From 071e641f95039ec61cfe39d1d39bbb90338d8511 Mon Sep 17 00:00:00 2001
From: Ollama <ollama@steganos.dev>
Date: Sat, 14 Mar 2026 15:31:07 +0000
Subject: [PATCH] Fix stored XSS via stock location name

Add esc() to stock_name output in sales/register.php and receivings/receiving.php

GHSA-vmm7-g33q-qqr2
---
 app/Views/receivings/receiving.php | 2 +-
 app/Views/sales/register.php       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Views/receivings/receiving.php b/app/Views/receivings/receiving.php
index 7a39ab682..f516c1d6d 100644
--- a/app/Views/receivings/receiving.php
+++ b/app/Views/receivings/receiving.php
@@ -137,7 +137,7 @@ if (isset($success)) {
                         <td><?= esc($item['item_number']) ?></td>
                         <td style="text-align: center;">
                             <?= esc($item['name'] . ' ' . implode(' ', [$item['attribute_values'], $item['attribute_dtvalues']])) ?><br>
-                            <?= '[' . to_quantity_decimals($item['in_stock']) . ' in ' . $item['stock_name'] . ']' ?>
+                            <?= '[' . to_quantity_decimals($item['in_stock']) . ' in ' . esc($item['stock_name']) . ']' ?>
                             <?= form_hidden('location', (string)$item['item_location']) ?>
                         </td>
 
diff --git a/app/Views/sales/register.php b/app/Views/sales/register.php
index f0ca9df98..12fc10c08 100644
--- a/app/Views/sales/register.php
+++ b/app/Views/sales/register.php
@@ -181,7 +181,7 @@ helper('url');
                                 <td style="align: center;">
                                     <?= esc($item['name']) . ' ' . implode(' ', [$item['attribute_values'], $item['attribute_dtvalues']]) ?>
                                     <br>
-                                    <?php if ($item['stock_type'] == '0'): echo '[' . to_quantity_decimals($item['in_stock']) . ' in ' . $item['stock_name'] . ']';
+                                    <?php if ($item['stock_type'] == '0'): echo '[' . to_quantity_decimals($item['in_stock']) . ' in ' . esc($item['stock_name']) . ']';
                                     endif; ?>
                                 </td>
                             <?php } ?>