mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-03-29 04:11:37 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc1e448bc3e034b8e51d64afe08dabe8403d6cb9
opensourcepos/app/Language/zh-Hant/Attributes.php
jekkos bafe3ddf1b Fix stored XSS vulnerability in Attribute Definitions (GHSA-rvfg-ww4r-rwqf) (#4429) 
* Fix stored XSS vulnerability in Attribute Definitions

GHSA-rvfg-ww4r-rwqf: Stored XSS via Attribute Definition Name

Security Impact:
- Authenticated users with attribute management permission can inject XSS payloads
- Payloads execute when viewing/editing attributes in admin panel
- Can steal session cookies, perform CSRF attacks, or compromise admin operations

Root Cause:
1. Input: Attributes.php postSaveDefinition() accepts definition_name without sanitization
2. Output: Views echo definition_name without proper escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to definition_name and definition_unit
- Output escaping: Added esc() wrapper when displaying definition_name in views
- Defense-in-depth: htmlspecialchars on attribute values saved to database

Files Changed:
- app/Controllers/Attributes.php - Sanitize inputs on save
- app/Views/attributes/form.php - Escape output on display
- app/Views/attributes/item.php - Escape output on display

* Remove input sanitization, keep output escaping only

Use escaping on output (esc() in views) as the sole XSS prevention
measure instead of sanitizing on input. This preserves the original
data in the database while still protecting against XSS attacks.

* Add validation for definition_fk foreign key in attribute definitions

Validate definition_group input before saving:
- Must be a positive integer (> 0)
- Must exist in attribute_definitions table
- Must be of type GROUP to ensure data integrity

Also add translation for definition_invalid_group error message
in all 45 language files (English placeholder for translations).

* Refactor definition_fk validation into single conditional statement

* Add esc() to attribute value outputs for XSS protection

- Add esc() to TEXT input value in item.php
- Add esc() to definition_unit in form.php

These fields display user-provided content and need output escaping
to prevent stored XSS attacks.

* Refactor definition_group validation into separate method

Extract validation logic for definition_fk into validateDefinitionGroup()
private method to improve code readability and reduce method complexity.

Returns:
- null if input is empty (no group selected)
- false if validation fails (invalid group)
- integer ID if valid

* Add translations for definition_invalid_group in all languages

- Added proper translations for 28 languages (de, es, fr, it, nl, pl, pt-BR, ru, tr, uk, th, zh-Hans, zh-Hant, ro, sv, vi, id, el, he, fa, hu, da, sw-KE, sw-TZ, ar-LB, ar-EG)
- Set empty string for 14 languages to fallback to English (cs, hr-HR, bg, bs, ckb, hy, km, lo, ml, nb, ta, tl, ur, az)

---------

Co-authored-by: Ollama <ollama@steganos.dev>
2026-03-14 15:33:58 +00:00

35 lines
1.9 KiB
PHP
Raw Blame History

<?php
return [
"attribute_value_invalid_chars" => "屬性設定值中不可含有「_」或「|」",
"confirm_delete" => "您確定要刪除此屬性?",
"confirm_restore" => "您確定要還原所選屬性嗎?",
"definition_cannot_be_deleted" => "無法刪除所選屬性",
"definition_invalid_group" => "所選擇的群組不存在或無效。",
"definition_error_adding_updating" => "無法添加或更新屬性 {0}。 請檢查錯誤日誌。",
"definition_flags" => "屬性可見性",
"definition_group" => "群組",
"definition_id" => "編號",
"definition_name" => "添加屬性",
"definition_name_required" => "屬性名稱必需填寫",
"definition_one_or_multiple" => "屬性",
"definition_successful_adding" => "您已成功添加項目",
"definition_successful_deleted" => "您已成功刪除",
"definition_successful_updating" => "您已成功更新屬性",
"definition_type" => "屬性類型",
"definition_type_required" => "屬性類型必需填寫",
"definition_unit" => "測量單位",
"definition_values" => "屬性值",
"new" => "新屬性",
"no_attributes_to_display" => "沒有項目可顯示",
"receipt_visibility" => "收據",
"show_in_items" => "在項目中顯示",
"show_in_items_visibility" => "物品",
"show_in_receipt" => "在收據中顯示",
"show_in_receivings" => "在收貨中顯示",
"show_in_receivings_visibility" => "收貨",
"show_in_sales" => "在銷售中顯示",
"show_in_sales_visibility" => "銷售",
"update" => "更新屬性",
];
Reference in New Issue View Git Blame Copy Permalink