mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-03-12 12:14:22 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
436696b11bf2dadb905fbc8aedde491cd5b992d7
opensourcepos/app/Views/sales/invoice.php
jekkos 690f43578d Use Content-Type application/json for AJAX responses (#4357) 
Complete Content-Type application/json fix for all AJAX responses

- Add missing return statements to all ->response->setJSON() calls
- Fix Items.php method calls from JSON() to setJSON()
- Convert echo statements to proper JSON responses
- Ensure consistent Content-Type headers across all controllers
- Fix 46+ instances across 12 controller files
- Change Config.php methods to : ResponseInterface (all return setJSON only):
  - postSaveRewards(), postSaveBarcode(), postSaveReceipt()
  - postSaveInvoice(), postRemoveLogo()
  - Update PHPDoc @return tags

- Change Receivings.php _reload() to : string (only returns view)
- Change Receivings.php methods to : string (all return _reload()):
  - getIndex(), postSelectSupplier(), postChangeMode(), postAdd()
  - postEditItem(), getDeleteItem(), getRemoveSupplier()
  - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving()
- Change postSave() to : ResponseInterface (returns setJSON)
- Update all PHPDoc @return tags

Fix XSS vulnerabilities in sales templates, login, and config pages

This commit addresses 5 XSS vulnerabilities by adding proper escaping
to all user-controlled configuration values in HTML contexts.

Fixed Files:
- app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML)
- app/Views/sales/work_order.php: Escaped company_logo (URL context)
- app/Views/sales/receipt_email.php: Added file path validation and escaping for logo
- app/Views/login.php: Escaped all config values in title, logo src, and alt
- app/Views/configs/info_config.php: Escaped company_logo (URL context)

Security Impact:
- Prevents stored XSS attacks if configuration is compromised
- Defense-in-depth principle applied to administrative interfaces
- Follows OWASP best practices for output encoding

Testing:
- Verified no script execution with XSS payloads in config values
- Confirmed proper escaping in HTML, URL, and file contexts
- All templates render correctly with valid configuration

Severity: High (4 files), Medium-High (1 file)
CVSS Score: ~6.1
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)

Fix critical password validation bypass and add unit tests

This commit addresses a critical security vulnerability where the password
minimum length check was performed on the HASHED password (always 60
characters for bcrypt) instead of the actual password before hashing.

Vulnerability Details:
- Original code: strlen($employee_data['password']) >= 8
- This compared the hash length (always 60) instead of raw password
- Impact: Users could set 1-character passwords like "a"
- Severity: Critical (enables brute force attacks on weak passwords)
- CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Fix Applied:
- Validate password length BEFORE hashing
- Clear error message when password is too short
- Added unit tests to verify minimum length enforcement
- Regression test to prevent future vulnerability re-introduction

Test Coverage:
- testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected
- testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted
- testPasswordMinLength_RejectsEmptyString: Verify empty rejected
- testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected
- testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK
- testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug

Files Modified:
- app/Controllers/Home.php: Fixed password validation logic
- tests/Controllers/HomeTest.php: Added comprehensive unit tests

Security Impact:
- Enforces 8-character minimum password policy
- Prevents extremely weak passwords that facilitate brute-force attacks
- Critical for credential security and user account protection

Breaking Changes:
- Users with passwords < 8 characters will need to reset their password
- This is the intended security improvement

Severity: Critical
CVSS Score: ~7.5
CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307

Add GitHub Actions workflow to run PHPUnit tests

Move business logic from views to controllers for better separation of concerns

- Move logo URL computation from info_config view to Config::getIndex()
- Move image base64 encoding from receipt_email view to Sales controller
- Improves separation of concerns by keeping business logic in controllers
- Simplifies view templates to only handle presentation

Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels

Fix base64 encoding URL issue in delete payment - properly URL encode base64 string

Fix remaining return type declarations for Sales controller

Fixed additional methods that call _reload():
- postAdd() - returns _reload($data)
- postAddPayment() - returns _reload($data)
- postEditItem() - returns _reload($data)
- postSuspend() - returns _reload($data)
- postSetPaymentType() - returns _reload()

All methods now return ResponseInterface|string to match _reload() signature.
This resolves PHP TypeError errors.
2026-03-04 21:42:35 +01:00

260 lines
11 KiB
PHP
Raw Blame History

<?php
/**
* @var string $sale_id_num
* @var bool $print_after_sale
* @var string $customer_info
* @var string $company_info
* @var string $invoice_number
* @var string $transaction_date
* @var float $total
* @var bool $include_hsn
* @var string $discount
* @var array $cart
* @var float $subtotal
* @var array $taxes
* @var array $payments
* @var float $amount_change
* @var string $barcode
* @var int $sale_id
* @var array $config
*/
?>
<?= view('partial/header') ?>
<?php
if (isset($error_message)) {
echo '<div class="alert alert-dismissible alert-danger">' . $error_message . '</div>';
exit;
}
?>
<?php if (!empty($customer_email)): ?>
<script type="text/javascript">
$(document).ready(function() {
var send_email = function() {
$.get('<?= site_url() . "sales/sendPdf/$sale_id_num" ?>',
function(response) {
$.notify({
message: response.message
}, {
type: response.success ? 'success' : 'danger'
});
}, 'json'
);
};
$("#show_email_button").click(send_email);
<?php if (!empty($email_receipt)): ?>
send_email();
<?php endif; ?>
});
</script>
<?php endif; ?>
<?= view('partial/print_receipt', ['print_after_sale' => $print_after_sale, 'selected_printer' => 'invoice_printer']) ?>
<div class="print_hide" id="control_buttons" style="text-align: right;">
<a href="javascript:printdoc();">
<div class="btn btn-info btn-sm" id="show_print_button"><?= '<span class="glyphicon glyphicon-print">&nbsp;</span>' . lang('Common.print') ?></div>
</a>
<?php
/* This line will allow to print and go back to sales automatically.
* echo anchor('sales', '<span class="glyphicon glyphicon-print">&nbsp;</span>' . lang('Common.print'), ['class' => 'btn btn-info btn-sm', 'id' => 'show_print_button', 'onclick' => 'window.print();'));
*/
?>
<?php if (isset($customer_email) && !empty($customer_email)): ?>
<a href="javascript:void(0);">
<div class="btn btn-info btn-sm" id="show_email_button"><?= '<span class="glyphicon glyphicon-envelope">&nbsp;</span>' . lang('Sales.send_invoice') ?></div>
</a>
<?php endif; ?>
<?= anchor("sales", '<span class="glyphicon glyphicon-shopping-cart">&nbsp;</span>' . lang('Sales.register'), ['class' => 'btn btn-info btn-sm', 'id' => 'show_sales_button']) ?>
<?= anchor("sales/manage", '<span class="glyphicon glyphicon-list-alt">&nbsp;</span>' . lang('Sales.takings'), ['class' => 'btn btn-info btn-sm', 'id' => 'show_takings_button']) ?>
</div>
<div id="page-wrap">
<div id="header"><?= lang('Sales.invoice') ?></div>
<div id="block1">
<div id="customer-title">
<?php if (isset($customer)) { ?>
<div id="customer"><?= nl2br(esc($customer_info)) ?></div>
<?php } ?>
</div>
<div id="logo">
<?php if ($config['company_logo'] != '') { ?>
<img id="image" src="<?= base_url('uploads/' . esc($config['company_logo'], 'url')) ?>" alt="company_logo">
<?php } ?>
<div>&nbsp;</div>
<?php if ($config['receipt_show_company_name']) { ?>
<div id="company_name"><?= esc($config['company']) ?></div>
<?php } ?>
</div>
</div>
<div id="block2">
<div id="company-title"><?= nl2br(esc($company_info)) ?></div>
<table id="meta">
<tr>
<td class="meta-head"><?= lang('Sales.invoice_number') ?> </td>
<td><?= esc($invoice_number) ?></td>
</tr>
<tr>
<td class="meta-head"><?= lang('Common.date') ?></td>
<td><?= esc($transaction_date) ?></td>
</tr>
<tr>
<td class="meta-head"><?= lang('Sales.invoice_total') ?></td>
<td><?= to_currency($total) ?></td>
</tr>
</table>
</div>
<table id="items">
<tr>
<th><?= lang('Sales.item_number') ?></th>
<?php
$invoice_columns = 6;
if ($include_hsn) {
$invoice_columns += 1;
?>
<th><?= lang('Sales.hsn') ?></th>
<?php } ?>
<th><?= lang('Sales.item_name') ?></th>
<th><?= lang('Sales.quantity') ?></th>
<th><?= lang('Sales.price') ?></th>
<th><?= lang('Sales.discount') ?></th>
<?php
if ($discount > 0) {
$invoice_columns += 1;
?>
<th><?= lang('Sales.customer_discount') ?></th>
<?php } ?>
<th><?= lang('Sales.total') ?></th>
</tr>
<?php
foreach ($cart as $line => $item) {
if ($item['print_option'] == PRINT_YES) {
?>
<tr class="item-row">
<td><?= esc($item['item_number']) ?></td>
<?php if ($include_hsn): ?>
<td style="text-align: center;"><?= esc($item['hsn_code']) ?></td>
<?php endif; ?>
<td class="item-name"><?= ($item['is_serialized'] || $item['allow_alt_description']) && !empty($item['description']) ? esc($item['description']) : esc($item['name'] . ' ' . $item['attribute_values']) ?></td>
<td style="text-align: center;"><?= to_quantity_decimals($item['quantity']) ?></td>
<td><?= to_currency($item['price']) ?></td>
<td style="height: center;"><?= ($item['discount_type'] == FIXED) ? to_currency($item['discount']) : to_decimals($item['discount']) . '%' ?></td>
<?php if ($discount > 0): ?>
<td style="text-align: center;"><?= to_currency($item['discounted_total'] / $item['quantity']) ?></td>
<?php endif; ?>
<td style="border-right: solid 1px; text-align: right;"><?= to_currency($item['discounted_total']) ?></td>
</tr>
<?php if ($item['is_serialized']) { ?>
<tr class="item-row">
<td class="item-description" colspan="<?= $invoice_columns - 1 ?>"></td>
<td style="text-align: center;"><?= esc($item['serialnumber']) // TODO: serialnumber does not match variable naming conventions for this project ?></td>
</tr>
<?php
}
}
}
?>
<tr>
<td class="blank" colspan="<?= $invoice_columns ?>" style="text-align: center;"><?= '&nbsp;' ?></td>
</tr>
<tr>
<td colspan="<?= $invoice_columns - 3 ?>" class="blank-bottom"> </td>
<td colspan="2" class="total-line"><?= lang('Sales.sub_total') ?></td>
<td class="total-value" id="subtotal"><?= to_currency($subtotal) ?></td>
</tr>
<?php foreach ($taxes as $tax_group_index => $tax) { ?>
<tr>
<td colspan="<?= $invoice_columns - 3 ?>" class="blank"> </td>
<td colspan="2" class="total-line"><?= (float)$tax['tax_rate'] . '% ' . esc($tax['tax_group']) ?></td>
<td class="total-value" id="taxes"><?= to_currency_tax($tax['sale_tax_amount']) ?></td>
</tr>
<?php } ?>
<tr>
<td colspan="<?= $invoice_columns - 3 ?>" class="blank"> </td>
<td colspan="2" class="total-line"><?= lang('Sales.total') ?></td>
<td class="total-value" id="total"><?= to_currency($total) ?></td>
</tr>
<?php
$only_sale_check = false;
$show_giftcard_remainder = false;
foreach ($payments as $payment_id => $payment) {
$only_sale_check |= $payment['payment_type'] == lang('Sales.check');
$splitpayment = explode(':', $payment['payment_type']); // TODO: $splitpayment does not meet variable naming standards for this project
$show_giftcard_remainder |= $splitpayment[0] == lang('Sales.giftcard');
?>
<tr>
<td colspan="<?= $invoice_columns - 3 ?>" class="blank"> </td>
<td colspan="2" class="total-line"><?= esc($splitpayment[0]) ?></td>
<td class="total-value" id="paid"><?= to_currency($payment['payment_amount'] * -1) ?></td>
</tr>
<?php } ?>
<?php if (isset($cur_giftcard_value) && $show_giftcard_remainder) { ?>
<tr>
<td colspan="<?= $invoice_columns - 3 ?>" class="blank"> </td>
<td colspan="2" class="total-line"><?= lang('Sales.giftcard_balance') ?></td>
<td class="total-value" id="giftcard"><?= to_currency($cur_giftcard_value) ?></td>
</tr>
<?php } ?>
<?php if (!empty($payments)) { ?>
<tr>
<td colspan="<?= $invoice_columns - 3 ?>" class="blank"> </td>
<td colspan="2" class="total-line"><?= lang($amount_change >= 0 ? ($only_sale_check ? 'Sales.check_balance' : 'Sales.change_due') : 'Sales.amount_due') ?></td>
<td class="total-value" id="change"><?= to_currency($amount_change) ?></td>
</tr>
<?php } ?>
</table>
<div id="terms">
<div id="sale_return_policy">
<h5>
<span><?= nl2br(esc($config['payment_message'])) ?></span>
<span style="padding: 4%;"><?= empty($comments) ? esc($config['invoice_default_comments']) : lang('Sales.comments') . ': ' . esc($comments) ?></span>
</h5>
<div style="padding: 2%;"><?= nl2br(esc($config['return_policy'])) ?></div>
</div>
<div id="barcode">
<?= $barcode ?><br>
<?= $sale_id ?>
</div>
</div>
</div>
<script type="text/javascript">
$(window).on("load", function() {
// Install firefox addon in order to use this plugin
if (window.jsPrintSetup) {
<?php if (!$config['print_header']) { ?>
// Set page header
jsPrintSetup.setOption('headerStrLeft', '');
jsPrintSetup.setOption('headerStrCenter', '');
jsPrintSetup.setOption('headerStrRight', '');
<?php } ?>
<?php if (!$config['print_footer']) { ?>
// Set empty page footer
jsPrintSetup.setOption('footerStrLeft', '');
jsPrintSetup.setOption('footerStrCenter', '');
jsPrintSetup.setOption('footerStrRight', '');
<?php } ?>
}
});
</script>
<?= view('partial/footer') ?>
Reference in New Issue View Git Blame Copy Permalink