From f49d763254af6eb034c8db80fa281bbcc8044b01 Mon Sep 17 00:00:00 2001 From: jekkos Date: Mon, 26 Aug 2024 09:35:56 +0200 Subject: [PATCH] XSS mitigation features (#4041) * Remove HtmlPurifier calls - All calls to Services::htmlPurifier()->purify() removed from data received from view. - Bootstrap and bootswatch bump in package-lock.json Signed-off-by: objecttothis * Pre-view filtering Items Controller - Refactored code for clarity - Created and called sanitization functions. - Sanitize TEXT type Attributes before being sent to the view. Signed-off-by: objecttothis * Pre-view filtering Customers Controller - Refactored code for clarity - Replaced == with === operator to prevent type juggling - Added Sanitization of Customer data before being sent to the view Signed-off-by: objecttothis * Bump bootstrap-table to 1.23.1 - Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers - Sanitize attribute data in tables - Sanitize item data with controller function. Signed-off-by: objecttothis * Pre-view filtering Items Controller - Refactored code for clarity - Created and called sanitization functions. - Sanitize TEXT type Attributes before being sent to the view. Signed-off-by: objecttothis * Sanitize Item data - Sanitize category and item_number before display in forms. - refactor check in pic_filename for empty to be best practices compliant. - Added TODO Signed-off-by: objecttothis * Minor changes - Refactored for code clarity. - Removed extra blank lines. - Minor reformatting. - Added PHPdocs - bumped bootstrap-table to 1.23.2 Signed-off-by: objecttothis * Pre-view filtering Items Controller - Refactored code for clarity - Created and called sanitization functions. - Sanitize TEXT type Attributes before being sent to the view. Signed-off-by: objecttothis * Sanitize Item data - Sanitize category and item_number before display in forms. - refactor check in pic_filename for empty to be best practices compliant. - Added TODO 
Signed-off-by: objecttothis
---------
Signed-off-by: objecttothis
Co-authored-by: objecttothis
---
 app/Config/Events.php | 1 +
 app/Controllers/Attributes.php | 2 +-
 app/Controllers/Cashups.php | 2 +-
 app/Controllers/Customers.php | 45 +++++++++++-----
 app/Controllers/Employees.php | 6 +--
 app/Controllers/Expenses.php | 2 +-
 app/Controllers/Expenses_categories.php | 2 +-
 app/Controllers/Giftcards.php | 6 +--
 app/Controllers/Item_kits.php | 4 +-
 app/Controllers/Items.php | 69 ++++++++++++++++++-------
 app/Controllers/Persons.php | 2 +-
 app/Controllers/Receivings.php | 4 +-
 app/Controllers/Sales.php | 4 +-
 app/Controllers/Suppliers.php | 6 +--
 app/Controllers/Tax_categories.php | 2 +-
 app/Controllers/Tax_codes.php | 2 +-
 app/Controllers/Tax_jurisdictions.php | 2 +-
 app/Controllers/Taxes.php | 8 +--
 app/Helpers/security_helper.php | 15 ++++++
 app/Helpers/tabular_helper.php | 21 +++++---
 app/Models/Customer.php | 11 ++--
 app/Models/Giftcard.php | 7 ++-
 app/Models/Item.php | 12 ++---
 package-lock.json | 9 ++--
 package.json | 2 +-
 25 files changed, 158 insertions(+), 88 deletions(-)
diff --git a/app/Config/Events.php b/app/Config/Events.php
index bd84b5962..457b5aae0 100644
--- a/app/Config/Events.php
+++ b/app/Config/Events.php
@@ -5,6 +5,7 @@ namespace Config;
 use App\Events\Db_log;
 use App\Events\Load_config;
 use App\Events\Method;
+use App\Events\PurifyOutput;
 use CodeIgniter\Events\Events;
 use CodeIgniter\Exceptions\FrameworkException;
 use CodeIgniter\HotReloader\HotReloader;
diff --git a/app/Controllers/Attributes.php b/app/Controllers/Attributes.php
index 07dad9d4d..93b52d673 100644
--- a/app/Controllers/Attributes.php
+++ b/app/Controllers/Attributes.php
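Review bot: The added `use App\Events\PurifyOutput;` is the only change to this file (the diffstat shows `app/Config/Events.php | 1 +`), and no `app/Events/PurifyOutput.php` is created anywhere in this patch, so unless that class already exists and is referenced further down the file, the import is dead and points at a class the patch does not provide. Either the event class and its `Events::on()` registration were left out of the commit, or this is a leftover from an abandoned approach; in both cases the line should be removed or the missing file added, since an unresolved `use` silently passes until something tries to autoload it. If a global output-purifying event is still intended, note that it would duplicate the per-controller `sanitize*Data()` calls this patch introduces, and one of the two layers should be chosen. The `use` block continues outside the hunk.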
@@ -38,7 +38,7 @@ class Attributes extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Cashups.php b/app/Controllers/Cashups.php
index 518c8462b..d17a1b6e5 100644
--- a/app/Controllers/Cashups.php
+++ b/app/Controllers/Cashups.php
@@ -43,7 +43,7 @@ class Cashups extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Customers.php b/app/Controllers/Customers.php
index 3ff28aa88..6dd78bf28 100644
--- a/app/Controllers/Customers.php
+++ b/app/Controllers/Customers.php
@@ -87,7 +87,7 @@ class Customers extends Persons
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
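Review bot: `$this->request->getGet('search')` yields `null` when the parameter is absent, whereas the removed `purify()` call always handed a string to the model; if the model's search method is declared with a `string $search` parameter (not visible here, verify), a request without `search` now raises a TypeError instead of returning an empty result set. Item_kits::getSearch() in this same patch already guards this with `?? ''`, and the same default belongs on every controller that dropped the purifier: `$search = $this->request->getGet('search') ?? '';`. Removing purification on the way in is only safe if every place that echoes `$search` back to the browser escapes at the output point; the pre-view `sanitize*Data()` helpers added in this patch cover stored records, not the search term itself. The method continues past the hunk.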
@@ -114,7 +114,7 @@ class Customers extends Persons
 $stats->quantity = 0;
 }
- $data_rows[] = get_customer_data_row($person, $stats);
+ $data_rows[] = get_customer_data_row($person, $stats); //TODO: We either need to create a function to sanitize $person here (and for line 77) or we need to sanitize inside of get_customer_data_row().
 }
 echo json_encode (['total' => $total_rows, 'rows' => $data_rows]);
@@ -125,7 +125,7 @@ class Customers extends Persons
 */
 public function getSuggest(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->customer->get_search_suggestions($search);
 echo json_encode($suggestions);
@@ -136,7 +136,7 @@ class Customers extends Persons
 */
 public function suggest_search(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->customer->get_search_suggestions($search, 25, false);
 echo json_encode($suggestions);
@@ -185,14 +185,7 @@ class Customers extends Persons
 $data['packages'] = $packages;
 $data['selected_package'] = $info->package_id;
- if($this->config['use_destination_based_tax']) //TODO: This can be shortened for ternary notation
- {
- $data['use_destination_based_tax'] = true;
- }
- else
- {
- $data['use_destination_based_tax'] = false;
- }
+ $data['use_destination_based_tax'] = $this->config['use_destination_based_tax'];
 // retrieve the total amount the customer spent so far together with min, max and average values
 $stats = $this->customer->get_stats($customer_id);
@@ -260,7 +253,9 @@ class Customers extends Persons
 }
 }
- echo view("customers/form", $data);
+ $sanitized_data = $this->sanitizeCustomerData($data);
+
+ echo view("customers/form", $sanitized_data);
 }
 /**
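Review bot: In getSuggest() the source of `term` silently changes from `getGet()` to `getPost()` at the same time the purifier is removed; the commit message does not mention this, and Suppliers::getSuggest() in this same patch keeps `getGet('term')`, so the two suggest endpoints now disagree. If the customer autocomplete is still issued as a GET request, `$search` becomes `null` and the lookup either returns nothing or fails on a typed parameter — restore `$this->request->getGet('term')` unless the client side was changed too, in which case say so in the commit. Separately, `$data['use_destination_based_tax'] = $this->config['use_destination_based_tax'];` drops the `true`/`false` normalisation the removed `if`/`else` performed; if the config store hands back strings such as `'1'` (not visible here), a view that compares with `===` or serialises the value sees a different type, so `(bool) $this->config['use_destination_based_tax']` keeps the old contract while still being a one-liner. The `//TODO` appended to the `get_customer_data_row()` call is answered by the purify call added to that helper later in this patch and should be resolved rather than shipped.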
@@ -539,4 +534,28 @@ class Customers extends Persons
 }
 }
 }
+
+ /**
+ * Sanitizes customer values to remove unsafe HTML tags and javascript.
+ * This is not meant to replace CI4 sanitization.
+ *
+ * @param array $data Attribute data to sanitize.
+ * @return array Sanitized Attribute data.
+ */
+ private function sanitizeCustomerData(array $data): array
+ {
+ $data['person_info']->first_name = Services::htmlPurifier()->purify($data['person_info']->first_name);
+ $data['person_info']->last_name = Services::htmlPurifier()->purify($data['person_info']->last_name);
+ $data['person_info']->address_1 = Services::htmlPurifier()->purify($data['person_info']->address_1);
+ $data['person_info']->address_2 = Services::htmlPurifier()->purify($data['person_info']->address_2);
+ $data['person_info']->city = Services::htmlPurifier()->purify($data['person_info']->city);
+ $data['person_info']->state = Services::htmlPurifier()->purify($data['person_info']->state);
+ $data['person_info']->zip = Services::htmlPurifier()->purify($data['person_info']->zip);
+ $data['person_info']->country = Services::htmlPurifier()->purify($data['person_info']->country);
+ $data['person_info']->comments = Services::htmlPurifier()->purify($data['person_info']->comments);
+
+ $data['person_info']->company_name = Services::htmlPurifier()->purify($data['person_info']->company_name);
+
+ return $data;
+ }
 }
diff --git a/app/Controllers/Employees.php b/app/Controllers/Employees.php
index 4b5542ca7..c75bdbc27 100644
--- a/app/Controllers/Employees.php
+++ b/app/Controllers/Employees.php
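Review bot: sanitizeCustomerData() purifies a hand-picked list of properties but leaves `email` and `phone_number` untouched even though the customer form renders both, so the allowlist is already incomplete on the day it lands and will drift further as fields are added. HTML Purifier is an HTML allowlist filter, not a context-aware escaper: it keeps permitted markup and is not designed for values that end up inside JavaScript or single-quoted attributes, so `customers/form` still owes an `esc()` with the right context at every output point; the docblock should say so instead of the vague "not meant to replace CI4 sanitization", e.g. `* Defence in depth only: the view must still esc() each value for its output context.`. The `@param`/`@return` text was copied from the attribute helper and should read `Customer form data to sanitize.` and `Sanitized customer form data.`. Because `$data['person_info']` is an object, the assignments mutate the caller's object in place as well as the returned array; either document that or `clone` before purifying.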
@@ -27,7 +27,7 @@ class Employees extends Persons
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -52,7 +52,7 @@ class Employees extends Persons
 */
 public function getSuggest(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->employee->get_search_suggestions($search, 25, true);
 echo json_encode($suggestions);
@@ -63,7 +63,7 @@ class Employees extends Persons
 */
 public function suggest_search(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->employee->get_search_suggestions($search);
 echo json_encode($suggestions);
diff --git a/app/Controllers/Expenses.php b/app/Controllers/Expenses.php
index 7c037123b..2135df26f 100644
--- a/app/Controllers/Expenses.php
+++ b/app/Controllers/Expenses.php
@@ -45,7 +45,7 @@ class Expenses extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Expenses_categories.php b/app/Controllers/Expenses_categories.php
index e2a965e30..e12d801ef 100644
--- a/app/Controllers/Expenses_categories.php
+++ b/app/Controllers/Expenses_categories.php
@@ -31,7 +31,7 @@ class Expenses_categories extends Secure_Controller //TODO: Is this class ever u
 **/
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Giftcards.php b/app/Controllers/Giftcards.php
index 61dc2a4f4..770be9baa 100644
--- a/app/Controllers/Giftcards.php
+++ b/app/Controllers/Giftcards.php
@@ -32,7 +32,7 @@ class Giftcards extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -58,7 +58,7 @@ class Giftcards extends Secure_Controller
 */
 public function getSuggest(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->giftcard->get_search_suggestions($search, true);
 echo json_encode($suggestions);
@@ -69,7 +69,7 @@ class Giftcards extends Secure_Controller
 */
 public function suggest_search(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->giftcard->get_search_suggestions($search);
 echo json_encode($suggestions);
diff --git a/app/Controllers/Item_kits.php b/app/Controllers/Item_kits.php
index 6628e423a..f64e5bd2c 100644
--- a/app/Controllers/Item_kits.php
+++ b/app/Controllers/Item_kits.php
@@ -76,7 +76,7 @@ class Item_kits extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search')) ?? '';
+ $search = $this->request->getGet('search') ?? '';
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -101,7 +101,7 @@ class Item_kits extends Secure_Controller
 */
 public function suggest_search(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->item_kit->get_search_suggestions($search);
 echo json_encode($suggestions);
diff --git a/app/Controllers/Items.php b/app/Controllers/Items.php
index bd0ae269d..b95e0d081 100644
--- a/app/Controllers/Items.php
+++ b/app/Controllers/Items.php
@@ -94,7 +94,7 @@ class Items extends Secure_Controller
 **/
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -182,7 +182,7 @@ class Items extends Secure_Controller
 'is_deleted' => $this->request->getPost('is_deleted') !== null
 ];
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->item->get_search_suggestions($search, $options);
 echo json_encode($suggestions);
@@ -195,7 +195,7 @@ class Items extends Secure_Controller
 */
 public function getSuggest(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->item->get_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);
 echo json_encode($suggestions);
@@ -267,7 +267,7 @@ class Items extends Secure_Controller
 * @param int $item_id
 * @return void
 */
- public function getView(int $item_id = NEW_ENTRY): void //TODO: Super long function. Perhaps we need to refactor out some methods.
+ public function getView(int $item_id = NEW_ENTRY): void //TODO: Long function. Perhaps we need to refactor out some methods.
 {
 // Set default values
 if($item_id == null) $item_id = NEW_ENTRY;
@@ -277,8 +277,7 @@ class Items extends Secure_Controller
 $data = [];
 }
- //allow_temp_items is set in the index function of items.php or sales.php
- $data['allow_temp_item'] = $this->session->get('allow_temp_items');
+ $data['allow_temp_item'] = $this->session->get('allow_temp_items'); //allow_temp_items is set in the index function of items.php or sales.php
 $data['item_tax_info'] = $this->item_taxes->get_info($item_id);
 $data['default_tax_1_rate'] = '';
 $data['default_tax_2_rate'] = '';
@@ -316,7 +315,7 @@ class Items extends Secure_Controller
 $item_info->receiving_quantity = 1;
 $item_info->reorder_level = 1;
- $item_info->item_type = ITEM; //Standard
+ $item_info->item_type = ITEM; //Standard
 $item_info->item_id = $item_id;
 $item_info->stock_type = HAS_STOCK;
 $item_info->tax_category_id = null;
@@ -328,7 +327,6 @@ class Items extends Secure_Controller
 $item_info->tax_category_id = $this->config['default_tax_category'];
 }
 }
-
 $data['standard_item_locked'] = (
 $data['item_kit_disabled']
 && $item_info->item_type == ITEM_KIT
@@ -348,14 +346,9 @@ class Items extends Secure_Controller
 $data['suppliers'] = $suppliers;
 $data['selected_supplier'] = $item_info->supplier_id;
- if($data['include_hsn']) //TODO: Transform this to ternary notation
- {
- $data['hsn_code'] = $item_info->hsn_code;
- }
- else
- {
- $data['hsn_code'] = '';
- }
+ $data['hsn_code'] = $data['include_hsn']
+ ? $item_info->hsn_code
+ : '';
 if($use_destination_based_tax)
 {
@@ -428,7 +421,9 @@ class Items extends Secure_Controller
 $data['selected_low_sell_item'] = '';
 }
- echo view('items/form', $data);
+ $sanitized_data = $this->sanitizeItemData($data);
+
+ echo view('items/form', $sanitized_data);
 }
 /**
@@ -555,7 +550,9 @@ class Items extends Secure_Controller
 unset($data['definition_names'][$definition_id]);
 }
- echo view('attributes/item', $data);
+ $sanitized_data = $this->sanitizeAttributeData($data);
+
+ echo view('attributes/item', $sanitized_data);
 }
 /**
@@ -1443,4 +1440,40 @@ class Items extends Secure_Controller
 }
 }
 }
+
+ /**
+ * Sanitizes unsafe data prior to sending it to the view.
+ * This is not meant to replace CI4 sanitization.
+ *
+ * @param array $data
+ * @return array
+ */
+ private function sanitizeItemData(array $data): array
+ {
+ $data['item_info']->category = Services::htmlPurifier()->purify($data['item_info']->category);
+ $data['item_info']->item_number = Services::htmlPurifier()->purify($data['item_info']->item_number);
+ $data['item_info']->description = Services::htmlPurifier()->purify($data['item_info']->description);
+
+ return $data;
+ }
+
+ /**
+ * Sanitizes TEXT type attribute values to remove unsafe HTML tags and javascript.
+ * This is not meant to replace CI4 sanitization.
+ *
+ * @param array $data Attribute data to sanitize.
+ * @return array Sanitized Attribute data.
+ */
+ private function sanitizeAttributeData(array $data): array
+ {
+ foreach($data['definition_values'] as $definition_id => &$definition_values)
+ {
+ if($definition_values['definition_type'] === 'TEXT')
+ {
+ $definition_values['attribute_value']->attribute_value = Services::htmlPurifier()->purify($definition_values['attribute_value']->attribute_value);
+ }
+ }
+
+ return $data;
+ }
 }
diff --git a/app/Controllers/Persons.php b/app/Controllers/Persons.php
index f0fb365ad..d8e0a0b18 100644
--- a/app/Controllers/Persons.php
+++ b/app/Controllers/Persons.php
@@ -35,7 +35,7 @@ abstract class Persons extends Secure_Controller
 */
 public function getSuggest(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->person->get_search_suggestions($search);
 echo json_encode($suggestions);
diff --git a/app/Controllers/Receivings.php b/app/Controllers/Receivings.php
index e870aec58..74b9e31df 100644
--- a/app/Controllers/Receivings.php
+++ b/app/Controllers/Receivings.php
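Review bot: sanitizeItemData() purifies `category`, `item_number` and `description` but not `name`, while get_item_data_row() in tabular_helper.php (same patch) does purify `name`; an item whose name carries markup is therefore cleaned in the listing but reaches `items/form` raw, so add `$data['item_info']->name = Services::htmlPurifier()->purify($data['item_info']->name);` alongside the other three. In sanitizeAttributeData() the `foreach` iterates by reference and the reference is never released; add `unset($definition_values);` after the loop so the last element of `$data['definition_values']` is not left as a dangling reference inside the returned array. The `->attribute_value` dereference also assumes `$definition_values['attribute_value']` is an object for every TEXT definition — if a TEXT attribute has no stored value for a new item (presumably possible, verify against the caller) this reads a property of null — so guard with `isset($definition_values['attribute_value']->attribute_value)` before purifying. Both docblocks repeat "not meant to replace CI4 sanitization"; say the actionable thing instead, that the view must still `esc()` every value for its output context.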
@@ -61,7 +61,7 @@ class Receivings extends Secure_Controller
 */
 public function getItemSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('term'));
+ $search = $this->request->getGet('term');
 $suggestions = $this->item->get_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);
 $suggestions = array_merge($suggestions, $this->item_kit->get_search_suggestions($search));
@@ -76,7 +76,7 @@ class Receivings extends Secure_Controller
 */
 public function getStockItemSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('term'));
+ $search = $this->request->getGet('term');
 $suggestions = $this->item->get_stock_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);
 $suggestions = array_merge($suggestions, $this->item_kit->get_search_suggestions($search));
diff --git a/app/Controllers/Sales.php b/app/Controllers/Sales.php
index 94591f393..03fb37541 100644
--- a/app/Controllers/Sales.php
+++ b/app/Controllers/Sales.php
@@ -186,7 +186,7 @@ class Sales extends Secure_Controller
 {
 $suggestions = [];
 $receipt = $search = $this->request->getGet('term') != ''
- ? Services::htmlPurifier()->purify($this->request->getGet('term'))
+ ? $this->request->getGet('term')
 : null;
 if($this->sale_lib->get_mode() == 'return' && $this->sale->is_valid_receipt($receipt))
@@ -206,7 +206,7 @@ class Sales extends Secure_Controller
 public function suggest_search(): void
 {
 $search = $this->request->getPost('term') != ''
- ? Services::htmlPurifier()->purify($this->request->getPost('term'))
+ ? $this->request->getPost('term')
 : null;
 $suggestions = $this->sale->get_search_suggestions($search);
diff --git a/app/Controllers/Suppliers.php b/app/Controllers/Suppliers.php
index d436b5c17..02c4c3592 100644
--- a/app/Controllers/Suppliers.php
+++ b/app/Controllers/Suppliers.php
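Review bot: Both rewritten ternaries in Sales.php still hinge on the loose `!= ''` comparison of the surrounding context line, even though this patch elsewhere swaps `==` for `===` specifically to avoid type juggling; the request value is also read twice, so the guard and the value could in principle come from different calls. A strict, single-read form that keeps the same `null` result for a missing or empty term is `$term = $this->request->getGet('term'); $receipt = $search = ($term !== null && $term !== '') ? $term : null;` (and the `getPost` equivalent in suggest_search()). Note that `!== ''` alone would not be equivalent, because `null !== ''` is true and would turn a missing parameter into a `null` receipt lookup by a different path. Both enclosing methods continue outside the hunk.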
@@ -45,7 +45,7 @@ class Suppliers extends Persons
 **/
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -71,7 +71,7 @@ class Suppliers extends Persons
 **/
 public function getSuggest(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('term'));
+ $search = $this->request->getGet('term');
 $suggestions = $this->supplier->get_search_suggestions($search, true);
 echo json_encode($suggestions);
@@ -82,7 +82,7 @@ class Suppliers extends Persons
 */
 public function suggest_search(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->supplier->get_search_suggestions($search, false);
 echo json_encode($suggestions);
diff --git a/app/Controllers/Tax_categories.php b/app/Controllers/Tax_categories.php
index 5b417369b..39e3c6600 100644
--- a/app/Controllers/Tax_categories.php
+++ b/app/Controllers/Tax_categories.php
@@ -36,7 +36,7 @@ class Tax_categories extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Tax_codes.php b/app/Controllers/Tax_codes.php
index 24e48ee23..7226d0501 100644
--- a/app/Controllers/Tax_codes.php
+++ b/app/Controllers/Tax_codes.php
@@ -46,7 +46,7 @@ class Tax_codes extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Tax_jurisdictions.php b/app/Controllers/Tax_jurisdictions.php
index f094b833b..28b1d49ad 100644
--- a/app/Controllers/Tax_jurisdictions.php
+++ b/app/Controllers/Tax_jurisdictions.php
@@ -39,7 +39,7 @@ class Tax_jurisdictions extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Controllers/Taxes.php b/app/Controllers/Taxes.php
index 0f9b8de7d..6c519a916 100644
--- a/app/Controllers/Taxes.php
+++ b/app/Controllers/Taxes.php
@@ -83,7 +83,7 @@ class Taxes extends Secure_Controller
 */
 public function getSearch(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+ $search = $this->request->getGet('search');
 $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 $sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -107,7 +107,7 @@ class Taxes extends Secure_Controller
 */
 public function suggest_search(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->tax->get_search_suggestions($search); //TODO: There is no get_search_suggestions function in the tax model
 echo json_encode($suggestions);
@@ -120,7 +120,7 @@ class Taxes extends Secure_Controller
 */
 public function suggest_tax_categories(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+ $search = $this->request->getPost('term');
 $suggestions = $this->tax_category->get_tax_category_suggestions($search);
 echo json_encode($suggestions);
@@ -461,7 +461,7 @@ class Taxes extends Secure_Controller
 */
 public function getSuggestTaxCodes(): void
 {
- $search = Services::htmlPurifier()->purify($this->request->getPostGet('term'));
+ $search = $this->request->getPostGet('term');
 $suggestions = $this->tax_code->get_tax_codes_search_suggestions($search);
 echo json_encode($suggestions);
diff --git a/app/Helpers/security_helper.php b/app/Helpers/security_helper.php
index 97cda041f..b8af69438 100644
--- a/app/Helpers/security_helper.php
+++ b/app/Helpers/security_helper.php
@@ -1,6 +1,7 @@ purify($data); + } + + return $data; +}
diff --git a/app/Helpers/tabular_helper.php b/app/Helpers/tabular_helper.php
index a618ceabe..39ad5dc1e 100644
--- a/app/Helpers/tabular_helper.php
+++ b/app/Helpers/tabular_helper.php
@@ -7,6 +7,7 @@ use App\Models\Tax_category;
 use CodeIgniter\Database\ResultInterface;
 use CodeIgniter\Session\Session;
 use Config\OSPOS;
+use Config\Services;
 /**
 * Tabular views helper
@@ -281,7 +282,7 @@ function get_customer_data_row(object $person, object $stats): array
 return [
 'people.person_id' => $person->person_id,
 'last_name' => $person->last_name,
- 'first_name' => $person->first_name,
+ 'first_name' => Services::htmlPurifier()->purify($person->first_name),
 'email' => empty($person->email) ? '' : mailto($person->email, $person->email),
 'phone_number' => $person->phone_number,
 'total' => to_currency($stats->total),
@@ -447,7 +448,8 @@ function get_item_data_row(object $item): array
 {
 $tax_percents .= to_tax_decimals($tax_info['percent']) . '%, ';
 }
- // remove ', ' from last item //TODO: if this won't be added back into the code then it should be deleted.
+
+ // remove ', ' from last item
 $tax_percents = substr($tax_percents, 0, -2);
 $tax_percents = !$tax_percents ? '-' : $tax_percents;
 }
@@ -455,7 +457,7 @@ function get_item_data_row(object $item): array
 $controller = get_controller();
 $image = null;
- if($item->pic_filename != '') //TODO: !== ?
+ if(!empty($item->pic_filename))
 {
 $ext = pathinfo($item->pic_filename, PATHINFO_EXTENSION);
@@ -478,10 +480,10 @@ function get_item_data_row(object $item): array
 $columns = [
 'items.item_id' => $item->item_id,
- 'item_number' => $item->item_number,
- 'name' => $item->name,
- 'category' => $item->category,
- 'company_name' => $item->company_name,
+ 'item_number' => Services::htmlPurifier()->purify($item->item_number),
+ 'name' => Services::htmlPurifier()->purify($item->name),
+ 'category' => Services::htmlPurifier()->purify($item->category),
+ 'company_name' => Services::htmlPurifier()->purify($item->company_name), //TODO: This isn't in the items table. Should this be here?
 'cost_price' => to_currency($item->cost_price),
 'unit_price' => to_currency($item->unit_price),
 'quantity' => to_quantity_decimals($item->quantity),
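Review bot: get_customer_data_row() now purifies `first_name` but still returns `last_name` and `phone_number` raw, and `email` is passed straight into `mailto($person->email, $person->email)`, which builds an anchor from the stored value; unless that helper escapes its arguments (verify against the CodeIgniter `url` helper in use), a `"` or `<` stored in an address lands in the table markup unfiltered, so the fix is half-applied to the row it targets. Apply the same treatment to the sibling fields — `'last_name' => Services::htmlPurifier()->purify($person->last_name),` and `'phone_number' => Services::htmlPurifier()->purify($person->phone_number),` — or resolve the TODO left in Customers::getSearch() by sanitising the whole `$person` once before it reaches this helper. In get_item_data_row(), `!empty($item->pic_filename)` also treats the string `'0'` as "no image", which the replaced `!= ''` did not; `$item->pic_filename !== null && $item->pic_filename !== ''` keeps the old behaviour with the strict comparison the old TODO asked for. Both functions continue outside the hunk.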
@@ -649,6 +651,11 @@ function expand_attribute_values(array $definition_names, array $row): array
 if(isset($indexed_values[$definition_id]))
 {
 $attribute_value = $indexed_values[$definition_id];
+ if(is_string($attribute_value))
+ {
+ $attribute_value = Services::htmlPurifier()->purify($attribute_value);
+ }
+
 $attribute_values["$definition_id"] = $attribute_value;
 }
 }
diff --git a/app/Models/Customer.php b/app/Models/Customer.php
index e5bca7688..e9cebb1b0 100644
--- a/app/Models/Customer.php
+++ b/app/Models/Customer.php
@@ -97,14 +97,9 @@ class Customer extends Person
 $builder->where('customers.person_id', $person_id);
 $query = $builder->get();
- if($query->getNumRows() == 1) //TODO: ===
- {
- return $query->getRow();
- }
- else
- {
- return $this->getEmptyObject('customers');
- }
+ return $query->getNumRows() === 1
+ ? $query->getRow()
+ : $this->getEmptyObject('customers');
 }
 /**
diff --git a/app/Models/Giftcard.php b/app/Models/Giftcard.php
index ffd50d079..30fede220 100644
--- a/app/Models/Giftcard.php
+++ b/app/Models/Giftcard.php
@@ -360,11 +360,14 @@ class Giftcard extends Model
 }
 /**
- * Gets gift card customer
+ * Gets gift card customer_id by gift card number
+ *
+ * @param string $giftcard_number Gift card number
+ * @return int The customer_id of the gift card if it exists, 0 otherwise.
 */
 public function get_giftcard_customer(string $giftcard_number): int
 {
- if( !$this->exists($this->get_giftcard_id($giftcard_number)) )
+ if(!$this->exists($this->get_giftcard_id($giftcard_number)))
 {
 return 0;
 }
diff --git a/app/Models/Item.php b/app/Models/Item.php
index 786555f69..9f88b5185 100644
--- a/app/Models/Item.php
+++ b/app/Models/Item.php
@@ -202,14 +202,10 @@ class Item extends Model
 $builder->where('location_id', $filters['stock_location_id']);
 }
- if(empty($config['date_or_time_format'])) //TODO: This needs to be replaced with Ternary notation
- {
- $builder->where('DATE_FORMAT(trans_date, "%Y-%m-%d") BETWEEN ' . $this->db->escape($filters['start_date']) . ' AND ' . $this->db->escape($filters['end_date']));
- }
- else
- {
- $builder->where('trans_date BETWEEN ' . $this->db->escape(rawurldecode($filters['start_date'])) . ' AND ' . $this->db->escape(rawurldecode($filters['end_date'])));
- }
+ $where = empty($config['date_or_time_format'])
+ ? 'DATE_FORMAT(trans_date, "%Y-%m-%d") BETWEEN ' . $this->db->escape($filters['start_date']) . ' AND ' . $this->db->escape($filters['end_date'])
+ : 'trans_date BETWEEN ' . $this->db->escape(rawurldecode($filters['start_date'])) . ' AND ' . $this->db->escape(rawurldecode($filters['end_date']));
+ $builder->where($where);
 $attributes_enabled = count($filters['definition_ids']) > 0;
diff --git a/package-lock.json b/package-lock.json
index 4f7ee8a01..f9e27a907 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@
 "bootstrap-datetime-picker": "2.4.4",
 "bootstrap-notify": "^3.1.3",
 "bootstrap-select": "^1.13.18",
- "bootstrap-table": "^1.22.4",
+ "bootstrap-table": "^1.23.2",
 "bootstrap-tagsinput-2021": "^0.8.6",
 "bootstrap-toggle": "^2.2.2",
 "bootstrap3-dialog": "github:nakupanda/bootstrap3-dialog#master",
@@ -1185,9 +1185,10 @@
 }
 },
 "node_modules/bootstrap-table": {
- "version": "1.22.5",
- "resolved": "https://registry.npmjs.org/bootstrap-table/-/bootstrap-table-1.22.5.tgz",
- "integrity": "sha512-iaQBfZzNuMRVughNYdonPGvgL6A7xfsruqYKaSuDuUWqQDTt8WvTBVwV61XiDv2aks7RaAQoZhoi2jo9nF6U7w==",
+ "version": "1.23.2",
+ "resolved": "https://registry.npmjs.org/bootstrap-table/-/bootstrap-table-1.23.2.tgz",
+ "integrity": "sha512-1IFiWFZzbKlleXgYEHdwHkX6rxlQMEx2N1tA8rJK/j08pI+NjIGnxFeXUL26yQLQ0U135eis/BX3OV1+anY25g==",
+ "license": "MIT",
 "peerDependencies": {
 "jquery": "3"
 }
diff --git a/package.json b/package.json
index 6a20aef04..7c52a944e 100644
--- a/package.json
+++ b/package.json
@@ -28,7 +28,7 @@
 "bootstrap-datetime-picker": "2.4.4",
 "bootstrap-notify": "^3.1.3",
 "bootstrap-select": "^1.13.18",
- "bootstrap-table": "^1.22.4",
+ "bootstrap-table": "^1.23.2",
 "bootstrap-tagsinput-2021": "^0.8.6",
 "bootstrap-toggle": "^2.2.2",
 "bootstrap3-dialog": "github:nakupanda/bootstrap3-dialog#master",