1. Stock Location XSS (GHSA-7hg5-68rx-xpmg):
- Stock location names were rendered unescaped in employee form
- Malicious stock locations could contain XSS payloads that execute
when viewing employee permissions
- Fixed by adding esc() to permission display in employees/form.php
2. Customer Name XSS (GHSA-hcfr-9hfv-mcwp):
- Bootstrap-table columns had escape disabled for customer_name,
email, phone_number, and note fields
- Malicious customer names could execute XSS in Daily Sales view
- Fixed by removing user-controlled fields from escape exception list
- Only 'edit', 'messages', and 'item_pic' remain in exception list
(these contain safe server-generated HTML)
Both vulnerabilities allow authenticated attackers with basic permissions
to inject JavaScript that executes in admin/other user sessions.
* `execute_script()` now returns a boolean for error handling.
* Added transaction to `Migration_MissingConfigKeys.up()`.
* Added logging to various migrations.
* Added transaction to `Migration_MissingConfigKeys.up()`.
* Added logging to various migrations.
* Formatting and function call fixes
Fixed a minor formatting issue in the migration helper.
Replaced a few remaining error_log() calls.
Updated executeScriptWithTransaction() to use log_message()
* Function call fix
Replaced the last error_log() calls with log_message().
---------
Co-authored-by: Joe Williams <hey-there-joe@outlook.com>
* `execute_script()` now returns a boolean for error handling.
* Added transaction to `Migration_MissingConfigKeys.up()`.
* Added `executeScriptWithTransaction()` to migration helpers.
* Many changes for testing; also minor formatting fixes.
* Removed test code and pointed the `NullableTaxCategoryId` migration at the right SQL file.
* Fixed header.php
* Code cleanup from code review:
- Added IGNORE to SQL scripts.
- Added try-catch to executeScriptWithTransaction().
- Various comment changes.
* Fixed naming issue
Nullable tax category ID migration now runs the correct script.
* Updated SQL
Replaced INSERT WHERE NOT EXISTS in missing config keys sql script to use a single INSERT IGNORE.
* Updated migration helper
Updated executeScriptWithTransaction to use transRollback
---------
Co-authored-by: Joe Williams <hey-there-joe@outlook.com>
- Refactored function names for PSR-12 compliance
- Programmatically cascade delete attribute_link rows when a drop-down attribute is deleted but leave attribute_link rows associated with transactions.
- Added `WHERE item_id IS NOT NULL` to migration to prevent failure on MySQL databases during migration
- Retroactive correction of migration to prevent MySQL databases from failing.
- Refactored generic functions to helper
- Reverted attribute_links foreign key to ON DELETE RESTRICT which is required for a unique constraint on this table. Cascading deletes are now handled programmatically.
- Migration Session table to match Code Igniter 4.6
- Add index to attribute_links to prevent query timeout in items view on large databases
- Added overridePrefix() function to the migration_helper. Any time QueryBuilder is adding a prefix to the query when we don't want it to, this query can be used to override the prefix then set it back after you're done.
- Added dropAllForeignKeyConstraints() helper function.
- Added deleteIndex() helper function.
- Added indexExists() helper function.
- Added primaryKeyExists() helper function.
- Added recreateForeignKeyConstraints() helper function.
- Added CRUD section headings to the Attribute model.
- Replaced `==` with `===` to prevent type juggling.
- Removed unused delete_value function.
- Reworked deleteDefinition() and deleteDefinitionList() functions to delete rows from the attribute_links table which are associated.
- Added deleteAttributeLinksByDefinitionId() function
Implement Cascading Delete
- Function to delete attribute links with one or more attribute definitions.
- Call function to implement an effective cascading delete.
- Refactor function naming to meet PSR-12 conventions
Fix Migration
- Add drop of Generated Column to prevent failure of migration on MySQL databases.
Fix Migration
- Removed blank lines
- Refactored function naming for PSR compliance
- Reformatted code for PSR compliance
- Added logic to drop dependent foreign key constraints before deleting an index then recreating them.
Migrate ospos_sessions table
- DROP and CREATE session table to prevent migration problems on populated databases
Fixed Bug in Migration
- In the event that item_id = null (e.g., it's a dropdown) it should not be included in the results.
Fixed bug in Dropdown deletes
- Removed delete_value function in Attributes Controller as it is unused.
- Renamed postDelete_attribute_value function for PSR-12 compliance.
- Renamed delete_value Attribute model function for PSR-12 compliance.
- Refactored out function to getAttributeIdByValue
- Replaced == with === to prevent type juggling
- Reorganized parts of model to make it easier to find CRUD functions.
Refactoring
- PSR-12 Compliance formatting changes
- Refactored several generic functions into the migration_helper.php
- First check if primary key exists before attempting to create it.
- Grouped functions together in migration_helper.php
- phpdoc commenting functions
Optimizing Indices
- There are two queries run while opening the Items view which time out on large databases with weak hardware. These indices cut the query execution in half or better.
Add Unique constraint back into attribute_links
- This migration reverts ospos_attribute_links_ibfk_1 and 2 to ON DELETE RESTRICT. Cascade delete is done programmatically. This is needed to have a unique column on the attribute_links table which prevents duplicate attributes from begin created with the same item_id-attribute_id-definition_id combination
Correct spacing after if for PSR-12
Minor code cleanup.
- Removed Comments separating sections of code in Attribute model
- Removed extra log line to prevent cluttering of the log
* Improve code style and PSR-12 compliance
- refactored code formatting to adhere to PSR-12 guidelines
- standardized coding conventions across the codebase
- added missing framework files and reverted markup changes
- reformatted arrays for enhanced readability
- updated language files for consistent styling and clarity
- minor miscellaneous improvements
Fixed issue with Attribute Values not saving correctly
This issue was caused by the Attribute->attributeValueExists function receiving a date which was already in Y-m-d format, so the conversion was returning false. Added logic to pass the date through if it was already in Y-m-d format.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Added check in controller to convert locale-specific decimal formats to use a period decimal separator.
- Added PHPdoc explanation
Signed-off-by: objecttothis <objecttothis@gmail.com>
Add TODO to clarify workaround
Signed-off-by: objecttothis <objecttothis@gmail.com>
Fixed bugs in SQL
- Added checks before attempting to delete non-existing values.
- Corrected function which deletes duplicate attribute values and replaces the attribute_ids
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Remove HtmlPurifier calls
- All calls to Services::htmlPurifier()->purify() removed from data received from view.
- Bootstrap and bootswatch bump in package-lock.json
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Customers Controller
- Refactored code for clarity
- Replaced == with === operator to prevent type juggling
- Added Sanitization of Customer data before being sent to the view
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Bump bootstrap-table to 1.23.1
- Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers
- Sanitize attribute data in tables
- Sanitize item data with controller function.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Sanitize Item data
- Sanitize category and item_number before display in forms.
- refactor check in pic_filename for empty to be best practices compliant.
- Added TODO
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Minor changes
- Refactored for code clarity.
- Removed extra blank lines.
- Minor reformatting.
- Added PHPdocs
- bumped bootstrap-table to 1.23.2
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Pre-view filtering Items Controller
- Refactored code for clarity
- Created and called sanitization functions.
- Sanitize TEXT type Attributes before being sent to the view.
Signed-off-by: objecttothis <objecttothis@gmail.com>
* Sanitize Item data
- Sanitize category and item_number before display in forms.
- refactor check in pic_filename for empty to be best practices compliant.
- Added TODO
Signed-off-by: objecttothis <objecttothis@gmail.com>
---------
Signed-off-by: objecttothis <objecttothis@gmail.com>
Co-authored-by: objecttothis <objecttothis@gmail.com>
- Added TODO where we need to convert to querybuilder
- Converted to switch statement.
- Removed unnecessary local variable
- Replaced Qualifiers with imports
- Replaced isset() call with null coalescing operator
- Replaced strpos function calls in if statements with str_contains calls
- Removed unnecessary leading \ in use statement
- Replaced deprecated functions
- Updated PHPdocs to match function signature
- Added missing type declarations
- Made class variables private.
- Explicitly declared dynamic properties
- use https:// links instead of http://
- Fixed type error from sending null when editing transactions
- Fixed Search Suggestion function name in Employees, Persons, Suppliers controller
- Fixed function name on Receivings Controller
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Updated formatting to reflect standard
- Wrapped Decimal type in to_decimals() function for localization
- Fixed function name
- Removed unneeded TODO
- Fixed problems with sales register not receiving decimals with comma for separator properly.
Signed-off-by: objecttothis <objecttothis@gmail.com>
- Removed overflow-visible as it is not needed.
- Bumped TamTamChik/nameCase to latest.
- Workaround to prevent nameCase from capitalizing the first letter of html entities
- Autoload security_helper.php
- Develop means of escaping outputs without encoding characters we don't want encoded.
- proof of concept in form_basic_info.php
- Format percentage per locale rules
- Moved constants to Constants.php
- Added PHPdoc comments
- Refactor code for clarity and simplicity.
- Added decimal formatting per locale for display.
- autoload locale helper
- Remove unneeded calls to helpers
- Removed unneeded comments
- fixed errors causing checks in parse_decimals to return false due to locales which use a comma.
- Removed TODO which is already a github issue (https://github.com/opensourcepos/opensourcepos/issues/3833)
- Removed call to auto_detect_line_endings which was deprecated in php 8.1. This only negatively affects files created using macOS 9 or earlier which had an EOL in 2002.
- Updated PHPdoc comments
- Removed unnecessary comments
- Removed `mixed` function return type from some functions for backward compatibility with php 7.4
- Refactored string concatination for readability.
- Added TODO for later
- Corrected PHPdocs
- Removed unneeded TODO
- Refactored function names with mixed snake and pascal case names
- Added missing PHPdocs
- Corrected Syntax
- Added noinspection parameters to PHPdoc for AJAX called functions
- Added missing function return types
- Added missing parameter types
- Added public keyword to functions without visibility modifier
- Corrected incorrectly formatted PHPdocs
- Added public to constants and functions missing a visibility keyword
