mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-30 21:05:46 -04:00
XSS mitigation features (#4041)
* Remove HtmlPurifier calls
  - All calls to Services::htmlPurifier()->purify() removed from data received from view.
  - Bootstrap and bootswatch bump in package-lock.json

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Items Controller
  - Refactored code for clarity
  - Created and called sanitization functions.
  - Sanitize TEXT type Attributes before being sent to the view.

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Customers Controller
  - Refactored code for clarity
  - Replaced == with === operator to prevent type juggling
  - Added Sanitization of Customer data before being sent to the view

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Bump bootstrap-table to 1.23.1
  - Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
  - Sanitize attribute data in tables
  - Sanitize item data with controller function.

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Items Controller
  - Refactored code for clarity
  - Created and called sanitization functions.
  - Sanitize TEXT type Attributes before being sent to the view.

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Sanitize Item data
  - Sanitize category and item_number before display in forms.
  - Refactor check in pic_filename for empty to be best practices compliant.
  - Added TODO

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Minor changes
  - Refactored for code clarity.
  - Removed extra blank lines.
  - Minor reformatting.
  - Added PHPdocs
  - Bumped bootstrap-table to 1.23.2

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Items Controller
  - Refactored code for clarity
  - Created and called sanitization functions.
  - Sanitize TEXT type Attributes before being sent to the view.

  Signed-off-by: objecttothis <objecttothis@gmail.com>

* Sanitize Item data
  - Sanitize category and item_number before display in forms.
  - Refactor check in pic_filename for empty to be best practices compliant.
  - Added TODO

  Signed-off-by: objecttothis <objecttothis@gmail.com>

---------

Signed-off-by: objecttothis <objecttothis@gmail.com>
Co-authored-by: objecttothis <objecttothis@gmail.com>
@@ -32,7 +32,7 @@ class Giftcards extends Secure_Controller
*/
public function getSearch(): void
{
$search = Services::htmlPurifier()->purify($this->request->getGet('search'));
$search = $this->request->getGet('search');
$limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
$offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
$sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
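Review bot: With the purify() call dropped, `$search` in getSearch() is now taken from the request with no filtering at all, while `sort` on the lines just below it is still passed through FILTER_SANITIZE_FULL_SPECIAL_CHARS, and this hunk shows only the assignment, not where the term is consumed or echoed back. The stated intent of the series is to move escaping to just before the view, so please point to (or add) the output-side escaping for the giftcard search results, and confirm the model receives `$search` as a bound query parameter rather than interpolated SQL. If `search` is deliberately left unfiltered so that terms containing `&`, `<` or quotes still match stored values, a one-line note in the PHPdoc above getSearch() saying so would stop the next maintainer from re-adding the purifier.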
@@ -58,7 +58,7 @@ class Giftcards extends Secure_Controller
*/
public function getSuggest(): void
{
$search = Services::htmlPurifier()->purify($this->request->getPost('term'));
$search = $this->request->getPost('term');
$suggestions = $this->giftcard->get_search_suggestions($search, true);
echo json_encode($suggestions);
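Review bot: The raw `term` value now goes straight into `$this->giftcard->get_search_suggestions($search, true)` and the result leaves via a bare `echo json_encode($suggestions)`. json_encode() makes the body safe as JSON, not as HTML, so reflected-XSS protection for this endpoint now rests entirely on the client inserting suggestion labels as text rather than markup; please confirm the autocomplete code does that, or escape the labels before encoding. Consider also returning through `$this->response->setJSON($suggestions)` so the response carries an application/json Content-Type instead of the default text/html, which keeps a browser from rendering an echoed term as markup if the URL is opened directly.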
@@ -69,7 +69,7 @@ class Giftcards extends Secure_Controller
*/
public function suggest_search(): void
{
$search = Services::htmlPurifier()->purify($this->request->getPost('term'));
$search = $this->request->getPost('term');
$suggestions = $this->giftcard->get_search_suggestions($search);
echo json_encode($suggestions);
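Review bot: suggest_search() is now line-for-line identical to getSuggest() above except that it omits the second argument to get_search_suggestions(), and the same json_encode / Content-Type comment applies to its `echo json_encode($suggestions)`. Two public endpoints with duplicate bodies double the surface that has to be kept in sync whenever the sanitization strategy changes again, as it does in this PR; consider having one delegate to the other, or at least document in the PHPdoc why both exist and what the boolean flag changes, so a future fix is not applied to one and missed on the other.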