Skip to content

Complete validate_template_name() implementation to prevent LFI attacks#1459

Merged
nielsdrost7 merged 3 commits intoprep/v165from
copilot/fix-path-traversal-vulnerability
Feb 16, 2026
Merged

Complete validate_template_name() implementation to prevent LFI attacks#1459
nielsdrost7 merged 3 commits intoprep/v165from
copilot/fix-path-traversal-vulnerability

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Feb 16, 2026
edited
Loading

Problem

Critical LFI vulnerability (CVSS 9.1) allowed authenticated admins to execute arbitrary code by setting public_invoice_template to paths like ../../../logs/log-2026-01-30, enabling inclusion of poisoned log files.

Changes

The validate_template_name() function in application/helpers/template_helper.php was declared but not implemented - only the docblock and closing brace existed.

Completed implementation:

function validate_template_name($template_name, $type = 'invoice', $scope = 'pdf')
{
    $CI = & get_instance();
    $CI->load->helper('file_security');
    $CI->load->model('invoices/mdl_templates');
    
    // Get filesystem-based whitelist of valid templates
    if ($type === 'invoice') {
        $valid_templates = $CI->mdl_templates->get_invoice_templates($scope);
    } elseif ($type === 'quote') {
        $valid_templates = $CI->mdl_templates->get_quote_templates($scope);
    } else {
        $safe_type = sanitize_for_logging((string) $type);
        log_message('error', 'Template validation failed: Invalid template type: ' . $safe_type);
        return false;
    }
    
    // Strict whitelist validation - no path traversal possible
    if (!in_array($template_name, $valid_templates, true)) {
        $safe_template_name = sanitize_for_logging((string) $template_name);
        log_message('error', 'Template validation failed: Template not in allowed list: ' . $safe_template_name);
        return false;
    }
    
    return $template_name;
}

Security mechanism:

  • Whitelist validation against actual filesystem templates (no user paths allowed)
  • Strict in_array() comparison prevents type juggling
  • sanitize_for_logging() prevents secondary log injection attacks
  • Returns validated name or false (never returns unsanitized user input)

This function is called by View::invoice() and View::quote() before template inclusion, breaking the LFI attack chain. Path traversal and log poisoning mitigations were already present in other controllers.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits February 16, 2026 11:53
@nielsdrost7
Fix incomplete validate_template_name function in template_helper.php
8e84977 
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7
Improve log injection prevention in validate_template_name
9fab816 
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
@nielsdrost7 nielsdrost7 marked this pull request as ready for review February 16, 2026 12:00
@nielsdrost7 nielsdrost7 merged commit 5e3c669 into prep/v165 Feb 16, 2026
@nielsdrost7 nielsdrost7 deleted the copilot/fix-path-traversal-vulnerability branch February 16, 2026 12:00
Copilot AI restored the copilot/fix-path-traversal-vulnerability branch February 16, 2026 12:01
Copilot AI changed the title [WIP] Fix path traversal vulnerability in get_file method Complete validate_template_name() implementation to prevent LFI attacks Feb 16, 2026
Copilot AI requested a review from nielsdrost7 February 16, 2026 12:01
Copilot stopped work on behalf of nielsdrost7 due to an error February 16, 2026 12:01
The session was cancelled by the user.
@nielsdrost7 nielsdrost7 deleted the copilot/fix-path-traversal-vulnerability branch February 16, 2026 12:08
nielsdrost7 added a commit that referenced this pull request Feb 16, 2026
@nielsdrost7
@github-advanced-security @coderabbitai
merge 1.6.5 to development (#1458)
af1cfd8 
* Temporary Commit Fix Niels - 1 - SalesByYear report

* Fix Niels - 1 - SalesByYear

* Temporary Commit Fix Niels - 3 - Guest Get File

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Suggestions after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* using strpos as per suggestion in code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* suggestion after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Final fixes for the Get file problem refs #1324

* suggestion after code-review

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* cleanup after code-review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Get file (guest) fix refs #1324

* 1340: Wrong quote/invoice guest download attachment button default template

* 1348: More fixes for PDF footer

* 1322: Show open invoices on guest index

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* 1340: guest route sanitization

* Update application/modules/guest/controllers/Get.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update application/modules/reports/models/Mdl_reports.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* version 1.7.0: PHP 8.2+ compatibility

* for versioning purposes

* bumped composer dependencies

* Rename application/modules/setup/041_1.7.0.sql to application/modules/setup/sql/041_1.7.0.sql

* merged in development branch

* packages update

* ran pint
l

* fixed composer just a tiny bit

* improved .gitignore

* Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 6: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1387)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 10: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* more github actions

* Update GitHub Actions workflow for PHPMyAdmin

Removed specific branch and path triggers for pushes.

* Update GitHub Actions workflow for Docker image

Removed specific push triggers for branches and tags.

* Modify GitHub Actions workflow triggers

* Modify triggers for MariaDB Docker workflow

Updated workflow triggers for Docker image build.

* Update docker-publish.yml

* Change trigger from pull_request to workflow_dispatch

Updated workflow trigger to allow manual dispatch.

* Change trigger for PHP testing workflow

* Update PHP version in GitHub Actions workflow

* Remove emojis from yarn-update workflow output

* Potential fix for code scanning alert no. 11: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 12: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 13: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 14: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 15: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions (#1389)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 5: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin (#1388)

* fixed error

Removed item discount display from invoice template.

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update .github/workflows/README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Delete .github/workflows/quickstart.yml

* [WIP] Fix inconsistent language files in English (#1423)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Update custom_lang.php documentation to match modern array syntax

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* Fix GitHub Actions workflow issues from code review (#1399)

* Initial plan

* Fix workflow issues based on code review feedback

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script regex and add clarifying comments

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add workflow artifacts to .gitignore

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve script comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Update .github/scripts/generate-package-update-report.cjs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Rename transientChanges to transitiveChanges

* Fix vendor-cleaner config to use single extra.dev-files./ key

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* v170 in to v171 (#1439)

* Fix XSS vulnerabilities across InvoicePlane with comprehensive security audit, defense-in-depth protection, SVG execution prevention, and security logging (#1429)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Fix XSS vulnerabilities in quote/invoice numbers and SVG logo uploads

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in all quote/invoice number displays

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add XSS escaping for tax_rate_name and payment_method_name fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in guest view headers for quote/invoice numbers

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix remaining XSS in templates/mailer and add backend input sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve input sanitization comments for clarity

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS in Sumex observations, client addresses, and custom field labels

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add backend XSS sanitization to Sumex fields and quote password/notes

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Block existing SVG logos from rendering to prevent XSS execution

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add SVG upload logging and README documentation for security change

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix log poisoning vulnerability in Upload controller (#1434)

* Initial plan

* Fix log poisoning vulnerability in Upload.php sanitize_file_name method

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 (#1433)

* fixed error

Removed item discount display from invoice template.

* Initial plan

* Add template validation to prevent LFI vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve logging in LFI fix for better security monitoring

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional LFI vulnerabilities in PDF generation endpoints

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback - simplify default template logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add validation for invoice_template parameters in generate_invoice_pdf()

- Validate invoice_template when passed as URL parameter
- Mirror the same security pattern used for quote_template validation
- Ensure all invoice template sources are validated before use
- Prevent LFI vulnerability through invoice_template parameter bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Niels Drost <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Stored XSS vulnerabilities with defense-in-depth: input sanitization and output encoding (#1435)

* Initial plan

* Fix three Stored XSS vulnerabilities by adding htmlsc() encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional unit_name XSS vulnerabilities in quotes and products modules

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in email template JavaScript context

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix filter_input() bug: Add input sanitization with logging and password bypass

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve filter_input: Add recursive array sanitization, remove double-encoding

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix sanitize_array: Add bypass support and consistent sanitization order

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add invoice_password and quote_password to sanitization bypass list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Optimize XSS logging: move ip_address and user_agent to request level

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix critical bugs from PR #1366 review: mb_rtrim, ClientTitleEnum, workflow triggers, email preview XSS (#1438)

* Initial plan

* Fix review comments: restore PR triggers, fix mb_rtrim usage, fix ClientTitleEnum, add translation, fix email preview

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add HTML sanitization to email template preview for defense-in-depth XSS protection

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve code review feedback: fix comment, use indexOf for compatibility, simplify ClientTitleEnum

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Enhance XSS protection: remove style tag support, validate href protocols

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Optimize sanitization: cache tagName, add style tag to explicit removal list

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix GitHub Actions workflow issues identified in PR #1366 review (#1437)

* Initial plan

* Fix GitHub Actions workflows per review feedback

- composer-update.yml: Parse JSON advisories array instead of file size check
- composer-update.yml: Check both composer.lock and composer.json for changes
- release.yml: Update action-gh-release from v1 to v2
- release.yml: Fix vendor-cleaner config to use extra.dev-files structure
- README.md: Update yarn-update.yml Update Types to match workflow options
- Create generate-package-update-report.cjs script for yarn updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback

- composer-update.yml: Use double-dash separator before file paths in git diff
- generate-package-update-report.cjs: Handle quoted/unquoted yarn.lock entries separately

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix git diff logic and improve regex patterns

- composer-update.yml: Restore correct git diff logic to detect changes in either file
- generate-package-update-report.cjs: Use more restrictive regex patterns

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add complete version 1.7.0 release documentation with all issue numbers and field sanitization details (#1436)

* Initial plan

* Add comprehensive version 1.7.0 documentation to README and CHANGELOG

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix formatting and update version 1.7.0 details

* Add complete release notes with issue numbers and field sanitization details, remove emoticons

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Track all resolved versions per package in yarn.lock update report (#1440)

* Initial plan

* Refactor package update report script to track all versions per package using Map<string, Set<string>>

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Remove unnecessary Set creation in version comparison logic

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix bidirectional version change detection to catch all version updates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update test-frontend.yml to remove pull_request trigger

Remove pull_request trigger from frontend test workflow.

* Update PHP testing workflow triggers

Remove pull_request trigger from PHP testing workflow

* Potential fix for code scanning alert no. 17: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor input sanitization to follow DRY principles and fix log injection vulnerabilities (#1441)

* Initial plan

* Apply code review feedback: improve regex handling and log sanitization

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Refactor: Extract sanitize_for_logging helper to follow DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security and DRY development guidelines for InvoicePlane (#1442)

* Initial plan

* Add comprehensive guidelines and Copilot instructions for security and DRY principles

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive security and DRY analysis for PR #1441

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Address code review feedback: improve documentation clarity and examples

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Document XSS mitigation in Family Name field - no code changes required (#1443)

* Initial plan

* Add comprehensive security audit documentation for XSS vulnerability

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add executive security summary for XSS vulnerability verification

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerability in payment form invoice_number display (#1445)

* Initial plan

* Fix XSS vulnerability in payment form invoice_number field

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add comprehensive XSS vulnerability documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Comment out invoice and quote password fields

Comment out password fields from bypass list.

* Update application/helpers/template_helper.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Address PR #1439 feedback: sanitization and validation improvements (#1446)

* Initial plan

* Address PR #1439 feedback: sanitization and validation improvements

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve security: use DOMParser for HTML sanitization and load file_security_helper

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS in credit invoice parent number display + comprehensive security audit (#1454)

* Initial plan

* Fix XSS vulnerability in parent invoice number display

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Add security documentation for Invoice Group XSS fix

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete SECURITY_AUDIT_XSS_INVOICE_GROUP.md

* Delete SECURITY_SUMMARY.md

* Add comprehensive XSS vulnerability audit documentation

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete COMPREHENSIVE_XSS_AUDIT.md

* Delete SECURITY_AUDIT_XSS_UNIT_INVOICE.md

* Delete SECURITY_AUDIT_XSS_FAMILY_NAME.md

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix stored XSS vulnerabilities in multiple views (19 total) (#1455)

* Initial plan

* Fix XSS vulnerability by adding HTML escaping to format_client() output

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix additional XSS vulnerabilities in client view and invoice templates

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix XSS vulnerabilities in VAT ID and tax code fields

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix PHP 8.3 undefined array key warning in mPDF footer handling (#1453)

* Initial plan

* Initial analysis - identify mpdf footer undefined array key issue

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Fix: Define html_footer to prevent PHP 8.3 undefined array key error

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Delete package-lock.json

* Delete yarn.lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Updated Composer and Yarn Packages

* to older version for 1.6.5 purposes

* to older version for 1.6.5 purposes

* [WIP] Fix path traversal vulnerability in get_file method (#1459)

* Initial plan

* Fix incomplete validate_template_name function in template_helper.php

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Improve log injection prevention in validate_template_name

Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: nielsdrost7 <47660417+nielsdrost7@users.noreply.github.com>

* Potential fix for code scanning alert no. 18: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ordissimo <thierry@ordissimo.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nielsdrost7 nielsdrost7 Awaiting requested review from nielsdrost7

Assignees

@nielsdrost7 nielsdrost7

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nielsdrost7