Enable upload api route

config/nova-tinymce-editor.php

@@ -55,7 +55,7 @@
      */
     'extra' => [
         'upload_images' => [
-            'enabled' => false, // Set true for enable images local upload
+            'enable_api_routes' => env('TINYMCE_ENABLE_UPLOAD_API_ROUTES', true),
             'folder' => 'images',
             'maxSize' => 2048, // KB,
             'disk' => 'public',

routes/api.php

@@ -1,11 +1,10 @@
 <?php
 
-use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
 use Illuminate\Support\Facades\Route;
 use Murdercode\TinymceEditor\Http\Controllers\TinyImageController;
-use Murdercode\TinymceEditor\Http\Middleware\TinymceMiddleware;
 
 // Without CSRF protection
-// Route::post('/upload', TinyImageController::class)->name('tinymce.upload')
-//     ->withoutMiddleware([VerifyCsrfToken::class])
-//     ->middleware(TinymceMiddleware::class);
+if (config('nova-tinymce-editor.extra.upload_images.enable_api_routes', true)) {
+    Route::post('/upload', TinyImageController::class)->name('tinymce.upload')
+        ->middleware('auth');
+}

src/Http/Controllers/TinyImageController.php

@@ -14,21 +14,55 @@ public function __invoke(Request $request): JsonResponse
             'file' => [
                 'required',
                 'image',
-                'mimes:jpeg,png,jpg,gif',
+                'mimes:jpeg,png,jpg,webp',
                 'max:'.config('nova-tinymce-editor.extra.upload_images.maxSize', 2048),
             ],
         ]);
+
+        $uploadedFile = $request->file('file');
+
+        // Check if the uploaded file is a valid image
+        $imageInfo = @getimagesize($uploadedFile->getRealPath());
+        if ($imageInfo === false) {
+            return response()->json(['error' => 'The file is not a valid image.'], 422);
+        }
+
+        // Check MIME type
+        $allowedMimeTypes = ['image/jpeg', 'image/png', 'image/jpg', 'image/webp'];
+        if (! in_array($imageInfo['mime'], $allowedMimeTypes)) {
+            return response()->json(['error' => 'Unsupported image type.'], 422);
+        }
+
+        // Check for potentially dangerous content
+        $fileContent = file_get_contents($uploadedFile->getRealPath());
+        $dangerousPatterns = [
+            '/<\?php/i',
+            '/<\?=/i',
+            '/<script/i',
+            '/eval\(/i',
+            '/base64_decode/i',
+            '/system\(/i',
+            '/exec\(/i',
+            '/shell_exec/i',
+        ];
+
+        foreach ($dangerousPatterns as $pattern) {
+            if (preg_match($pattern, $fileContent)) {
+                return response()->json(['error' => 'The file contains potentially dangerous code.'], 422);
+            }
+        }
+
         $disk = config('nova-tinymce-editor.extra.upload_images.disk');
         try {
-            $file = $request->file('file')
+            $file = $uploadedFile
                 ->storePublicly(
                     config('nova-tinymce-editor.extra.upload_images.folder'),
                     compact('disk')
                 );
         } catch (\Throwable $e) {
             report($e);
 
-            return response()->json(['error' => 'Failed to move uploaded file.']);
+            return response()->json(['error' => 'Failed to move uploaded file.'], 422);
         }
 
         return response()->json(['location' => Storage::disk($disk)->url($file)]);