XSS mitigation features (#4041)

* Remove HtmlPurifier calls

- All calls to Services::htmlPurifier()->purify() removed from data received from view.
- Bootstrap and bootswatch bump in package-lock.json

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Items Controller

- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Customers Controller

- Refactored code for clarity
- Replaced == with === operator to prevent type juggling
- Added Sanitization of Customer data before being sent to the view

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Bump bootstrap-table to 1.23.1

- Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
- Sanitize attribute data in tables
- Sanitize item data with controller function.

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Items Controller

- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Sanitize Item data

- Sanitize category and item_number before display in forms.
- Refactor check in pic_filename for empty to be best-practices compliant.
- Added TODO

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Minor changes

- Refactored for code clarity.
- Removed extra blank lines.
- Minor reformatting.
- Added PHPdocs
- Bumped bootstrap-table to 1.23.2

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Pre-view filtering Items Controller

- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.

Signed-off-by: objecttothis <objecttothis@gmail.com>

* Sanitize Item data

- Sanitize category and item_number before display in forms.
- Refactor check in pic_filename for empty to be best-practices compliant.
- Added TODO

Signed-off-by: objecttothis <objecttothis@gmail.com>

---------

Signed-off-by: objecttothis <objecttothis@gmail.com>
Co-authored-by: objecttothis <objecttothis@gmail.com>
This commit is contained in:
jekkos
2024-08-26 09:35:56 +02:00
committed by GitHub
parent 402997f0da
commit f49d763254
25 changed files with 158 additions and 88 deletions


@@ -97,14 +97,9 @@ class Customer extends Person
$builder->where('customers.person_id', $person_id);
$query = $builder->get();
if($query->getNumRows() == 1) //TODO: ===
{
return $query->getRow();
}
else
{
return $this->getEmptyObject('customers');
}
return $query->getNumRows() === 1
? $query->getRow()
: $this->getEmptyObject('customers');
}
/**
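Review bot: the `=== 1` comparison and the ternary are fine, but the rewritten return still silently yields `getEmptyObject('customers')` when `getNumRows()` is greater than 1, so a duplicated `person_id` row in `customers` is indistinguishable from a missing customer; consider logging or asserting on the `> 1` case instead of folding it into the not-found path. The `//TODO: ===` comment is resolved by this hunk, and since `getNumRows()` returns an `int`, the strict comparison does not change behaviour for the single-row case.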


@@ -360,11 +360,14 @@ class Giftcard extends Model
}
/**
* Gets gift card customer
* Gets gift card customer_id by gift card number
*
* @param string $giftcard_number Gift card number
* @return int The customer_id of the gift card if it exists, 0 otherwise.
*/
public function get_giftcard_customer(string $giftcard_number): int
{
if( !$this->exists($this->get_giftcard_id($giftcard_number)) )
if(!$this->exists($this->get_giftcard_id($giftcard_number)))
{
return 0;
}
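Review bot: the docblock now states that 0 is returned when the gift card does not exist, which matches the early `return 0`, but 0 doubles as an in-band sentinel on an `int` return type, so every caller must compare against 0 explicitly; a nullable `?int` that returns `null` for the missing-card case would make the contract explicit and let static analysis flag callers that forget the check. The whitespace change inside `if(...)` is style only.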


@@ -202,14 +202,10 @@ class Item extends Model
$builder->where('location_id', $filters['stock_location_id']);
}
if(empty($config['date_or_time_format'])) //TODO: This needs to be replaced with Ternary notation
{
$builder->where('DATE_FORMAT(trans_date, "%Y-%m-%d") BETWEEN ' . $this->db->escape($filters['start_date']) . ' AND ' . $this->db->escape($filters['end_date']));
}
else
{
$builder->where('trans_date BETWEEN ' . $this->db->escape(rawurldecode($filters['start_date'])) . ' AND ' . $this->db->escape(rawurldecode($filters['end_date'])));
}
$where = empty($config['date_or_time_format'])
? 'DATE_FORMAT(trans_date, "%Y-%m-%d") BETWEEN ' . $this->db->escape($filters['start_date']) . ' AND ' . $this->db->escape($filters['end_date'])
: 'trans_date BETWEEN ' . $this->db->escape(rawurldecode($filters['start_date'])) . ' AND ' . $this->db->escape(rawurldecode($filters['end_date']));
$builder->where($where);
$attributes_enabled = count($filters['definition_ids']) > 0;
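Review bot: the two branches of the new ternary still treat their inputs differently: the time-format branch passes `$filters['start_date']` and `$filters['end_date']` through `rawurldecode()` before `$this->db->escape()`, while the date-only branch escapes them as received, so the same filter value is decoded on one code path and not the other; either both branches should decode or neither. Both branches also hand `$builder->where()` a raw SQL string assembled by concatenation, which relies entirely on `escape()` quoting each value correctly; the query builder's comparison form (e.g. `$builder->where('trans_date >=', $start)->where('trans_date <=', $end)`) would let it quote the values itself and make the intent clearer than a hand-built `BETWEEN`. The `//TODO` asking for ternary notation is resolved by this hunk.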