mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-03-25 18:32:17 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc1e448bc3e034b8e51d64afe08dabe8403d6cb9
opensourcepos/app/Language/az/Attributes.php
jekkos bafe3ddf1b Fix stored XSS vulnerability in Attribute Definitions (GHSA-rvfg-ww4r-rwqf) (#4429) 
* Fix stored XSS vulnerability in Attribute Definitions

GHSA-rvfg-ww4r-rwqf: Stored XSS via Attribute Definition Name

Security Impact:
- Authenticated users with attribute management permission can inject XSS payloads
- Payloads execute when viewing/editing attributes in admin panel
- Can steal session cookies, perform CSRF attacks, or compromise admin operations

Root Cause:
1. Input: Attributes.php postSaveDefinition() accepts definition_name without sanitization
2. Output: Views echo definition_name without proper escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to definition_name and definition_unit
- Output escaping: Added esc() wrapper when displaying definition_name in views
- Defense-in-depth: htmlspecialchars on attribute values saved to database

Files Changed:
- app/Controllers/Attributes.php - Sanitize inputs on save
- app/Views/attributes/form.php - Escape output on display
- app/Views/attributes/item.php - Escape output on display

* Remove input sanitization, keep output escaping only

Use escaping on output (esc() in views) as the sole XSS prevention
measure instead of sanitizing on input. This preserves the original
data in the database while still protecting against XSS attacks.

* Add validation for definition_fk foreign key in attribute definitions

Validate definition_group input before saving:
- Must be a positive integer (> 0)
- Must exist in attribute_definitions table
- Must be of type GROUP to ensure data integrity

Also add translation for definition_invalid_group error message
in all 45 language files (English placeholder for translations).

* Refactor definition_fk validation into single conditional statement

* Add esc() to attribute value outputs for XSS protection

- Add esc() to TEXT input value in item.php
- Add esc() to definition_unit in form.php

These fields display user-provided content and need output escaping
to prevent stored XSS attacks.

* Refactor definition_group validation into separate method

Extract validation logic for definition_fk into validateDefinitionGroup()
private method to improve code readability and reduce method complexity.

Returns:
- null if input is empty (no group selected)
- false if validation fails (invalid group)
- integer ID if valid

* Add translations for definition_invalid_group in all languages

- Added proper translations for 28 languages (de, es, fr, it, nl, pl, pt-BR, ru, tr, uk, th, zh-Hans, zh-Hant, ro, sv, vi, id, el, he, fa, hu, da, sw-KE, sw-TZ, ar-LB, ar-EG)
- Set empty string for 14 languages to fallback to English (cs, hr-HR, bg, bs, ckb, hy, km, lo, ml, nb, ta, tl, ur, az)

---------

Co-authored-by: Ollama <ollama@steganos.dev>
2026-03-14 15:33:58 +00:00

35 lines
2.1 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
return [
"attribute_value_invalid_chars" => "Atribut dəyəri bu ':' və ya '|' olmaz",
"confirm_delete" => "Seçilmiş Atributları silmək istədiyinizdən əminsinizmi?",
"confirm_restore" => "Seçilmiş atributları bərpa etmək istədiyinizə əminsinizmi?",
"definition_cannot_be_deleted" => "Seçilmiş xüsusiyyətləri silmək olmadı",
"definition_invalid_group" => "",
"definition_error_adding_updating" => "{0} -in atributları əlavə oluna və yenilənə bilmədi. Lütfən XƏTA loq faylını yoxlayın.",
"definition_flags" => "Atribut görünüşü",
"definition_group" => "Qrup",
"definition_id" => "Id",
"definition_name" => "Atribut əlavə et",
"definition_name_required" => "Atribut adı zəruri bir sahədir",
"definition_one_or_multiple" => "atribut (lar)",
"definition_successful_adding" => "Malı uğurla əlavə etdiniz",
"definition_successful_deleted" => "Siz uğurla sildiniz",
"definition_successful_updating" => "Atributunuzu müvəffəqiyyətlə yenilədiniz",
"definition_type" => "Atribut Tipi",
"definition_type_required" => "Atribut növü tələb olunan sahədir",
"definition_unit" => "Ölçü vahidi",
"definition_values" => "Atribut dəyərləri",
"new" => "Yeni atributlar",
"no_attributes_to_display" => "Göstərmək üçün heç bir element yoxdur",
"receipt_visibility" => "Qəbz",
"show_in_items" => "Malları göstər",
"show_in_items_visibility" => "Mallar",
"show_in_receipt" => "Qəbzi göstərin",
"show_in_receivings" => "Alacaqlarda göstərin",
"show_in_receivings_visibility" => "Alınanlar",
"show_in_sales" => "Satışda göstərin",
"show_in_sales_visibility" => "Satışlar",
"update" => "Atributları yenilə",
];
Reference in New Issue View Git Blame Copy Permalink