- Move admin modules list from is_admin method to ADMIN_MODULES constant
- Rename is_admin() to isAdmin() following CodeIgniter naming conventions
- Rename can_modify_employee() to canModifyEmployee() following conventions
- Update all callers in Employees controller and tests
Complete Content-Type application/json fix for all AJAX responses
- Add missing return statements to all ->response->setJSON() calls
- Fix Items.php method calls from JSON() to setJSON()
- Convert echo statements to proper JSON responses
- Ensure consistent Content-Type headers across all controllers
- Fix 46+ instances across 12 controller files
- Change Config.php methods to : ResponseInterface (all return setJSON only):
- postSaveRewards(), postSaveBarcode(), postSaveReceipt()
- postSaveInvoice(), postRemoveLogo()
- Update PHPDoc @return tags
- Change Receivings.php _reload() to : string (only returns view)
- Change Receivings.php methods to : string (all return _reload()):
- getIndex(), postSelectSupplier(), postChangeMode(), postAdd()
- postEditItem(), getDeleteItem(), getRemoveSupplier()
- postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving()
- Change postSave() to : ResponseInterface (returns setJSON)
- Update all PHPDoc @return tags
Fix XSS vulnerabilities in sales templates, login, and config pages
This commit addresses 5 XSS vulnerabilities by adding proper escaping
to all user-controlled configuration values in HTML contexts.
Fixed Files:
- app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML)
- app/Views/sales/work_order.php: Escaped company_logo (URL context)
- app/Views/sales/receipt_email.php: Added file path validation and escaping for logo
- app/Views/login.php: Escaped all config values in title, logo src, and alt
- app/Views/configs/info_config.php: Escaped company_logo (URL context)
Security Impact:
- Prevents stored XSS attacks if configuration is compromised
- Defense-in-depth principle applied to administrative interfaces
- Follows OWASP best practices for output encoding
Testing:
- Verified no script execution with XSS payloads in config values
- Confirmed proper escaping in HTML, URL, and file contexts
- All templates render correctly with valid configuration
Severity: High (4 files), Medium-High (1 file)
CVSS Score: ~6.1
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Fix critical password validation bypass and add unit tests
This commit addresses a critical security vulnerability where the password
minimum length check was performed on the HASHED password (always 60
characters for bcrypt) instead of the actual password before hashing.
Vulnerability Details:
- Original code: strlen($employee_data['password']) >= 8
- This compared the hash length (always 60) instead of raw password
- Impact: Users could set 1-character passwords like "a"
- Severity: Critical (enables brute force attacks on weak passwords)
- CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Fix Applied:
- Validate password length BEFORE hashing
- Clear error message when password is too short
- Added unit tests to verify minimum length enforcement
- Regression test to prevent future vulnerability re-introduction
Test Coverage:
- testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected
- testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted
- testPasswordMinLength_RejectsEmptyString: Verify empty rejected
- testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected
- testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK
- testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug
Files Modified:
- app/Controllers/Home.php: Fixed password validation logic
- tests/Controllers/HomeTest.php: Added comprehensive unit tests
Security Impact:
- Enforces 8-character minimum password policy
- Prevents extremely weak passwords that facilitate brute-force attacks
- Critical for credential security and user account protection
Breaking Changes:
- Users with passwords < 8 characters will need to reset their password
- This is the intended security improvement
Severity: Critical
CVSS Score: ~7.5
CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307
Add GitHub Actions workflow to run PHPUnit tests
Move business logic from views to controllers for better separation of concerns
- Move logo URL computation from info_config view to Config::getIndex()
- Move image base64 encoding from receipt_email view to Sales controller
- Improves separation of concerns by keeping business logic in controllers
- Simplifies view templates to only handle presentation
Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels
Fix base64 encoding URL issue in delete payment - properly URL encode base64 string
Fix remaining return type declarations for Sales controller
Fixed additional methods that call _reload():
- postAdd() - returns _reload($data)
- postAddPayment() - returns _reload($data)
- postEditItem() - returns _reload($data)
- postSuspend() - returns _reload($data)
- postSetPaymentType() - returns _reload()
All methods now return ResponseInterface|string to match _reload() signature.
This resolves PHP TypeError errors.
* Add show/hide cost price & profit feature
* .env should be ignored.
* js code formatted. .vscode folder ignore for vscode user settings.json
* style is replaced with bootstrap class, formatted and .env.example
* toggle button on table to like in other
* comment corrected.
* class re-factored
* minor refactor
* formatted with 4 space
---------
Co-authored-by: Lotussoft Youngtech <lotussoftyoungtech@gmail.com>
* Improve code style and PSR-12 compliance
- refactored code formatting to adhere to PSR-12 guidelines
- standardized coding conventions across the codebase
- added missing framework files and reverted markup changes
- reformatted arrays for enhanced readability
- updated language files for consistent styling and clarity
- minor miscellaneous improvements
* Replace tabs with spaces
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Composer package bumps
- Bump codeigniter4/framework to 4.6.0
- Bump codeIgniter/coding-standard to ^1.8
- Bump codeigniter4/devkit to ^1.3
- Updated framework files required by CI4.6.0
- Removed Deprecated variables
- Added new file in the repo from framework
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Reflect PHP 8.4 support
Updates for PHP 8.4 support introduced with the upgrade to CodeIgniter 4.6.x
* Update INSTALL.md
- Revert PHP 8.4 support for now.
- Removed extra space before comma
---------
Signed-off-by: objecttothis <objecttothis@gmail.com>
Co-authored-by: BudsieBuds <bas_hubers@hotmail.com>
- Added TODO
- Copied directives from .htaccess to the ContentSecurityPolicy.php config file.
- Left CSPEnabled set to false in App.php because there is currently no CSP3 support in CI4
- Added `img-src blob:` To Content-Security-Policy header to remove error.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
- Sanitize attribute data in tables
- Sanitize item data with controller function.
Signed-off-by: objecttothis <objecttothis@gmail.com>
Sanitize Item data
- Sanitize category and item_number before display in forms.
- refactor check in pic_filename for empty to be best practices compliant.
- Added TODO
Signed-off-by: objecttothis <objecttothis@gmail.com>
Minor changes
- Refactored for code clarity.
- Removed extra blank lines.
- Minor reformatting.
- Added PHPdocs
- bumped bootstrap-table to 1.23.2
Signed-off-by: objecttothis <objecttothis@gmail.com>
Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
- Sanitize attribute data in tables
- Sanitize item data with controller function.
Signed-off-by: objecttothis <objecttothis@gmail.com>
Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
Sanitize Item data
- Sanitize category and item_number before display in forms.
- refactor check in pic_filename for empty to be best practices compliant.
- Added TODO
Signed-off-by: objecttothis <objecttothis@gmail.com>
Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
Removed unnecessary use statement
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Remove HtmlPurifier calls
- All calls to Services::htmlPurifier()->purify() removed from data received from view.
- Bootstrap and bootswatch bump in package-lock.json
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Customers Controller
- Refactored code for clarity
- Replaced == with === operator to prevent type juggling
- Added Sanitization of Customer data before being sent to the view
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Bump bootstrap-table to 1.23.1
- Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
- Sanitize attribute data in tables
- Sanitize item data with controller function.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Sanitize Item data
- Sanitize category and item_number before display in forms.
- refactor check in pic_filename for empty to be best practices compliant.
- Added TODO
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Minor changes
- Refactored for code clarity.
- Removed extra blank lines.
- Minor reformatting.
- Added PHPdocs
- bumped bootstrap-table to 1.23.2
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Sanitize Item data
- Sanitize category and item_number before display in forms.
- refactor check in pic_filename for empty to be best practices compliant.
- Added TODO
Signed-off-by: objecttothis <objecttothis@gmail.com>
---------
Signed-off-by: objecttothis <objecttothis@gmail.com>
Co-authored-by: objecttothis <objecttothis@gmail.com>
- Added @noinspection PhpUnused to AJAX-called functions to remove weak warning that the function is unused. This will be needed for the linter.
- Referenced where the function is called in the PHPdocs.
- Removed redundant transaction. batch_save() is already being run in a transaction.
- Fixed function name in controller and view.
- Removed form helper load because it's autoloaded.
- Corrected variable reference in Secure_Controller.php
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Replaced == with === to avoid type juggling
- Removed unneeded TODO
- Added HTMLPurifier to composer.json
- Added Service to allow singleton instance of purifier.
- Implemented use in Customer Controller Search function.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Added TODO where we need to convert to querybuilder
- Converted to switch statement.
- Removed unnecessary local variable
- Replaced Qualifiers with imports
- Replaced isset() call with null coalescing operator
- Replaced strpos function calls in if statements with str_contains calls
- Removed unnecessary leading \ in use statement
- Replaced deprecated functions
- Updated PHPdocs to match function signature
- Added missing type declarations
- Made class variables private.
- Explicitly declared dynamic properties
- use https:// links instead of http://
- Fixed type error from sending null when editing transactions
- Fixed Search Suggestion function name in Employees, Persons, Suppliers controller
- Fixed function name on Receivings Controller
Signed-off-by: objecttothis <objecttothis@gmail.com>
Receivings receipt returning the following errors:
. Param count in the URI are greater than the controller method
. ($supplier_id) must be of type int
- Updated formatting to reflect standard
- Wrapped Decimal type in to_decimals() function for localization
- Fixed function name
- Removed unneeded TODO
- Fixed problems with sales register not receiving decimals with comma for separator properly.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Made view CI form helper function call format uniform.
- replaced calls to array() with []
- Placed { on its own line
- Removed empty lines where there shouldn't be any.
- Replaced text/javascript with application/javascript as the former is deprecated
- Removed overflow-visible as it is not needed.
- Bumped TamTamChik/nameCase to latest.
- Workaround to prevent nameCase from capitalizing the first letter of html entities
- Autoload security_helper.php
- Develop means of escaping outputs without encoding characters we don't want encoded.
- proof of concept in form_basic_info.php
- Format percentage per locale rules
- Moved constants to Constants.php
- Added PHPdoc comments
- Refactor code for clarity and simplicity.
- Added decimal formatting per locale for display.
- autoload locale helper
- Remove unneeded calls to helpers
- Removed unneeded comments
- fixed errors causing checks in parse_decimals to return false due to locales which use a comma.
- Corrected syntax to allow all 8.x versions of PHP in composer.json
- Bumped CodeIgniter from 4.4.3 to 4.4.5
- Bumped Code from 4.4.3 format to 4.4.4 format
- Added missing PHPdocs
- Corrected Syntax
- Added noinspection parameters to PHPdoc for AJAX called functions
- Added missing function return types
- Added missing parameter types
- Added public keyword to functions without visibility modifier
- Corrected incorrectly formatted PHPdocs
- Added public to constants and functions missing a visibility keyword
- Replaced TRUE/FALSE constants with true/false keywords
- Replaced NULL constant with null keyword
- Replaced `<?php echo` in views with shortened `<?=`
- Added missing variable declaration
- Added missing function return type in declaration
- replaced `== true`, `== false`, `=== true` and `=== false` in if statements with simplified forms
