mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-12 20:18:02 -04:00
690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
215 lines
8.8 KiB
PHP
215 lines
8.8 KiB
PHP
<?php
|
|
/**
|
|
* @var int $sale_id_num
|
|
* @var bool $print_after_sale
|
|
* @var string $sales_work_order
|
|
* @var string $customer_info
|
|
* @var string $company_info
|
|
* @var string $work_order_number_label
|
|
* @var string $work_order_number
|
|
* @var string $transaction_date
|
|
* @var bool $print_price_info
|
|
* @var string $total
|
|
* @var array $cart
|
|
* @var float $subtotal
|
|
* @var array $taxes
|
|
* @var array $payments
|
|
* @var array $config
|
|
*/
|
|
?>
|
|
|
|
<?= view('partial/header') ?>
|
|
|
|
<?php
|
|
if (isset($error_message)) {
|
|
echo '<div class="alert alert-dismissible alert-danger">' . $error_message . '</div>';
|
|
exit;
|
|
}
|
|
?>
|
|
|
|
<?php if (!empty($customer_email)): ?>
|
|
<script type="text/javascript">
|
|
$(document).ready(function() {
|
|
var send_email = function() {
|
|
$.get('<?= esc("/sales/sendPdf/$sale_id_num/work_order") ?>',
|
|
function(response) {
|
|
$.notify({
|
|
message: response.message
|
|
}, {
|
|
type: response.success ? 'success' : 'danger'
|
|
})
|
|
}, 'json'
|
|
);
|
|
};
|
|
|
|
$("#show_email_button").click(send_email);
|
|
|
|
<?php if (!empty($email_receipt)): ?>
|
|
send_email();
|
|
<?php endif; ?>
|
|
});
|
|
</script>
|
|
<?php endif; ?>
|
|
|
|
<?= view('partial/print_receipt', ['print_after_sale' => $print_after_sale, 'selected_printer' => 'invoice_printer']) ?>
|
|
|
|
<div class="print_hide" id="control_buttons" style="text-align: right;">
|
|
<a href="javascript:printdoc();">
|
|
<div class="btn btn-info btn-sm" id="show_print_button"><?= '<span class="glyphicon glyphicon-print"> </span>' . lang('Common.print') ?></div>
|
|
</a>
|
|
<?php
|
|
/* This line will allow to print and go back to sales automatically.
|
|
* echo anchor('sales', '<span class="glyphicon glyphicon-print"> </span>' . lang('Common.print'), ['class' => 'btn btn-info btn-sm', 'id' => 'show_print_button', 'onclick' => 'window.print();'));
|
|
*/
|
|
?>
|
|
<?php if (isset($customer_email) && !empty($customer_email)): ?>
|
|
<a href="javascript:void(0);">
|
|
<div class="btn btn-info btn-sm" id="show_email_button"><?= '<span class="glyphicon glyphicon-envelope"> </span>' . lang('Sales.send_work_order') ?></div>
|
|
</a>
|
|
<?php endif; ?>
|
|
<?= anchor("sales", '<span class="glyphicon glyphicon-shopping-cart"> </span>' . lang('Sales.register'), ['class' => 'btn btn-info btn-sm', 'id' => 'show_sales_button']) ?>
|
|
<?= anchor("sales/discard_suspended_sale", '<span class="glyphicon glyphicon-remove"> </span>' . lang('Sales.discard'), ['class' => 'btn btn-danger btn-sm', 'id' => 'discard_work_order_button']) ?>
|
|
</div>
|
|
|
|
<div id="page-wrap">
|
|
<div id="header"><?= $sales_work_order ?></div>
|
|
<div id="block1">
|
|
<div id="customer-title">
|
|
<?php if (isset($customer)) { ?>
|
|
<div id="customer"><?= esc(nl2br($customer_info)) ?></div>
|
|
<?php } ?>
|
|
</div>
|
|
|
|
<div id="logo">
|
|
<?php if ($config['company_logo'] != '') { ?>
|
|
<img id="image" src="<?= base_url('uploads/' . esc($config['company_logo'], 'url')) ?>" alt="company_logo">
|
|
<?php } ?>
|
|
<div> </div>
|
|
<?php if ($config['receipt_show_company_name']) { ?>
|
|
<div id="company_name"><?= esc($config['company']) ?></div>
|
|
<?php } ?>
|
|
</div>
|
|
</div>
|
|
|
|
<div id="block2">
|
|
<div id="company-title"><?= esc(nl2br($company_info)) ?></div>
|
|
<table id="meta">
|
|
<tr>
|
|
<td class="meta-head"><?= esc($work_order_number_label) ?> </td>
|
|
<td><?= esc($work_order_number) ?></td>
|
|
</tr>
|
|
<tr>
|
|
<td class="meta-head"><?= lang('Common.date') ?></td>
|
|
<td><?= esc($transaction_date) ?></td>
|
|
</tr>
|
|
<?php if ($print_price_info) { ?>
|
|
<tr>
|
|
<td class="meta-head"><?= lang('Sales.amount_due') ?></td>
|
|
<td><?= to_currency(esc($total)) ?></td>
|
|
</tr>
|
|
<?php } ?>
|
|
</table>
|
|
</div>
|
|
|
|
<table id="items">
|
|
<tr>
|
|
<th><?= lang('Sales.item_number') ?></th>
|
|
<th><?= lang('Sales.item_name') ?></th>
|
|
<th><?= lang('Sales.quantity') ?></th>
|
|
<th><?= lang('Sales.price') ?></th>
|
|
<th><?= lang('Sales.discount') ?></th>
|
|
<th><?= lang('Sales.total') ?></th>
|
|
</tr>
|
|
<?php
|
|
foreach ($cart as $line => $item) {
|
|
if ($item['print_option'] == PRINT_YES) {
|
|
?>
|
|
<tr class="item-row">
|
|
<td><?= esc($item['item_number']) ?></td>
|
|
<td class="item-name"><?= esc($item['name']) ?></td>
|
|
<td style="text-align: center;"><?= to_quantity_decimals($item['quantity']) ?></td>
|
|
<td><?php if ($print_price_info) echo to_currency($item['price']) ?></td>
|
|
<td style="text-align: center;"><?= ($item['discount_type'] == FIXED) ? to_currency($item['discount']) : to_decimals($item['discount']) . '%' ?></td>
|
|
<td style="border-right: solid 1px; text-align: right;"><?php if ($print_price_info) echo to_currency($item['discounted_total']) ?></td>
|
|
</tr>
|
|
|
|
<?php if ($item['is_serialized'] || $item['allow_alt_description'] && !empty($item['description'])) { ?>
|
|
<tr class="item-row">
|
|
<td></td>
|
|
<td class="item-name" colspan="4"><?= esc($item['description']) ?></td>
|
|
<td style="text-align: center;"><?= esc($item['serialnumber']) ?></td>
|
|
</tr>
|
|
<?php
|
|
}
|
|
}
|
|
}
|
|
?>
|
|
<tr>
|
|
<td class="blank" colspan="6" style="text-align: center;"><?= ' ' //TODO: Why is PHP needed for an HTML ` `? ?></td>
|
|
</tr>
|
|
<?php if ($print_price_info) { ?>
|
|
<tr>
|
|
<td colspan="3" class="blank-bottom"> </td>
|
|
<td colspan="2" class="total-line"><?= lang('Sales.sub_total') ?></td>
|
|
<td class="total-value" id="subtotal"><?= to_currency($subtotal) ?></td>
|
|
</tr>
|
|
<?php foreach ($taxes as $tax_group_index => $tax) { ?>
|
|
<tr>
|
|
<td colspan="3" class="blank"> </td>
|
|
<td colspan="2" class="total-line"><?= (float)$tax['tax_rate'] . '% ' . esc($tax['tax_group']) ?></td>
|
|
<td class="total-value" id="taxes"><?= to_currency_tax($tax['sale_tax_amount']) ?></td>
|
|
</tr>
|
|
<?php } ?>
|
|
<tr>
|
|
<td colspan="3" class="blank"> </td>
|
|
<td colspan="2" class="total-line"><?= lang('Sales.total') ?></td>
|
|
<td class="total-value" id="total"><?= to_currency($total) ?></td>
|
|
</tr>
|
|
<?php } ?>
|
|
<?php
|
|
$only_sale_check = false;
|
|
$show_giftcard_remainder = false;
|
|
foreach ($payments as $payment_id => $payment) {
|
|
$only_sale_check |= $payment['payment_type'] == lang('Sales.check');
|
|
$splitpayment = explode(':', $payment['payment_type']); // TODO: $splitpayment does not match naming conventions for the project
|
|
$show_giftcard_remainder |= $splitpayment[0] == lang('Sales.giftcard');
|
|
?>
|
|
<tr>
|
|
<td colspan="3" class="blank"> </td>
|
|
<td colspan="2" class="total-line"><?= esc($splitpayment[0]) ?></td>
|
|
<td class="total-value" id="paid"><?= to_currency($payment['payment_amount']) ?></td>
|
|
</tr>
|
|
<?php } ?>
|
|
</table>
|
|
<div id="terms">
|
|
<div id="sale_return_policy">
|
|
<h5>
|
|
<span style="padding: 4%;"><?= empty($comments) ? '' : lang('Sales.comments') . esc(": $comments") ?></span>
|
|
</h5>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<script type="text/javascript">
|
|
$(window).on("load", function() {
|
|
// Install firefox addon in order to use this plugin
|
|
if (window.jsPrintSetup) {
|
|
<?php if (!$config['print_header']) { ?>
|
|
// Set page header
|
|
jsPrintSetup.setOption('headerStrLeft', '');
|
|
jsPrintSetup.setOption('headerStrCenter', '');
|
|
jsPrintSetup.setOption('headerStrRight', '');
|
|
<?php } ?>
|
|
|
|
<?php if (!$config['print_footer']) { ?>
|
|
// Set empty page footer
|
|
jsPrintSetup.setOption('footerStrLeft', '');
|
|
jsPrintSetup.setOption('footerStrCenter', '');
|
|
jsPrintSetup.setOption('footerStrRight', '');
|
|
<?php } ?>
|
|
}
|
|
});
|
|
</script>
|
|
|
|
<?= view('partial/footer') ?>
|