From 3c217bbdddb6ff0be5b8ad4f1d53450c1ef6bc09 Mon Sep 17 00:00:00 2001
From: jekkos <jeroen.peelaerts@gmail.com>
Date: Wed, 4 Mar 2026 17:53:18 +0000
Subject: [PATCH] Fix XSS vulnerabilities in invoice_email.php view

---
 app/Views/sales/invoice_email.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/Views/sales/invoice_email.php b/app/Views/sales/invoice_email.php
index 2acf146b7..076bed071 100644
--- a/app/Views/sales/invoice_email.php
+++ b/app/Views/sales/invoice_email.php
@@ -30,7 +30,7 @@
 <body>
     <?php
     if (isset($error_message)) {
-        echo '<div class="alert alert-dismissible alert-danger">' . $error_message . '</div>';
+        echo '<div class="alert alert-dismissible alert-danger">' . esc($error_message) . '</div>';
         exit;
     }
     ?>
@@ -98,7 +98,7 @@
                 if ($item['print_option'] == PRINT_YES) {
             ?>
                     <tr class="item-row">
-                        <td><?= $item['item_number'] ?></td>
+                        <td><?= esc($item['item_number']) ?></td>
                         <td class="item-name"><?= esc($item['name']) ?></td>
                         <td><?= to_quantity_decimals($item['quantity']) ?></td>
                         <td><?= to_currency($item['price']) ?></td>
@@ -179,8 +179,8 @@
                 <?= nl2br(esc($config['return_policy'])) ?>
             </div>
             <div id="barcode">
-                <img alt=<?= '$sale_id' ?> src="data:image/svg+xml;base64,<?= base64_encode($barcode) ?>"><br>
-                <?= $sale_id ?>
+                <img alt="<?= esc($sale_id) ?>" src="data:image/svg+xml;base64,<?= base64_encode($barcode) ?>"><br>
+                <?= esc($sale_id) ?>
             </div>
         </div>
     </div>