From 3564cfff74163d37c99ae2350191d7b8e2375512 Mon Sep 17 00:00:00 2001
From: Julian Prieber <60265788+JulianPrieber@users.noreply.github.com>
Date: Thu, 10 Nov 2022 21:48:48 +0100
Subject: [PATCH] Added protection against use of JS in users page description
---
 app/Http/Controllers/UserController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 8c1c6be..b88cd37 100755
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -526,7 +526,8 @@ class UserController extends Controller
 $profilePhoto = $request->file('image');
 $pageName = $request->pageName;
- $pageDescription = $request->pageDescription;
+ $pageDescription = strip_tags($request->pageDescription,'