Laravel 7.1.0 Released, Patch to Fix Potential XSS Attacks

News

March 17th, 2020

laravel7.jpg

The Laravel team released v7.1.0, along with some follow-up patches at the end of last week. Notably, the v7.1.2 patch fixes a potential cross-site scripting (XSS) vulnerability related to blade components.

We will briefly look at the new features in the 7.1.0 release, which introduced a convenient API resource method to work with new route caching in Laravel 7.x and the ability to customize the constrained table name.

RouteRegistrar apiResource() Method

Lasse Rafn contributed an apiResource() convenience method to work with the new Laravel 7.x caching. Lasse mentioned the following in his PR description for a reason behind this method:

Since Laravel 7.X has a new (optimized) routing implemented, route names are more important, and caching routes will break if naming collisions happen.

Normally you can use Route::name(‘posts’)->resource(….. to change the name of a group (useful for nested routes like: /posts/{post}/comments)

HOWEVER, this is not possible with apiResource.

I propose this change to allow that. It’s just a convenience to replace:

1// Before
2Route::name('posts')
3 ->resource(
4 'posts/{post}/comments',
5 'PostCommentsController'
6 )
7 ->only([
8 'index', 'show', 'store',
9 'update', 'destroy'
10 ]);
11
12
13// Using the apiResource() method
14Route::name('posts')
15 ->apiResource(
16 'posts/{post}/comments',
17 'PostCommentsController'
18 );

Customized constrained() Table Name

Samuel França contributed the ability to pass a table name to the constrained() method in the ForeignIdColumnDefinition class:

Here’s one example from the tests:

1$blueprint
2 ->foreignId('team_column_id')
3 ->constrained('teams');

You can see the full list of new features and updates below and the whole diff between 7.0.8 and 7.1.3 on GitHub. The full release notes for Laravel 7.0.8 through 7.1.3 are available in the latest v7 changelog.

v7.1.3

Fixed

  • Unset pivotParent on Pivot::unsetRelations() (#31956)

Changed

  • Escape merged attributes by default in Illuminate\View\ComponentAttributeBag (83c8e6e)

v7.1.2

Fixed

  • Fixed null value injected from container in routes (#31867, c666c42)

Changed

  • Escape attributes automatically in some situations in Illuminate\View\Compilers\ComponentTagCompiler (#31945)

v7.1.1

Added

  • Added dispatchToQueue() to BusFake (#31935)
  • Support either order of arguments for symmetry with livewire (8d558670)

Fixed

  • Bring --daemon option back to queue:work command (24c1818)
  • Fixed ComponentAttributeBag merge behaviour (#31932)

Changed

  • Intelligently drop unnamed prefix name routes when caching (#31917)
  • Closure jobs needs illuminate/queue (#31933)
  • Fixed bad dependency assumptions (#31894)
  • Have a cache aware interface instead of concrete checks (#31903)

v7.1.0

Added

  • Added Illuminate\Routing\RouteRegistrar::apiResource() method (#31857)
  • Added optional $table parameter to ForeignIdColumnDefinition::constrained() method (#31853)
  • Added The connection is broken and recovery is not possible. ... to DetectsLostConnections (#31539)

Fixed

  • Fixed phpredis zadd and exists on cluster (#31838)
  • Fixed trailing slash in Illuminate\Routing\CompiledRouteCollection::match() (3d58cd9, ac6f3a8)

Changed

  • Fire MessageLogged event after the message has been logged (not before) (#31843)
  • Avoid using array_merge_recursive in HTTP client (#31858)
  • Expire the jobs cache keys after 1 day (#31854)
  • Avoid global app() when compiling components (#31868)

Filed in:

Paul Redmond

Full stack web developer. Author of Lumen Programming Guide and Docker for PHP Developers.