fix(security): Escape email addresses in mailto() to prevent XSS

Email columns in bootstrap tables had escaping disabled (line 52), and the mailto() function does not escape its parameters. This fix escapes email addresses before passing them to mailto() in:
- get_person_data_row() (employees)
- get_customer_data_row() (customers)
- get_supplier_data_row() (suppliers)

Attack vector: Malicious email via CSV import renders XSS in table view.
This commit is contained in:
Ollama
2026-06-03 20:50:15 +02:00
committed by jekkos
parent 968d850b9d
commit 1100712c9b


@@ -226,7 +226,7 @@ function get_person_data_row(object $person): array
'people.person_id' => $person->person_id,
'last_name' => $person->last_name,
'first_name' => $person->first_name,
'email' => empty($person->email) ? '' : mailto($person->email, $person->email),
'email' => empty($person->email) ? '' : mailto(esc($person->email), esc($person->email)),
'phone_number' => $person->phone_number,
'messages' => empty($person->phone_number)
? ''
@@ -292,7 +292,7 @@ function get_customer_data_row(object $person, object $stats): array
'people.person_id' => $person->person_id,
'last_name' => $person->last_name,
'first_name' => $person->first_name,
'email' => empty($person->email) ? '' : mailto($person->email, $person->email),
'email' => empty($person->email) ? '' : mailto(esc($person->email), esc($person->email)),
'phone_number' => $person->phone_number,
'total' => to_currency($stats->total),
'messages' => empty($person->phone_number)
@@ -363,7 +363,7 @@ function get_supplier_data_row(object $supplier): array
'category' => $supplier->category,
'last_name' => $supplier->last_name,
'first_name' => $supplier->first_name,
'email' => empty($supplier->email) ? '' : mailto($supplier->email, $supplier->email),
'email' => empty($supplier->email) ? '' : mailto(esc($supplier->email), esc($supplier->email)),
'phone_number' => $supplier->phone_number,
'messages' => empty($supplier->phone_number)
? ''
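Review bot: The first `esc()` result on the new 'email' line lands inside the `href="mailto:…"` attribute that mailto() builds, but `esc()` is called with its default HTML-body context; because mailto() double-quotes the attribute and that context escapes `"`, `<` and `&`, the injection is closed, yet the intent is clearer and the call no longer repeats itself if each argument is escaped for its own sink: `mailto(esc($person->email, 'attr'), esc($person->email))` (assuming this is CodeIgniter's `esc()`, which accepts an `'attr'` context), with the same change in get_customer_data_row and get_supplier_data_row. Escaping at render time is the right layer, but since the description traces the payload to CSV import, rejecting malformed addresses at that boundary with `filter_var($email, FILTER_VALIDATE_EMAIL)` would keep the stored payload from persisting at all and would also protect any other consumer of the column; that import path is outside this diff. Any other caller that passes stored data to mailto() is presumably still unescaped, which I cannot confirm from these hunks. Each enclosing function's return array opens before its hunk and closes after it.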