Skip to content

Fix XSS vulnerability in payment form invoice_number display#1445

Merged
nielsdrost7 merged 3 commits intoprep/v170from
copilot/fix-xss-vulnerability-invoiceplane
Feb 4, 2026
Merged

Fix XSS vulnerability in payment form invoice_number display#1445
nielsdrost7 merged 3 commits intoprep/v170from
copilot/fix-xss-vulnerability-invoiceplane

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Feb 4, 2026
edited by coderabbitai bot
Loading

Problem

Stored XSS vulnerability (CVSS 4.8) in invoice_number field allows authenticated admins to inject JavaScript that executes when other admins view payment forms.

Changes

Code Fix

  • application/modules/payments/views/form.php (lines 57, 64): Wrapped invoice_number output with htmlsc()

Before:

<?php echo $invoice->invoice_number . ' - ' . htmlsc(format_client($invoice)); ?>

After:

<?php echo htmlsc($invoice->invoice_number) . ' - ' . htmlsc(format_client($invoice)); ?>

Security Audit

  • Verified all reported XSS vectors (unit names, invoice numbers) are protected across 20+ display locations
  • Most locations already using proper encoding; only payment form dropdown was vulnerable
  • Added comprehensive documentation: SECURITY_AUDIT_XSS_UNIT_INVOICE.md

Defense-in-Depth

InvoicePlane's two-layer protection now complete:

  1. Input sanitization: Admin_Controller::filter_input() with XSS cleaning
  2. Output encoding: htmlsc() with ENT_QUOTES on all user content

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/Bacon/BaconQrCode/zipball/8674e51bb65af933a5ffaf1c308a660387c35c22
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/DASPRiD/Enum/zipball/b5874fa9ed0043116c72162ec7f4fb50e02e7cce
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/GrahamCampbell/Result-Type/zipball/e01f4a821471308ba86aa202fed6698b6b695e3b
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/PHPCSStandards/PHP_CodeSniffer/zipball/0ca86845ce43291e8f5692c7356fccf3bcf02bf4
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/PHPMailer/PHPMailer/zipball/d1ac35d784bf9f5e61b424901d5a014967f15b12
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/Setasign/FPDF/zipball/0838e0ee4925716fcbbc50ad9e1799b5edfae0a0
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/Setasign/FPDI/zipball/4b53852fde2734ec6a07e458a085db627c60eada
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/endroid/qr-code/zipball/0db25b506a8411a5e1644ebaa67123a6eb7b6a77
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/filp/whoops/zipball/d2102955e48b9fd9ab24280a7ad12ed552752c4d
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/guzzle/guzzle/zipball/b51ac707cfa420b7bfd4e4d5e510ba8008e822b4
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/guzzle/promises/zipball/481557b130ef3790cf82b713667b43030dc9c957
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/laravel/pint/zipball/c67b4195b75491e4dfc6b00b1c78b68d86f54c90
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/moneyphp/money/zipball/b358727ea5a5cd2d7475e59c31dfc352440ae7ec
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/mpdf/mpdf/zipball/b59670a09498689c33ce639bac8f5ba26721dab3
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/mpdf/psr-http-message-shim/zipball/f25a0153d645e234f9db42e5433b16d9b113920f
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/mpdf/psr-log-aware-trait/zipball/a633da6065e946cc491e1c962850344bb0bf3e78
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/myclabs/DeepCopy/zipball/07d290f0c47959fd5eed98c95ee5602db07e0b6a
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/paragonie/random_compat/zipball/96c132c7f2f7bc3230723b66e89f8f150b29d5ae
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/php-fig/http-client/zipball/bb5906edc1c324c9a05aa0873d40117941e5fa90
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/php-fig/http-factory/zipball/2b4765fddfe3b508ac62f829e852b1501d3f6e8a
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/php-fig/http-message/zipball/402d35bcb92c70c026d1a6a9883f06b2ead23d71
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/php-fig/log/zipball/f16e1d5863e37f8d8c2a01719f5b34baa2b714d3
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/phpstan/phpstan/zipball/9e800e6bee7d5bd02784d4c6069b48032d16224f
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/pocketarc/codeigniter/zipball/d310726565c12ba99b8037e8fb231ed739258e6e
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/rectorphp/rector/zipball/9afc1bb43571b25629f353c61a9315b5ef31383a
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/schmittjoh/php-option/zipball/75365b91986c2405cf5e1e012c5595cd487a98be
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/smhg/sepa-qr-data-php/zipball/837d98eae6fdcf61aaffddb5d9c61b535ee7ce1a
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/stripe/stripe-php/zipball/7e1c4b5d2beadeaeddc42fd1f8a50fdb18b37f30
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/symfony/polyfill-ctype/zipball/a3cc8b044a6ea513310cbd48ef7333b384945638
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/symfony/polyfill-php80/zipball/0cc9dd0f17f61d8131e7df6b84bd344899fe2608
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/symfony/var-dumper/zipball/cfae1497a2f1eaad78dbc0590311c599c7178d4a
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)
  • https://api.github.com/repos/vlucas/phpdotenv/zipball/955e7815d677a3eaa7075231212f2110983adecc
    • Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ShjYTV /usr/bin/composer install --no-interaction --prefer-dist (http block)

If you need me to access, download, or install something from one of these locations, you can either:

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Summary by CodeRabbit

  • Bug Fixes

    • Fixed cross-site scripting (XSS) vulnerabilities in payment form invoice number fields through proper output escaping.

  • Documentation

    • Added comprehensive security audit documenting identified vulnerabilities, applied fixes, and verification results.
    • Updated security summary with defense-in-depth strategies and testing scenarios. Overall security status verified as secure.

Copilot AI and others added 2 commits February 4, 2026 10:10
@nielsdrost7
Fix XSS vulnerability in payment form invoice_number field
0aa606d 
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7
Add comprehensive XSS vulnerability documentation
da2f3b6 
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix stored XSS vulnerability in product unit name fields Fix XSS vulnerability in payment form invoice_number display Feb 4, 2026
Copilot AI requested a review from nielsdrost7 February 4, 2026 10:16
@nielsdrost7 nielsdrost7 requested a review from Copilot February 4, 2026 10:18
@nielsdrost7
Copy link
Copy Markdown
Contributor

nielsdrost7 commented Feb 4, 2026

@coderabbitai full review

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Feb 4, 2026

✅ Actions performed

Full review triggered.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Feb 4, 2026
edited
Loading

📝 Walkthrough

Walkthrough

This pull request adds security audit documentation for XSS vulnerabilities found in the payments module and implements the corresponding fix by wrapping invoice_number output with htmlsc() in the form view template.

Changes

Cohort / File(s) Summary
Security Documentation
SECURITY_AUDIT_XSS_UNIT_INVOICE.md, SECURITY_SUMMARY.md		 New audit document detailing XSS vulnerability findings, fixes, and testing. Summary updated with before/after code examples, vulnerability reorganization, and verification status.
XSS Vulnerability Fix
application/modules/payments/views/form.php		 Added htmlsc() escaping around invoice_number values in two locations: open invoices dropdown and selected payment invoice lines to prevent XSS attacks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through code so fine,
Finding XSS in invoice line,
With htmlsc() guards now in place,
Security wins the coding race!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely describes the main change: fixing an XSS vulnerability in the payment form's invoice_number display field.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch copilot/fix-xss-vulnerability-invoiceplane

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes a stored Cross-Site Scripting (XSS) vulnerability in the payment form where the invoice_number field was not properly HTML-escaped when displayed in dropdown options. The fix applies the existing htmlsc() function to properly encode the invoice number output.

Changes:

  • Added htmlsc() wrapper to invoice_number fields in payment form dropdown (2 instances)
  • Updated SECURITY_SUMMARY.md to document all XSS vulnerabilities and their mitigation status
  • Added comprehensive security audit documentation in SECURITY_AUDIT_XSS_UNIT_INVOICE.md

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
application/modules/payments/views/form.php Fixed XSS vulnerability by wrapping invoice_number output with htmlsc() in two dropdown option locations (lines 57, 64)
SECURITY_SUMMARY.md Updated to document all three reported XSS vulnerability vectors (family name, unit name, invoice number) and their mitigation status
SECURITY_AUDIT_XSS_UNIT_INVOICE.md Added comprehensive security audit documentation covering unit name and invoice number XSS vulnerabilities, including all display locations, defense-in-depth architecture, and verification testing

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

coderabbitai[bot]
coderabbitai bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
SECURITY_SUMMARY.md (1)

68-101: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks (MD040).

Markdownlint flags these fences; please add language tags (e.g., php, text) to all code blocks in this doc.

🔧 Example fix (apply similarly to other fences) 
-```
+```php
 protected function filter_input(): void
 {
     foreach ($input as $key => $value) {
@@
 }
-```
+```

@nielsdrost7 nielsdrost7 marked this pull request as ready for review February 4, 2026 10:32
@nielsdrost7 nielsdrost7 merged commit eb81e42 into prep/v170 Feb 4, 2026
6 checks passed
@nielsdrost7 nielsdrost7 deleted the copilot/fix-xss-vulnerability-invoiceplane branch February 4, 2026 10:32
@coderabbitai coderabbitai bot mentioned this pull request Feb 13, 2026
Merged
nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
v170 in to v171 (#1439)
2b9241f 
* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
merge 1.6.5 to development (#1458)
af1cfd8 
* Temporary Commit Fix Niels - 1 - SalesByYear report

* Fix Niels - 1 - SalesByYear

* Temporary Commit Fix Niels - 3 - Guest Get File

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Suggestions after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* using strpos as per suggestion in code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Final fixes for the Get file problem refs #1324

* suggestion after code-review

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Get file (guest) fix refs #1324

* 1340: Wrong quote/invoice guest download attachment button default template

* 1348: More fixes for PDF footer

* 1322: Show open invoices on guest index

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* Update application/modules/guest/controllers/Get.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* version 1.7.0: PHP 8.2+ compatibility

* for versioning purposes

* bumped composer dependencies

* Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql

* merged in development branch

* packages update

* ran pint
l

* fixed composer just a tiny bit

* improved .gitignore

* Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 6: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 10: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* more github actions

* Update GitHub Actions workflow for PHPMyAdmin

Removed specific branch and path triggers for pushes.

* Update GitHub Actions workflow for Docker image

Removed specific push triggers for branches and tags.

* Modify GitHub Actions workflow triggers

* Modify triggers for MariaDB Docker workflow

Updated workflow triggers for Docker image build.

* Update docker-publish.yml

* Change trigger from pull_request to workflow_dispatch

Updated workflow trigger to allow manual dispatch.

* Change trigger for PHP testing workflow

* Update PHP version in GitHub Actions workflow

* Remove emojis from yarn-update workflow output

* Potential fix for code scanning alert no. 11: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 12: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 13: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 14: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 15: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update .github/workflows/README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Delete .github/workflows/quickstart.yml

* [WIP] Fix inconsistent language files in English (#1423)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Update custom_lang.php documentation to match modern array syntax

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* Fix GitHub Actions workflow issues from code review (#1399)

* Initial plan

* Fix workflow issues based on code review feedback

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script regex and add clarifying comments

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add workflow artifacts to .gitignore

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Update .github/scripts/generate-package-update-report.cjs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Rename transientChanges to transitiveChanges

* Fix vendor-cleaner config to use single extra.dev-files./ key

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* v170 in to v171 (#1439)

* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Updated Composer and Yarn Packages

* to older version for 1.6.5 purposes

* to older version for 1.6.5 purposes

* [WIP] Fix path traversal vulnerability in get_file method (#1459)

* Initial plan

* Fix incomplete validate_template_name function in template_helper.php

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve log injection prevention in validate_template_name

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Potential fix for code scanning alert no. 18: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ordissimo <thierry@ordissimo.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
Version 1.7.1 to develop (#1463)
93622f2 
* Temporary Commit Fix Niels - 1 - SalesByYear report

* Fix Niels - 1 - SalesByYear

* Temporary Commit Fix Niels - 3 - Guest Get File

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Suggestions after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* using strpos as per suggestion in code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Final fixes for the Get file problem refs #1324

* suggestion after code-review

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Get file (guest) fix refs #1324

* 1340: Wrong quote/invoice guest download attachment button default template

* 1348: More fixes for PDF footer

* 1322: Show open invoices on guest index

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* Update application/modules/guest/controllers/Get.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* version 1.7.0: PHP 8.2+ compatibility

* for versioning purposes

* bumped composer dependencies

* Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql

* merged in development branch

* packages update

* ran pint
l

* fixed composer just a tiny bit

* improved .gitignore

* Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 6: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 10: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* more github actions

* Update GitHub Actions workflow for PHPMyAdmin

Removed specific branch and path triggers for pushes.

* Update GitHub Actions workflow for Docker image

Removed specific push triggers for branches and tags.

* Modify GitHub Actions workflow triggers

* Modify triggers for MariaDB Docker workflow

Updated workflow triggers for Docker image build.

* Update docker-publish.yml

* Change trigger from pull_request to workflow_dispatch

Updated workflow trigger to allow manual dispatch.

* Change trigger for PHP testing workflow

* Update PHP version in GitHub Actions workflow

* Remove emojis from yarn-update workflow output

* Potential fix for code scanning alert no. 11: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 12: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 13: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 14: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 15: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update .github/workflows/README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Delete .github/workflows/quickstart.yml

* [WIP] Fix inconsistent language files in English (#1423)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Update custom_lang.php documentation to match modern array syntax

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* Fix GitHub Actions workflow issues from code review (#1399)

* Initial plan

* Fix workflow issues based on code review feedback

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script regex and add clarifying comments

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add workflow artifacts to .gitignore

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Update .github/scripts/generate-package-update-report.cjs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Rename transientChanges to transitiveChanges

* Fix vendor-cleaner config to use single extra.dev-files./ key

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* v170 in to v171 (#1439)

* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Updated Composer and Yarn Packages

* Implement template name validation function

Added a validate_template_name function to check if a template name is valid based on type and scope.

* Add HTML encoder for safe email template sanitization

Added a basic HTML encoder function to prevent DOM text from being reinterpreted as HTML meta-characters before sanitizing email template HTML.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ordissimo <thierry@ordissimo.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@nielsdrost7 nielsdrost7 Awaiting requested review from nielsdrost7

Assignees

@nielsdrost7 nielsdrost7

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nielsdrost7