Sanitize activity log meta data values (on frontend)

[Boy132]

No description provided.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added HTML sanitization to ActivityLog: username output in htmlable() and scalar property values (including first elements of array-valued properties) in wrapProperties() now have HTML tags stripped; directory-normalization and count outputs remain unchanged.

Changes

Cohort / File(s)	Summary of Changes
ActivityLog sanitization app/Models/ActivityLog.php	Imported Illuminate\Support\Arr; in htmlable() stripped HTML from $user->username before output; in wrapProperties() scalar values and the first element of array-valued properties are returned with stripTags() applied; Arr::first() replaces array_first(); is_array($first) branch and directory-normalization/count outputs preserved; no public signature changes.

Sequence Diagram(s)

No sequence diagram — changes are limited to data sanitization within existing methods and do not alter control flow.

Pre-merge checks

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description Check	❓ Inconclusive	No pull request description was provided, so there is insufficient author-provided context about intent, scope, or testing beyond the code changes summarized, making this check inconclusive.	Ask the author to add a short description stating the purpose, files affected (e.g., ActivityLog.php), why sanitization was added, and any testing or migration considerations so reviewers can assess intent and impact.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly and accurately summarizes the primary change—sanitizing activity log metadata for the frontend—and directly matches the changes in ActivityLog.php that add stripTags sanitization and array-first handling, making it clear and focused for reviewers.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b1469bc and 6eee406.

📒 Files selected for processing (1)

• app/Models/ActivityLog.php (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• app/Models/ActivityLog.php

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/Models/ActivityLog.php (1)

177-187: Escape interpolated values in htmlable() to prevent XSS.

User-controlled fields (username, label) are echoed unescaped into HTML.

-        return "
-            <div style='display: flex; align-items: center;'>
-                <img width='50px' height='50px' src='{$avatarUrl}' style='margin-right: 15px' />
-
-                <div>
-                    <p>$user->username — $this->event</p>
-                    <p>{$this->getLabel()}</p>
-                    <p>$this->ip — <span title='{$this->timestamp->format('M j, Y g:ia')}'>{$this->timestamp->diffForHumans()}</span></p>
-                </div>
-            </div>
-        ";
+        $username = e($user->username);
+        $event = e($this->event);
+        $label = e($this->getLabel());
+        $ip = e($this->ip);
+        $avatar = e($avatarUrl);
+        $title = e($this->timestamp->format('M j, Y g:ia'));
+        $ago = e($this->timestamp->diffForHumans());
+        return "
+            <div style='display: flex; align-items: center;'>
+                <img width='50px' height='50px' src='{$avatar}' alt='{$username} avatar' style='margin-right: 15px' />
+
+                <div>
+                    <p>{$username} — {$event}</p>
+                    <p>{$label}</p>
+                    <p>{$ip} — <span title='{$title}'>{$ago}</span></p>
+                </div>
+            </div>
+        ";

🧹 Nitpick comments (3)

app/Models/ActivityLog.php (3)

191-193: Fix return type in PHPDoc.

wrapProperties() returns ints for *_count and count keys.

-    /**
-     * @return array<string, string>
-     */
+    /**
+     * @return array<string, string|int>
+     */

---

209-209: Prefer Arr::first over array_first helper.

array_first is deprecated/absent in newer Laravel versions.

-            $first = array_first($value);
+            $first = \Illuminate\Support\Arr::first($value);

---

199-217: Add unit tests for sanitization paths.

Cover scalar, null, numeric, HTML-tagged strings, and arrays with first=null/string/int; ensure counts unchanged.

I can add tests under tests/Unit/Models/ActivityLogWrapPropertiesTest.php—want me to push a patch?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f1ec20 and 15194dc.

📒 Files selected for processing (1)

• app/Models/ActivityLog.php (2 hunks)

🔇 Additional comments (1)

app/Models/ActivityLog.php (1)

193-225: OK — no callers depend on numeric math; only 'count' is used for pluralisation

wrapProperties() is only called in:

• app/Models/ActivityLog.php (getLabel + event translation -> trans_choice using 'count')
• app/Transformers/Api/Client/ActivityLogTransformer.php (serializes properties)

No arithmetic/casts were found against wrapProperties() results; *_count/count remain the numeric use-site.