Added options to disable custom code in themes

JulianPrieber · JulianPrieber · commit 25afd8f07473 · 2022-09-10T11:15:40.000+02:00
diff --git a/.env b/.env
@@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false
 
 #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS. 
 #=Note that this will only affect port 443 if you are using the docker image.
-FORCE_HTTPS=false
+FORCE_HTTPS=false
+
+#=Defines wether or not themes are allowed to inject custom code.
+#=Themes V2 can now implement fully custom code which you might want to disable for security reasons.
+ALLOW_CUSTOM_CODE_IN_THEMES=true
diff --git a/resources/views/components/finishing.blade.php b/resources/views/components/finishing.blade.php
@@ -13,6 +13,9 @@
             if(EnvEditor::keyExists('MAINTENANCE_MODE')){ /* Do nothing if key already exists */ 
             } else {EnvEditor::addKey('MAINTENANCE_MODE', 'false');}
 
+            if(EnvEditor::keyExists('ALLOW_CUSTOM_CODE_IN_THEMES')){ /* Do nothing if key already exists */ 
+            } else {EnvEditor::addKey('ALLOW_CUSTOM_CODE_IN_THEMES', 'true');}
+
             if (!config()->has('advanced-config.expand_panel_admin_menu_permanently') and !config()->has('disable_default_password_notice')) {
             
             function getStringBetween($string, $start, $end) {
diff --git a/resources/views/home.blade.php b/resources/views/home.blade.php
@@ -23,7 +23,7 @@ function themeAsset($path){
 return $path;}
 ?>
 
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
 
 @include('layouts.analytics')
 
@@ -91,7 +91,7 @@ function themeAsset($path){
 </head>
 <body>
 
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
 
 @if(config('advanced-config.home_theme') != '' and config('advanced-config.home_theme') != 'default')
     <!-- Enables parallax background animations -->
@@ -234,6 +234,6 @@ function themeAsset($path){
   </div>
 </body>
 
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
 
 </html>
diff --git a/resources/views/littlelink.blade.php b/resources/views/littlelink.blade.php
@@ -23,7 +23,7 @@ function themeAsset($path){
 return $path;}
 ?>
 
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true")@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_head') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-head')@endif
 
 @include('layouts.analytics')
 
@@ -124,7 +124,7 @@ function themeAsset($path){
 </head>
 <body>
 
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body')@endif
 
 @if($info->theme != '' and $info->theme != 'default')
     <!-- Enables parallax background animations -->
@@ -294,7 +294,7 @@ function get_operating_system() {
     </div>
   </div>
 
-@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true")@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
+@if(theme('enable_custom_code') == "true" and theme('enable_custom_body_end') == "true" and env('ALLOW_CUSTOM_CODE_IN_THEMES') == 'true')@include($GLOBALS['themeName'] . '.extra.custom-body-end')@endif
 
 </body>
 </html>
diff --git a/storage/backups/default_settings b/storage/backups/default_settings
@@ -80,4 +80,8 @@ CUSTOM_META_TAGS=false
 
 #=FORCE_HTTPS either true or false. Used to redirect any request to HTTPS. 
 #=Note that this will only affect port 443 if you are using the docker image.
-FORCE_HTTPS=false
+FORCE_HTTPS=false
+
+#=Defines wether or not themes are allowed to inject custom code.
+#=Themes V2 can now implement fully custom code which you might want to disable for security reasons.
+ALLOW_CUSTOM_CODE_IN_THEMES=true
