Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details

[Copilot]

Addresses review feedback requesting complete release notes for the 1.7.0 PHP 8.2+ compatibility release with all GitHub issue numbers and field sanitization documentation.

Complete Release Notes for Version 1.7.0

Issues Fixed

Security Fixes:

• Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 #1433 - Local File Inclusion (LFI) vulnerabilities in PDF template handling (Post-v1.7.0 tag)
• Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1388, Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1387 - Unsafe jQuery plugin vulnerabilities (Code scanning alerts)
• Security: Fix file access vulnerabilities across all controllers with reusable helper #1383 - File access vulnerabilities across all controllers
• Code scanning alerts: Customize quote / invoice groups #5, Forbid invoice deletion / changes after printing #6, Adjust the alert box margins #7, Redmine integration #9, Export of invoices to different formats #10, Add subject line to email templates #11, Year or From-To date filter in Dashboard Overviews #12, Adding VAT ID and Tax/Fiscal Code as customer and user/company fields #13, SQL errors while adding custom fields #14, Cant find setup #15 (workflow permissions and security issues)

Bug Fixes and Improvements:

• Potential fix for code scanning alert no. 5: Workflow does not contain permissions #1389 - Workflow permissions in GitHub Actions
• Add version checking, logging, and log sanitization for client_einvoicing fields to handle unmigrated databases #1381 - E-invoicing field migration and version checking
• Bump qs from 6.14.0 to 6.14.1 #1380 - Dependency update (qs package bump from 6.14.0 to 6.14.1)
• [IP-1376]: Reduce QR code image width to 100px #1377 - QR code image width reduced to 100px
• Fix email address verification to allow both comma and semicolon separators #1375 - Email address verification now supports comma and semicolon separators
• fix: remove libs that are deprecated #1373 - Removed deprecated library dependencies
• [Projects] Improve formatting of default rate #1367, prevent the format_number returning other than numbers #1368 - Various bug fixes

Fields Sanitized for XSS Protection

The following fields have been sanitized and properly escaped to prevent XSS attacks:

• invoice_number - Escaped in all templates and views
• quote_number - Escaped in all templates and views
• tax_rate_name - Sanitized on input, escaped on output
• payment_method_name - Sanitized on input, escaped on output
• custom_field_label - Protected in all custom field displays
• Client address fields - Sanitized for safe display
• sumex_observations - Sanitized on input
• quote_password - Sanitized on input
• quote_notes - Sanitized on input
• Email template content - Proper HTML escaping applied
• File names in upload operations - Sanitized before logging (prevents log poisoning)

Differences Between v1.7.0 Tag and This Branch

Post-v1.7.0 Additions (This Branch)

Security Fix - PR #1433 (commit 0f5b9ff)

• Fixed Local File Inclusion (LFI) vulnerabilities in PDF generation
• Added template validation for invoice_template and quote_template URL parameters
• Improved security logging for template operations
• Prevented directory traversal attacks through template selection

Documentation Improvements (commits 2e4cff7, 4d6b4ef, 9bdbd5c, 4e2496e)

• Added "What's New in Version 1.7.0" section to README
• Created CHANGELOG.md with detailed release notes
• Added complete list of all GitHub issues addressed with numbers
• Documented all fields sanitized for XSS protection
• Added upgrade guidance for 1.6.x users
• Removed decorative emoticons per maintainer feedback

What Was Already in v1.7.0 (from v1.6.4)

• Core PHP 8.2+ compatibility (commit bed535f)
• XSS vulnerability fixes across templates and user inputs
• Log poisoning vulnerability fix in file upload handling
• SVG logo blocking for security
• Multiple code scanning alert fixes
• Workflow permission improvements

Changes Made

• Added "What's New in Version 1.7.0" section to README

  • PHP 8.2+ compatibility highlighted as primary feature
  • Complete list of all issues fixed with GitHub issue numbers
  • Detailed breakdown of fields sanitized for XSS protection
  • Security fixes (XSS, LFI, log poisoning) documented with appropriate detail
  • SVG logo blocking explained with upgrade path
  • 5-step upgrade guide for 1.6.x users
  • Professional formatting without emoticons

• Created comprehensive CHANGELOG.md following Keep a Changelog format

  • Complete 1.7.0 release notes categorized by type (Added, Changed, Security, Fixed Issues, Removed)
  • All GitHub issue numbers explicitly listed (Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 #1433, Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1388, Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1387, Potential fix for code scanning alert no. 5: Workflow does not contain permissions #1389, Security: Fix file access vulnerabilities across all controllers with reusable helper #1383, Add version checking, logging, and log sanitization for client_einvoicing fields to handle unmigrated databases #1381, Bump qs from 6.14.0 to 6.14.1 #1380, [IP-1376]: Reduce QR code image width to 100px #1377, Fix email address verification to allow both comma and semicolon separators #1375, fix: remove libs that are deprecated #1373, [Projects] Improve formatting of default rate #1367, prevent the format_number returning other than numbers #1368)
  • All code scanning alerts documented (Customize quote / invoice groups #5, Forbid invoice deletion / changes after printing #6, Adjust the alert box margins #7, Redmine integration #9, Export of invoices to different formats #10, Add subject line to email templates #11, Year or From-To date filter in Dashboard Overviews #12, Adding VAT ID and Tax/Fiscal Code as customer and user/company fields #13, SQL errors while adding custom fields #14, Cant find setup #15)
  • Detailed field sanitization documentation with specific field names
  • Technical detail on security vulnerabilities for maintainers
  • Security disclosure policy included

• Cross-linked documentation

  • README links to CHANGELOG for full details
  • Consistent messaging across both files

Structure

The README now flows: badges → version highlights → issues fixed → fields sanitized → upgrade steps → existing content (features, installation, community).

Information density optimized for users deciding whether to upgrade and how to do so safely, with complete transparency about all issues addressed and security improvements made.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Summary by CodeRabbit

• Documentation
  • Added comprehensive CHANGELOG documenting project changes and security advisories for version 1.7.0
  • Updated README with version 1.7.0 release details, including PHP 8.2+ compatibility requirements, security enhancements, and upgrade guidance

[nielsdrost7]

@copilot I actually meant the exact changelog for this release. Which issues have been addressed.

• Show me in the main comment of this pull-request, at the top of this PR.
• What are the differences between tag v1.7.0 and this branch
• Which improvements have been made

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

@copilot I actually meant the exact changelog for this release. Which issues have been addressed.

• Show me in the main comment of this pull-request, at the top of this PR.
  ...

Differences between v1.7.0 and this branch

Commits added after v1.7.0 tag:

1. Security Fix - PR #1433 (commit 0f5b9ff)

• Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0
• Added template validation to prevent LFI vulnerability in PDF generation
• Validated invoice_template and quote_template URL parameters
• Improved security logging for template operations
• Prevented directory traversal attacks through template selection

2. Documentation improvements (commits 2e4cff7, 4d6b4ef)

• Added "What's New in Version 1.7.0" section to README
• Created CHANGELOG.md with detailed release notes
• Added upgrade guidance for 1.6.x users
• Documented PHP 8.2+ compatibility and security improvements

Issues addressed in this branch (post-v1.7.0):

• Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 #1433 - Local File Inclusion (LFI) vulnerabilities in PDF template handling

What was already in v1.7.0 (from v1.6.4):

• Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1388, Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1387 - Unsafe jQuery plugin vulnerabilities
• Potential fix for code scanning alert no. 5: Workflow does not contain permissions #1389, Security: Fix file access vulnerabilities across all controllers with reusable helper #1383 - File access and workflow permission security fixes
• Add version checking, logging, and log sanitization for client_einvoicing fields to handle unmigrated databases #1381 - E-invoicing field migration handling
• Bump qs from 6.14.0 to 6.14.1 #1380 - Dependency update (qs package)
• [IP-1376]: Reduce QR code image width to 100px #1377 - QR code display improvement
• Fix email address verification to allow both comma and semicolon separators #1375 - Email separator handling
• fix: remove libs that are deprecated #1373 - Deprecated library removal
• [Projects] Improve formatting of default rate #1367, prevent the format_number returning other than numbers #1368 - Various bug fixes
• Core PHP 8.2+ compatibility (commit bed535f)

The v1.7.0 tag was the initial release. This branch adds critical post-release security fixes (#1433) plus comprehensive documentation.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@README.md`:
- Around line 28-32: Update the PHP compatibility wording to be consistent:
either change the heading text "PHP 8.2+ compatibility" (near "InvoicePlane
1.7.0") to "PHP 8.1+ compatibility" if you intend to support 8.1–8.3+, or remove
"8.1" from the bullet "- * PHP 8.2+ Compatibility:** Full support for modern PHP
versions (8.1, 8.2, 8.3+)" so the list matches "8.2+"; modify the README.md
lines that contain the heading and the bullet to keep both the header and the
parenthetical list synchronized.
- Around line 32-38: The README has malformed Markdown bold/emphasis markers
(extra spaces inside "** ... **" and a stray leading "*" before the PHP line)
causing MD037 lint errors and broken rendering; fix by removing the stray "*"
and normalizing the bold markers to the correct form (e.g., change "- * PHP 8.2+
Compatibility:** Full support..." to a single list bullet and use "**PHP 8.2+
Compatibility:** Full support..." and similarly remove inner spaces in other
occurrences such as the section around "Enhanced Security" and the repeated
instance mentioned at line 52 so all bold/italic tokens are in the form
"**Text**" or "*Text*" with no leading/trailing spaces inside the asterisks.

[nielsdrost7]

@copilot show the full and complete release notes in the main content of this pull request.

• Which exact github issues have been addressed by this release.
• Show the issue numbers.
• Show the notes about fields being sanitized.
• Stop adding those fucking emoticons

[Copilot]

@copilot show the full and complete release notes in the main content of this pull request.

• Which exact github issues have been addressed by this release.
• Show the issue numbers.
  ...

Updated in commit 4e2496e. The README and CHANGELOG now include:

Issue numbers addressed:

• Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 #1433 (LFI), Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1388/Potential fix for code scanning alert no. 8: Unsafe jQuery plugin #1387 (jQuery), Potential fix for code scanning alert no. 5: Workflow does not contain permissions #1389 (Workflow), Security: Fix file access vulnerabilities across all controllers with reusable helper #1383 (File access), Add version checking, logging, and log sanitization for client_einvoicing fields to handle unmigrated databases #1381 (E-invoicing), Bump qs from 6.14.0 to 6.14.1 #1380 (qs bump), [IP-1376]: Reduce QR code image width to 100px #1377 (QR code), Fix email address verification to allow both comma and semicolon separators #1375 (Email separators), fix: remove libs that are deprecated #1373 (Deprecated libs), [Projects] Improve formatting of default rate #1367/prevent the format_number returning other than numbers #1368 (Bug fixes)
• Code scanning alerts: Customize quote / invoice groups #5, Forbid invoice deletion / changes after printing #6, Adjust the alert box margins #7, Redmine integration #9, Export of invoices to different formats #10, Add subject line to email templates #11, Year or From-To date filter in Dashboard Overviews #12, Adding VAT ID and Tax/Fiscal Code as customer and user/company fields #13, SQL errors while adding custom fields #14, Cant find setup #15

Fields sanitized for XSS:

• invoice_number, quote_number, tax_rate_name, payment_method_name, custom_field_label, client addresses, sumex_observations, quote_password, quote_notes, email template content, file names in upload logging

All emoticons removed from documentation.