Fix stored XSS via stock location name

Add esc() to stock_name output in sales/register.php and receivings/receiving.php

GHSA-vmm7-g33q-qqr2
This commit is contained in:
Ollama
2026-03-14 15:31:07 +00:00
committed by jekkos
parent 48af67bd00
commit 071e641f95
2 changed files with 2 additions and 2 deletions


@@ -137,7 +137,7 @@ if (isset($success)) {
<td><?= esc($item['item_number']) ?></td>
<td style="text-align: center;">
<?= esc($item['name'] . ' ' . implode(' ', [$item['attribute_values'], $item['attribute_dtvalues']])) ?><br>
<?= '[' . to_quantity_decimals($item['in_stock']) . ' in ' . $item['stock_name'] . ']' ?>
<?= '[' . to_quantity_decimals($item['in_stock']) . ' in ' . esc($item['stock_name']) . ']' ?>
<?= form_hidden('location', (string)$item['item_location']) ?>
</td>
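Review bot: The new line escapes only the `stock_name` fragment, while the neighbouring line above escapes the whole concatenated string; the rest of this expression (`to_quantity_decimals(...)` and the literal brackets) is still emitted through an unescaped `<?=`, so the safety of the line depends on that helper never returning anything but digits and separators. Wrapping the full expression keeps the rule "everything passing through `<?=` is escaped" uniform in this template and removes the dependency on the helper's output: `<?= esc('[' . to_quantity_decimals($item['in_stock']) . ' in ' . $item['stock_name'] . ']') ?>`. This assumes `esc()` is the CodeIgniter helper defaulting to the HTML context, which matches how the surrounding lines use it.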


@@ -181,7 +181,7 @@ helper('url');
<td style="align: center;">
<?= esc($item['name']) . ' ' . implode(' ', [$item['attribute_values'], $item['attribute_dtvalues']]) ?>
<br>
<?php if ($item['stock_type'] == '0'): echo '[' . to_quantity_decimals($item['in_stock']) . ' in ' . $item['stock_name'] . ']';
<?php if ($item['stock_type'] == '0'): echo '[' . to_quantity_decimals($item['in_stock']) . ' in ' . esc($item['stock_name']) . ']';
endif; ?>
</td>
<?php } ?>
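Review bot: The context line two above the changed one (`esc($item['name']) . ' ' . implode(' ', [$item['attribute_values'], $item['attribute_dtvalues']])`) escapes only `name` and echoes the attribute values raw, whereas the equivalent line in sales/register.php wraps the whole concatenation in `esc()`; if those attribute values are user-editable, this file keeps an output path of the same class the commit fixes. Bringing it in line with register.php is a one-line change: `<?= esc($item['name'] . ' ' . implode(' ', [$item['attribute_values'], $item['attribute_dtvalues']])) ?>`. On the changed line itself, `$item['stock_type'] == '0'` is a loose comparison; `=== '0'` (or an int comparison, depending on the column type) avoids surprises such as `'0.0'` or `''` matching. The enclosing loop closed by the trailing `<?php } ?>` starts outside the hunk.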