mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-25 18:32:17 -04:00
bafe3ddf1b
* Fix stored XSS vulnerability in Attribute Definitions GHSA-rvfg-ww4r-rwqf: Stored XSS via Attribute Definition Name Security Impact: - Authenticated users with attribute management permission can inject XSS payloads - Payloads execute when viewing/editing attributes in admin panel - Can steal session cookies, perform CSRF attacks, or compromise admin operations Root Cause: 1. Input: Attributes.php postSaveDefinition() accepts definition_name without sanitization 2. Output: Views echo definition_name without proper escaping Fix Applied: - Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to definition_name and definition_unit - Output escaping: Added esc() wrapper when displaying definition_name in views - Defense-in-depth: htmlspecialchars on attribute values saved to database Files Changed: - app/Controllers/Attributes.php - Sanitize inputs on save - app/Views/attributes/form.php - Escape output on display - app/Views/attributes/item.php - Escape output on display * Remove input sanitization, keep output escaping only Use escaping on output (esc() in views) as the sole XSS prevention measure instead of sanitizing on input. This preserves the original data in the database while still protecting against XSS attacks. * Add validation for definition_fk foreign key in attribute definitions Validate definition_group input before saving: - Must be a positive integer (> 0) - Must exist in attribute_definitions table - Must be of type GROUP to ensure data integrity Also add translation for definition_invalid_group error message in all 45 language files (English placeholder for translations). * Refactor definition_fk validation into single conditional statement * Add esc() to attribute value outputs for XSS protection - Add esc() to TEXT input value in item.php - Add esc() to definition_unit in form.php These fields display user-provided content and need output escaping to prevent stored XSS attacks. * Refactor definition_group validation into separate method Extract validation logic for definition_fk into validateDefinitionGroup() private method to improve code readability and reduce method complexity. Returns: - null if input is empty (no group selected) - false if validation fails (invalid group) - integer ID if valid * Add translations for definition_invalid_group in all languages - Added proper translations for 28 languages (de, es, fr, it, nl, pl, pt-BR, ru, tr, uk, th, zh-Hans, zh-Hant, ro, sv, vi, id, el, he, fa, hu, da, sw-KE, sw-TZ, ar-LB, ar-EG) - Set empty string for 14 languages to fallback to English (cs, hr-HR, bg, bs, ckb, hy, km, lo, ml, nb, ta, tl, ur, az) --------- Co-authored-by: Ollama <ollama@steganos.dev>
35 lines
1.9 KiB
PHP
35 lines
1.9 KiB
PHP
<?php
|
|
|
|
return [
|
|
"attribute_value_invalid_chars" => "Attribute value cannot contain ':' or '|'",
|
|
"confirm_delete" => "Are you sure you want to delete the selected attribute(s)?",
|
|
"confirm_restore" => "",
|
|
"definition_cannot_be_deleted" => "Could not delete selected attribute(s)",
|
|
"definition_invalid_group" => "",
|
|
"definition_error_adding_updating" => "",
|
|
"definition_flags" => "Attribute Visibility",
|
|
"definition_group" => "Group",
|
|
"definition_id" => "Id",
|
|
"definition_name" => "Attribute Name",
|
|
"definition_name_required" => "Attribute name is a required field",
|
|
"definition_one_or_multiple" => "attribute(s)",
|
|
"definition_successful_adding" => "You have successfully added item",
|
|
"definition_successful_deleted" => "You have successfully deleted",
|
|
"definition_successful_updating" => "You have successfully updated attribute",
|
|
"definition_type" => "Attribute Type",
|
|
"definition_type_required" => "Attribute type is a required field",
|
|
"definition_unit" => "",
|
|
"definition_values" => "Attribute Values",
|
|
"new" => "New Attribute",
|
|
"no_attributes_to_display" => "No Items to display",
|
|
"receipt_visibility" => "Receipt",
|
|
"show_in_items" => "Show in items",
|
|
"show_in_items_visibility" => "Items",
|
|
"show_in_receipt" => "Show in receipt",
|
|
"show_in_receivings" => "Show in receivings",
|
|
"show_in_receivings_visibility" => "Receivings",
|
|
"show_in_sales" => "Show in sales",
|
|
"show_in_sales_visibility" => "Sales",
|
|
"update" => "Update Attribute",
|
|
];
|