mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-03-26 19:04:34 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc1e448bc3e034b8e51d64afe08dabe8403d6cb9
opensourcepos/app/Language/zh-Hans/Attributes.php
jekkos bafe3ddf1b Fix stored XSS vulnerability in Attribute Definitions (GHSA-rvfg-ww4r-rwqf) (#4429) 
* Fix stored XSS vulnerability in Attribute Definitions

GHSA-rvfg-ww4r-rwqf: Stored XSS via Attribute Definition Name

Security Impact:
- Authenticated users with attribute management permission can inject XSS payloads
- Payloads execute when viewing/editing attributes in admin panel
- Can steal session cookies, perform CSRF attacks, or compromise admin operations

Root Cause:
1. Input: Attributes.php postSaveDefinition() accepts definition_name without sanitization
2. Output: Views echo definition_name without proper escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to definition_name and definition_unit
- Output escaping: Added esc() wrapper when displaying definition_name in views
- Defense-in-depth: htmlspecialchars on attribute values saved to database

Files Changed:
- app/Controllers/Attributes.php - Sanitize inputs on save
- app/Views/attributes/form.php - Escape output on display
- app/Views/attributes/item.php - Escape output on display

* Remove input sanitization, keep output escaping only

Use escaping on output (esc() in views) as the sole XSS prevention
measure instead of sanitizing on input. This preserves the original
data in the database while still protecting against XSS attacks.

* Add validation for definition_fk foreign key in attribute definitions

Validate definition_group input before saving:
- Must be a positive integer (> 0)
- Must exist in attribute_definitions table
- Must be of type GROUP to ensure data integrity

Also add translation for definition_invalid_group error message
in all 45 language files (English placeholder for translations).

* Refactor definition_fk validation into single conditional statement

* Add esc() to attribute value outputs for XSS protection

- Add esc() to TEXT input value in item.php
- Add esc() to definition_unit in form.php

These fields display user-provided content and need output escaping
to prevent stored XSS attacks.

* Refactor definition_group validation into separate method

Extract validation logic for definition_fk into validateDefinitionGroup()
private method to improve code readability and reduce method complexity.

Returns:
- null if input is empty (no group selected)
- false if validation fails (invalid group)
- integer ID if valid

* Add translations for definition_invalid_group in all languages

- Added proper translations for 28 languages (de, es, fr, it, nl, pl, pt-BR, ru, tr, uk, th, zh-Hans, zh-Hant, ro, sv, vi, id, el, he, fa, hu, da, sw-KE, sw-TZ, ar-LB, ar-EG)
- Set empty string for 14 languages to fallback to English (cs, hr-HR, bg, bs, ckb, hy, km, lo, ml, nb, ta, tl, ur, az)

---------

Co-authored-by: Ollama <ollama@steganos.dev>
2026-03-14 15:33:58 +00:00

35 lines
1.9 KiB
PHP
Raw Blame History

<?php
return [
"attribute_value_invalid_chars" => "属性特征不能包含':' or '|'",
"confirm_delete" => "确定要删除所选属性吗",
"confirm_restore" => "您确定要还原所选属性吗?",
"definition_cannot_be_deleted" => "不能删除该特征属性",
"definition_invalid_group" => "所选组不存在或无效。",
"definition_error_adding_updating" => "无法添加或更新属性{0}。 请检查错误日志。",
"definition_flags" => "属性可见性",
"definition_group" => "",
"definition_id" => "ID卡",
"definition_name" => "添加特征属性",
"definition_name_required" => "属性必须填写",
"definition_one_or_multiple" => "属性特征",
"definition_successful_adding" => "你成功添加物品",
"definition_successful_deleted" => "已经成功删除",
"definition_successful_updating" => "更新属性成功",
"definition_type" => "属性类别",
"definition_type_required" => "属性必填",
"definition_unit" => "计量单位",
"definition_values" => "属性特征值",
"new" => "新属性",
"no_attributes_to_display" => "没有物品需要显示",
"receipt_visibility" => "小票",
"show_in_items" => "在项目中显示",
"show_in_items_visibility" => "物品",
"show_in_receipt" => "在收据中显示",
"show_in_receivings" => "在收据中显示",
"show_in_receivings_visibility" => "收据",
"show_in_sales" => "在销售中显示",
"show_in_sales_visibility" => "销售",
"update" => "更新属性",
];
Reference in New Issue View Git Blame Copy Permalink