Skip to content

Version 1.7.0 into develop branch: PHP 8.2+ compatibility#1366

Closed
nielsdrost7 wants to merge 93 commits intodevelopfrom
prep/v170
Closed

Version 1.7.0 into develop branch: PHP 8.2+ compatibility#1366
nielsdrost7 wants to merge 93 commits intodevelopfrom
prep/v170

Conversation

@nielsdrost7
Copy link
Copy Markdown
Contributor

@nielsdrost7 nielsdrost7 commented Dec 2, 2025
edited by coderabbitai bot
Loading

addresses #1242
addresses #1223
addresses #1205
addresses #1180
addresses #1063
addresses #1009

Summary by CodeRabbit

Release Notes

  • New Features

    • Comprehensive GitHub Actions CI/CD automation for automated testing, code quality checks, dependency updates, translation syncing, and production release packaging.
    • Enhanced file security validation with stricter filename safety checks.

  • Bug Fixes

    • Fixed duplicate item discount rendering in quote PDF templates.

  • Improvements

    • Updated core dependencies and development tools for enhanced compatibility and performance.
    • Modernized internal code patterns for maintainability.

✏️ Tip: You can customize this high-level summary in your review settings.

nielsdrost7 and others added 30 commits August 21, 2025 17:21
@nielsdrost7
Temporary Commit Fix Niels - 1 - SalesByYear report
d7e6a08
@nielsdrost7
Fix Niels - 1 - SalesByYear
1766bbe
@nielsdrost7
Temporary Commit Fix Niels - 3 - Guest Get File
d80ae52
@nielsdrost7
Apply suggestions from code review
1dbdbc3 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
Suggestions after code-review
1212a2b 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
using strpos as per suggestion in code-review
5924d8f 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
suggestion after code-review
fd7ed1d 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
suggestion after code-review
f5ee38e 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
Final fixes for the Get file problem refs #1324
1b5d7a7
@nielsdrost7
suggestion after code-review
9c7acdb
@nielsdrost7
Merge branch 'fix/niels-1-sales-by-year' of github.com:InvoicePlane/I…
1139748 
…nvoicePlane into fix/niels-1-sales-by-year
@nielsdrost7
cleanup after code-review
366b3b5 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
cleanup after code-review
d86929a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
Get file (guest) fix refs #1324
7094e50
@nielsdrost7
1340: Wrong quote/invoice guest download attachment button default te…
9b5ef4c 
…mplate
@nielsdrost7
1348: More fixes for PDF footer
44a94c2
@nielsdrost7
1322: Show open invoices on guest index
b27be93
@nielsdrost7
1340: guest route sanitization
572e82a
@nielsdrost7
1340: guest route sanitization
cd05e15
@nielsdrost7
1340: guest route sanitization
18a116f
@nielsdrost7
1340: guest route sanitization
33ce869
@nielsdrost7
Update application/modules/guest/controllers/Get.php
921225a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
Update application/modules/reports/models/Mdl_reports.php
41227ea 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
Update application/modules/reports/models/Mdl_reports.php
9b90780 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7
Merge branch 'fix/niels-1-sales-by-year' into prep/v164
1b7465c
@nielsdrost7
Merge branch 'fix/niels-3-guest-get-file' into prep/v164
b1953af
@nielsdrost7
Merge branch 'fix/1340-guest-route-sanitization' into prep/v164
8024e2c
@nielsdrost7
Merge branch 'fix/1348-downloading-pdf-gives-ugly-gray-screen' into p…
5cbf2b1 
…rep/v164
@nielsdrost7
Merge branch 'fix/1340-wrong-quoteinvoice-guest-download-attachment-b…
f985fce 
…utton' into prep/v164
@nielsdrost7
version 1.7.0: PHP 8.2+ compatibility
bed535f
Copilot AI and others added 2 commits February 3, 2026 20:20
@nielsdrost7
Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)
5473939 
* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7
Add complete version 1.7.0 release documentation with all issue numbe…
55c17af 
…rs and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Feb 3, 2026
View reviewed changes
Comment thread assets/core/js/scripts.js Outdated
function sanitize_email_template_html(html) {
// Create a temporary DOM element to parse the HTML
var temp = document.createElement('div');
temp.innerHTML = html;

Check failure

Code scanning / CodeQL

DOM text reinterpreted as HTML High

DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 2 months ago

In general, the problem is that untrusted data is being parsed as HTML via innerHTML in the same browsing context; if any scripts or event handlers run during parsing, or if the sanitizer is incomplete, XSS is possible. To fix this, we should ensure that parsing the untrusted HTML cannot execute script, and that all dangerous nodes/attributes are removed before returning any HTML that will later be rendered. The best way, without changing functionality, is to keep the sanitizer but change how we build the DOM for cleaning: instead of using temp.innerHTML = html directly in the main document, we can parse into an inert container such as an HTML <template> element (whose .content never executes scripts), then sanitize its content and serialize it back.

Concretely in assets/core/js/scripts.js inside sanitize_email_template_html:

  1. Replace var temp = document.createElement('div'); temp.innerHTML = html; with a safer setup:
    • Create a <template> element.
    • Set template.innerHTML = html;.
    • Work on template.content instead of the live DOM.
    • Wrap the content into a separate <div> container used only for sanitization and serialization.
  2. Keep the existing allowedTags, allowedAttrs, and cleanNode logic, but make sure we pass the correct root for cleaning (the new container that holds the cloned nodes from template.content) and only operate on that.
  3. Finally, return container.innerHTML instead of temp.innerHTML.

This keeps the public API (sanitize_email_template_html(html) returning sanitized HTML) unchanged and continues to support the email template preview, but ensures that tainted HTML is never interpreted in a way that could execute scripts in the main document during parsing.

Suggested changeset 1
assets/core/js/scripts.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/core/js/scripts.js b/assets/core/js/scripts.js
--- a/assets/core/js/scripts.js
+++ b/assets/core/js/scripts.js
@@ -76,9 +76,12 @@
 // Sanitize HTML for email template preview
 // Allows only safe formatting tags and strips scripts, event handlers, and dangerous attributes
 function sanitize_email_template_html(html) {
-    // Create a temporary DOM element to parse the HTML
+    // Parse HTML in an inert context to avoid executing scripts during parsing
+    var template = document.createElement('template');
+    template.innerHTML = html || '';
+    // Use a detached container to run the sanitizer on the parsed nodes
     var temp = document.createElement('div');
-    temp.innerHTML = html;
+    temp.appendChild(template.content.cloneNode(true));
     
     // List of allowed tags (only safe formatting tags)
     var allowedTags = ['b', 'strong', 'em', 'i', 'p', 'br', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 
@@ -147,7 +149,7 @@
         });
     }
     
-    // Clean all child nodes
+    // Clean all child nodes in the detached container
     Array.from(temp.childNodes).forEach(function(child) {
         if (child.nodeType === 1) {
             cleanNode(child);
EOF
@@ -76,9 +76,12 @@
// Sanitize HTML for email template preview
// Allows only safe formatting tags and strips scripts, event handlers, and dangerous attributes
function sanitize_email_template_html(html) {
// Create a temporary DOM element to parse the HTML
// Parse HTML in an inert context to avoid executing scripts during parsing
var template = document.createElement('template');
template.innerHTML = html || '';
// Use a detached container to run the sanitizer on the parsed nodes
var temp = document.createElement('div');
temp.innerHTML = html;
temp.appendChild(template.content.cloneNode(true));

// List of allowed tags (only safe formatting tags)
var allowedTags = ['b', 'strong', 'em', 'i', 'p', 'br', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
@@ -147,7 +149,7 @@
});
}

// Clean all child nodes
// Clean all child nodes in the detached container
Array.from(temp.childNodes).forEach(function(child) {
if (child.nodeType === 1) {
cleanNode(child);
Copilot is powered by AI and may make mistakes. Always verify output.
@nielsdrost7 nielsdrost7 committed this autofix suggestion 2 months ago.
nielsdrost7 and others added 9 commits February 3, 2026 20:26
@nielsdrost7
Merge branch 'prep/v171' into prep/v170
da14650
@nielsdrost7
Track all resolved versions per package in yarn.lock update report (#…
2a1cf04 
…1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7
Apply suggestions from code review
72bd368 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nielsdrost7 @github-advanced-security
Potential fix for code scanning alert no. 16: DOM text reinterpreted …
11dbea4 
…as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@nielsdrost7
Update test-frontend.yml to remove pull_request trigger
3826c45 
Remove pull_request trigger from frontend test workflow.
@nielsdrost7
Update PHP testing workflow triggers
b35bdf7 
Remove pull_request trigger from PHP testing workflow
@nielsdrost7 @github-advanced-security
Potential fix for code scanning alert no. 17: DOM text reinterpreted …
b754aab 
…as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@nielsdrost7
Refactor input sanitization to follow DRY principles and fix log inje…
69e9bc4 
…ction vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7
Add security and DRY development guidelines for InvoicePlane (#1442)
2073810 
* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
accesslint[bot]
accesslint bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown

@accesslint accesslint bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are accessibility issues in these changes.

Comment thread .junie/guidelines.md
<!-- In views -->
<h1><?php echo html_escape($invoice_number); ?></h1>
<div><?php echo html_escape($client_name); ?></div>
<textarea><?php echo html_escape($notes); ?></textarea>
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.

Comment thread .junie/guidelines.md
<a href="<?php echo $base_url . '/' . $query_param; ?>">Link</a>

// HTML attribute context
<input type="text" value="<?php echo html_escape($value); ?>">
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.

@nielsdrost7
Document XSS mitigation in Family Name field - no code changes requir…
f4fc786 
…ed (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
accesslint[bot]
accesslint bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown

@accesslint accesslint bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are accessibility issues in these changes.

Comment thread SECURITY_SUMMARY.md Outdated
| Payload | Encoded Output | Result |
|---------|----------------|--------|
| `<script>alert("XSS")</script>` | `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` | ✅ Safe |
| `<img src=x onerror=alert(1)>` | `&lt;img src=x onerror=alert(1)&gt;` | ✅ Safe |
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image is missing a text alternative. This is a problem for people using screen readers.

Comment thread SECURITY_AUDIT_XSS_FAMILY_NAME.md Outdated
| Payload | Result |
|---------|--------|
| `<script>alert("XSS")</script>` | Encoded to `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` ✅ |
| `<img src=x onerror=alert("XSS")>` | Encoded to `&lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;` ✅ |
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image is missing a text alternative. This is a problem for people using screen readers.

Comment thread .junie/guidelines.md
<!-- In views -->
<h1><?php echo html_escape($invoice_number); ?></h1>
<div><?php echo html_escape($client_name); ?></div>
<textarea><?php echo html_escape($notes); ?></textarea>
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.

Comment thread .junie/guidelines.md
<a href="<?php echo $base_url . '/' . $query_param; ?>">Link</a>

// HTML attribute context
<input type="text" value="<?php echo html_escape($value); ?>">
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.

@nielsdrost7
Fix XSS vulnerability in payment form invoice_number display (#1445)
eb81e42 
* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
accesslint[bot]
accesslint bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown

@accesslint accesslint bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are accessibility issues in these changes.

Comment thread SECURITY_SUMMARY.md Outdated
| Payload | Encoded Output | Result |
|---------|----------------|--------|
| `<script>alert("XSS")</script>` | `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` | ✅ Safe |
| `<img src=x onerror=alert(1)>` | `&lt;img src=x onerror=alert(1)&gt;` | ✅ Safe |
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image is missing a text alternative. This is a problem for people using screen readers.

Comment thread SECURITY_AUDIT_XSS_FAMILY_NAME.md Outdated
| Payload | Result |
|---------|--------|
| `<script>alert("XSS")</script>` | Encoded to `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` ✅ |
| `<img src=x onerror=alert("XSS")>` | Encoded to `&lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;` ✅ |
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image is missing a text alternative. This is a problem for people using screen readers.

Comment thread SECURITY_AUDIT_XSS_UNIT_INVOICE.md Outdated
| Payload | Encoded Output | Result |
|---------|----------------|--------|
| `<script>alert("XSS")</script>` | `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` | ✅ Safe |
| `<img src=x onerror=alert(1)>` | `&lt;img src=x onerror=alert(1)&gt;` | ✅ Safe |
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image is missing a text alternative. This is a problem for people using screen readers.

Comment thread .junie/guidelines.md
<!-- In views -->
<h1><?php echo html_escape($invoice_number); ?></h1>
<div><?php echo html_escape($client_name); ?></div>
<textarea><?php echo html_escape($notes); ?></textarea>
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.

Comment thread SECURITY_AUDIT_XSS_UNIT_INVOICE.md Outdated
**Result:** ✅ XSS payload is displayed as text, not executed

### PoC Attack Scenario 3: Invoice Number (Payment Form)
1. Create an invoice with malicious number `<img src=x onerror=alert(1)>`
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This image is missing a text alternative. This is a problem for people using screen readers.

Comment thread .junie/guidelines.md
<a href="<?php echo $base_url . '/' . $query_param; ?>">Link</a>

// HTML attribute context
<input type="text" value="<?php echo html_escape($value); ?>">
Copy link
Copy Markdown

@accesslint accesslint bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this element is missing an accessible name or label. That makes it hard for people using screen readers or voice control to use the control.

nielsdrost7 and others added 4 commits February 4, 2026 11:50
@nielsdrost7
Comment out invoice and quote password fields
87e5940 
Comment out password fields from bypass list.
@nielsdrost7 @coderabbitai
Update application/helpers/template_helper.php
e764741 
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@nielsdrost7
Address PR #1439 feedback: sanitization and validation improvements (#…
11fd97a 
…1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7
Fix stored XSS in credit invoice parent number display + comprehensiv…
1f8c964 
…e security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
accesslint[bot]
accesslint bot reviewed Feb 13, 2026
View reviewed changes
Copy link
Copy Markdown

@accesslint accesslint bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found 2 issues across 1 rule.

Repeated issues:

  • application/helpers/invoice_helper.php Image element missing alt attribute. — lines 32, 55

Comment thread application/helpers/invoice_helper.php
return '';
}

return '<img src="' . base_url() . 'uploads/' . $logo_file . '">';
Copy link
Copy Markdown

@accesslint accesslint bot Feb 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WCAG 1.1.1: Image element missing alt attribute.

Images must have alternate text. Add an alt attribute to elements. Decorative images may use an empty alt attribute (alt=""), role='none', or role='presentation'.

Also on line 55.

Comment thread application/helpers/invoice_helper.php
}

return '<img src="' . $absolutePath . '/uploads/' . $CI->mdl_settings->setting('invoice_logo') . '" id="invoice-logo">';
return '<img src="' . $absolutePath . '/uploads/' . $logo_file . '" id="invoice-logo">';
Copy link
Copy Markdown

@accesslint accesslint bot Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WCAG 1.1.1: Image element missing alt attribute.

@nielsdrost7
Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)
eb196fd 
* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
accesslint[bot]
accesslint bot reviewed Feb 14, 2026
View reviewed changes
Copy link
Copy Markdown

@accesslint accesslint bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found 2 issues across 1 rule.

Repeated issues:

  • application/helpers/invoice_helper.php Image element missing alt attribute. — lines 32, 55

Comment thread application/helpers/invoice_helper.php
return '';
}

return '<img src="' . base_url() . 'uploads/' . $logo_file . '">';
Copy link
Copy Markdown

@accesslint accesslint bot Feb 14, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WCAG 1.1.1: Image element missing alt attribute.

Images must have alternate text. Add an alt attribute to elements. Decorative images may use an empty alt attribute (alt=""), role='none', or role='presentation'.

Also on line 55.

Comment thread application/helpers/invoice_helper.php
}

return '<img src="' . $absolutePath . '/uploads/' . $CI->mdl_settings->setting('invoice_logo') . '" id="invoice-logo">';
return '<img src="' . $absolutePath . '/uploads/' . $logo_file . '" id="invoice-logo">';
Copy link
Copy Markdown

@accesslint accesslint bot Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WCAG 1.1.1: Image element missing alt attribute.

@nielsdrost7
Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)
e2478f2 
* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
accesslint[bot]
accesslint bot reviewed Feb 14, 2026
View reviewed changes
Copy link
Copy Markdown

@accesslint accesslint bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found 2 issues across 1 rule.

Repeated issues:

  • application/helpers/invoice_helper.php Image element missing alt attribute. — lines 32, 55

Comment thread application/helpers/invoice_helper.php
return '';
}

return '<img src="' . base_url() . 'uploads/' . $logo_file . '">';
Copy link
Copy Markdown

@accesslint accesslint bot Feb 14, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WCAG 1.1.1: Image element missing alt attribute.

Images must have alternate text. Add an alt attribute to elements. Decorative images may use an empty alt attribute (alt=""), role='none', or role='presentation'.

Also on line 55.

Comment thread application/helpers/invoice_helper.php
}

return '<img src="' . $absolutePath . '/uploads/' . $CI->mdl_settings->setting('invoice_logo') . '" id="invoice-logo">';
return '<img src="' . $absolutePath . '/uploads/' . $logo_file . '" id="invoice-logo">';
Copy link
Copy Markdown

@accesslint accesslint bot Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WCAG 1.1.1: Image element missing alt attribute.

nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
v170 in to v171 (#1439)
2b9241f 
* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
merge 1.6.5 to development (#1458)
af1cfd8 
* Temporary Commit Fix Niels - 1 - SalesByYear report

* Fix Niels - 1 - SalesByYear

* Temporary Commit Fix Niels - 3 - Guest Get File

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Suggestions after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* using strpos as per suggestion in code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Final fixes for the Get file problem refs #1324

* suggestion after code-review

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Get file (guest) fix refs #1324

* 1340: Wrong quote/invoice guest download attachment button default template

* 1348: More fixes for PDF footer

* 1322: Show open invoices on guest index

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* Update application/modules/guest/controllers/Get.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* version 1.7.0: PHP 8.2+ compatibility

* for versioning purposes

* bumped composer dependencies

* Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql

* merged in development branch

* packages update

* ran pint
l

* fixed composer just a tiny bit

* improved .gitignore

* Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 6: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 10: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* more github actions

* Update GitHub Actions workflow for PHPMyAdmin

Removed specific branch and path triggers for pushes.

* Update GitHub Actions workflow for Docker image

Removed specific push triggers for branches and tags.

* Modify GitHub Actions workflow triggers

* Modify triggers for MariaDB Docker workflow

Updated workflow triggers for Docker image build.

* Update docker-publish.yml

* Change trigger from pull_request to workflow_dispatch

Updated workflow trigger to allow manual dispatch.

* Change trigger for PHP testing workflow

* Update PHP version in GitHub Actions workflow

* Remove emojis from yarn-update workflow output

* Potential fix for code scanning alert no. 11: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 12: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 13: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 14: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 15: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update .github/workflows/README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Delete .github/workflows/quickstart.yml

* [WIP] Fix inconsistent language files in English (#1423)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Update custom_lang.php documentation to match modern array syntax

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* Fix GitHub Actions workflow issues from code review (#1399)

* Initial plan

* Fix workflow issues based on code review feedback

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script regex and add clarifying comments

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add workflow artifacts to .gitignore

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Update .github/scripts/generate-package-update-report.cjs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Rename transientChanges to transitiveChanges

* Fix vendor-cleaner config to use single extra.dev-files./ key

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* v170 in to v171 (#1439)

* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Updated Composer and Yarn Packages

* to older version for 1.6.5 purposes

* to older version for 1.6.5 purposes

* [WIP] Fix path traversal vulnerability in get_file method (#1459)

* Initial plan

* Fix incomplete validate_template_name function in template_helper.php

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve log injection prevention in validate_template_name

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Potential fix for code scanning alert no. 18: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ordissimo <thierry@ordissimo.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
Version 1.7.1 to develop (#1463)
93622f2 
* Temporary Commit Fix Niels - 1 - SalesByYear report

* Fix Niels - 1 - SalesByYear

* Temporary Commit Fix Niels - 3 - Guest Get File

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Suggestions after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* using strpos as per suggestion in code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Final fixes for the Get file problem refs #1324

* suggestion after code-review

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Get file (guest) fix refs #1324

* 1340: Wrong quote/invoice guest download attachment button default template

* 1348: More fixes for PDF footer

* 1322: Show open invoices on guest index

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* Update application/modules/guest/controllers/Get.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* version 1.7.0: PHP 8.2+ compatibility

* for versioning purposes

* bumped composer dependencies

* Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql

* merged in development branch

* packages update

* ran pint
l

* fixed composer just a tiny bit

* improved .gitignore

* Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 6: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 10: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* more github actions

* Update GitHub Actions workflow for PHPMyAdmin

Removed specific branch and path triggers for pushes.

* Update GitHub Actions workflow for Docker image

Removed specific push triggers for branches and tags.

* Modify GitHub Actions workflow triggers

* Modify triggers for MariaDB Docker workflow

Updated workflow triggers for Docker image build.

* Update docker-publish.yml

* Change trigger from pull_request to workflow_dispatch

Updated workflow trigger to allow manual dispatch.

* Change trigger for PHP testing workflow

* Update PHP version in GitHub Actions workflow

* Remove emojis from yarn-update workflow output

* Potential fix for code scanning alert no. 11: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 12: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 13: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 14: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 15: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update .github/workflows/README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Delete .github/workflows/quickstart.yml

* [WIP] Fix inconsistent language files in English (#1423)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Update custom_lang.php documentation to match modern array syntax

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* Fix GitHub Actions workflow issues from code review (#1399)

* Initial plan

* Fix workflow issues based on code review feedback

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script regex and add clarifying comments

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add workflow artifacts to .gitignore

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Update .github/scripts/generate-package-update-report.cjs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Rename transientChanges to transitiveChanges

* Fix vendor-cleaner config to use single extra.dev-files./ key

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* v170 in to v171 (#1439)

* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Updated Composer and Yarn Packages

* Implement template name validation function

Added a validate_template_name function to check if a template name is valid based on type and scope.

* Add HTML encoder for safe email template sanitization

Added a basic HTML encoder function to prevent DOM text from being reinterpreted as HTML meta-characters before sanitizing email template HTML.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ordissimo <thierry@ordissimo.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@accesslint accesslint[bot] accesslint[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nielsdrost7 @github-advanced-security