mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-04-15 17:24:10 +00:00
1fb5886d065f749aeda015d4985c86b46c13e6d6
Closes the residual surface from the three published SSRF advisories (GHSA-pc5v-8xwc-v9xq, GHSA-38hf-fq8x-q49r, GHSA-q9wx-ggwq-mcgh / CVE-2026-34365 to 34367) that the original 2.2.0 fix only covered for the Notes field. The same blade templates render company/billing/shipping address fields with {!! !!} via Invoice/Estimate/Payment::getCompanyAddress(), getCustomerBillingAddress(), getCustomerShippingAddress() — and those flow through GeneratesPdfTrait::getFormattedString() which did not call PdfHtmlSanitizer.
Customer-controlled fields (name, street, phone, custom-field values) are substituted into address templates via getFieldsArray() without HTML-escaping, so a malicious customer name like "Acme <img src='http://attacker/probe'>" reaches Dompdf as raw HTML through the address path. Today this is blocked only by the secondary defense of dompdf's enable_remote=false; if a self-hoster sets DOMPDF_ENABLE_REMOTE=true for legitimate remote logos, the address surface immediately re-opens.
Move PdfHtmlSanitizer::sanitize() into the chokepoint at GeneratesPdfTrait::getFormattedString() so all four sinks — notes plus the three address fields, on all three models — get the same treatment via a single call site. v3.0's models (Invoice, Estimate, Payment) already had the simpler getNotes() shape (no per-method PdfHtmlSanitizer wrapper), so the trait edit alone is sufficient — no model edits required on this branch. Verified getFormattedString() is only called from PDF code paths (no email body callers, which use strtr() directly).
This is the v3.0 counterpart to master's f387e751. Re-implemented directly on v3.0 instead of cherry-picked because the import-block divergence from the larger v3.0 refactor produced four merge conflicts that were noisier than just porting the chokepoint change manually.
Extends tests/Unit/PdfHtmlSanitizerTest.php with three new cases covering the address-template scenario, iframe/link tag stripping, and on* event handler removal. All 8 tests pass via vendor/bin/pest tests/Unit/PdfHtmlSanitizerTest.php.
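The chokepoint pattern the commit message describes, as an added example that is not InvoiceShelf's own code: an allowlist sanitizer built on DOMDocument (a hypothetical stand-in for the project's PdfHtmlSanitizer) and a getFormattedString()-style helper that performs the strtr() substitution and then sanitizes the result exactly once, so the Notes path and the three address paths cannot drift apart again. The class name, function name, placeholder keys and the malicious customer values below are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not InvoiceShelf code. PdfHtmlAllowlistSanitizer and
// formatAddressForPdf() are hypothetical stand-ins for PdfHtmlSanitizer and
// GeneratesPdfTrait::getFormattedString(); all sample values are constructed.

final class PdfHtmlAllowlistSanitizer
{
    /** Formatting tags Dompdf may render; any other element is unwrapped. */
    private const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'b', 'i', 'u', 'ul', 'ol', 'li', 'span'];

    /** Elements removed together with their content (fetch/execution sinks). */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'img', 'link', 'meta', 'svg', 'form'];

    public static function sanitize(string $html): string
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);
        // The XML PI pins UTF-8; the wrapper <div> gives one root so the fragment
        // can be walked and serialised back out without libxml reshuffling siblings.
        $doc->loadHTML(
            '<?xml encoding="UTF-8"><div>' . $html . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $root = $doc->getElementsByTagName('div')->item(0);
        if ($root === null) {
            return '';
        }
        self::clean($root);

        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    private static function clean(DOMNode $parent): void
    {
        // Snapshot the list: nodes are removed and hoisted while walking it.
        foreach (iterator_to_array($parent->childNodes) as $child) {
            if ($child instanceof DOMElement) {
                self::clean($child); // descendants first, so unwrapped children are already clean
                $tag = strtolower($child->tagName);
                if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                    $parent->removeChild($child);
                } elseif (!in_array($tag, self::ALLOWED_TAGS, true)) {
                    // Unknown tag (a, div, table, ...): keep its text, lose the element.
                    while ($child->firstChild !== null) {
                        $parent->insertBefore($child->firstChild, $child);
                    }
                    $parent->removeChild($child);
                } else {
                    // Allowed tag: strip every attribute. That covers on* handlers,
                    // href/src, and style="background:url(...)" which Dompdf would fetch.
                    while ($child->attributes->length > 0) {
                        $child->removeAttributeNode($child->attributes->item(0));
                    }
                }
            } elseif (!($child instanceof DOMText)) {
                // Comments and processing instructions: nothing an invoice PDF needs.
                $parent->removeChild($child);
            }
        }
    }
}

/**
 * Hypothetical chokepoint: substitute the customer's fields into the address
 * template, then sanitise the result once. $fields comes from the customer
 * record and is attacker-controlled; the template is admin-controlled but is
 * covered by the same call, so it gains nothing from being trusted.
 */
function formatAddressForPdf(string $template, array $fields): string
{
    $replacements = [];
    foreach ($fields as $key => $value) {
        $replacements['{' . $key . '}'] = (string) $value;
    }
    // strtr() with an array never re-scans substituted text, so a customer value
    // that itself contains "{BILLING_ADDRESS_CITY}" is not expanded a second time.
    return PdfHtmlAllowlistSanitizer::sanitize(strtr($template, $replacements));
}

// Constructed sample: a billing-address template plus a customer whose name,
// street and city carry remote-fetch and CSS-fetch payloads.
$template = '<p>{CONTACT_NAME}<br>{BILLING_ADDRESS_STREET_1}<br><b>{BILLING_ADDRESS_CITY}</b></p>';
$customer = [
    'CONTACT_NAME'             => "Acme <img src='http://attacker/probe'>",
    'BILLING_ADDRESS_STREET_1' => '1 Main St <iframe src="http://attacker/"></iframe>',
    'BILLING_ADDRESS_CITY'     => '<span style="background:url(http://attacker/css)">Springfield</span>',
];

echo formatAddressForPdf($template, $customer), PHP_EOL;
```

Run it with `php example.php`: the img and iframe are dropped entirely, the span survives with its style attribute removed, and the admin's `<p>`, `<br>` and `<b>` formatting is kept. Because the sanitizer is an allowlist over a parsed DOM rather than a regex blacklist, it does not depend on dompdf's enable_remote=false as a second line of defence, which is exactly the setting the commit message warns self-hosters may flip on for remote logos.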
Introduction
InvoiceShelf is an open-source web app that helps you track expenses, record payments, and create professional invoices and estimates. It is self-hosted, multi-tenant, and built for individuals and small businesses that want to keep their books on their own infrastructure.
The web application is built with Laravel and Vue 3.
To get started using Docker Compose, follow the Installation guide.
Documentation
System Requirements
- PHP 8.4+ is required (since v2.2.0, when InvoiceShelf moved to Laravel 13).
- Database: MySQL, MariaDB, PostgreSQL, or SQLite.
- Before updating from inside the app, verify your server meets the target version's PHP and extension requirements.
- The in-app updater verifies requirements and refuses to proceed if they are not met.
Download
Discord
Join the discussion on the InvoiceShelf Discord: Invite Link
Roadmap
Rough roadmap of things to come, not in any specific order:
- Automatic Update
- Email Configuration
- Installation Wizard
- Address Customisation & Default Notes
- Edit Email before Sending Invoice
- Available as a Docker image
- Performance Improvements
- Customer View Page
- Custom Fields on Invoices & Estimates
- Multiple Companies
- Recurring Invoices
- Customer Portal
- Decoupled system settings from company settings (v3.0)
- Proper multi-tenancy system (v3.0)
- Company member invitations with custom roles (v3.0)
- Dark mode (v3.0)
- Full TypeScript refactor of the frontend (v3.0)
- Improved backend architecture (v3.0)
- Security hardening (v3.0)
- Reworked installation wizard (v3.0)
- Module Directory (v3.0)
- Rewritten Payments module (v3.0)
- Accept Payments (Stripe integration)
- Improved template system for invoices and estimates
Translate
Help us translate InvoiceShelf into your language: https://crowdin.com/project/invoiceshelf
License
InvoiceShelf is released under the GNU Affero General Public License v3.0. See LICENSE for the full text.