Escape return_policy in receipt + invoice (#4349)

* Escape return_policy in receipt + invoice * Enable CSRF using session token (#3632)
2025-12-23 17:47:54 -05:00 · 2025-12-17 20:39:58 +01:00
parent 2acdec431f
commit 3e844f2f89
8 changed files with 6 additions and 18 deletions
--- a/app/Config/Filters.php
+++ b/app/Config/Filters.php
@@ -70,7 +70,7 @@ class Filters extends BaseFilters
    public array $globals = [
        'before' => [
            'honeypot',
-            // 'csrf' => ['except' => 'login'],    // TODO: Temporarily disable CSRF until we get everything sorted
+            'csrf' => ['except' => 'login'],
            'invalidchars',
        ],
        'after' => [
--- a/app/Config/Security.php
+++ b/app/Config/Security.php
@@ -15,7 +15,7 @@ class Security extends BaseConfig
     *
     * @var string 'cookie' or 'session'
     */
-    public string $csrfProtection = 'cookie';
+    public string $csrfProtection = 'session';

    /**
     * --------------------------------------------------------------------------
@@ -71,7 +71,7 @@ class Security extends BaseConfig
     *
     * Regenerate CSRF Token on every submission.
     */
-    public bool $regenerate = true;
+    public bool $regenerate = false;

    /**
     * --------------------------------------------------------------------------
--- a/app/Views/partial/header_js.php
+++ b/app/Views/partial/header_js.php
@@ -32,10 +32,8 @@
        }
    });

-    var cookie_name = "<?= esc(config('Cookie')->prefix, 'js') . esc(config('Security')->cookieName, 'js') ?>";
-
    var csrf_token = function() {
-        return Cookies.get(cookie_name);
+        return "<?= csrf_hash() ?>";
    };

    var csrf_form_base = function() {
--- a/app/Views/sales/invoice_email.php
+++ b/app/Views/sales/invoice_email.php
@@ -176,7 +176,7 @@
                    <span><?= nl2br($config['payment_message']) ?></span>
                    <span><?= lang('Sales.comments') . ': ' . (empty($comments) ? $config['invoice_default_comments'] : $comments) ?></span>
                </h5>
-                <?= nl2br($config['return_policy']) ?>
+                <?= nl2br(esc($config['return_policy'])) ?>
            </div>
            <div id="barcode">
                <img alt=<?= '$sale_id' ?> src="data:image/svg+xml;base64,<?= base64_encode($barcode) ?>"><br>
--- a/app/Views/sales/receipt_default.php
+++ b/app/Views/sales/receipt_default.php
@@ -165,7 +165,7 @@
    </table>

    <div id="sale_return_policy">
-        <?= nl2br($config['return_policy']) ?>
+        <?= nl2br(esc($config['return_policy'])) ?>
    </div>

    <div id="barcode">
--- a/gulpfile.js
+++ b/gulpfile.js
@@ -130,7 +130,6 @@ gulp.task('debug-js', function() {
        './node_modules/chartist-plugin-axistitle/dist/chartist-plugin-axistitle.js',
        './node_modules/chartist-plugin-barlabels/dist/chartist-plugin-barlabels.js',
        './node_modules/bootstrap-notify/bootstrap-notify.js',
-        './node_modules/js-cookie/src/js.cookie.js',
        './node_modules/bootstrap-tagsinput-2021/dist/bootstrap-tagsinput.js',
        './node_modules/bootstrap-toggle/js/bootstrap-toggle.js',
        './node_modules/clipboard/dist/clipboard.js',
@@ -176,7 +175,6 @@ gulp.task('prod-js', function() {
        './node_modules/tableexport.jquery.plugin/tableExport.min.js'], { allowEmpty: true });

    var opensourcepos2js = gulp.src(['./node_modules/bootstrap-daterangepicker/daterangepicker.js',
-        './node_modules/js-cookie/src/js.cookie.js',
        './public/js/imgpreview.full.jquery.js',
        './public/js/manage_tables.js',
        './public/js/nominatim.autocomplete.js']).pipe(uglify());
@@ -293,7 +291,6 @@ gulp.task('build-database', function() {
 // Run all required tasks
 gulp.task('default',
    gulp.series('clean',
-        'update-licenses',
        'copy-bootswatch',
        'copy-bootswatch5',
        'copy-bootstrap',
--- a/package-lock.json
+++ b/package-lock.json
@@ -38,7 +38,6 @@
                "jquery-form": "^4.3.0",
                "jquery-ui-dist": "^1.12.1",
                "jquery-validation": "^1.19.5",
-                "js-cookie": "^2.2.1",
                "jspdf": "^3.0.2",
                "jspdf-autotable": "^5.0.2",
                "tableexport.jquery.plugin": "^1.30.0"
@@ -3724,11 +3723,6 @@
                "jquery": "^1.7 || ^2.0 || ^3.1"
            }
        },
-        "node_modules/js-cookie": {
-            "version": "2.2.1",
-            "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
-            "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ=="
-        },
        "node_modules/json-buffer": {
            "version": "3.0.1",
            "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
--- a/package.json
+++ b/package.json
@@ -59,7 +59,6 @@
        "jquery-form": "^4.3.0",
        "jquery-ui-dist": "^1.12.1",
        "jquery-validation": "^1.19.5",
-        "js-cookie": "^2.2.1",
        "jspdf": "^3.0.2",
        "jspdf-autotable": "^5.0.2",
        "tableexport.jquery.plugin": "^1.30.0"