Merge branch 'development' into release

Author: ssddanbrown

.github/translators.txt

@@ -528,3 +528,5 @@ serinf-lauza :: French
 Diyan Nikolaev (nikolaev.diyan) :: Bulgarian
 Shadluk Avan (quldosh) :: Uzbek
 Marci (MartonPoto) :: Hungarian
+Michał Sadurski (wheeskeey) :: Polish
+JanDziaslo :: Polish

app/Activity/Models/Comment.php

@@ -82,7 +82,7 @@ public function logDescriptor(): string
 
     public function safeHtml(): string
     {
-        return HtmlContentFilter::removeScriptsFromHtmlString($this->html ?? '');
+        return HtmlContentFilter::removeActiveContentFromHtmlString($this->html ?? '');
     }
 
     public function jointPermissions(): HasMany

app/Entities/Tools/EntityHtmlDescription.php

@@ -50,7 +50,7 @@ public function getHtml(bool $raw = false): string
             return $html;
         }
 
-        return HtmlContentFilter::removeScriptsFromHtmlString($html);
+        return HtmlContentFilter::removeActiveContentFromHtmlString($html);
     }
 
     public function getPlain(): string

app/Entities/Tools/PageContent.php

@@ -318,7 +318,7 @@ public function render(bool $blankIncludes = false): string
         }
 
         if (!config('app.allow_content_scripts')) {
-            HtmlContentFilter::removeScriptsFromDocument($doc);
+            HtmlContentFilter::removeActiveContentFromDocument($doc);
         }
 
         return $doc->getBodyInnerHtml();

app/Http/Middleware/ApiAuthenticate.php

@@ -17,7 +17,7 @@ class ApiAuthenticate
     public function handle(Request $request, Closure $next)
     {
         // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken();
+        $this->ensureAuthorizedBySessionOrToken($request);
 
         return $next($request);
     }
@@ -28,22 +28,28 @@ public function handle(Request $request, Closure $next)
      *
      * @throws ApiAuthException
      */
-    protected function ensureAuthorizedBySessionOrToken(): void
+    protected function ensureAuthorizedBySessionOrToken(Request $request): void
     {
-        // Return if the user is already found to be signed in via session-based auth.
-        // This is to make it easy to browser the API via browser after just logging into the system.
-        if (!user()->isGuest() || session()->isStarted()) {
+        // Use the active user session already exists.
+        // This is to make it easy to explore API endpoints via the UI.
+        if (session()->isStarted()) {
+            // Ensure the user has API access permission
             if (!$this->sessionUserHasApiAccess()) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
 
+            // Only allow GET requests for cookie-based API usage
+            if ($request->method() !== 'GET') {
+                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
+            }
+
             return;
         }
 
         // Set our api guard to be the default for this request lifecycle.
         auth()->shouldUse('api');
 
-        // Validate the token and it's users API access
+        // Validate the token and its users API access
         auth()->authenticate();
     }
 

app/Theming/CustomHtmlHeadContentProvider.php

@@ -50,7 +50,7 @@ public function forExport(): string
         $hash = md5($content);
 
         return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
-            return HtmlContentFilter::removeScriptsFromHtmlString($content);
+            return HtmlContentFilter::removeActiveContentFromHtmlString($content);
         });
     }
 

app/Util/HtmlContentFilter.php

@@ -9,9 +9,11 @@
 class HtmlContentFilter
 {
     /**
-     * Remove all the script elements from the given HTML document.
+     * Remove all active content from the given HTML document.
+     * This aims to cover anything which can dynamically deal with, or send, data
+     * like any JavaScript actions or form content.
      */
-    public static function removeScriptsFromDocument(HtmlDocument $doc)
+    public static function removeActiveContentFromDocument(HtmlDocument $doc): void
     {
         // Remove standard script tags
         $scriptElems = $doc->queryXPath('//script');
@@ -21,7 +23,7 @@ public static function removeScriptsFromDocument(HtmlDocument $doc)
         $badLinks = $doc->queryXPath('//*[' . static::xpathContains('@href', 'javascript:') . ']');
         static::removeNodes($badLinks);
 
-        // Remove forms with calls to JavaScript URI
+        // Remove elements with form-like attributes with calls to JavaScript URI
         $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
         static::removeNodes($badForms);
 
@@ -47,25 +49,71 @@ public static function removeScriptsFromDocument(HtmlDocument $doc)
         // Remove 'on*' attributes
         $onAttributes = $doc->queryXPath('//@*[starts-with(name(), \'on\')]');
         static::removeAttributes($onAttributes);
+
+        // Remove form elements
+        $formElements = ['form', 'fieldset', 'button', 'textarea', 'select'];
+        foreach ($formElements as $formElement) {
+            $matchingFormElements = $doc->queryXPath('//' . $formElement);
+            static::removeNodes($matchingFormElements);
+        }
+
+        // Remove non-checkbox inputs
+        $inputsToRemove = $doc->queryXPath('//input');
+        /** @var DOMElement $input */
+        foreach ($inputsToRemove as $input) {
+            $type = strtolower($input->getAttribute('type'));
+            if ($type !== 'checkbox') {
+                $input->parentNode->removeChild($input);
+            }
+        }
+
+        // Remove form attributes
+        $formAttrs = ['form', 'formaction', 'formmethod', 'formtarget'];
+        foreach ($formAttrs as $formAttr) {
+            $matchingFormAttrs = $doc->queryXPath('//@' . $formAttr);
+            static::removeAttributes($matchingFormAttrs);
+        }
     }
 
     /**
-     * Remove scripts from the given HTML string.
+     * Remove active content from the given HTML string.
+     * This aims to cover anything which can dynamically deal with, or send, data
+     * like any JavaScript actions or form content.
      */
-    public static function removeScriptsFromHtmlString(string $html): string
+    public static function removeActiveContentFromHtmlString(string $html): string
     {
         if (empty($html)) {
             return $html;
         }
 
         $doc = new HtmlDocument($html);
-        static::removeScriptsFromDocument($doc);
+        static::removeActiveContentFromDocument($doc);
 
         return $doc->getBodyInnerHtml();
     }
 
     /**
-     * Create a xpath contains statement with a translation automatically built within
+     * Alias using the old method name to avoid potential compatibility breaks during patch release.
+     * To remove in future feature release.
+     * @deprecated Use removeActiveContentFromDocument instead.
+     */
+    public static function removeScriptsFromDocument(HtmlDocument $doc): void
+    {
+        static::removeActiveContentFromDocument($doc);
+    }
+
+    /**
+     * Alias using the old method name to avoid potential compatibility breaks during patch release.
+     * To remove in future feature release.
+     * @deprecated Use removeActiveContentFromHtmlString instead.
+     */
+    public static function removeScriptsFromHtmlString(string $html): string
+    {
+        return static::removeActiveContentFromHtmlString($html);
+    }
+
+    /**
+     * Create an x-path 'contains' statement with a translation automatically built within
      * to affectively search in a cases-insensitive manner.
      */
     protected static function xpathContains(string $property, string $value): string