Use Binput for xss protection

app/config/app.php

@@ -121,6 +121,8 @@ return [
         'Illuminate\View\ViewServiceProvider',
 
         'Dingo\Api\Provider\ApiServiceProvider',
+        'GrahamCampbell\Security\SecurityServiceProvider',
+        'GrahamCampbell\Binput\BinputServiceProvider',
         'GrahamCampbell\Throttle\ThrottleServiceProvider',
         'GrahamCampbell\Markdown\MarkdownServiceProvider',
         'Thujohn\Rss\RssServiceProvider',

composer.json

@@ -13,13 +13,14 @@
         "ext-mcrypt": "*",
         "ext-openssl": "*",
         "laravel/framework": "4.2.*",
-        "guzzlehttp/guzzle": "~5.0",
         "dingo/api": "0.8.*",
-        "graham-campbell/throttle": "~2.0",
+        "doctrine/dbal": "2.5.*",
+        "graham-campbell/binput": "~2.1",
         "graham-campbell/markdown": "~2.0",
-        "watson/validating": "0.10.*",
+        "graham-campbell/throttle": "~2.0",
+        "guzzlehttp/guzzle": "~5.0",
         "thujohn/rss": "~1.0",
-        "doctrine/dbal": "2.5.*"
+        "watson/validating": "0.10.*"
     },
     "require-dev": {
         "phpunit/phpunit": "~4.3",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "bb692ec0057ca30fa36edd005963b3cb",
+    "hash": "10cd158111365c98b217fc244a6c3a6e",
     "packages": [
         {
             "name": "classpreloader/classpreloader",
@@ -768,6 +768,61 @@
             ],
             "time": "2014-10-26 09:05:09"
         },
+        {
+            "name": "graham-campbell/binput",
+            "version": "v2.1.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/GrahamCampbell/Laravel-Binput.git",
+                "reference": "43dcec3dcabace1018e2fa009fc11165199f3889"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/GrahamCampbell/Laravel-Binput/zipball/43dcec3dcabace1018e2fa009fc11165199f3889",
+                "reference": "43dcec3dcabace1018e2fa009fc11165199f3889",
+                "shasum": ""
+            },
+            "require": {
+                "graham-campbell/security": "~2.0",
+                "illuminate/http": "~4.1",
+                "illuminate/support": "~4.1",
+                "php": ">=5.4.7"
+            },
+            "require-dev": {
+                "graham-campbell/testbench": "~1.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "GrahamCampbell\\Binput\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "Apache-2.0"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "graham@mineuk.com"
+                }
+            ],
+            "description": "Binput Is An Input Protector For Laravel 4.1/4.2",
+            "keywords": [
+                "Binput",
+                "Graham Campbell",
+                "GrahamCampbell",
+                "Laravel Binput",
+                "Laravel-Binput",
+                "better",
+                "better input",
+                "framework",
+                "input",
+                "laravel",
+                "security"
+            ],
+            "time": "2014-10-05 15:29:30"
+        },
         {
             "name": "graham-campbell/markdown",
             "version": "v2.0.5",
@@ -825,6 +880,56 @@
             ],
             "time": "2014-10-05 14:49:46"
         },
+        {
+            "name": "graham-campbell/security",
+            "version": "v2.1.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/GrahamCampbell/Laravel-Security.git",
+                "reference": "51b822b6cfcba80a3d8ec1ac6a5e7af9b8d17907"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/GrahamCampbell/Laravel-Security/zipball/51b822b6cfcba80a3d8ec1ac6a5e7af9b8d17907",
+                "reference": "51b822b6cfcba80a3d8ec1ac6a5e7af9b8d17907",
+                "shasum": ""
+            },
+            "require": {
+                "illuminate/support": "~4.1",
+                "php": ">=5.4.7"
+            },
+            "require-dev": {
+                "graham-campbell/testbench": "~1.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "GrahamCampbell\\Security\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "Apache-2.0"
+            ],
+            "authors": [
+                {
+                    "name": "Graham Campbell",
+                    "email": "graham@mineuk.com"
+                }
+            ],
+            "description": "Security Is A Port Of The Security Class From Codeigniter 2.2 For Laravel 4.1/4.2",
+            "keywords": [
+                "Graham Campbell",
+                "GrahamCampbell",
+                "Laravel Security",
+                "Laravel-Security",
+                "codeigniter",
+                "framework",
+                "laravel",
+                "security"
+            ],
+            "time": "2014-11-27 23:04:50"
+        },
         {
             "name": "graham-campbell/throttle",
             "version": "v2.0.1",

src/Http/Controllers/Api/ComponentController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api;
 
 use CachetHQ\Cachet\Repositories\Component\ComponentRepository;
 use Dingo\Api\Routing\ControllerTrait;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 
 class ComponentController extends Controller
 {
@@ -71,6 +71,6 @@ class ComponentController extends Controller
      */
     public function postComponents()
     {
-        return $this->component->create($this->auth->user()->id, Input::all());
+        return $this->component->create($this->auth->user()->id, Binput::all());
     }
 }

src/Http/Controllers/Api/IncidentController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api;
 
 use CachetHQ\Cachet\Repositories\Incident\IncidentRepository;
 use Dingo\Api\Routing\ControllerTrait;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 
 class IncidentController extends Controller
 {
@@ -59,7 +59,7 @@ class IncidentController extends Controller
      */
     public function postIncidents()
     {
-        return $this->incident->create($this->auth->user()->id, Input::all());
+        return $this->incident->create($this->auth->user()->id, Binput::all());
     }
 
     /**
@@ -71,6 +71,6 @@ class IncidentController extends Controller
      */
     public function putIncident($id)
     {
-        return $this->incident->update($id, Input::all());
+        return $this->incident->update($id, Binput::all());
     }
 }

src/Http/Controllers/Api/MetricController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api;
 
 use CachetHQ\Cachet\Repositories\Metric\MetricRepository;
 use Dingo\Api\Routing\ControllerTrait;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 
 class MetricController extends Controller
 {
@@ -58,7 +58,7 @@ class MetricController extends Controller
      */
     public function postMetrics()
     {
-        return $this->metric->create(Input::all());
+        return $this->metric->create(Binput::all());
     }
 
     /**
@@ -70,6 +70,6 @@ class MetricController extends Controller
      */
     public function putMetric($id)
     {
-        return $this->metric->update($id, Input::all());
+        return $this->metric->update($id, Binput::all());
     }
 }

src/Http/Controllers/Api/MetricPointController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api;
 
 use CachetHQ\Cachet\Repositories\MetricPoint\MetricPointRepository;
 use Dingo\Api\Routing\ControllerTrait;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 
 class MetricPointController extends Controller
 {
@@ -58,6 +58,6 @@ class MetricPointController extends Controller
      */
     public function postMetricPoints()
     {
-        return $this->metricPoint->create(Input::all());
+        return $this->metricPoint->create(Binput::all());
     }
 }

src/Http/Controllers/AuthController.php

@@ -3,9 +3,9 @@
 namespace CachetHQ\Cachet\Http\Controllers;
 
 use GrahamCampbell\Throttle\Facades\Throttle;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\Request;
 use Illuminate\Support\Facades\View;
@@ -32,14 +32,14 @@ class AuthController extends Controller
      */
     public function postLogin()
     {
-        if (Auth::attempt(Input::only(['email', 'password']))) {
+        if (Auth::attempt(Binput::only(['email', 'password']))) {
             return Redirect::intended('dashboard');
         }
 
         Throttle::hit(Request::instance(), 10, 10);
 
         return Redirect::back()
-            ->withInput(Input::except('password'))
+            ->withInput(Binput::except('password'))
             ->with('error', 'Invalid email or password');
     }
 

src/Http/Controllers/DashAPIController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers;
 
 use CachetHQ\Cachet\Models\Component;
 use Exception;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 
 class DashAPIController extends Controller
 {
@@ -20,7 +20,7 @@ class DashAPIController extends Controller
      */
     public function postUpdateComponent(Component $component)
     {
-        if (!$component->update(Input::except(['_token']))) {
+        if (!$component->update(Binput::except(['_token']))) {
             throw new Exception('Failed to update the component.');
         }
 
@@ -34,7 +34,7 @@ class DashAPIController extends Controller
      */
     public function postUpdateComponentOrder()
     {
-        $componentData = Input::all();
+        $componentData = Binput::all();
         unset($componentData['component'][0]); // Remove random 0 index.
 
         foreach ($componentData['component'] as $componentId => $order) {

src/Http/Controllers/DashComponentController.php

@@ -3,8 +3,8 @@
 namespace CachetHQ\Cachet\Http\Controllers;
 
 use CachetHQ\Cachet\Models\Component;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\View;
 
@@ -49,7 +49,7 @@ class DashComponentController extends Controller
      */
     public function updateComponentAction(Component $component)
     {
-        $_component = Input::get('component');
+        $_component = Binput::get('component');
         $component->update($_component);
 
         return Redirect::back()->with('savedComponent', $component);
@@ -74,7 +74,7 @@ class DashComponentController extends Controller
      */
     public function createComponentAction()
     {
-        $_component = Input::get('component');
+        $_component = Binput::get('component');
         $component = Component::create($_component);
 
         return Redirect::back()->with('component', $component);

src/Http/Controllers/DashIncidentController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers;
 
 use CachetHQ\Cachet\Models\Incident;
 use CachetHQ\Cachet\Models\IncidentTemplate;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\View;
 
@@ -57,7 +57,7 @@ class DashIncidentController extends Controller
      */
     public function createIncidentTemplateAction()
     {
-        $_template = Input::get('template');
+        $_template = Binput::get('template');
         $template = IncidentTemplate::create($_template);
 
         return Redirect::back()->with('template', $template);
@@ -70,7 +70,7 @@ class DashIncidentController extends Controller
      */
     public function createIncidentAction()
     {
-        $_incident = Input::get('incident');
+        $_incident = Binput::get('incident');
         $incident = Incident::create($_incident);
 
         return Redirect::back()->with('incident', $incident);

src/Http/Controllers/DashSettingsController.php

@@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers;
 
 use CachetHQ\Cachet\Models\Setting;
 use Exception;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
-use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\View;
 
@@ -114,13 +114,13 @@ class DashSettingsController extends Controller
      */
     public function postSettings()
     {
-        if (Input::get('remove_banner') == "1") {
+        if (Binput::get('remove_banner') == "1") {
             $setting = Setting::where('name', 'app_banner');
             $setting->delete();
         }
 
-        if (Input::hasFile('app_banner')) {
-            $file = Input::file('app_banner');
+        if (Binput::hasFile('app_banner')) {
+            $file = Binput::file('app_banner');
 
             // Image Validation.
             // Image size in bytes.
@@ -154,7 +154,7 @@ class DashSettingsController extends Controller
         }
 
         try {
-            foreach (Input::except(['app_banner', 'remove_banner']) as $settingName => $settingValue) {
+            foreach (Binput::except(['app_banner', 'remove_banner']) as $settingName => $settingValue) {
                 Setting::firstOrCreate([
                     'name' => $settingName,
                 ])->update([

src/Http/Controllers/DashUserController.php

@@ -2,9 +2,9 @@
 
 namespace CachetHQ\Cachet\Http\Controllers;
 
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\View;
 
@@ -29,7 +29,7 @@ class DashUserController extends Controller
      */
     public function postUser()
     {
-        $items = Input::all();
+        $items = Binput::all();
 
         $updated = Auth::user()->update($items);
 

src/Http/Controllers/SetupController.php

@@ -4,9 +4,9 @@ namespace CachetHQ\Cachet\Http\Controllers;
 
 use CachetHQ\Cachet\Models\Setting;
 use CachetHQ\Cachet\Models\User;
+use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\Facades\View;
@@ -42,7 +42,7 @@ class SetupController extends Controller
      */
     public function postIndex()
     {
-        $postData = Input::get();
+        $postData = Binput::get();
 
         $v = Validator::make($postData, [
             'settings.app_name'     => 'required',