Added options to disable custom code in themes

2022-09-10 11:15:40 +02:00 · 2022-09-10 11:15:40 +02:00 · 25afd8f074
parent 9f8b865a35
commit 25afd8f074
5 changed files with 19 additions and 8 deletions
--- a/.env
+++ b/.env
@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false

 #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS. 
 #=Note that this will only affect port 443 if you are using the docker image.
-FORCE_HTTPS=false
+FORCE_HTTPS=false
+
+#=Defines wether or not themes are allowed to inject custom code.
+#=Themes V2 can now implement fully custom code which you might want to disable for security reasons.
+ALLOW_CUSTOM_CODE_IN_THEMES=true
--- a/resources/views/components/finishing.blade.php
+++ b/resources/views/components/finishing.blade.php
@ -13,6 +13,9 @@
            if(EnvEditor::keyExists('MAINTENANCE_MODE')){ /* Do nothing if key already exists */ 
            } else {EnvEditor::addKey('MAINTENANCE_MODE', 'false');}

+            if(EnvEditor::keyExists('ALLOW_CUSTOM_CODE_IN_THEMES')){ /* Do nothing if key already exists */ 
+            } else {EnvEditor::addKey('ALLOW_CUSTOM_CODE_IN_THEMES', 'true');}
+
            if (!config()->has('advanced-config.expand_panel_admin_menu_permanently') and !config()->has('disable_default_password_notice')) {
            
            function getStringBetween($string, $start, $end) {
--- a/resources/views/home.blade.php
+++ b/resources/views/home.blade.php
@ -23,7 +23,7 @@ $path = url('themes/' . $GLOBALS['themeName'] . '/extra/custom-assets/' . $path)
 return $path;}
 ?>

-@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif

@include('layouts.analytics')

@ -91,7 +91,7 @@ return $path;}
 </head>
 <body>

-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif

@if(config('advanced-config.home_theme') != '' and config('advanced-config.home_theme') != 'default')
    <!-- Enables parallax background animations -->
@ -234,6 +234,6 @@ foreach($pages as $page)
  </div>
 </body>

-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif

 </html>
--- a/resources/views/littlelink.blade.php
+++ b/resources/views/littlelink.blade.php
@ -23,7 +23,7 @@ $path = url('themes/' . $GLOBALS['themeName'] . '/extra/custom-assets/' . $path)
 return $path;}
 ?>

-@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif

@include('layouts.analytics')

@ -124,7 +124,7 @@ return $path;}
 </head>
 <body>

-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif

@if($info->theme != '' and $info->theme != 'default')
    <!-- Enables parallax background animations -->
@ -294,7 +294,7 @@ function get_operating_system() {
    </div>
  </div>

-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif

 </body>
 </html>
--- a/storage/backups/default_settings
+++ b/storage/backups/default_settings
@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false

 #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS. 
 #=Note that this will only affect port 443 if you are using the docker image.
-FORCE_HTTPS=false
+FORCE_HTTPS=false
+
+#=Defines wether or not themes are allowed to inject custom code.
+#=Themes V2 can now implement fully custom code which you might want to disable for security reasons.
+ALLOW_CUSTOM_CODE_IN_THEMES=true