diff --git a/.env b/.env index 0e202bb..134c3a3 100644 --- a/.env +++ b/.env @@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS. #=Note that this will only affect port 443 if you are using the docker image. -FORCE_HTTPS=false \ No newline at end of file +FORCE_HTTPS=false + +#=Defines wether or not themes are allowed to inject custom code. +#=Themes V2 can now implement fully custom code which you might want to disable for security reasons. +ALLOW_CUSTOM_CODE_IN_THEMES=true \ No newline at end of file diff --git a/resources/views/components/finishing.blade.php b/resources/views/components/finishing.blade.php index 2b007d3..dcb2dfd 100644 --- a/resources/views/components/finishing.blade.php +++ b/resources/views/components/finishing.blade.php @@ -13,6 +13,9 @@ if(EnvEditor::keyExists('MAINTENANCE_MODE')){ /* Do nothing if key already exists */ } else {EnvEditor::addKey('MAINTENANCE_MODE', 'false');} + if(EnvEditor::keyExists('ALLOW_CUSTOM_CODE_IN_THEMES')){ /* Do nothing if key already exists */ + } else {EnvEditor::addKey('ALLOW_CUSTOM_CODE_IN_THEMES', 'true');} + if (!config()->has('advanced-config.expand_panel_admin_menu_permanently') and !config()->has('disable_default_password_notice')) { function getStringBetween($string, $start, $end) { diff --git a/resources/views/home.blade.php b/resources/views/home.blade.php index 13cd169..701c32d 100755 --- a/resources/views/home.blade.php +++ b/resources/views/home.blade.php @@ -23,7 +23,7 @@ $path = url('themes/' . $GLOBALS['themeName'] . '/extra/custom-assets/' . $path) return $path;} ?> -@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif +@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif @include('layouts.analytics') @@ -91,7 +91,7 @@ return $path;} -@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif +@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif @if(config('advanced-config.home_theme') != '' and config('advanced-config.home_theme') != 'default') @@ -234,6 +234,6 @@ foreach($pages as $page) -@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif +@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif diff --git a/resources/views/littlelink.blade.php b/resources/views/littlelink.blade.php index d15f533..e30c656 100644 --- a/resources/views/littlelink.blade.php +++ b/resources/views/littlelink.blade.php @@ -23,7 +23,7 @@ $path = url('themes/' . $GLOBALS['themeName'] . '/extra/custom-assets/' . $path) return $path;} ?> -@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif +@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif @include('layouts.analytics') @@ -124,7 +124,7 @@ return $path;} -@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif +@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif @if($info->theme != '' and $info->theme != 'default') @@ -294,7 +294,7 @@ function get_operating_system() { -@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif +@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif diff --git a/storage/backups/default_settings b/storage/backups/default_settings index f4179b4..716f520 100644 --- a/storage/backups/default_settings +++ b/storage/backups/default_settings @@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS. #=Note that this will only affect port 443 if you are using the docker image. -FORCE_HTTPS=false \ No newline at end of file +FORCE_HTTPS=false + +#=Defines wether or not themes are allowed to inject custom code. +#=Themes V2 can now implement fully custom code which you might want to disable for security reasons. +ALLOW_CUSTOM_CODE_IN_THEMES=true \ No newline at end of file