From 25afd8f074733d31bd68703e32281301e5da662d Mon Sep 17 00:00:00 2001
From: Julian Prieber <60265788+JulianPrieber@users.noreply.github.com>
Date: Sat, 10 Sep 2022 11:15:40 +0200
Subject: [PATCH] Added options to disable custom code in themes

---
 .env | 6 +++++-
 resources/views/components/finishing.blade.php | 3 +++
 resources/views/home.blade.php | 6 +++---
 resources/views/littlelink.blade.php | 6 +++---
 storage/backups/default_settings | 6 +++++-
 5 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/.env b/.env
index 0e202bb..134c3a3 100644
--- a/.env
+++ b/.env
@@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false
 #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS.
 #=Note that this will only affect port 443 if you are using the docker image.
-FORCE_HTTPS=false
\ No newline at end of file
+FORCE_HTTPS=false
+
+#=Defines wether or not themes are allowed to inject custom code.
+#=Themes V2 can now implement fully custom code which you might want to disable for security reasons.
+ALLOW_CUSTOM_CODE_IN_THEMES=true
\ No newline at end of file
diff --git a/resources/views/components/finishing.blade.php b/resources/views/components/finishing.blade.php
index 2b007d3..dcb2dfd 100644
--- a/resources/views/components/finishing.blade.php
+++ b/resources/views/components/finishing.blade.php
@@ -13,6 +13,9 @@
 if(EnvEditor::keyExists('MAINTENANCE_MODE')){ /* Do nothing if key already exists */
 } else {EnvEditor::addKey('MAINTENANCE_MODE', 'false');}
+ if(EnvEditor::keyExists('ALLOW_CUSTOM_CODE_IN_THEMES')){ /* Do nothing if key already exists */
+ } else {EnvEditor::addKey('ALLOW_CUSTOM_CODE_IN_THEMES', 'true');}
+
 if (!config()->has('advanced-config.expand_panel_admin_menu_permanently') and !config()->has('disable_default_password_notice')) {
 function getStringBetween($string, $start, $end) {
diff --git a/resources/views/home.blade.php b/resources/views/home.blade.php
index 13cd169..701c32d 100755
--- a/resources/views/home.blade.php
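Review bot: The comment on the new key misspells "whether" (`#=Defines wether or not themes are allowed to inject custom code.`), and the same text is added again to storage/backups/default_settings in the last hunk of this patch. Because this comment is the one place an operator reads before deciding on the value, it should also say concretely what the toggle governs, e.g. `#=Set to false to stop themes from injecting their own code via their custom-head, custom-body and custom-body-end templates.`. The file is left without a trailing newline as before, which is what the two "No newline at end of file" markers record.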
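Review bot: `EnvEditor::addKey('ALLOW_CUSTOM_CODE_IN_THEMES', 'true')` writes the permissive value into the .env of every existing installation that predates the key, so theme-provided code stays enabled on upgrade without anyone opting in, for a setting the .env comment itself calls security-relevant. If keeping existing Themes V2 custom code working is the reason for `'true'`, a comment next to the addKey call saying so (`/* defaults to true so existing theme custom code keeps working after upgrade; operators can set false */`) would stop the next reader from silently changing it; otherwise `'false'` is the fail-safe default and the operator enables it deliberately. The string `'true'` does line up with the `== 'true'` comparisons added in the view files. The enclosing PHP block starts before this hunk.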
+++ b/resources/views/home.blade.php
@@ -23,7 +23,7 @@ $path = url('themes/' . $GLOBALS['themeName'] . '/extra/custom-assets/' . $path)
 return $path;}
 ?>
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
 @include('layouts.analytics')
@@ -91,7 +91,7 @@ return $path;}
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
 @if(config('advanced-config.home_theme') != '' and config('advanced-config.home_theme') != 'default')
@@ -234,6 +234,6 @@ foreach($pages as $page)
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
diff --git a/resources/views/littlelink.blade.php b/resources/views/littlelink.blade.php
index d15f533..e30c656 100644
--- a/resources/views/littlelink.blade.php
+++ b/resources/views/littlelink.blade.php
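Review bot: The new third term `env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true'` reads the environment directly from a view; in Laravel, once the configuration is cached the .env file is no longer loaded and `env()` returns null for such keys, so on a deployment that uses config caching the condition is false and theme custom code is silently disabled (fail-closed, but hard to diagnose). The comparison also only holds because `env()` turns the string "true" into boolean `true` and `==` is loose; a later change to `===` would break it without any visible error. The usual remedy is a config entry that reads the env value at config-load time (for example under the existing advanced-config file, key name to be chosen) and one evaluation at the top of the view's PHP block, `$allowCustomCode = config('<CONFIG_KEY_PLACEHOLDER>') === true;`, with each gate ending in `... and $allowCustomCode)`. The same expression is repeated in the -91 and -234 hunks of this file and in all three hunks of littlelink.blade.php; the gate is only as complete as the set of include sites it covers, so any other place that includes theme extra templates would need the same check.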
@@ -23,7 +23,7 @@ $path = url('themes/' . $GLOBALS['themeName'] . '/extra/custom-assets/' . $path)
 return $path;}
 ?>
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
 @include('layouts.analytics')
@@ -124,7 +124,7 @@ return $path;}
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
 @if($info->theme != '' and $info->theme != 'default')
@@ -294,7 +294,7 @@ function get_operating_system() {
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
diff --git a/storage/backups/default_settings b/storage/backups/default_settings
index f4179b4..716f520 100644
--- a/storage/backups/default_settings
+++ b/storage/backups/default_settings
@@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false
 #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS.
 #=Note that this will only affect port 443 if you are using the docker image.
-FORCE_HTTPS=false
\ No newline at end of file
+FORCE_HTTPS=false
+
+#=Defines wether or not themes are allowed to inject custom code.
+#=Themes V2 can now implement fully custom code which you might want to disable for security reasons.
+ALLOW_CUSTOM_CODE_IN_THEMES=true
\ No newline at end of file