opensourcepos/app/Views
Ollama 977fa5647b Fix stored XSS vulnerability in item descriptions
GHSA-q58g-gg7v-f9rf: Stored XSS via Item Description

Security Impact:
- Authenticated users with item management permission can inject XSS payloads
- Payloads execute in POS register view (sales and receivings)
- Can steal session cookies, perform CSRF attacks, or compromise POS operations

Root Cause:
1. Input: Items.php:614 accepts description without sanitization
2. Output: register.php:255 and receiving.php:220 echo description without escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to description POST
- Output escaping: Added esc() wrapper when echoing item descriptions
- Defense-in-depth approach: sanitize on input, escape on output

Files Changed:
- app/Controllers/Items.php - Sanitize description on save
- app/Views/sales/register.php - Escape description on display
- app/Views/receivings/receiving.php - Escape description on display

Testing:
- XSS payloads like '<script>alert(1)</script>' are now sanitized on input
- Any existing malicious descriptions are escaped on output
- Does not break legitimate descriptions with special characters
2026-03-07 20:51:48 +01:00
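
Added example, not code from the opensourcepos repository: a stand-alone PHP script that runs two constructed descriptions through the input filter and the output escaping named in the commit message, so the HTML each path emits can be compared. It assumes `htmlspecialchars()` as a stand-in for the framework's `esc()` helper; the function names `escape_html` and `sanitize_description` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the framework's esc() helper
// (assumption: HTML-context escaping via htmlspecialchars).
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input-side filter named in the commit message, applied to a plain string here.
function sanitize_description(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Constructed sample descriptions: the payload quoted in the commit message
// and a legitimate description containing special characters.
$samples = [
    'payload'    => '<script>alert(1)</script>',
    'legitimate' => 'Nuts & bolts, 3" long',
];

foreach ($samples as $label => $raw) {
    $stored = sanitize_description($raw);

    // Each row is the HTML a view would emit for one storage/output combination.
    $rows = [
        'raw, echoed as-is (pre-fix)'  => $raw,
        'raw, escaped on output'       => escape_html($raw),
        'sanitized, echoed as-is'      => $stored,
        'sanitized, escaped on output' => escape_html($stored),
    ];

    echo "== {$label} ==\n";
    foreach ($rows as $path => $html) {
        // A literal "<script" in the emitted HTML means the browser would parse a tag.
        $state = stripos($html, '<script') !== false ? 'live tag' : 'inert text';
        printf("%-30s %-11s %s\n", $path, $state, $html);
    }
    echo "\n";
}

// In the last row of each group the entities produced by the input filter are
// encoded a second time by the output escaper, so compare that row with
// "raw, escaped on output" when deciding which layers a view needs.
```

Run it with `php example.php`; only the "raw, echoed as-is" path leaves the payload as parseable markup.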