From 829336b4b6f8b21361e86471348b8588bfbdc234 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Wed, 23 Feb 2022 19:31:24 +0100 Subject: [PATCH 1/2] Fix E_NOTICE when requesting invalid script (#449) It is possible to trigger an exception by requesting an invalid script path. The following URL path leads to XSS on the exception page, showing two nice popups: http://myapp/_ignition/scripts/--> The exception is: ErrorException Undefined index: --> Illuminate\Foundation\Bootstrap\HandleExceptions::handleError vendor/facade/ignition/src/Http/Controllers/ScriptController.php:14 This happens with facade/ignition 1.18.0 (the last with laravel 6 support) and should be fixed there. The error probably also occurs in all later versions.
---
 src/Http/Controllers/ScriptController.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/Http/Controllers/ScriptController.php b/src/Http/Controllers/ScriptController.php
index ccb70fef..aced6ce9 100644
--- a/src/Http/Controllers/ScriptController.php
+++ b/src/Http/Controllers/ScriptController.php
@@ -9,6 +9,9 @@ class ScriptController
 {
 public function __invoke(Request $request)
 {
+ if (!isset(Ignition::scripts()[$request->script])) {
+ abort(404, 'Script not found');
+ }
 return response(
 file_get_contents(
 Ignition::scripts()[$request->script]
From dad70e5705699c3f83e35e638bad59d7c044a17b Mon Sep 17 00:00:00 2001 From: freekmurze Date: Wed, 23 Feb 2022 18:31:55 +0000 Subject: [PATCH 2/2] Fix styling
---
 src/Http/Controllers/ScriptController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Http/Controllers/ScriptController.php b/src/Http/Controllers/ScriptController.php
index aced6ce9..9860f45e 100644
--- a/src/Http/Controllers/ScriptController.php
+++ b/src/Http/Controllers/ScriptController.php
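Review bot: The key the added `isset` guard validates is `$request->script`, and if Laravel's magic property getter resolves input (query/body) before the route parameter as its `__get` implementation does, the allowlist is checked against a value the client can supply independently of the path segment, which may not even be a string (`?script[]=`) and would then hit an illegal-offset error on the array access rather than the new 404. Binding the key once from the route segment, `$script = (string) $request->route('script');`, and using `$script` both in the guard and in the later `Ignition::scripts()[$script]` read keeps the check and the lookup on the same value and drops the second `Ignition::scripts()` call; the parameter name `script` is presumed from the usage in the hunk. The 404 closes this particular trigger, but per the commit message the request-controlled string reached the browser unescaped via the exception page, so any other exception whose message embeds request data would presumably still be exploitable, and that rendering path deserves its own fix. `__invoke` continues past the end of the hunk.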
@@ -9,9 +9,10 @@ class ScriptController
 {
 public function __invoke(Request $request)
 {
- if (!isset(Ignition::scripts()[$request->script])) {
+ if (! isset(Ignition::scripts()[$request->script])) {
 abort(404, 'Script not found');
 }
+
 return response(
 file_get_contents(
 Ignition::scripts()[$request->script]