Title',
'start_date' => 'Start Date',
@ -22,7 +22,6 @@ return array (
'addInviteError' => 'You need to create a ticket before you can invite an attendee.',
'attendee_already_cancelled' => 'Attendee Already Cancelled',
'attendee_already_checked_in' => 'Attendee already checked in at :time ',
'attendee_check_in_success' => 'Success !<br>Name: :name <br>Reference: :ref<br>Ticket: :ticket.',
'attendee_exception' => 'An error occurred while inviting this attendee. Please try again.',
'attendee_successfully_checked_in' => 'Attendee Succesfully Checked In',
'attendee_successfully_checked_out' => 'Attendee Succesfully Checked Out',
@ -31,31 +30,31 @@ return array (
'check_in_all_tickets' => 'Check in all tickets associated to this order',
'confirmation_malformed' => 'The confirmation code is missing or malformed.',
'confirmation_successful' => 'Success! Your email is now verified. You can now login.',
'error' =>
'error' =>
array (
'email' =>
'email' =>
array (
'email' => 'Please enter a valid E-mail address.',
'required' => 'E-mail address is required.',
'unique' => 'E-mail already in use for this account.',
),
'first_name' =>
'first_name' =>
array (
'required' => 'Please enter your first name.',
),
'last_name' =>
'last_name' =>
array (
'required' => 'Please enter your last name.',
),
'page_bg_color' =>
'page_bg_color' =>
array (
'required' => 'Please enter a background color.',
),
'page_header_bg_color' =>
'page_header_bg_color' =>
array (
'required' => 'Please enter a header background color.',
),
'password' =>
'password' =>
array (
'passcheck' => 'This password is incorrect.',
),

8
resources/lang/pl/Attendee.php
View File

@ -1,6 +1,6 @@
<?php
/*************************************************************************
Generated via "php artisan localization:missing" at 2018/04/19 17:07:35
Generated via "php artisan localization:missing" at 2018/04/19 17:07:35
*************************************************************************/
return array (
@ -15,7 +15,9 @@ return array (
'event_attendees' => 'Uczestnicy Wydarzenia',
'first_name' => 'Imię',
'last_name' => 'Nazwisko',
'name' => 'Imię i Nazwisko',
'name' => 'Imię',
'ticket' => 'Bilet',
'reference' => 'Zamówienie',
'search_attendees' => 'Przeszukaj dane uczestników...',
'send_invitation_n_ticket_to_attendee' => 'Wyślij zaproszenie i bilet do uczestnika.',
);
);

3
resources/lang/pl/Controllers.php
View File

@ -7,7 +7,7 @@ return array (
//============================== New strings to translate ==============================//
// Defined in file C:\\wamp\\www\\attendize\\resources\\views\\ManageOrganiser\\Events.blade.php
'sort' =>
array (
array (
'event_title' => 'Nazwa Wydarzenia',
'start_date' => 'Data Rozpoczęcia',
'created_at' => 'Data Utworzenia',
@ -22,7 +22,6 @@ return array (
'addInviteError' => 'Musisz utworzyć bilet zanim utworzysz uczestnika.',
'attendee_already_cancelled' => 'Uczestnik już anulowany',
'attendee_already_checked_in' => 'Uczestnik już wszedł w tym momencie: :time ',
'attendee_check_in_success' => 'Sukces !<br>Imię: :name <br>Zamówienie: :ref<br>Bilet: :ticket.',
'attendee_exception' => 'Wystąpił błąd w trakcie zapraszania tego uczestnika. Spróbuj ponownie.',
'attendee_successfully_checked_in' => 'Uczestnik oznaczony',
'attendee_successfully_checked_out' => 'Uczestnik odznaczony',

17
resources/views/ManageEvent/CheckIn.blade.php
View File

@ -132,16 +132,21 @@
<div v-if="isScanning" class="scannerAimer">
</div>
<div v-if="scanResult" class="scannerResult @{{ scanResultType }}">
<i v-if="scanResultType == 'success'" class="ico-checkmark"></i>
<i v-if="scanResultType == 'error'" class="ico-close"></i>
<div v-if="scanResult" class="scannerResult @{{ scanResultObject.status }}">
<i v-if="scanResultObject.status == 'success'" class="ico-checkmark"></i>
<i v-if="scanResultObject.status == 'error'" class="ico-close"></i>
</div>
<div class="ScanResultMessage">
<span class="message" v-if="!isScanning">
@{{{ scanResultMessage }}}
<span class="message" v-if="scanResultObject.status == 'error'">
@{{ scanResultObject.message }}
</span>
<span v-else>
<span class="message" v-if="scanResultObject.status == 'success'">
<span class="uppercase">@lang("Attendee.name")</span>: @{{ scanResultObject.name }}<br>
<span class="uppercase">@lang("Attendee.reference")</span>: @{{scanResultObject.reference }}<br>
<span class="uppercase">@lang("Attendee.ticket")</span>: @{{scanResultObject.ticket }}
</span>
<span v-if="isScanning">
<div id="scanning-ellipsis">@lang("Attendee.scanning")<span>.</span><span>.</span><span>.</span></div>
</span>
</div>