fix(security): add csrf filter + prevent xss attacks by escaping user input

- update CI4 to v4.1.9's stable production package - update php and js dependencies to latest
2026-04-16 04:57:46 +02:00 · 2022-03-04 14:33:48 +00:00 · 2022-03-04 14:33:48 +00:00 · cd2e1e1dc3
commit cd2e1e1dc3
parent a597cf4ecf
182 changed files with 4410 additions and 4214 deletions
--- a/app/Controllers/WebmanifestController.php
+++ b/app/Controllers/WebmanifestController.php
@ -18,7 +18,7 @@ use CodeIgniter\HTTP\ResponseInterface;
 class WebmanifestController extends Controller
 {
    /**
-     * @var array<string, string>
+     * @var array<string, array<string, string>>
     */
    public const THEME_COLORS = [
        'pine' => [
@ -50,10 +50,8 @@ class WebmanifestController extends Controller
    public function index(): ResponseInterface
    {
        $webmanifest = [
-            'name' => service('settings')
-                ->get('App.siteName'),
-            'description' => service('settings')
-                ->get('App.siteDescription'),
+            'name' => esc(service('settings') ->get('App.siteName')),
+            'description' => esc(service('settings') ->get('App.siteDescription')),
            'lang' => service('request')
                ->getLocale(),
            'start_url' => base_url(),
@ -89,12 +87,12 @@ class WebmanifestController extends Controller
        }

        $webmanifest = [
-            'name' => $podcast->title,
-            'short_name' => '@' . $podcast->handle,
+            'name' => esc($podcast->title),
+            'short_name' => '@' . esc($podcast->handle),
            'description' => $podcast->description,
            'lang' => $podcast->language_code,
            'start_url' => $podcast->link,
-            'scope' => '/@' . $podcast->handle,
+            'scope' => '/@' . esc($podcast->handle),
            'display' => 'standalone',
            'orientation' => 'portrait',
            'theme_color' => self::THEME_COLORS[service('settings')->get('App.theme')]['theme'],