mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-04-04 15:13:40 -04:00
XSS mitigation features (#4041)
* Remove HtmlPurifier calls
  - All calls to Services::htmlPurifier()->purify() removed from data received from view.
  - Bootstrap and bootswatch bump in package-lock.json
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
  - Refactored code for clarity
  - Created and called sanitization functions.
  - Sanitize TEXT type Attributes before being sent to the view.
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Customers Controller
  - Refactored code for clarity
  - Replaced == with === operator to prevent type juggling
  - Added Sanitization of Customer data before being sent to the view
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Bump bootstrap-table to 1.23.1
  - Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
  - Sanitize attribute data in tables
  - Sanitize item data with controller function.
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
  - Refactored code for clarity
  - Created and called sanitization functions.
  - Sanitize TEXT type Attributes before being sent to the view.
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Sanitize Item data
  - Sanitize category and item_number before display in forms.
  - refactor check in pic_filename for empty to be best practices compliant.
  - Added TODO
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Minor changes
  - Refactored for code clarity.
  - Removed extra blank lines.
  - Minor reformatting.
  - Added PHPdocs
  - bumped bootstrap-table to 1.23.2
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
  - Refactored code for clarity
  - Created and called sanitization functions.
  - Sanitize TEXT type Attributes before being sent to the view.
  Signed-off-by: objecttothis <objecttothis@gmail.com>
* Sanitize Item data
  - Sanitize category and item_number before display in forms.
  - refactor check in pic_filename for empty to be best practices compliant.
  - Added TODO
  Signed-off-by: objecttothis <objecttothis@gmail.com>

---------

Signed-off-by: objecttothis <objecttothis@gmail.com>
Co-authored-by: objecttothis <objecttothis@gmail.com>
@@ -186,7 +186,7 @@ class Sales extends Secure_Controller
{
$suggestions = [];
$receipt = $search = $this->request->getGet('term') != ''
? Services::htmlPurifier()->purify($this->request->getGet('term'))
? $this->request->getGet('term')
: null;
if($this->sale_lib->get_mode() == 'return' && $this->sale->is_valid_receipt($receipt))
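Review bot: with the `Services::htmlPurifier()->purify()` call dropped, the raw `term` query value now flows unchanged into `$this->sale->is_valid_receipt($receipt)` and into the suggestion lookup, so this hunk is only safe if `is_valid_receipt` binds the value as a query parameter and the suggestions are HTML-escaped at the point where they are rendered; neither is visible in this hunk, so the PR description should point to where that output-side escaping happens (the "pre-view filtering" the commit message describes). Minor: the guard still uses loose `!= ''` although the commit message says `==` was replaced with `===` elsewhere in the PR, so `!== ''` would be consistent, and `$this->request->getGet('term')` could be read once into a local instead of being called twice.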
@@ -206,7 +206,7 @@ class Sales extends Secure_Controller
public function suggest_search(): void
{
$search = $this->request->getPost('term') != ''
? Services::htmlPurifier()->purify($this->request->getPost('term'))
? $this->request->getPost('term')
: null;
$suggestions = $this->sale->get_search_suggestions($search);
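Review bot: in `suggest_search()` the unpurified POST `term` is now handed straight to `$this->sale->get_search_suggestions($search)`, and the suggestions this method returns are the values the autocomplete widget echoes back to the browser, so the XSS protection that `purify()` used to provide on the way in now has to be provided on the way out, either by the model's escaping or by the JSON/HTML encoding of the response; since neither is in this hunk, a reference to the escaping path for `get_search_suggestions()` results would make the change reviewable. Same consistency nit as the GET variant: `!= ''` could become `!== ''`, and `$this->request->getPost('term')` is evaluated twice where one local would do.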