Version 1.7.1 to develop

[nielsdrost7]

Summary by CodeRabbit

• Security

  • SVG logo uploads now blocked for security reasons; use PNG, JPG, or GIF files instead
  • Enhanced input validation for invoices and quotes
  • Improved XSS protection across template rendering

• Dependencies

  • Updated PHP requirement to 8.2+
  • Updated Composer and npm dependencies to latest stable versions

• Documentation

  • Added comprehensive development guidelines and coding standards reference

[accesslint]

Found 3 issues across 2 rules.

Repeated issues:

• application/helpers/invoice_helper.php Image element missing alt attribute. — lines 32, 55

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This pull request introduces InvoicePlane version 1.7.0 with PHP 8.2+ compatibility, comprehensive security hardening (XSS sanitization in templates, template validation, SVG logo blocking), new automated CI/CD workflows, enhanced logging and input validation, and dependency updates across PHP and Node.js packages.

Changes

Cohort / File(s)	Summary
Documentation & Guidelines .github/copilot-instructions.md, .junie/PR-1441-security-dry-analysis.md, .junie/guidelines.md, CHANGELOG.md, README.md, application/language/english/custom_lang.php	Added comprehensive guidance for security-first development, coding standards, PSR-12 compliance, and detailed security/DRY analysis. Updated custom language documentation to clarify relationship with ip_lang.php. Added version 1.7.0 release notes and SVG security notice.
GitHub Actions Workflows .github/workflows/composer-update.yml, .github/workflows/yarn-update.yml, .github/workflows/crowdin-sync.yml, .github/workflows/release.yml, .github/workflows/setup.yml, .github/workflows/phpunit.yml, .github/workflows/phpstan.yml, .github/workflows/pint.yml	New comprehensive CI/CD workflows for automated dependency updates (Composer and Yarn), production releases with versioning, Crowdin translation synchronization, setup validation with error handling, test execution, static analysis, and code style checking.
GitHub Workflow Configuration Changes .github/workflows/test-frontend.yml, .github/workflows/test-php.yml, .github/workflows/docker*.yml, .github/workflows/docker-publish.yml	Migrated workflows from automatic push/tag triggers to manual workflow_dispatch triggers; updated PHP version matrix from 8.1 to 8.2; added explicit permissions declarations.
GitHub Automation Scripts & Config .github/scripts/generate-package-update-report.cjs, .github/workflows/README.md, .gitignore	Added Node.js script for generating human-readable Yarn package update reports; comprehensive workflow documentation; new ignore rules for workflow artifacts.
Core Security & Input Sanitization application/core/Admin_Controller.php, application/helpers/file_security_helper.php	Introduced recursive XSS sanitization with bypass lists for specific fields; enhanced logging of XSS detection attempts with contextual metadata; added sanitize_for_logging() helper to prevent log injection attacks; renamed extract_safe_basename return key for consistency.
Template & PDF Validation application/helpers/template_helper.php, application/helpers/pdf_helper.php	New validation functions validate_template_name() and validate_pdf_template() to prevent Local File Inclusion attacks; enhanced template selection with fallback to safe defaults; updated generate_invoice_pdf() signature to accept $is_guest parameter.
XSS Output Escaping in Views application/modules/invoices/views/*, application/modules/quotes/views/*, application/modules/guest/views/*, application/modules/payments/views/*, application/modules/dashboard/views/*, application/modules/products/views/*, application/modules/settings/views/*, application/modules/tasks/views/*, application/modules/email_templates/views/*, application/modules/mailer/views/*, application/modules/layout/views/*, application/views/*	Systematically applied htmlsc() and _htmlsc() escaping to all dynamic content rendering (invoice numbers, client names, tax rates, unit names, custom fields) across 30+ view files to prevent XSS injection.
SVG Security Hardening application/helpers/invoice_helper.php, application/modules/sessions/views/session_login.php, application/modules/settings/controllers/Settings.php, application/modules/settings/views/partial_settings*.php, application/language/english/ip_lang.php	Added SVG file blocking for logo uploads and display; implemented check_svg_logos() method for scanning existing SVG logos; added security validation on upload; added new language strings for SVG security warnings and error messages.
Input Validation & Sanitization application/modules/invoices/controllers/Ajax.php, application/modules/invoices/models/Mdl_invoices_recurring.php, application/modules/quotes/models/Mdl_quotes.php, application/modules/clients/Enums/ClientTitleEnum.php, application/libraries/MY_Form_validation.php	Added regex validation for invoice and quote numbers to restrict allowed characters; sanitized sumex-related fields; refactored enum constant visibility; minor formatting improvements.
Controller Updates for Template Validation application/modules/invoices/controllers/Invoices.php, application/modules/quotes/controllers/Quotes.php, application/modules/guest/controllers/Invoices.php, application/modules/guest/controllers/Quotes.php, application/modules/guest/controllers/View.php	Updated PDF generation flows to load template helper and validate template names before usage; added security checks to prevent template path traversal.
Session & Authentication application/modules/sessions/controllers/Sessions.php	Enhanced bot detection with expanded signature list using mb_strtolower() and str_contains(); refactored referer validation using str_starts_with(); improved consistency in empty/null checks.
mPDF & PDF Template Updates application/helpers/mpdf_helper.php, application/views/invoice_templates/pdf/InvoicePlane.php, application/views/quote_templates/pdf/InvoicePlane.php	Added HTML footer initialization to prevent PHP 8.3+ undefined key errors; added escaping for user details in QR code sections; removed duplicate discount column rendering in quote template.
Public Web Templates application/views/invoice_templates/public/InvoicePlane_Web.php, application/views/quote_templates/public/InvoicePlane_Web.php	Comprehensive refactor of invoice and quote public web templates with HTML escaping throughout; restructured quote template layout for improved UX with two-column headers and consistent indentation; added proper table structures for items and summary sections.
Additional View & Helper Fixes application/helpers/e-invoice_helper.php, application/helpers/mailer_helper.php, application/helpers/pager_helper.php, application/modules/clients/controllers/Clients.php, application/modules/clients/models/Mdl_clients.php, application/modules/clients/views/view.php, application/modules/email_templates/views/template-tags*.php, application/modules/guests/controllers/Get.php, application/modules/guest/controllers/gateways/Stripe.php, application/modules/reports/*, application/modules/upload/*, application/modules/setup/*, application/third_party/MX/*	Formatting improvements, escaping of dynamic fields, refactored string checks using modern PHP functions (str_starts_with() replacing strpos()), whitespace normalization, and minor output sanitization across multiple modules.
Frontend & JavaScript assets/core/js/jquery-ui.js, assets/core/js/scripts.js	Enhanced jQuery UI selector resolution for string-based option handling; improved CSS selector escaping including backslash handling; added encodeHtml() and sanitize_email_template_html() JavaScript functions with HTML parsing and safe tag whitelisting for email template preview.
Dependency Management composer.json, package.json, index.php	Updated PHP dependencies: CodeIgniter to pocketarc/codeigniter (3.3), added setasign/fpdi, updated mPDF, Composer, and security packages; updated Node.js sass to ^1.97; updated system path reference in front controller.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant View as View/Form
    participant Admin as Admin_Controller
    participant Sanitizer as sanitize_array()
    participant Logger as Log Service
    participant Database as Database

    User->>View: Submit form with user input
    View->>Admin: filter_input($_POST)
    Admin->>Admin: Check bypass list
    Admin->>Sanitizer: sanitize_array($data, $bypass_keys)
    Sanitizer->>Sanitizer: Recursive traversal of nested arrays
    Sanitizer->>Sanitizer: Apply xss_clean & strip_tags
    Sanitizer->>Sanitizer: Track modifications in $xss_detected
    Sanitizer->>Admin: Return sanitized data & detection flag
    Admin->>Admin: Update $_POST with sanitized values
    alt XSS Detected
        Admin->>Admin: Compose context payload (timestamp, user_id, URI, IP, user_agent)
        Admin->>Logger: Log error with XSS attempt details
        Logger->>Logger: Record to error log
    else No XSS
        Admin->>Database: Proceed with normal flow
    end
    Database->>View: Return result
    View->>User: Render response

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related issues

• Inconsistent Language Files in English #1249: Custom language file documentation clarification directly addresses confusion about custom_lang.php overriding ip_lang.php by adding explicit documentation explaining the extension relationship while maintaining the empty array structure.

Possibly related PRs

• Fix Local File Inclusion (LFI) vulnerabilities in InvoicePlane 1.7.0 #1433: Both PRs implement identical template validation logic (validate_template_name, validate_pdf_template) and update controllers to use these new validators for template-based PDF generation across invoices and quotes.
• Fix stored XSS vulnerabilities in multiple views (19 total) #1455: Both PRs apply overlapping XSS output-escaping fixes across the same view templates (invoice templates, view_sumex, client views, email templates) to prevent HTML/JavaScript injection.
• v164 to master #1386: Both PRs modify shared CI/CD infrastructure files (.github/workflows/*) and the same security helper files (file_security_helper.php) with related code-level changes.

Poem

🐰 A rabbit hops through code with glee,
SVGs blocked, XSS-free!
Templates validated, logs now clean,
The cleanest version we've ever seen!
With workflows humming and escaping bright,
InvoicePlane shines ever more secure and right! 🔒✨

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch tagged/v171

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}