jekkos bafe3ddf1b Fix stored XSS vulnerability in Attribute Definitions (GHSA-rvfg-ww4r-rwqf) (#4429)
* Fix stored XSS vulnerability in Attribute Definitions

GHSA-rvfg-ww4r-rwqf: Stored XSS via Attribute Definition Name

Security Impact:
- Authenticated users with attribute management permission can inject XSS payloads
- Payloads execute when viewing/editing attributes in admin panel
- Can steal session cookies, perform CSRF attacks, or compromise admin operations

Root Cause:
1. Input: Attributes.php postSaveDefinition() accepts definition_name without sanitization
2. Output: Views echo definition_name without proper escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to definition_name and definition_unit
- Output escaping: Added esc() wrapper when displaying definition_name in views
- Defense-in-depth: htmlspecialchars on attribute values saved to database

Files Changed:
- app/Controllers/Attributes.php - Sanitize inputs on save
- app/Views/attributes/form.php - Escape output on display
- app/Views/attributes/item.php - Escape output on display

* Remove input sanitization, keep output escaping only

Use escaping on output (esc() in views) as the sole XSS prevention
measure instead of sanitizing on input. This preserves the original
data in the database while still protecting against XSS attacks.

* Add validation for definition_fk foreign key in attribute definitions

Validate definition_group input before saving:
- Must be a positive integer (> 0)
- Must exist in attribute_definitions table
- Must be of type GROUP to ensure data integrity

Also add translation for definition_invalid_group error message
in all 45 language files (English placeholder for translations).

* Refactor definition_fk validation into single conditional statement

* Add esc() to attribute value outputs for XSS protection

- Add esc() to TEXT input value in item.php
- Add esc() to definition_unit in form.php

These fields display user-provided content and need output escaping
to prevent stored XSS attacks.

* Refactor definition_group validation into separate method

Extract validation logic for definition_fk into validateDefinitionGroup()
private method to improve code readability and reduce method complexity.

Returns:
- null if input is empty (no group selected)
- false if validation fails (invalid group)
- integer ID if valid

* Add translations for definition_invalid_group in all languages

- Added proper translations for 28 languages (de, es, fr, it, nl, pl, pt-BR, ru, tr, uk, th, zh-Hans, zh-Hant, ro, sv, vi, id, el, he, fa, hu, da, sw-KE, sw-TZ, ar-LB, ar-EG)
- Set empty string for 14 languages to fall back to English (cs, hr-HR, bg, bs, ckb, hy, km, lo, ml, nb, ta, tl, ur, az)

---------

Co-authored-by: Ollama <ollama@steganos.dev>
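Added illustration of the validation contract and the output-escaping change the commit describes; this is not OSPOS code or part of the commit. It assumes a `$lookupGroup` callback standing in for the `attribute_definitions` query, constructed table rows, and `htmlspecialchars()` as a stand-in for CodeIgniter's `esc()`.

```php
<?php
declare(strict_types=1);

// Added example, not OSPOS code. $lookupGroup is an assumed callback that
// stands in for the attribute_definitions table query.

// Tri-state contract from the commit: null = no group selected,
// false = invalid group, int = id of an existing definition of type GROUP.
function validateDefinitionGroup(string $input, callable $lookupGroup): int|false|null
{
    if (trim($input) === '') {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "3abc" and "1e3", which an (int) cast would
    // silently turn into 3 and 1000; min_range enforces "> 0".
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    $row = $lookupGroup($id); // assumed: ['definition_type' => ...] or null
    if ($row === null || $row['definition_type'] !== 'GROUP') {
        return false;
    }
    return $id;
}

// Constructed stand-in rows for attribute_definitions.
$definitions = [
    3 => ['definition_type' => 'GROUP'],
    7 => ['definition_type' => 'TEXT'],
];
$lookup = fn (int $id): ?array => $definitions[$id] ?? null;

// Callers must compare with ===: both null and false are falsy in PHP, so a
// plain "if (!$group)" would treat "no group selected" as a validation error.
foreach (['', '3', '7', '99', '-1', '3abc'] as $raw) {
    $group = validateDefinitionGroup($raw, $lookup);
    $state = $group === null ? 'no group' : ($group === false ? 'invalid' : "group #$group");
    printf("%-7s => %s\n", var_export($raw, true), $state);
}

// Output side: the unescaped echo the advisory describes versus escaping at
// output time. htmlspecialchars() stands in for CodeIgniter's esc() here.
$name = 'Size "XL" <b>'; // constructed stored definition_name
echo '<input name="definition_name" value="' . $name . '">', "\n"; // quote breaks out of the attribute
echo '<input name="definition_name" value="' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">', "\n";
```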


Open Source Point of Sale

Introduction · Demo · Installation · Contributing · Bugs · FAQ · Donate · License · Credits


👋 Introduction

Open Source Point of Sale is a web-based point of sale system. The application is written in PHP, uses MySQL (or MariaDB) as the data storage back-end, and has a simple but intuitive user interface.

The latest 3.4 version is a complete overhaul of the original software. It uses CodeIgniter 4 as a framework and is based on Bootstrap 3 using Bootswatch themes, along with improved functionality and security.

The features include:

  • Stock management (items and kits with an extensible list of attributes)
  • VAT, GST, customer, and multi-tier taxation
  • Sale register with transactions logging
  • Quotation and invoicing
  • Expenses logging
  • Cash up function
  • Printing and emailing of receipts, invoices and quotations
  • Barcode generation and printing
  • Database of customers and suppliers
  • Multiuser with permission control
  • Reporting on sales, orders, expenses, inventory status and more
  • Receivings
  • Gift cards
  • Rewards
  • Restaurant tables
  • Messaging (SMS)
  • Multilanguage
  • Selectable Bootstrap based UI theme with Bootswatch
  • MailChimp integration
  • Optional Google reCAPTCHA to protect the login page from brute force attacks
  • GDPR ready

🧪 Live Demo

We've got a live version of our latest master running for you to play around with and test everything out. It's a containerized install that will reinitialize when new functionality is merged into our code repository.

You can find the demo here and log in with these credentials.
👤 Username admin
🔒 Password pointofsale

If you bump into an issue, please check the status page here to confirm if the server is up and running.

🖥️ Development Demo

Besides the demo of the latest master, we also have a development server that builds when there's a new commit to our repository. It's mainly used for testing out new code before merging it into the master. It can be found here.

The log in credentials are the same as the regular live demo.

💾 Installation

Please refrain from creating issues about installation problems before having read the FAQ and gone through existing GitHub issues. We have a build pipeline that checks the sanity of our latest repository commit, so if the application itself is broken, our build will be too.

This application can be set up in many different ways and we only support the ones described in the INSTALL.md file.

For more information and recommendations on supported hardware, like receipt printers and barcode scanners, read this page on our wiki.

Contributing

Everyone is more than welcome to help us improve this project. If you think you've got something to help us go forward, feel free to open a pull request or join the conversation on Element.

Want to help translate Open Source Point of Sale in your language? You can find our Weblate here, sign up, and start translating. You can subscribe to different languages to receive a notification once a new string is added or needs updating. Have a look at our guidelines below to help you get started.

Only with the help of the community can we keep language translations up to date. Thanks!

🐛 Reporting Bugs

Before creating a new issue, in most cases you'll need to copy and include the info under the System Info tab in the configuration section. If that information is not provided in full, your issue might be tagged as pending.

If you're reporting a potential security issue, please refer to our security policy found in the SECURITY.md file.

NOTE: If you're running non-release code, please make sure you always run the latest database upgrade script and download the latest master code.

📖 FAQ

  • If you get the message "system folder missing", then you have cloned the source using git and you need to run a build first. Check INSTALL.md for instructions or download the latest zip file from GitHub releases instead.

  • If at login time you read "The installation is not correct, check your php.ini file.", please check the error_log in the public folder to understand what's wrong and make sure you read the INSTALL.md. To learn how to enable error_log, please read the comment in issue #1770.

  • If you installed your OSPOS under a web server subdirectory, please edit public/.htaccess and go to the lines with the comments "if in web root" or "if in subdir", uncomment one and replace <OSPOS path> with your path, and follow the instructions on the second comment line. If you face more issues, please read issue #920 for more information.

  • Apache server configurations are SysAdmin issues and not strictly related to OSPOS. Please make sure you can show a "Hello world" HTML page before pointing to OSPOS public directory. Make sure .htaccess is correctly configured.

  • If the avatar pictures are not shown in items, or you get an error at item save, please make sure your writable directory and its subdirectories are assigned to the correct owner and the access permission is set to 750.

  • If you install OSPOS in Docker behind a proxy that performs SSL offloading, you can make the generated URLs HTTPS instead of HTTP by setting the environment variable FORCE_HTTPS = 1.

  • If you install OSPOS behind a proxy and OSPOS constantly drops your session, consider whitelisting the proxy IP address by setting public array $proxyIPs = []; in the main PHP config file.

  • If you have suhosin installed and face an issue with CSRF, please make sure you read issue #1492.

  • PHP ≥ 8.1 is required to run this app.

🏃 Keep the Machine Running

If you like our project, please consider buying us a coffee through the button below so we can keep adding features.

Donate
Or refer to the FUNDING.yml file.

If you choose to deploy OSPOS in the cloud, you can contribute to the project by using DigitalOcean and signing up through our referral link. You'll receive a free $200, 60-day credit if you run OSPOS in a DigitalOcean droplet through our referral link.

📄 License

Open Source Point of Sale is licensed under MIT terms with an important addition:

The footer signature "© 2010 - current year · opensourcepos.org · 3.x.x - hash" including the version, hash and link to our website MUST BE RETAINED, MUST BE VISIBLE IN EVERY PAGE and CANNOT BE MODIFIED.

Also worth noting:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

For more details please read the LICENSE file.

It's important to understand that although you are free to use the application, the copyright has to stay and the license agreement applies in all cases. Therefore, any actions like:

  • Removing LICENSE and/or any license files is prohibited
  • Altering the footer notice, replacing it with your own, or even worse claiming the copyright is absolutely prohibited
  • Claiming full ownership of the code is prohibited

In short, you are free to use the application, but you cannot claim any property on it.

Any person or company found breaching the license agreement might find a bunch of monkeys at the door ready to destroy their servers.

🙏 Credits

Many thanks to DigitalOcean for providing the project with hosting credits. Many thanks to JetBrains for providing a free license of IntelliJ IDEA to kindly support the development of OSPOS. Many thanks to Travis CI for providing a free continuous integration service for open source projects.