From 97ca738b2da2f77f4eae9d4184038157b26d4038 Mon Sep 17 00:00:00 2001
From: jekkos <jekkos@users.noreply.github.com>
Date: Thu, 16 Apr 2026 19:37:06 +0000
Subject: [PATCH] fix: Escape dynamic output and fix CSS property in
 barcode_sheet.php (#4501)

- Add esc() for dynamic output in HTML attributes and URLs
- Cast numeric values to int for CSS properties
- Fix invalid 'borderspacing' CSS property to 'border-spacing'
- Add quotes around class attribute

Closes #4487

Co-authored-by: Ollama <ollama@steganos.dev>
---
 app/Views/barcodes/barcode_sheet.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/Views/barcodes/barcode_sheet.php b/app/Views/barcodes/barcode_sheet.php
index c6a13b831..3e27880f0 100644
--- a/app/Views/barcodes/barcode_sheet.php
+++ b/app/Views/barcodes/barcode_sheet.php
@@ -13,17 +13,17 @@ $barcode_lib = new Barcode_lib();
 <html lang="<?= current_language_code() ?>">
     <head>
         <meta charset="utf-8">
-        <title><?= lang('Items.generate_barcodes') ?></title>
-        <link rel="stylesheet" href="<?= base_url() ?>css/barcode_font.css">
+        <title><?= esc(lang('Items.generate_barcodes')) ?></title>
+        <link rel="stylesheet" href="<?= esc(base_url('css/barcode_font.css'), 'url') ?>">
         <style>
             .barcode svg {
-                height: <?= $barcode_config['barcode_height'] ?>px;
-                width: <?= $barcode_config['barcode_width'] ?>px;
+                height: <?= (int) $barcode_config['barcode_height'] ?>px;
+                width: <?= (int) $barcode_config['barcode_width'] ?>px;
             }
         </style>
     </head>
-    <body class=<?= 'font_' . $barcode_lib->get_font_name($barcode_config['barcode_font']) ?> style="font-size: <?= $barcode_config['barcode_font_size'] ?>px;">
-        <table style="border-spacing: <?= $barcode_config['barcode_page_cellspacing'] ?>; width: <?= $barcode_config['barcode_page_width'] ?>%;">
+    <body class="<?= esc('font_' . $barcode_lib->get_font_name($barcode_config['barcode_font']), 'attr') ?>" style="font-size: <?= (int) $barcode_config['barcode_font_size'] ?>px;">
+        <table style="border-spacing: <?= (int) $barcode_config['barcode_page_cellspacing'] ?>px; width: <?= (int) $barcode_config['barcode_page_width'] ?>%;">
             <tr>
                 <?php
                     $count = 0;