Closed o-psi closed 7 months ago
Test these changes at: https://v015866.pr-review.itflow.org
(automatic message)
The SonarCloud Quality Gate passed, but some issues were introduced.
2 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code
@o-psi Today I'm going to go through the mail code and make sure all the mail vars are escaped before they are passed to the mail function. Therefore the mail function should not escape passed vars, as this can lead to double escaping, which can lead to further security issues and data corruption. I'll update this thread when completed and tested.
@o-psi, I've completed reviewing the entire mail code. It's important to ensure that POST variables are properly sanitized. Notably, the Body and Subject are no longer sanitized before being sent to the mail function, as the POST variables that are included in the Body and Subject are already sanitized.
However, there are still some scenarios where you may need to manually escape certain characters in the body or subject, especially if you encounter a single quotation mark ('), which should be escaped as \'.
This should resolve any issues related to mixed variables that are unsanitized and sanitized, making it much easier to diagnose and read the mail queue.
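An added illustration of the double-escaping problem discussed above (example code, not ITFlow's own; `sanitize_input`, `queue_mail` and `queue_mail_double_escaping` are hypothetical names, and `addslashes()` stands in for the real input-sanitizing step):

```php
<?php
// Shows why a mail function must not escape values its caller already
// escaped: the second pass turns an escaped quote into a corrupted one.

// Hypothetical sanitizer applied exactly once, at the request boundary.
function sanitize_input(string $value): string
{
    return addslashes(trim($value));
}

// Mail-queue writer that escapes AGAIN (the behaviour the thread removes).
function queue_mail_double_escaping(string $subject, string $body): array
{
    return ['subject' => addslashes($subject), 'body' => addslashes($body)];
}

// Mail-queue writer that trusts its caller to have escaped once already.
function queue_mail(string $subject, string $body): array
{
    return ['subject' => $subject, 'body' => $body];
}

// Constructed POST value containing the single quote mentioned above.
$client_name = sanitize_input("O'Brien & Sons");

$body = "Dear " . $client_name . ", your invoice is ready.";

$bad  = queue_mail_double_escaping('Invoice ready', $body);
$good = queue_mail('Invoice ready', $body);

// Emulates what is left once the storage layer consumes one escape level.
$as_stored = fn(string $s): string => stripslashes($s);

// Double-escaped body keeps a stray backslash in front of the quote;
// the single-escaped body comes back as the original text.
echo $as_stored($bad['body']) . PHP_EOL;
echo $as_stored($good['body']) . PHP_EOL;
```

The same pattern applies to any escaping function (SQL, HTML, JSON): escape once at the boundary where the value is used, and keep helper functions such as the mail queue writer escape-free so the stored body matches what the user typed.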
We implemented some of these changes manually and did some things a little differently to make use of the configurable Stripe fees and Stripe account expense if "client pays" is off. This can be closed.
Small changes for the unbilled tickets report, and clean-up for passing Stripe fees.