Merge branch '3.x' into 4.x

filamentphp · Oct 16, 2024 · 0de2587 · 0de2587
2 parents 9423afa + 2b6a3bb
commit 0de2587
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 13 deletions.
diff --git a/packages/forms/docs/02-fields/10-rich-editor.md b/packages/forms/docs/02-fields/10-rich-editor.md
@@ -15,6 +15,16 @@ RichEditor::make('content')
 
 <AutoScreenshot name="forms/fields/rich-editor/simple" alt="Rich editor" version="4.x" />
 
+## Security
+
+By default, the editor outputs raw HTML, and sends it to the backend. Attackers are able to intercept the value of the component and send a different raw HTML string to the backend. As such, it is important that when outputting the HTML from a rich editor, it is sanitized; otherwise your site may be exposed to Cross-Site Scripting (XSS) vulnerabilities.
+
+When Filament outputs raw HTML from the database in components such as `TextColumn` and `TextEntry`, it sanitizes it to remove any dangerous JavaScript. However, if you are outputting the HTML from a rich editor in your own Blade view, this is your responsibility. One option is to use Filament's `sanitizeHtml()` helper to do this, which is the same tool we use to sanitize HTML in the components mentioned above:
+
+```blade
+{!! str($record->content)->sanitizeHtml() !!}
+```
+
 ## Customizing the toolbar buttons
 
 You may set the toolbar buttons for the editor using the `toolbarButtons()` method. The options shown here are the defaults. In addition to these, `'h1'` is also available:

diff --git a/packages/forms/docs/02-fields/11-markdown-editor.md b/packages/forms/docs/02-fields/11-markdown-editor.md
@@ -15,6 +15,16 @@ MarkdownEditor::make('content')
 
 <AutoScreenshot name="forms/fields/markdown-editor/simple" alt="Markdown editor" version="4.x" />
 
+## Security
+
+By default, the editor outputs raw Markdown and HTML, and sends it to the backend. Attackers are able to intercept the value of the component and send a different raw HTML string to the backend. As such, it is important that when outputting the HTML from a Markdown editor, it is sanitized; otherwise your site may be exposed to Cross-Site Scripting (XSS) vulnerabilities.
+
+When Filament outputs raw HTML from the database in components such as `TextColumn` and `TextEntry`, it sanitizes it to remove any dangerous JavaScript. However, if you are outputting the HTML from a Markdown editor in your own Blade view, this is your responsibility. One option is to use Filament's `sanitizeHtml()` helper to do this, which is the same tool we use to sanitize HTML in the components mentioned above:
+
+```blade
+{!! str($record->content)->markdown()->sanitizeHtml() !!}
+```
+
 ## Customizing the toolbar buttons
 
 You may set the toolbar buttons for the editor using the `toolbarButtons()` method. The options shown here are the defaults:

diff --git a/packages/forms/src/Components/Concerns/CanBeValidated.php b/packages/forms/src/Components/Concerns/CanBeValidated.php
@@ -534,7 +534,7 @@ public function unique(string | Closure | null $table = null, string | Closure |
         return $this;
     }
 
-    public function distinct(): static
+    public function distinct(bool | Closure $condition = true): static
     {
         $this->rule(static function (Field $component, mixed $state) {
             return function (string $attribute, mixed $value, Closure $fail) use ($component, $state) {
@@ -610,7 +610,7 @@ public function distinct(): static
 
                 $fail(__($validationMessages['distinct'] ?? 'validation.distinct', ['attribute' => $component->getValidationAttribute()]));
             };
-        });
+        }, $condition);
 
         return $this;
     }

diff --git a/packages/forms/src/Components/Concerns/CanFixIndistinctState.php b/packages/forms/src/Components/Concerns/CanFixIndistinctState.php
@@ -4,16 +4,21 @@
 
 use Filament\Schema\Components\Component;
 use Filament\Schema\Components\Utilities\Set;
+use Closure;
 use Illuminate\Support\Arr;
 
 trait CanFixIndistinctState
 {
-    public function fixIndistinctState(): static
+    public function fixIndistinctState(bool | Closure $condition = true): static
     {
-        $this->distinct();
-        $this->live();
+        $this->distinct($condition);
+        $this->live(condition: $condition);
+
+        $this->afterStateUpdated(static function (Component $component, mixed $state, Set $set) use ($condition) {
+            if (! $component->evaluate($condition)) {
+                return;
+            }
 
-        $this->afterStateUpdated(static function (Component $component, mixed $state, Set $set) {
             if (blank($state)) {
                 return;
             }

diff --git a/packages/schema/src/Concerns/HasStateBindingModifiers.php b/packages/schema/src/Concerns/HasStateBindingModifiers.php
@@ -3,6 +3,7 @@
 namespace Filament\Schema\Concerns;
 
 use Filament\Schema\Components\Component;
+use Closure;
 
 trait HasStateBindingModifiers
 {
@@ -13,11 +14,11 @@ trait HasStateBindingModifiers
 
     protected int | string | null $liveDebounce = null;
 
-    protected ?bool $isLive = null;
+    protected bool | Closure | null $isLive = null;
 
     protected bool $isLiveOnBlur = false;
 
-    public function live(bool $onBlur = false, int | string | null $debounce = null, ?bool $condition = true): static
+    public function live(bool $onBlur = false, int | string | null $debounce = null, bool | Closure | null $condition = true): static
     {
         $this->isLive = $condition;
         $this->isLiveOnBlur = $onBlur;
@@ -85,7 +86,9 @@ public function getStateBindingModifiers(bool $withBlur = true, bool $withDeboun
             return $this->stateBindingModifiers;
         }
 
-        if ($this->isLive === false) {
+        $isLive = $this->evaluate($this->isLive);
+
+        if ($isLive === false) {
             return [];
         }
 
@@ -105,7 +108,7 @@ public function getStateBindingModifiers(bool $withBlur = true, bool $withDeboun
             return ['live', 'debounce', $this->liveDebounce];
         }
 
-        if ($this->isLive) {
+        if ($isLive) {
             return ['live'];
         }
 
@@ -122,8 +125,10 @@ public function getStateBindingModifiers(bool $withBlur = true, bool $withDeboun
 
     public function isLive(): bool
     {
-        if ($this->isLive !== null) {
-            return $this->isLive;
+        $isLive = $this->evaluate($this->isLive);
+
+        if ($isLive !== null) {
+            return $isLive;
         }
 
         if ($this instanceof Component) {
@@ -139,7 +144,9 @@ public function isLive(): bool
 
     public function isLiveOnBlur(): bool
     {
-        if ($this->isLive !== null) {
+        $isLive = $this->evaluate($this->isLive);
+
+        if ($isLive !== null) {
             return $this->isLiveOnBlur;
         }