mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-03-26 02:43:03 -04:00
Code Issues Packages Projects Releases Wiki Activity
6,599 Commits 66 Branches 38 Tags
master
Commit Graph

116 Commits

Author SHA1 Message Date
jekkos
bafe3ddf1b Fix stored XSS vulnerability in Attribute Definitions (GHSA-rvfg-ww4r-rwqf) (#4429) 
* Fix stored XSS vulnerability in Attribute Definitions

GHSA-rvfg-ww4r-rwqf: Stored XSS via Attribute Definition Name

Security Impact:
- Authenticated users with attribute management permission can inject XSS payloads
- Payloads execute when viewing/editing attributes in admin panel
- Can steal session cookies, perform CSRF attacks, or compromise admin operations

Root Cause:
1. Input: Attributes.php postSaveDefinition() accepts definition_name without sanitization
2. Output: Views echo definition_name without proper escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to definition_name and definition_unit
- Output escaping: Added esc() wrapper when displaying definition_name in views
- Defense-in-depth: htmlspecialchars on attribute values saved to database

Files Changed:
- app/Controllers/Attributes.php - Sanitize inputs on save
- app/Views/attributes/form.php - Escape output on display
- app/Views/attributes/item.php - Escape output on display

* Remove input sanitization, keep output escaping only

Use escaping on output (esc() in views) as the sole XSS prevention
measure instead of sanitizing on input. This preserves the original
data in the database while still protecting against XSS attacks.

* Add validation for definition_fk foreign key in attribute definitions

Validate definition_group input before saving:
- Must be a positive integer (> 0)
- Must exist in attribute_definitions table
- Must be of type GROUP to ensure data integrity

Also add translation for definition_invalid_group error message
in all 45 language files (English placeholder for translations).

* Refactor definition_fk validation into single conditional statement

* Add esc() to attribute value outputs for XSS protection

- Add esc() to TEXT input value in item.php
- Add esc() to definition_unit in form.php

These fields display user-provided content and need output escaping
to prevent stored XSS attacks.

* Refactor definition_group validation into separate method

Extract validation logic for definition_fk into validateDefinitionGroup()
private method to improve code readability and reduce method complexity.

Returns:
- null if input is empty (no group selected)
- false if validation fails (invalid group)
- integer ID if valid

* Add translations for definition_invalid_group in all languages

- Added proper translations for 28 languages (de, es, fr, it, nl, pl, pt-BR, ru, tr, uk, th, zh-Hans, zh-Hant, ro, sv, vi, id, el, he, fa, hu, da, sw-KE, sw-TZ, ar-LB, ar-EG)
- Set empty string for 14 languages to fallback to English (cs, hr-HR, bg, bs, ckb, hy, km, lo, ml, nb, ta, tl, ur, az)

---------

Co-authored-by: Ollama <ollama@steganos.dev>
 2026-03-14 15:33:58 +00:00
Ollama
9a2b308647 Sync language files (#3468) 
- Add csv_import_invalid_location to Items.php for CSV import validation
- Add error_deleting_admin and error_updating_admin to Employees.php for admin protection messages

Strings added with empty values so they fallback to English and show as untranslated in Weblate.
 2026-03-09 07:45:19 +01:00
Lucas Lyimo
5c8905aa1b Language Array Key Typo Fix (#4371) 
* Fix typo in stock location translation

* Fix typo in stock location key

* Fix typo in Language Receivings files stock_location

* Add Swahili-TZ Language Files

* Add Swahili-KE Language Files
 2026-03-04 22:06:17 +01:00
Mohamed-Qadir
7ba60ba58b Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (38 of 38 strings)

Translation: opensourcepos/item_kits
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/item_kits/ckb/
 2025-05-10 02:04:32 +02:00
Mohamed-Qadir
64f34933c4 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (145 of 145 strings)

Translation: opensourcepos/reports
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/reports/ckb/
 2025-05-10 02:04:32 +02:00
Mohamed-Qadir
1c0442c4f6 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (68 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-10 02:04:32 +02:00
Mohamed-Qadir
8bc4ee3792 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (45 of 45 strings)

Translation: opensourcepos/module
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/module/ckb/
 2025-05-10 02:04:31 +02:00
Mohamed-Qadir
c200561eb5 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (117 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-10 02:04:19 +02:00
Mohamed-Qadir
a55d5b415e Translated using Weblate (Kurdish (Central)) 
Currently translated at 73.3% (33 of 45 strings)

Translation: opensourcepos/module
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/module/ckb/
 2025-05-09 19:33:42 +02:00
Mohamed-Qadir
f31d004fb7 Translated using Weblate (Kurdish (Central)) 
Currently translated at 55.2% (21 of 38 strings)

Translation: opensourcepos/item_kits
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/item_kits/ckb/
 2025-05-09 19:33:41 +02:00
Mohamed-Qadir
40e4ad3d38 Translated using Weblate (Kurdish (Central)) 
Currently translated at 35.8% (42 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-09 19:33:41 +02:00
Mohamed-Qadir
7658ca8dd2 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (68 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-09 19:33:41 +02:00
Mohamed-Qadir
f38272cb59 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (12 of 12 strings)

Translation: opensourcepos/login
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/login/ckb/
 2025-05-09 19:33:40 +02:00
Mohamed-Qadir
dca3cdeaf5 Translated using Weblate (Kurdish (Central)) 
Currently translated at 31.1% (14 of 45 strings)

Translation: opensourcepos/module
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/module/ckb/
 2025-05-09 19:11:03 +02:00
Mohamed-Qadir
41eb07caec Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (145 of 145 strings)

Translation: opensourcepos/reports
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/reports/ckb/
 2025-05-09 19:11:03 +02:00
Mohamed-Qadir
766c9bb0f2 Translated using Weblate (Kurdish (Central)) 
Currently translated at 33.3% (39 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-09 19:11:02 +02:00
Mohamed-Qadir
7113e1167c Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (55 of 55 strings)

Translation: opensourcepos/receivings
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/receivings/ckb/
 2025-05-09 19:11:02 +02:00
Mohamed-Qadir
eaeb9cb426 Translated using Weblate (Kurdish (Central)) 
Currently translated at 89.7% (61 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-09 19:11:01 +02:00
Mohamed-Qadir
1971519629 Translated using Weblate (Kurdish (Central)) 
Currently translated at 31.5% (12 of 38 strings)

Translation: opensourcepos/item_kits
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/item_kits/ckb/
 2025-05-09 19:11:00 +02:00
Mohamed-Qadir
b4e010dab8 Translated using Weblate (Kurdish (Central)) 
Currently translated at 33.8% (23 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-09 17:52:39 +02:00
Mohamed-Qadir
75e709d0b5 Translated using Weblate (Kurdish (Central)) 
Currently translated at 51.7% (75 of 145 strings)

Translation: opensourcepos/reports
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/reports/ckb/
 2025-05-09 17:52:39 +02:00
Mohamed-Qadir
605f550666 Translated using Weblate (Kurdish (Central)) 
Currently translated at 20.0% (9 of 45 strings)

Translation: opensourcepos/module
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/module/ckb/
 2025-05-09 17:52:38 +02:00
Mohamed-Qadir
bc55908af2 Translated using Weblate (Kurdish (Central)) 
Currently translated at 20.5% (24 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-09 17:52:38 +02:00
Mohamed-Qadir
707339f3b5 Translated using Weblate (Kurdish (Central)) 
Currently translated at 27.9% (19 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-09 16:40:06 +02:00
Mohamed-Qadir
d0bb7998a9 Translated using Weblate (Kurdish (Central)) 
Currently translated at 18.8% (22 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-09 16:40:06 +02:00
Mohamed-Qadir
c47ea659bc Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (12 of 12 strings)

Translation: opensourcepos/messages
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/messages/ckb/
 2025-05-09 16:40:06 +02:00
Mohamed-Qadir
9b8d6acb79 Translated using Weblate (Kurdish (Central)) 
Currently translated at 16.2% (19 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-07 22:48:28 +02:00
Mohamed-Qadir
640bdfd0f9 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (21 of 21 strings)

Translation: opensourcepos/suppliers
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/suppliers/ckb/
 2025-05-07 22:48:27 +02:00
Mohamed-Qadir
0ea4fcd474 Translated using Weblate (Kurdish (Central)) 
Currently translated at 42.0% (61 of 145 strings)

Translation: opensourcepos/reports
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/reports/ckb/
 2025-05-07 22:48:27 +02:00
Mohamed-Qadir
056add7979 Translated using Weblate (Kurdish (Central)) 
Currently translated at 11.7% (8 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-07 22:48:27 +02:00
Mohamed-Qadir
4577525566 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (19 of 19 strings)

Translation: opensourcepos/expenses_categories
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/expenses_categories/ckb/
 2025-05-07 22:48:27 +02:00
Mohamed-Qadir
75d4d894a4 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (41 of 41 strings)

Translation: opensourcepos/employees
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/employees/ckb/
 2025-05-07 22:48:27 +02:00
Mohamed-Qadir
e4b07125d6 Translated using Weblate (Kurdish (Central)) 
Currently translated at 89.4% (17 of 19 strings)

Translation: opensourcepos/expenses_categories
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/expenses_categories/ckb/
 2025-05-07 22:48:27 +02:00
Mohamed-Qadir
2d35346d16 Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (47 of 47 strings)

Translation: opensourcepos/expenses
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/expenses/ckb/
 2025-05-04 15:27:04 +02:00
Mohamed-Qadir
e0969a8c2b Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (20 of 20 strings)

Translation: opensourcepos/datepicker
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/datepicker/ckb/
 2025-05-03 23:45:43 +02:00
Mohamed-Qadir
965f3706da Translated using Weblate (Kurdish (Central)) 
Currently translated at 36.3% (20 of 55 strings)

Translation: opensourcepos/receivings
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/receivings/ckb/
 2025-05-03 23:45:00 +02:00
BudsieBuds
e83c23cf0c Improve code style and PSR-12 compliance (#4204) 
* Improve code style and PSR-12 compliance
- refactored code formatting to adhere to PSR-12 guidelines
- standardized coding conventions across the codebase
- added missing framework files and reverted markup changes
- reformatted arrays for enhanced readability
- updated language files for consistent styling and clarity
- minor miscellaneous improvements
 2025-05-02 19:37:06 +02:00
Mohamed-Qadir
1456feae58 Translated using Weblate (Kurdish (Central)) 
Currently translated at 75.0% (15 of 20 strings)

Translation: opensourcepos/datepicker
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/datepicker/ckb/
 2025-05-02 12:54:14 +02:00
Mohamed-Qadir
32c0b74e0a Translated using Weblate (Kurdish (Central)) 
Currently translated at 35.0% (7 of 20 strings)

Translation: opensourcepos/datepicker
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/datepicker/ckb/
 2025-05-02 12:05:16 +02:00
Mohamed-Qadir
9ecbe5770c Translated using Weblate (Kurdish (Central)) 
Currently translated at 100.0% (327 of 327 strings)

Translation: opensourcepos/config
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/config/ckb/
 2025-05-02 11:31:10 +02:00
Mohamed-Qadir
cedcbf459e Translated using Weblate (Kurdish (Central)) 
Currently translated at 41.6% (5 of 12 strings)

Translation: opensourcepos/messages
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/messages/ckb/
 2025-05-02 11:31:09 +02:00
Mohamed-Qadir
73df6db4f8 Translated using Weblate (Kurdish (Central)) 
Currently translated at 94.4% (309 of 327 strings)

Translation: opensourcepos/config
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/config/ckb/
 2025-05-02 10:55:23 +02:00
Mohamed-Qadir
b0e0b5b429 Translated using Weblate (Kurdish (Central)) 
Currently translated at 94.1% (308 of 327 strings)

Translation: opensourcepos/config
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/config/ckb/
 2025-05-02 10:50:44 +02:00
Mohamed-Qadir
36f41db6aa Translated using Weblate (Kurdish (Central)) 
Currently translated at 15.5% (7 of 45 strings)

Translation: opensourcepos/module
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/module/ckb/
 2025-05-02 10:50:44 +02:00
Mohamed-Qadir
a6c9011954 Translated using Weblate (Kurdish (Central)) 
Currently translated at 16.2% (19 of 117 strings)

Translation: opensourcepos/items
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/items/ckb/
 2025-05-02 10:50:43 +02:00
Mohamed-Qadir
9f19a15845 Translated using Weblate (Kurdish (Central)) 
Currently translated at 11.7% (8 of 68 strings)

Translation: opensourcepos/giftcards
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/giftcards/ckb/
 2025-05-02 10:50:34 +02:00
Mohamed-Qadir
c33bd9a868 Translated using Weblate (Kurdish (Central)) 
Currently translated at 26.3% (10 of 38 strings)

Translation: opensourcepos/item_kits
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/item_kits/ckb/
 2025-05-02 10:50:33 +02:00
Mohamed-Qadir
d4e775d252 Translated using Weblate (Kurdish (Central)) 
Currently translated at 42.0% (61 of 145 strings)

Translation: opensourcepos/reports
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/reports/ckb/
 2025-05-02 10:50:33 +02:00
Mohamed-Qadir
aeda461743 Translated using Weblate (Kurdish (Central)) 
Currently translated at 90.5% (296 of 327 strings)

Translation: opensourcepos/config
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/config/ckb/
 2025-05-02 10:39:47 +02:00
Mohamed-Qadir
c1c74279f1 Translated using Weblate (Kurdish (Central)) 
Currently translated at 32.4% (47 of 145 strings)

Translation: opensourcepos/reports
Translate-URL: https://translate.opensourcepos.org/projects/opensourcepos/reports/ckb/
 2025-05-02 10:39:46 +02:00