Laravel 7.1.0 Released, Patch to Fix Potential XSS Attacks

Published on by

Laravel 7.1.0 Released, Patch to Fix Potential XSS Attacks image

The Laravel team released v7.1.0, along with some follow-up patches at the end of last week. Notably, the v7.1.2 patch fixes a potential cross-site scripting (XSS) vulnerability related to blade components.

We will briefly look at the new features in the 7.1.0 release, which introduced a convenient API resource method to work with new route caching in Laravel 7.x and the ability to customize the constrained table name.

RouteRegistrar apiResource() Method

Lasse Rafn contributed an apiResource() convenience method to work with the new Laravel 7.x caching. Lasse mentioned the following in his PR description for a reason behind this method:

Since Laravel 7.X has a new (optimized) routing implemented, route names are more important, and caching routes will break if naming collisions happen.

Normally you can use Route::name(‘posts’)->resource(….. to change the name of a group (useful for nested routes like: /posts/{post}/comments)

HOWEVER, this is not possible with apiResource.

I propose this change to allow that. It’s just a convenience to replace:

// Before
Route::name('posts')
->resource(
'posts/{post}/comments',
'PostCommentsController'
)
->only([
'index', 'show', 'store',
'update', 'destroy'
]);
 
 
// Using the apiResource() method
Route::name('posts')
->apiResource(
'posts/{post}/comments',
'PostCommentsController'
);

Customized constrained() Table Name

Samuel França contributed the ability to pass a table name to the constrained() method in the ForeignIdColumnDefinition class:

Here’s one example from the tests:

$blueprint
->foreignId('team_column_id')
->constrained('teams');

You can see the full list of new features and updates below and the whole diff between 7.0.8 and 7.1.3 on GitHub. The full release notes for Laravel 7.0.8 through 7.1.3 are available in the latest v7 changelog.

v7.1.3

Fixed

  • Unset pivotParent on Pivot::unsetRelations() (#31956)

Changed

  • Escape merged attributes by default in Illuminate\View\ComponentAttributeBag (83c8e6e)

v7.1.2

Fixed

  • Fixed null value injected from container in routes (#31867, c666c42)

Changed

  • Escape attributes automatically in some situations in Illuminate\View\Compilers\ComponentTagCompiler (#31945)

v7.1.1

Added

  • Added dispatchToQueue() to BusFake (#31935)
  • Support either order of arguments for symmetry with livewire (8d558670)

Fixed

  • Bring --daemon option back to queue:work command (24c1818)
  • Fixed ComponentAttributeBag merge behaviour (#31932)

Changed

  • Intelligently drop unnamed prefix name routes when caching (#31917)
  • Closure jobs needs illuminate/queue (#31933)
  • Fixed bad dependency assumptions (#31894)
  • Have a cache aware interface instead of concrete checks (#31903)

v7.1.0

Added

  • Added Illuminate\Routing\RouteRegistrar::apiResource() method (#31857)
  • Added optional $table parameter to ForeignIdColumnDefinition::constrained() method (#31853)
  • Added The connection is broken and recovery is not possible. ... to DetectsLostConnections (#31539)

Fixed

  • Fixed phpredis zadd and exists on cluster (#31838)
  • Fixed trailing slash in Illuminate\Routing\CompiledRouteCollection::match() (3d58cd9, ac6f3a8)

Changed

  • Fire MessageLogged event after the message has been logged (not before) (#31843)
  • Avoid using array_merge_recursive in HTTP client (#31858)
  • Expire the jobs cache keys after 1 day (#31854)
  • Avoid global app() when compiling components (#31868)
Paul Redmond photo

Staff writer at Laravel News. Full stack web developer and author.

Cube

Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.

image
No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project.

Visit No Compromises
Laravel Forge logo

Laravel Forge

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Forge
Tinkerwell logo

Tinkerwell

The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Tinkerwell
No Compromises logo

No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project. ⬧ Flat rate of $7500/mo. ⬧ No lengthy sales process. ⬧ No contracts. ⬧ 100% money back guarantee.

No Compromises
Kirschbaum logo

Kirschbaum

Providing innovation and stability to ensure your web application succeeds.

Kirschbaum
Shift logo

Shift

Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Shift
LoadForge logo

LoadForge

Easy, affordable load testing and stress tests for websites, APIs and databases.

LoadForge
Paragraph logo

Paragraph

Manage your Laravel app as if it was a CMS – edit any text on any page or in any email without touching Blade or language files.

Paragraph
Lucky Media logo

Lucky Media

Bespoke software solutions built for your business. We ♥ Laravel

Lucky Media
Lunar: Laravel E-Commerce logo

Lunar: Laravel E-Commerce

E-Commerce for Laravel. An open-source package that brings the power of modern headless e-commerce functionality to Laravel.

Lunar: Laravel E-Commerce
Bacancy - Staff Augmentation logo

Bacancy - Staff Augmentation

Leave your web app development hustles to the leading IT Staff Augmentation Service Providers. Choose from an extensive pool of 1050+ developers and give yourself the sigh of success you deserve with Bacancy. Get In Touch Today!

Bacancy - Staff Augmentation
DocuWriter.ai logo

DocuWriter.ai

Save hours of manually writing Code Documentation, Comments & DocBlocks, Test suites and Refactoring.

DocuWriter.ai
Rector logo

Rector

Your partner for seamless Laravel upgrades, cutting costs, and accelerating innovation for successful companies

Rector

The latest

View all →
Use Google's Gemini AI in Laravel image

Use Google's Gemini AI in Laravel

Read article
PhpStorm is getting a brand new terminal image

PhpStorm is getting a brand new terminal

Read article
Six Essential Plugins for Visual Studio Code image

Six Essential Plugins for Visual Studio Code

Read article
Modularize Your Laravel Application With the Modular Package image

Modularize Your Laravel Application With the Modular Package

Read article
Handle Money Transactions in Eloquent with Laravel Wallet image

Handle Money Transactions in Eloquent with Laravel Wallet

Read article
Tempo: The Easiest Way to Work With Dates in JavaScript image

Tempo: The Easiest Way to Work With Dates in JavaScript

Read article