X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/62342433f41f2eaef19c5e85f5ce960297ee8206..refs/pull/846/head:/app/Repos/EntityRepo.php
diff --git a/app/Repos/EntityRepo.php b/app/Repos/EntityRepo.php
index 64f7a0810..14f9d8d0e 100644
--- a/app/Repos/EntityRepo.php
+++ b/app/Repos/EntityRepo.php
@@ -492,14 +492,19 @@ class EntityRepo
 public function createFromInput($type, $input = [], $book = false)
 {
 $isChapter = strtolower($type) === 'chapter';
- $entity = $this->getEntity($type)->newInstance($input);
- $entity->slug = $this->findSuitableSlug($type, $entity->name, false, $isChapter ? $book->id : false);
- $entity->created_by = user()->id;
- $entity->updated_by = user()->id;
- $isChapter ? $book->chapters()->save($entity) : $entity->save();
- $this->permissionService->buildJointPermissionsForEntity($entity);
- $this->searchService->indexEntity($entity);
- return $entity;
+ $entityModel = $this->getEntity($type)->newInstance($input);
+ $entityModel->slug = $this->findSuitableSlug($type, $entityModel->name, false, $isChapter ? $book->id : false);
+ $entityModel->created_by = user()->id;
+ $entityModel->updated_by = user()->id;
+ $isChapter ? $book->chapters()->save($entityModel) : $entityModel->save();
+
+ if (isset($input['tags'])) {
+ $this->tagRepo->saveTagsToEntity($entityModel, $input['tags']);
+ }
+
+ $this->permissionService->buildJointPermissionsForEntity($entityModel);
+ $this->searchService->indexEntity($entityModel);
+ return $entityModel;
 }
 
 /**
@@ -518,6 +523,11 @@ class EntityRepo
 $entityModel->fill($input);
 $entityModel->updated_by = user()->id;
 $entityModel->save();
+
+ if (isset($input['tags'])) {
+ $this->tagRepo->saveTagsToEntity($entityModel, $input['tags']);
+ }
+
 $this->permissionService->buildJointPermissionsForEntity($entityModel);
 $this->searchService->indexEntity($entityModel);
 return $entityModel;
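Review bot: The tag-saving block added here is repeated verbatim in the second hunk (the update path at `@@ -518`), and in both places `$input['tags']` is handed to `saveTagsToEntity` with only an `isset` check, so a scalar or non-list value reaches the tag repository untyped; `saveTagsToEntity` is outside this diff, so whether it validates its argument cannot be confirmed here. A small private helper along the lines of `private function saveTagsFromInput($entityModel, array $input)` wrapping `if (isset($input['tags']) && is_array($input['tags']))` would make the check uniform on both paths. Note also that on the create path `$input`, including any `tags` key, is still passed whole to `newInstance($input)`, so the model's fillable/guarded configuration, not visible here, is what keeps `tags` from being mass-assigned as an attribute.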
@@ -713,6 +723,10 @@ class EntityRepo
 public function renderPage(Page $page, $ignorePermissions = false)
 {
 $content = $page->html;
+ if (!config('app.allow_content_scripts')) {
+ $content = $this->escapeScripts($content);
+ }
+
 $matches = [];
 preg_match_all("/{{@\s?([0-9].*?)}}/", $content, $matches);
 if (count($matches[0]) === 0) {
@@ -760,6 +774,26 @@ class EntityRepo
 return $content;
 }
 
+ /**
+ * Escape script tags within HTML content.
+ * @param string $html
+ * @return mixed
+ */
+ protected function escapeScripts(string $html)
+ {
+ $scriptSearchRegex = '/.*?<\/script>/ms';
+ $matches = [];
+ preg_match_all($scriptSearchRegex, $html, $matches);
+ if (count($matches) === 0) {
+ return $html;
+ }
+
+ foreach ($matches[0] as $match) {
+ $html = str_replace($match, htmlentities($match), $html);
+ }
+ return $html;
+ }
+
 /**
 * Get the plain text version of a page's content.
 * @param Page $page
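Review bot: The new `escapeScripts` call runs on `$page->html` before the `{{@id}}` include placeholders are expanded by the `preg_match_all` that follows, so content pulled in from other pages at that later step is inserted after the escape and, unless the included fragments are escaped on their own path, would sit outside the `app.allow_content_scripts` guard; the rest of `renderPage` is beyond this hunk, so that needs confirming there. Moving the check to just before the final `return $content`, or applying `escapeScripts` to each included fragment as it is spliced in, keeps the guard covering the whole rendered output rather than only the page's own HTML.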
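Review bot: `escapeScripts` searches with `/.*?<\/script>/ms`, and because `.*?` is unanchored under the `s` modifier each match runs from the start of the content (or the previous match) up to the closing tag, so all the ordinary HTML preceding a script block is entity-encoded along with it; the pattern is also case-sensitive and never matches a script element that has no closing tag, which browsers still execute. The `count($matches) === 0` guard never fires because `preg_match_all` always populates one entry per capture group, so it would need to be `count($matches[0])` — or the loop can go entirely in favour of `preg_replace_callback`, as below. `@return mixed` should be `string`, and a `null` from PCRE (pattern error or backtrack limit) should fail closed rather than return the raw content. Even fixed, a regex over script tags does not neutralise other active content such as inline event-handler attributes, so an allowlist HTML sanitiser is the durable replacement when `app.allow_content_scripts` is off.
```php
/**
 * Escape script tags within HTML content.
 * @param string $html
 * @return string
 */
protected function escapeScripts(string $html)
{
    // Anchor on the opening tag, match case-insensitively, and carry an
    // unclosed <script> through to the end of the content.
    $scriptSearchRegex = '/<script\b.*?(?:<\/script>|\z)/is';
    $escaped = preg_replace_callback($scriptSearchRegex, function (array $match) {
        return htmlentities($match[0]);
    }, $html);
    if ($escaped === null) {
        // PCRE failed (e.g. backtrack limit): fail closed instead of emitting raw content.
        return htmlentities($html);
    }
    return $escaped;
}
```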