Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Copilot · nielsdrost7 · Copilot · commit 4d6b4ef4fa1c · 2026-02-03T15:50:23.000Z
Co-authored-by: nielsdrost7 &lt;47660417+nielsdrost7@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,60 @@
+# Changelog
+
+All notable changes to InvoicePlane will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.7.0] - 2025-12-02
+
+### Added
+- Full PHP 8.2+ compatibility support (PHP 8.1, 8.2, 8.3+)
+- Enhanced security logging for file uploads and template operations
+- Comprehensive input validation for template parameters
+- Security warnings in admin interface for SVG logo files
+
+### Changed
+- Updated all PHP dependencies for PHP 8.2+ compatibility
+- Improved error handling in PDF generation
+- Enhanced input sanitization across all user-facing forms
+- Modernized codebase to follow PHP 8+ standards
+
+### Security
+- **CRITICAL:** Fixed multiple Cross-Site Scripting (XSS) vulnerabilities
+  - Quote and invoice number fields now properly escaped in all templates
+  - Tax rate names and payment method names sanitized
+  - Custom field labels and client addresses protected from XSS
+  - Sumex observations and quote notes/passwords sanitized
+  - Email templates now use proper HTML escaping
+- **CRITICAL:** Fixed Local File Inclusion (LFI) vulnerabilities
+  - Template validation added to PDF generation endpoints
+  - Invoice and quote template parameters now validated
+  - Prevented directory traversal attacks through template selection
+- **HIGH:** Fixed log poisoning vulnerability in file upload controller
+  - File names are now sanitized before logging
+  - Prevents control character injection in log files
+- **HIGH:** SVG logo files are now blocked entirely
+  - SVG files can contain embedded JavaScript that could execute in user browsers
+  - Existing SVG logos will not display (security block)
+  - Users should convert to PNG, JPG, or GIF formats
+
+### Removed
+- Support for SVG logo uploads (security measure)
+- Deprecated library dependencies
+- PHP 7.x compatibility (minimum PHP 8.1 required)
+
+### Fixed
+- Email address verification now supports both comma and semicolon separators
+- QR code image width reduced to 100px for better display
+- Version checking and logging for e-invoicing fields
+- File access vulnerabilities across multiple controllers
+
+## [1.6.4] - Earlier Release
+
+For changes in version 1.6.4 and earlier, please see the git commit history.
+
+---
+
+## Security Disclosure
+
+If you discover a security vulnerability in InvoicePlane, please email **[mail@invoiceplane.com](mailto:mail@invoiceplane.com)** before disclosing it publicly. We will address all security concerns promptly.
diff --git a/README.md b/README.md
@@ -23,6 +23,36 @@ _A libre self-hosted web application designed to help you manage invoices, clien
 
 ---
 
+## 🎉 What's New in Version 1.7.0
+
+**InvoicePlane 1.7.0** brings PHP 8.2+ compatibility and critical security enhancements to keep your financial data safe.
+
+### Major Improvements
+
+- **✅ PHP 8.2+ Compatibility:** Full support for modern PHP versions (8.1, 8.2, 8.3+)
+- **🔒 Enhanced Security:** Multiple security vulnerabilities have been addressed:
+  - Fixed Cross-Site Scripting (XSS) vulnerabilities across templates and user inputs
+  - Resolved Local File Inclusion (LFI) vulnerabilities in PDF generation
+  - Patched log poisoning vulnerability in file upload handling
+- **🛡️ SVG Logo Protection:** SVG uploads are now blocked to prevent embedded script execution (see details below)
+- **📦 Updated Dependencies:** All PHP packages updated for compatibility and security
+
+### Upgrading from Version 1.6.x
+
+If you're upgrading from InvoicePlane 1.6.x:
+
+1. **Backup your data** - Create a full backup of your database and files
+2. **Check PHP version** - Ensure your server runs PHP 8.1 or higher
+3. **Update files** - Replace all application files with the new version
+4. **Run migrations** - Visit `/index.php/setup` to apply database updates
+5. **Review logo settings** - If using an SVG logo, convert it to PNG/JPG (see SVG notice below)
+
+For detailed upgrade instructions, visit the [InvoicePlane Wiki](https://wiki.invoiceplane.com/).
+
+> **📋 Full Release Notes:** See [CHANGELOG.md](CHANGELOG.md) for a complete list of changes, security fixes, and improvements.
+
+---
+
 ## Key Features
 
 - **Invoice & Quote Management:** Create, send, and manage professional invoices and quotes effortlessly.
