Fix log poisoning vulnerability in Upload controller#1434
Merged
nielsdrost7 merged 2 commits intoprep/v170from Feb 3, 2026
Merged
Fix log poisoning vulnerability in Upload controller#1434nielsdrost7 merged 2 commits intoprep/v170from
nielsdrost7 merged 2 commits intoprep/v170from
Conversation
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix log poisoning vulnerability in Upload.php
Fix log poisoning vulnerability in Upload controller
Feb 3, 2026
Contributor
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the
Comment |
nielsdrost7
added a commit
that referenced
this pull request
Feb 16, 2026
* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429) * fixed error Removed item discount display from invoice template. * Initial plan * Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional XSS vulnerabilities in all quote/invoice number displays Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add XSS escaping for tax_rate_name and payment_method_name fields Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS in guest view headers for quote/invoice numbers Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix remaining XSS in templates/mailer and add backend input sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve input sanitization comments for clarity Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS in Sumex observations, client addresses, and custom field labels Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add backend XSS sanitization to Sumex fields and quote password/notes Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Block existing SVG logos from rendering to prevent XSS execution Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add SVG upload logging and README documentation for security change Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix log poisoning vulnerability in Upload controller (#1434) * Initial plan * Fix log poisoning vulnerability in Upload.php sanitize_file_name method Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433) * fixed error Removed item discount display from invoice template. * Initial plan * Add template validation to prevent LFI vulnerability Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve logging in LFI fix for better security monitoring Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional LFI vulnerabilities in PDF generation endpoints Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - simplify default template logic Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Add validation for invoice_template parameters in generate_invoice_pdf() - Validate invoice_template when passed as URL parameter - Mirror the same security pattern used for quote_template validation - Ensure all invoice template sources are validated before use - Prevent LFI vulnerability through invoice_template parameter bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435) * Initial plan * Fix three Stored XSS vulnerabilities by adding htmlsc() encoding Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional unit_name XSS vulnerabilities in quotes and products modules Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerability in email template JavaScript context Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix filter_input() bug: Add input sanitization with logging and password bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve filter_input: Add recursive array sanitization, remove double-encoding Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix sanitize_array: Add bypass support and consistent sanitization order Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add invoice_password and quote_password to sanitization bypass list Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Optimize XSS logging: move ip_address and user_agent to request level Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438) * Initial plan * Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add HTML sanitization to email template preview for defense-in-depth XSS protection Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Enhance XSS protection: remove style tag support, validate href protocols Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Optimize sanitization: cache tagName, add style tag to explicit removal list Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix GitHub Actions workflow issues identified in PR #1366 review (#1437) * Initial plan * Fix GitHub Actions workflows per review feedback - composer-update.yml: Parse JSON advisories array instead of file size check - composer-update.yml: Check both composer.lock and composer.json for changes - release.yml: Update action-gh-release from v1 to v2 - release.yml: Fix vendor-cleaner config to use extra.dev-files structure - README.md: Update yarn-update.yml Update Types to match workflow options - Create generate-package-update-report.cjs script for yarn updates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - composer-update.yml: Use double-dash separator before file paths in git diff - generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix git diff logic and improve regex patterns - composer-update.yml: Restore correct git diff logic to detect changes in either file - generate-package-update-report.cjs: Use more restrictive regex patterns Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436) * Initial plan * Add comprehensive version 1.7.0 documentation to README and CHANGELOG Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix formatting and update version 1.7.0 details * Add complete release notes with issue numbers and field sanitization details, remove emoticons Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Track all resolved versions per package in yarn.lock update report (#1440) * Initial plan * Refactor package update report script to track all versions per package using Map<string, Set<string>> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Remove unnecessary Set creation in version comparison logic Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix bidirectional version change detection to catch all version updates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update test-frontend.yml to remove pull_request trigger Remove pull_request trigger from frontend test workflow. * Update PHP testing workflow triggers Remove pull_request trigger from PHP testing workflow * Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441) * Initial plan * Apply code review feedback: improve regex handling and log sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Refactor: Extract sanitize_for_logging helper to follow DRY principles Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add security and DRY development guidelines for InvoicePlane (#1442) * Initial plan * Add comprehensive guidelines and Copilot instructions for security and DRY principles Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive security and DRY analysis for PR #1441 Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback: improve documentation clarity and examples Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Document XSS mitigation in Family Name field - no code changes required (#1443) * Initial plan * Add comprehensive security audit documentation for XSS vulnerability Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add executive security summary for XSS vulnerability verification Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerability in payment form invoice_number display (#1445) * Initial plan * Fix XSS vulnerability in payment form invoice_number field Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive XSS vulnerability documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Comment out invoice and quote password fields Comment out password fields from bypass list. * Update application/helpers/template_helper.php Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Address PR #1439 feedback: sanitization and validation improvements (#1446) * Initial plan * Address PR #1439 feedback: sanitization and validation improvements Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve security: use DOMParser for HTML sanitization and load file_security_helper Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454) * Initial plan * Fix XSS vulnerability in parent invoice number display Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add security documentation for Invoice Group XSS fix Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md * Delete SECURITY_SUMMARY.md * Add comprehensive XSS vulnerability audit documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete COMPREHENSIVE_XSS_AUDIT.md * Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md * Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix stored XSS vulnerabilities in multiple views (19 total) (#1455) * Initial plan * Fix XSS vulnerability by adding HTML escaping to format_client() output Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional XSS vulnerabilities in client view and invoice templates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerabilities in VAT ID and tax code fields Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453) * Initial plan * Initial analysis - identify mpdf footer undefined array key issue Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix: Define html_footer to prevent PHP 8.3 undefined array key error Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete package-lock.json * Delete yarn.lock --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
nielsdrost7
added a commit
that referenced
this pull request
Feb 16, 2026
* Temporary Commit Fix Niels - 1 - SalesByYear report * Fix Niels - 1 - SalesByYear * Temporary Commit Fix Niels - 3 - Guest Get File * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Suggestions after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * using strpos as per suggestion in code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * suggestion after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * suggestion after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Final fixes for the Get file problem refs #1324 * suggestion after code-review * cleanup after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * cleanup after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Get file (guest) fix refs #1324 * 1340: Wrong quote/invoice guest download attachment button default template * 1348: More fixes for PDF footer * 1322: Show open invoices on guest index * 1340: guest route sanitization * 1340: guest route sanitization * 1340: guest route sanitization * 1340: guest route sanitization * Update application/modules/guest/controllers/Get.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/reports/models/Mdl_reports.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/reports/models/Mdl_reports.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * version 1.7.0: PHP 8.2+ compatibility * for versioning purposes * bumped composer dependencies * Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql * merged in development branch * packages update * ran pint l * fixed composer just a tiny bit * improved .gitignore * Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 6: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387) * fixed error Removed item discount display from invoice template. * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 10: Unsafe jQuery plugin Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * more github actions * Update GitHub Actions workflow for PHPMyAdmin Removed specific branch and path triggers for pushes. * Update GitHub Actions workflow for Docker image Removed specific push triggers for branches and tags. * Modify GitHub Actions workflow triggers * Modify triggers for MariaDB Docker workflow Updated workflow triggers for Docker image build. * Update docker-publish.yml * Change trigger from pull_request to workflow_dispatch Updated workflow trigger to allow manual dispatch. * Change trigger for PHP testing workflow * Update PHP version in GitHub Actions workflow * Remove emojis from yarn-update workflow output * Potential fix for code scanning alert no. 11: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 12: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 13: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 14: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 15: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389) * fixed error Removed item discount display from invoice template. * Potential fix for code scanning alert no. 5: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388) * fixed error Removed item discount display from invoice template. * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Delete .github/workflows/quickstart.yml * [WIP] Fix inconsistent language files in English (#1423) * fixed error Removed item discount display from invoice template. * Initial plan * Update custom_lang.php documentation to match modern array syntax Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * Fix GitHub Actions workflow issues from code review (#1399) * Initial plan * Fix workflow issues based on code review feedback Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve script regex and add clarifying comments Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add workflow artifacts to .gitignore Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve script comments for clarity Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Update .github/scripts/generate-package-update-report.cjs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Rename transientChanges to transitiveChanges * Fix vendor-cleaner config to use single extra.dev-files./ key Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * v170 in to v171 (#1439) * Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429) * fixed error Removed item discount display from invoice template. * Initial plan * Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional XSS vulnerabilities in all quote/invoice number displays Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add XSS escaping for tax_rate_name and payment_method_name fields Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS in guest view headers for quote/invoice numbers Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix remaining XSS in templates/mailer and add backend input sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve input sanitization comments for clarity Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS in Sumex observations, client addresses, and custom field labels Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add backend XSS sanitization to Sumex fields and quote password/notes Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Block existing SVG logos from rendering to prevent XSS execution Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add SVG upload logging and README documentation for security change Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix log poisoning vulnerability in Upload controller (#1434) * Initial plan * Fix log poisoning vulnerability in Upload.php sanitize_file_name method Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433) * fixed error Removed item discount display from invoice template. * Initial plan * Add template validation to prevent LFI vulnerability Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve logging in LFI fix for better security monitoring Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional LFI vulnerabilities in PDF generation endpoints Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - simplify default template logic Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Add validation for invoice_template parameters in generate_invoice_pdf() - Validate invoice_template when passed as URL parameter - Mirror the same security pattern used for quote_template validation - Ensure all invoice template sources are validated before use - Prevent LFI vulnerability through invoice_template parameter bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435) * Initial plan * Fix three Stored XSS vulnerabilities by adding htmlsc() encoding Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional unit_name XSS vulnerabilities in quotes and products modules Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerability in email template JavaScript context Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix filter_input() bug: Add input sanitization with logging and password bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve filter_input: Add recursive array sanitization, remove double-encoding Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix sanitize_array: Add bypass support and consistent sanitization order Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add invoice_password and quote_password to sanitization bypass list Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Optimize XSS logging: move ip_address and user_agent to request level Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438) * Initial plan * Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add HTML sanitization to email template preview for defense-in-depth XSS protection Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Enhance XSS protection: remove style tag support, validate href protocols Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Optimize sanitization: cache tagName, add style tag to explicit removal list Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix GitHub Actions workflow issues identified in PR #1366 review (#1437) * Initial plan * Fix GitHub Actions workflows per review feedback - composer-update.yml: Parse JSON advisories array instead of file size check - composer-update.yml: Check both composer.lock and composer.json for changes - release.yml: Update action-gh-release from v1 to v2 - release.yml: Fix vendor-cleaner config to use extra.dev-files structure - README.md: Update yarn-update.yml Update Types to match workflow options - Create generate-package-update-report.cjs script for yarn updates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - composer-update.yml: Use double-dash separator before file paths in git diff - generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix git diff logic and improve regex patterns - composer-update.yml: Restore correct git diff logic to detect changes in either file - generate-package-update-report.cjs: Use more restrictive regex patterns Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436) * Initial plan * Add comprehensive version 1.7.0 documentation to README and CHANGELOG Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix formatting and update version 1.7.0 details * Add complete release notes with issue numbers and field sanitization details, remove emoticons Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Track all resolved versions per package in yarn.lock update report (#1440) * Initial plan * Refactor package update report script to track all versions per package using Map<string, Set<string>> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Remove unnecessary Set creation in version comparison logic Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix bidirectional version change detection to catch all version updates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update test-frontend.yml to remove pull_request trigger Remove pull_request trigger from frontend test workflow. * Update PHP testing workflow triggers Remove pull_request trigger from PHP testing workflow * Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441) * Initial plan * Apply code review feedback: improve regex handling and log sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Refactor: Extract sanitize_for_logging helper to follow DRY principles Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add security and DRY development guidelines for InvoicePlane (#1442) * Initial plan * Add comprehensive guidelines and Copilot instructions for security and DRY principles Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive security and DRY analysis for PR #1441 Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback: improve documentation clarity and examples Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Document XSS mitigation in Family Name field - no code changes required (#1443) * Initial plan * Add comprehensive security audit documentation for XSS vulnerability Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add executive security summary for XSS vulnerability verification Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerability in payment form invoice_number display (#1445) * Initial plan * Fix XSS vulnerability in payment form invoice_number field Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive XSS vulnerability documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Comment out invoice and quote password fields Comment out password fields from bypass list. * Update application/helpers/template_helper.php Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Address PR #1439 feedback: sanitization and validation improvements (#1446) * Initial plan * Address PR #1439 feedback: sanitization and validation improvements Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve security: use DOMParser for HTML sanitization and load file_security_helper Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454) * Initial plan * Fix XSS vulnerability in parent invoice number display Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add security documentation for Invoice Group XSS fix Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md * Delete SECURITY_SUMMARY.md * Add comprehensive XSS vulnerability audit documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete COMPREHENSIVE_XSS_AUDIT.md * Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md * Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix stored XSS vulnerabilities in multiple views (19 total) (#1455) * Initial plan * Fix XSS vulnerability by adding HTML escaping to format_client() output Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional XSS vulnerabilities in client view and invoice templates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerabilities in VAT ID and tax code fields Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453) * Initial plan * Initial analysis - identify mpdf footer undefined array key issue Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix: Define html_footer to prevent PHP 8.3 undefined array key error Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete package-lock.json * Delete yarn.lock --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Updated Composer and Yarn Packages * to older version for 1.6.5 purposes * to older version for 1.6.5 purposes * [WIP] Fix path traversal vulnerability in get_file method (#1459) * Initial plan * Fix incomplete validate_template_name function in template_helper.php Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve log injection prevention in validate_template_name Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Potential fix for code scanning alert no. 18: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Ordissimo <thierry@ordissimo.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
nielsdrost7
added a commit
that referenced
this pull request
Feb 16, 2026
* Temporary Commit Fix Niels - 1 - SalesByYear report * Fix Niels - 1 - SalesByYear * Temporary Commit Fix Niels - 3 - Guest Get File * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Suggestions after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * using strpos as per suggestion in code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * suggestion after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * suggestion after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Final fixes for the Get file problem refs #1324 * suggestion after code-review * cleanup after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * cleanup after code-review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Get file (guest) fix refs #1324 * 1340: Wrong quote/invoice guest download attachment button default template * 1348: More fixes for PDF footer * 1322: Show open invoices on guest index * 1340: guest route sanitization * 1340: guest route sanitization * 1340: guest route sanitization * 1340: guest route sanitization * Update application/modules/guest/controllers/Get.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/reports/models/Mdl_reports.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update application/modules/reports/models/Mdl_reports.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * version 1.7.0: PHP 8.2+ compatibility * for versioning purposes * bumped composer dependencies * Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql * merged in development branch * packages update * ran pint l * fixed composer just a tiny bit * improved .gitignore * Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 6: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387) * fixed error Removed item discount display from invoice template. * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 10: Unsafe jQuery plugin Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * more github actions * Update GitHub Actions workflow for PHPMyAdmin Removed specific branch and path triggers for pushes. * Update GitHub Actions workflow for Docker image Removed specific push triggers for branches and tags. * Modify GitHub Actions workflow triggers * Modify triggers for MariaDB Docker workflow Updated workflow triggers for Docker image build. * Update docker-publish.yml * Change trigger from pull_request to workflow_dispatch Updated workflow trigger to allow manual dispatch. * Change trigger for PHP testing workflow * Update PHP version in GitHub Actions workflow * Remove emojis from yarn-update workflow output * Potential fix for code scanning alert no. 11: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 12: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 13: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 14: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 15: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389) * fixed error Removed item discount display from invoice template. * Potential fix for code scanning alert no. 5: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388) * fixed error Removed item discount display from invoice template. * Potential fix for code scanning alert no. 8: Unsafe jQuery plugin Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update .github/workflows/README.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Delete .github/workflows/quickstart.yml * [WIP] Fix inconsistent language files in English (#1423) * fixed error Removed item discount display from invoice template. * Initial plan * Update custom_lang.php documentation to match modern array syntax Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * Fix GitHub Actions workflow issues from code review (#1399) * Initial plan * Fix workflow issues based on code review feedback Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve script regex and add clarifying comments Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add workflow artifacts to .gitignore Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve script comments for clarity Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Update .github/scripts/generate-package-update-report.cjs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Rename transientChanges to transitiveChanges * Fix vendor-cleaner config to use single extra.dev-files./ key Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * v170 in to v171 (#1439) * Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429) * fixed error Removed item discount display from invoice template. * Initial plan * Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional XSS vulnerabilities in all quote/invoice number displays Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add XSS escaping for tax_rate_name and payment_method_name fields Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS in guest view headers for quote/invoice numbers Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix remaining XSS in templates/mailer and add backend input sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve input sanitization comments for clarity Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS in Sumex observations, client addresses, and custom field labels Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add backend XSS sanitization to Sumex fields and quote password/notes Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Block existing SVG logos from rendering to prevent XSS execution Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add SVG upload logging and README documentation for security change Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix log poisoning vulnerability in Upload controller (#1434) * Initial plan * Fix log poisoning vulnerability in Upload.php sanitize_file_name method Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433) * fixed error Removed item discount display from invoice template. * Initial plan * Add template validation to prevent LFI vulnerability Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve logging in LFI fix for better security monitoring Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional LFI vulnerabilities in PDF generation endpoints Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - simplify default template logic Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Add validation for invoice_template parameters in generate_invoice_pdf() - Validate invoice_template when passed as URL parameter - Mirror the same security pattern used for quote_template validation - Ensure all invoice template sources are validated before use - Prevent LFI vulnerability through invoice_template parameter bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435) * Initial plan * Fix three Stored XSS vulnerabilities by adding htmlsc() encoding Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional unit_name XSS vulnerabilities in quotes and products modules Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerability in email template JavaScript context Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix filter_input() bug: Add input sanitization with logging and password bypass Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve filter_input: Add recursive array sanitization, remove double-encoding Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix sanitize_array: Add bypass support and consistent sanitization order Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add invoice_password and quote_password to sanitization bypass list Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Optimize XSS logging: move ip_address and user_agent to request level Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438) * Initial plan * Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add HTML sanitization to email template preview for defense-in-depth XSS protection Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Enhance XSS protection: remove style tag support, validate href protocols Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Optimize sanitization: cache tagName, add style tag to explicit removal list Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix GitHub Actions workflow issues identified in PR #1366 review (#1437) * Initial plan * Fix GitHub Actions workflows per review feedback - composer-update.yml: Parse JSON advisories array instead of file size check - composer-update.yml: Check both composer.lock and composer.json for changes - release.yml: Update action-gh-release from v1 to v2 - release.yml: Fix vendor-cleaner config to use extra.dev-files structure - README.md: Update yarn-update.yml Update Types to match workflow options - Create generate-package-update-report.cjs script for yarn updates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback - composer-update.yml: Use double-dash separator before file paths in git diff - generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix git diff logic and improve regex patterns - composer-update.yml: Restore correct git diff logic to detect changes in either file - generate-package-update-report.cjs: Use more restrictive regex patterns Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436) * Initial plan * Add comprehensive version 1.7.0 documentation to README and CHANGELOG Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix formatting and update version 1.7.0 details * Add complete release notes with issue numbers and field sanitization details, remove emoticons Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Track all resolved versions per package in yarn.lock update report (#1440) * Initial plan * Refactor package update report script to track all versions per package using Map<string, Set<string>> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Remove unnecessary Set creation in version comparison logic Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix bidirectional version change detection to catch all version updates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update test-frontend.yml to remove pull_request trigger Remove pull_request trigger from frontend test workflow. * Update PHP testing workflow triggers Remove pull_request trigger from PHP testing workflow * Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441) * Initial plan * Apply code review feedback: improve regex handling and log sanitization Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Refactor: Extract sanitize_for_logging helper to follow DRY principles Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add security and DRY development guidelines for InvoicePlane (#1442) * Initial plan * Add comprehensive guidelines and Copilot instructions for security and DRY principles Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive security and DRY analysis for PR #1441 Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Address code review feedback: improve documentation clarity and examples Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Document XSS mitigation in Family Name field - no code changes required (#1443) * Initial plan * Add comprehensive security audit documentation for XSS vulnerability Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add executive security summary for XSS vulnerability verification Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerability in payment form invoice_number display (#1445) * Initial plan * Fix XSS vulnerability in payment form invoice_number field Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add comprehensive XSS vulnerability documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Comment out invoice and quote password fields Comment out password fields from bypass list. * Update application/helpers/template_helper.php Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Address PR #1439 feedback: sanitization and validation improvements (#1446) * Initial plan * Address PR #1439 feedback: sanitization and validation improvements Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Improve security: use DOMParser for HTML sanitization and load file_security_helper Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454) * Initial plan * Fix XSS vulnerability in parent invoice number display Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Add security documentation for Invoice Group XSS fix Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md * Delete SECURITY_SUMMARY.md * Add comprehensive XSS vulnerability audit documentation Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete COMPREHENSIVE_XSS_AUDIT.md * Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md * Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix stored XSS vulnerabilities in multiple views (19 total) (#1455) * Initial plan * Fix XSS vulnerability by adding HTML escaping to format_client() output Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix additional XSS vulnerabilities in client view and invoice templates Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix XSS vulnerabilities in VAT ID and tax code fields Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453) * Initial plan * Initial analysis - identify mpdf footer undefined array key issue Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Fix: Define html_footer to prevent PHP 8.3 undefined array key error Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> * Delete package-lock.json * Delete yarn.lock --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Updated Composer and Yarn Packages * Implement template name validation function Added a validate_template_name function to check if a template name is valid based on type and scope. * Add HTML encoder for safe email template sanitization Added a basic HTML encoder function to prevent DOM text from being reinterpreted as HTML meta-characters before sanitizing email template HTML. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Ordissimo <thierry@ordissimo.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Log poisoning vulnerability in
Upload.phpline 182 where unsanitized filenames from user input were logged directly, enabling injection attacks via malicious filenames.Changes
application/modules/upload/controllers/Upload.php: Hash filename before logging insanitize_file_name()method using existinghash_for_logging()helperThis matches the secure logging pattern already used elsewhere in the same file (lines 99, 124, 150).
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/repos/Bacon/BaconQrCode/zipball/8674e51bb65af933a5ffaf1c308a660387c35c22/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/DASPRiD/Enum/zipball/b5874fa9ed0043116c72162ec7f4fb50e02e7cce/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/GrahamCampbell/Result-Type/zipball/e01f4a821471308ba86aa202fed6698b6b695e3b/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/PHPCSStandards/PHP_CodeSniffer/zipball/0ca86845ce43291e8f5692c7356fccf3bcf02bf4/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/PHPMailer/PHPMailer/zipball/d1ac35d784bf9f5e61b424901d5a014967f15b12/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/Setasign/FPDF/zipball/0838e0ee4925716fcbbc50ad9e1799b5edfae0a0/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/Setasign/FPDI/zipball/4b53852fde2734ec6a07e458a085db627c60eada/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/endroid/qr-code/zipball/0db25b506a8411a5e1644ebaa67123a6eb7b6a77/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/filp/whoops/zipball/d2102955e48b9fd9ab24280a7ad12ed552752c4d/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/guzzle/guzzle/zipball/b51ac707cfa420b7bfd4e4d5e510ba8008e822b4/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/guzzle/promises/zipball/481557b130ef3790cf82b713667b43030dc9c957/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/laravel/pint/zipball/c67b4195b75491e4dfc6b00b1c78b68d86f54c90/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/moneyphp/money/zipball/b358727ea5a5cd2d7475e59c31dfc352440ae7ec/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/mpdf/mpdf/zipball/b59670a09498689c33ce639bac8f5ba26721dab3/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/mpdf/psr-http-message-shim/zipball/f25a0153d645e234f9db42e5433b16d9b113920f/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/mpdf/psr-log-aware-trait/zipball/a633da6065e946cc491e1c962850344bb0bf3e78/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/myclabs/DeepCopy/zipball/07d290f0c47959fd5eed98c95ee5602db07e0b6a/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/paragonie/random_compat/zipball/96c132c7f2f7bc3230723b66e89f8f150b29d5ae/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/php-fig/http-client/zipball/bb5906edc1c324c9a05aa0873d40117941e5fa90/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/php-fig/http-factory/zipball/2b4765fddfe3b508ac62f829e852b1501d3f6e8a/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/php-fig/http-message/zipball/402d35bcb92c70c026d1a6a9883f06b2ead23d71/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/php-fig/log/zipball/f16e1d5863e37f8d8c2a01719f5b34baa2b714d3/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/phpstan/phpstan/zipball/9e800e6bee7d5bd02784d4c6069b48032d16224f/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/pocketarc/codeigniter/zipball/d310726565c12ba99b8037e8fb231ed739258e6e/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/rectorphp/rector/zipball/9afc1bb43571b25629f353c61a9315b5ef31383a/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/schmittjoh/php-option/zipball/75365b91986c2405cf5e1e012c5595cd487a98be/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/smhg/sepa-qr-data-php/zipball/837d98eae6fdcf61aaffddb5d9c61b535ee7ce1a/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/stripe/stripe-php/zipball/7e1c4b5d2beadeaeddc42fd1f8a50fdb18b37f30/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/symfony/polyfill-ctype/zipball/a3cc8b044a6ea513310cbd48ef7333b384945638/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/symfony/polyfill-php80/zipball/0cc9dd0f17f61d8131e7df6b84bd344899fe2608/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/symfony/var-dumper/zipball/cfae1497a2f1eaad78dbc0590311c599c7178d4a/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)https://api.github.com/repos/vlucas/phpdotenv/zipball/955e7815d677a3eaa7075231212f2110983adecc/usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/nQsfch /usr/bin/composer install --no-interaction(http block)If you need me to access, download, or install something from one of these locations, you can either:
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.