Merge pull request #571 from bigcapitalhq/remove-controller-escape

fix: Remove the request body escape.
2026-02-18 22:00:31 +00:00 · 2024-08-08 16:12:31 +02:00
parent d43d46ebec 8da89ebe8b
commit fb58ab8cc1
30 changed files with 101 additions and 200 deletions
--- a/packages/server/src/api/controllers/Accounts.ts
+++ b/packages/server/src/api/controllers/Accounts.ts
@@ -103,24 +103,20 @@ export default class AccountsController extends BaseController {
      check('name')
        .exists()
        .isLength({ min: 3, max: DATATYPES_LENGTH.STRING })
-        .trim()
+        .trim(),
        .escape(),
      check('code')
        .optional({ nullable: true })
        .isLength({ min: 3, max: 6 })
-        .trim()
+        .trim(),
        .escape(),
      check('currency_code').optional(),
      check('account_type')
        .exists()
        .isLength({ min: 3, max: DATATYPES_LENGTH.STRING })
-        .trim()
+        .trim(),
        .escape(),
      check('description')
        .optional({ nullable: true })
        .isLength({ max: DATATYPES_LENGTH.TEXT })
-        .trim()
+        .trim(),
        .escape(),
      check('parent_account_id')
        .optional({ nullable: true })
        .isInt({ min: 0, max: DATATYPES_LENGTH.INT_10 })
@@ -136,23 +132,19 @@ export default class AccountsController extends BaseController {
      check('name')
        .exists()
        .isLength({ min: 3, max: DATATYPES_LENGTH.STRING })
-        .trim()
+        .trim(),
        .escape(),
      check('code')
        .optional({ nullable: true })
        .isLength({ min: 3, max: 6 })
-        .trim()
+        .trim(),
        .escape(),
      check('account_type')
        .exists()
        .isLength({ min: 3, max: DATATYPES_LENGTH.STRING })
-        .trim()
+        .trim(),
        .escape(),
      check('description')
        .optional({ nullable: true })
        .isLength({ max: DATATYPES_LENGTH.TEXT })
-        .trim()
+        .trim(),
        .escape(),
      check('parent_account_id')
        .optional({ nullable: true })
        .isInt({ min: 0, max: DATATYPES_LENGTH.INT_10 })
--- a/packages/server/src/api/controllers/Authentication.ts
+++ b/packages/server/src/api/controllers/Authentication.ts
@@ -90,27 +90,23 @@ export default class AuthenticationController extends BaseController {
        .exists()
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('last_name')
        .exists()
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('email')
        .exists()
        .isString()
        .isEmail()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('password')
        .exists()
        .isString()
        .isLength({ min: 6 })
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
    ];
  }
@@ -150,7 +146,7 @@ export default class AuthenticationController extends BaseController {
   * @returns {ValidationChain[]}
   */
  private get sendResetPasswordSchema(): ValidationChain[] {
-    return [check('email').exists().isEmail().trim().escape()];
+    return [check('email').exists().isEmail().trim()];
  }
  /**
@@ -158,7 +154,11 @@ export default class AuthenticationController extends BaseController {
   * @param {Request} req
   * @param {Response} res
   */
-  private async login(req: Request, res: Response, next: Function): Response {
+  private async login(
    req: Request,
    res: Response,
    next: Function
  ): Promise<Response | null> {
    const userDTO: ILoginDTO = this.matchedBodyData(req);
    try {
--- a/packages/server/src/api/controllers/Cashflow/NewCashflowTransaction.ts
+++ b/packages/server/src/api/controllers/Cashflow/NewCashflowTransaction.ts
@@ -112,12 +112,11 @@ export default class NewCashflowTransactionController extends BaseController {
  public get newTransactionValidationSchema() {
    return [
      check('date').exists().isISO8601().toDate(),
-      check('reference_no').optional({ nullable: true }).trim().escape(),
+      check('reference_no').optional({ nullable: true }).trim(),
      check('description')
        .optional({ nullable: true })
        .isLength({ min: 3 })
-        .trim()
+        .trim(),
        .escape(),
      check('transaction_type').exists(),
      check('amount').exists().isFloat().toFloat(),
--- a/packages/server/src/api/controllers/Contacts/Contacts.ts
+++ b/packages/server/src/api/controllers/Contacts/Contacts.ts
@@ -56,7 +56,7 @@ export default class ContactsController extends BaseController {
   */
  get autocompleteQuerySchema() {
    return [
-      query('column_sort_by').optional().trim().escape(),
+      query('column_sort_by').optional().trim(),
      query('sort_order').optional().isIn(['desc', 'asc']),
      query('stringified_filter_roles').optional().isJSON(),
@@ -122,32 +122,27 @@ export default class ContactsController extends BaseController {
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('first_name')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('last_name')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('company_name')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('display_name')
        .exists()
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('email')
@@ -165,120 +160,101 @@ export default class ContactsController extends BaseController {
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('personal_phone')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_1')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_2')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_city')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_country')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_email')
        .optional({ nullable: true })
        .isString()
        .isEmail()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_postcode')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_phone')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('billing_address_state')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_1')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_2')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_city')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_country')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_email')
        .optional({ nullable: true })
        .isString()
        .isEmail()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_postcode')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_phone')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('shipping_address_state')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('note')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.TEXT }),
      check('active').optional().isBoolean().toBoolean(),
    ];
--- a/packages/server/src/api/controllers/Contacts/Customers.ts
+++ b/packages/server/src/api/controllers/Contacts/Customers.ts
@@ -106,11 +106,7 @@ export default class CustomersController extends ContactsController {
   */
  get customerDTOSchema() {
    return [
-      check('customer_type')
+      check('customer_type').exists().isIn(['business', 'individual']).trim(),
        .exists()
        .isIn(['business', 'individual'])
        .trim()
        .escape(),
    ];
  }
@@ -123,7 +119,6 @@ export default class CustomersController extends ContactsController {
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: 3 }),
    ];
  }
@@ -133,7 +128,7 @@ export default class CustomersController extends ContactsController {
   */
  get validateListQuerySchema() {
    return [
-      query('column_sort_by').optional().trim().escape(),
+      query('column_sort_by').optional().trim(),
      query('sort_order').optional().isIn(['desc', 'asc']),
      query('page').optional().isNumeric().toInt(),
--- a/packages/server/src/api/controllers/Contacts/Vendors.ts
+++ b/packages/server/src/api/controllers/Contacts/Vendors.ts
@@ -106,7 +106,6 @@ export default class VendorsController extends ContactsController {
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ min: 3, max: 3 }),
    ];
  }
--- a/packages/server/src/api/controllers/Currencies.ts
+++ b/packages/server/src/api/controllers/Currencies.ts
@@ -67,7 +67,7 @@ export default class CurrenciesController extends BaseController {
  }
  get currencyParamSchema(): ValidationChain[] {
-    return [param('currency_code').exists().trim().escape()];
+    return [param('currency_code').exists().trim()];
  }
  get listSchema(): ValidationChain[] {
@@ -187,11 +187,13 @@ export default class CurrenciesController extends BaseController {
      }
      if (error.errorType === 'currency_code_exists') {
        return res.boom.badRequest(null, {
-          errors: [{
+          errors: [
-            type: 'CURRENCY_CODE_EXISTS',
+            {
-            message: 'The given currency code is already exists.',
+              type: 'CURRENCY_CODE_EXISTS',
-            code: 200,
+              message: 'The given currency code is already exists.',
-           }],
+              code: 200,
            },
          ],
        });
      }
      if (error.errorType === 'CANNOT_DELETE_BASE_CURRENCY') {
--- a/packages/server/src/api/controllers/Expenses/Expenses.ts
+++ b/packages/server/src/api/controllers/Expenses/Expenses.ts
@@ -89,7 +89,6 @@ export class ExpensesController extends BaseController {
      check('reference_no')
        .optional({ nullable: true })
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('payment_date').exists().isISO8601().toDate(),
      check('payment_account_id')
@@ -123,7 +122,6 @@ export class ExpensesController extends BaseController {
      check('categories.*.description')
        .optional()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('categories.*.landed_cost').optional().isBoolean().toBoolean(),
      check('categories.*.project_id')
@@ -144,7 +142,6 @@ export class ExpensesController extends BaseController {
      check('reference_no')
        .optional({ nullable: true })
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('payment_date').exists().isISO8601().toDate(),
      check('payment_account_id')
@@ -179,7 +176,6 @@ export class ExpensesController extends BaseController {
      check('categories.*.description')
        .optional()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('categories.*.landed_cost').optional().isBoolean().toBoolean(),
      check('categories.*.project_id')
--- a/packages/server/src/api/controllers/FinancialStatements/BaseFinancialReportController.ts
+++ b/packages/server/src/api/controllers/FinancialStatements/BaseFinancialReportController.ts
@@ -1,9 +1,7 @@
 import { query } from 'express-validator';
-import BaseController from "../BaseController";
+import BaseController from '../BaseController';
 export default class BaseFinancialReportController extends BaseController {
  get sheetNumberFormatValidationSchema() {
    return [
      query('number_format.precision')
@@ -19,8 +17,7 @@ export default class BaseFinancialReportController extends BaseController {
      query('number_format.negative_format')
        .optional()
        .isIn(['parentheses', 'mines'])
-        .trim()
+        .trim(),
        .escape(),
    ];
  }
 }
--- a/packages/server/src/api/controllers/FinancialStatements/InventoryDetails/index.ts
+++ b/packages/server/src/api/controllers/FinancialStatements/InventoryDetails/index.ts
@@ -51,8 +51,7 @@ export default class InventoryDetailsController extends BaseController {
      query('number_format.negative_format')
        .optional()
        .isIn(['parentheses', 'mines'])
-        .trim()
+        .trim(),
        .escape(),
      query('from_date').optional(),
      query('to_date').optional(),
--- a/packages/server/src/api/controllers/FinancialStatements/JournalSheet.ts
+++ b/packages/server/src/api/controllers/FinancialStatements/JournalSheet.ts
@@ -36,7 +36,7 @@ export default class JournalSheetController extends BaseFinancialReportControlle
    return [
      query('from_date').optional().isISO8601(),
      query('to_date').optional().isISO8601(),
-      query('transaction_type').optional().trim().escape(),
+      query('transaction_type').optional().trim(),
      query('transaction_id').optional().isInt().toInt(),
      oneOf(
        [
--- a/packages/server/src/api/controllers/FinancialStatements/TransactionsByReference/index.ts
+++ b/packages/server/src/api/controllers/FinancialStatements/TransactionsByReference/index.ts
@@ -40,8 +40,7 @@ export default class TransactionsByReferenceController extends BaseController {
      query('number_format.negative_format')
        .optional()
        .isIn(['parentheses', 'mines'])
-        .trim()
+        .trim(),
        .escape(),
    ];
  }
--- a/packages/server/src/api/controllers/Inventory/InventoryAdjustments.ts
+++ b/packages/server/src/api/controllers/Inventory/InventoryAdjustments.ts
@@ -86,7 +86,7 @@ export default class InventoryAdjustmentsController extends BaseController {
   */
  get validateListQuerySchema() {
    return [
-      query('column_sort_by').optional().trim().escape(),
+      query('column_sort_by').optional().trim(),
      query('sort_order').optional().isIn(['desc', 'asc']),
      query('page').optional().isNumeric().toInt(),
--- a/packages/server/src/api/controllers/InviteUsers.ts
+++ b/packages/server/src/api/controllers/InviteUsers.ts
@@ -25,7 +25,7 @@ export default class InviteUsersController extends BaseController {
    router.post(
      '/send',
      [
-        body('email').exists().trim().escape(),
+        body('email').exists().trim(),
        body('role_id').exists().isNumeric().toInt(),
      ],
      this.validationResult,
@@ -57,7 +57,7 @@ export default class InviteUsersController extends BaseController {
    );
    router.get(
      '/invited/:token',
-      [param('token').exists().trim().escape()],
+      [param('token').exists().trim()],
      this.validationResult,
      asyncMiddleware(this.invited.bind(this)),
      this.handleServicesError
@@ -72,10 +72,10 @@ export default class InviteUsersController extends BaseController {
   */
  private get inviteUserDTO() {
    return [
-      check('first_name').exists().trim().escape(),
+      check('first_name').exists().trim(),
-      check('last_name').exists().trim().escape(),
+      check('last_name').exists().trim(),
-      check('password').exists().trim().escape().isLength({ min: 5 }),
+      check('password').exists().trim().isLength({ min: 5 }),
-      param('token').exists().trim().escape(),
+      param('token').exists().trim(),
    ];
  }
--- a/packages/server/src/api/controllers/ItemCategories.ts
+++ b/packages/server/src/api/controllers/ItemCategories.ts
@@ -73,13 +73,11 @@ export default class ItemsCategoriesController extends BaseController {
      check('name')
        .exists()
        .trim()
        .escape()
        .isLength({ min: 0, max: DATATYPES_LENGTH.STRING }),
      check('description')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.TEXT }),
      check('sell_account_id')
        .optional({ nullable: true })
@@ -101,9 +99,8 @@ export default class ItemsCategoriesController extends BaseController {
   */
  get categoriesListValidationSchema() {
    return [
-      query('column_sort_by').optional().trim().escape(),
+      query('column_sort_by').optional().trim(),
-      query('sort_order').optional().trim().escape().isIn(['desc', 'asc']),
+      query('sort_order').optional().trim().isIn(['desc', 'asc']),
      query('stringified_filter_roles').optional().isJSON(),
    ];
  }
@@ -207,14 +204,12 @@ export default class ItemsCategoriesController extends BaseController {
    };
    try {
-      const {
+      const { itemCategories, filterMeta } =
-        itemCategories,
+        await this.itemCategoriesService.getItemCategoriesList(
-        filterMeta,
+          tenantId,
-      } = await this.itemCategoriesService.getItemCategoriesList(
+          itemCategoriesFilter,
-        tenantId,
+          user
-        itemCategoriesFilter,
+        );
        user
      );
      return res.status(200).send({
        item_categories: itemCategories,
        filter_meta: this.transfromToResponse(filterMeta),
--- a/packages/server/src/api/controllers/Items/Items.ts
+++ b/packages/server/src/api/controllers/Items/Items.ts
@@ -96,13 +96,11 @@ export default class ItemsController extends BaseController {
        .exists()
        .isString()
        .trim()
        .escape()
        .isIn(['service', 'non-inventory', 'inventory']),
      check('code')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      // Purchase attributes.
      check('purchasable').optional().isBoolean().toBoolean(),
@@ -141,13 +139,11 @@ export default class ItemsController extends BaseController {
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.TEXT }),
      check('purchase_description')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.TEXT }),
      check('sell_tax_rate_id').optional({ nullable: true }).isInt().toInt(),
      check('purchase_tax_rate_id')
@@ -162,7 +158,6 @@ export default class ItemsController extends BaseController {
        .optional()
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.TEXT }),
      check('active').optional().isBoolean().toBoolean(),
@@ -184,7 +179,7 @@ export default class ItemsController extends BaseController {
   */
  private get validateListQuerySchema() {
    return [
-      query('column_sort_by').optional().trim().escape(),
+      query('column_sort_by').optional().trim(),
      query('sort_order').optional().isIn(['desc', 'asc']),
      query('page').optional().isNumeric().toInt(),
--- a/packages/server/src/api/controllers/ManualJournals.ts
+++ b/packages/server/src/api/controllers/ManualJournals.ts
@@ -94,25 +94,21 @@ export default class ManualJournalsController extends BaseController {
        .optional()
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('journal_type')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('reference')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.STRING }),
      check('description')
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape()
        .isLength({ max: DATATYPES_LENGTH.TEXT }),
      check('branch_id').optional({ nullable: true }).isNumeric().toInt(),
      check('publish').optional().isBoolean().toBoolean(),
@@ -163,7 +159,7 @@ export default class ManualJournalsController extends BaseController {
      query('page_size').optional().isNumeric().toInt(),
      query('custom_view_id').optional().isNumeric().toInt(),
-      query('column_sort_by').optional().trim().escape(),
+      query('column_sort_by').optional().trim(),
      query('sort_order').optional().isIn(['desc', 'asc']),
      query('stringified_filter_roles').optional().isJSON(),
--- a/packages/server/src/api/controllers/Media.ts
+++ b/packages/server/src/api/controllers/Media.ts
@@ -61,15 +61,14 @@ export default class MediaController extends BaseController {
  get uploadValidationSchema() {
    return [
-      // check('attachment'),
+      check('model_name').optional().trim(),
-      check('model_name').optional().trim().escape(),
+      check('model_id').optional().isNumeric(),
      check('model_id').optional().isNumeric().toInt(),
    ];
  }
  get linkValidationSchema() {
    return [
-      check('model_name').exists().trim().escape(),
+      check('model_name').exists().trim(),
      check('model_id').exists().isNumeric().toInt(),
    ]
  }
--- a/packages/server/src/api/controllers/Organization.ts
+++ b/packages/server/src/api/controllers/Organization.ts
@@ -62,7 +62,7 @@ export default class OrganizationController extends BaseController {
  private get commonOrganizationValidationSchema(): ValidationChain[] {
    return [
      check('name').exists().trim(),
-      check('industry').optional({ nullable: true }).isString().trim().escape(),
+      check('industry').optional({ nullable: true }).isString().trim(),
      check('location').exists().isString().isISO31661Alpha2(),
      check('base_currency').exists().isISO4217(),
      check('timezone').exists().isIn(moment.tz.names()),
@@ -87,11 +87,7 @@ export default class OrganizationController extends BaseController {
  private get updateOrganizationValidationSchema(): ValidationChain[] {
    return [
      ...this.commonOrganizationValidationSchema,
-      check('tax_number')
+      check('tax_number').optional({ nullable: true }).isString().trim(),
        .optional({ nullable: true })
        .isString()
        .trim()
        .escape(),
    ];
  }
--- a/packages/server/src/api/controllers/Purchases/Bills.ts
+++ b/packages/server/src/api/controllers/Purchases/Bills.ts
@@ -100,8 +100,8 @@ export default class BillsController extends BaseController {
   */
  private get billValidationSchema() {
    return [
-      check('bill_number').exists().trim().escape(),
+      check('bill_number').exists().trim(),
-      check('reference_no').optional().trim().escape(),
+      check('reference_no').optional().trim(),
      check('bill_date').exists().isISO8601(),
      check('due_date').optional().isISO8601(),
@@ -112,7 +112,7 @@ export default class BillsController extends BaseController {
      check('branch_id').optional({ nullable: true }).isNumeric().toInt(),
      check('project_id').optional({ nullable: true }).isNumeric().toInt(),
-      check('note').optional().trim().escape(),
+      check('note').optional().trim(),
      check('open').default(false).isBoolean().toBoolean(),
      check('is_inclusive_tax').default(false).isBoolean().toBoolean(),
@@ -126,10 +126,7 @@ export default class BillsController extends BaseController {
        .optional({ nullable: true })
        .isNumeric()
        .toFloat(),
-      check('entries.*.description')
+      check('entries.*.description').optional({ nullable: true }).trim(),
        .optional({ nullable: true })
        .trim()
        .escape(),
      check('entries.*.landed_cost')
        .optional({ nullable: true })
        .isBoolean()
@@ -141,7 +138,6 @@ export default class BillsController extends BaseController {
      check('entries.*.tax_code')
        .optional({ nullable: true })
        .trim()
        .escape()
        .isString(),
      check('entries.*.tax_rate_id')
        .optional({ nullable: true })
@@ -158,8 +154,8 @@ export default class BillsController extends BaseController {
   */
  private get billEditValidationSchema() {
    return [
-      check('bill_number').optional().trim().escape(),
+      check('bill_number').optional().trim(),
-      check('reference_no').optional().trim().escape(),
+      check('reference_no').optional().trim(),
      check('bill_date').exists().isISO8601(),
      check('due_date').optional().isISO8601(),
@@ -170,7 +166,7 @@ export default class BillsController extends BaseController {
      check('branch_id').optional({ nullable: true }).isNumeric().toInt(),
      check('project_id').optional({ nullable: true }).isNumeric().toInt(),
-      check('note').optional().trim().escape(),
+      check('note').optional().trim(),
      check('open').default(false).isBoolean().toBoolean(),
      check('entries').isArray({ min: 1 }),
@@ -184,10 +180,7 @@ export default class BillsController extends BaseController {
        .optional({ nullable: true })
        .isNumeric()
        .toFloat(),
-      check('entries.*.description')
+      check('entries.*.description').optional({ nullable: true }).trim(),
        .optional({ nullable: true })
        .trim()
        .escape(),
      check('entries.*.landed_cost')
        .optional({ nullable: true })
        .isBoolean()
@@ -222,8 +215,8 @@ export default class BillsController extends BaseController {
  private get dueBillsListingValidationSchema() {
    return [
-      query('vendor_id').optional().trim().escape(),
+      query('vendor_id').optional().trim(),
-      query('payment_made_id').optional().trim().escape(),
+      query('payment_made_id').optional().trim(),
    ];
  }
--- a/packages/server/src/api/controllers/Purchases/BillsPayments.ts
+++ b/packages/server/src/api/controllers/Purchases/BillsPayments.ts
@@ -113,10 +113,10 @@ export default class BillsPayments extends BaseController {
      check('amount').exists().isNumeric().toFloat(),
      check('payment_account_id').exists().isNumeric().toInt(),
-      check('payment_number').optional({ nullable: true }).trim().escape(),
+      check('payment_number').optional({ nullable: true }).trim(),
      check('payment_date').exists(),
-      check('statement').optional().trim().escape(),
+      check('statement').optional().trim(),
-      check('reference').optional().trim().escape(),
+      check('reference').optional().trim(),
      check('branch_id').optional({ nullable: true }).isNumeric().toInt(),
      check('entries').exists().isArray(),
--- a/packages/server/src/api/controllers/Purchases/VendorCredit.ts
+++ b/packages/server/src/api/controllers/Purchases/VendorCredit.ts
@@ -156,13 +156,10 @@ export default class VendorCreditController extends BaseController {
      check('vendor_id').exists().isNumeric().toInt(),
      check('exchange_rate').optional().isFloat({ gt: 0 }).toFloat(),
-      check('vendor_credit_number')
+      check('vendor_credit_number').optional({ nullable: true }).trim(),
-        .optional({ nullable: true })
+      check('reference_no').optional().trim(),
        .trim()
        .escape(),
      check('reference_no').optional().trim().escape(),
      check('vendor_credit_date').exists().isISO8601().toDate(),
-      check('note').optional().trim().escape(),
+      check('note').optional().trim(),
      check('open').default(false).isBoolean().toBoolean(),
      check('warehouse_id').optional({ nullable: true }).isNumeric().toInt(),
@@ -178,10 +175,7 @@ export default class VendorCreditController extends BaseController {
        .optional({ nullable: true })
        .isNumeric()
        .toFloat(),
-      check('entries.*.description')
+      check('entries.*.description').optional({ nullable: true }).trim(),
        .optional({ nullable: true })
        .trim()
        .escape(),
      check('entries.*.warehouse_id')
        .optional({ nullable: true })
        .isNumeric()
@@ -202,13 +196,10 @@ export default class VendorCreditController extends BaseController {
      check('vendor_id').exists().isNumeric().toInt(),
      check('exchange_rate').optional().isFloat({ gt: 0 }).toFloat(),
-      check('vendor_credit_number')
+      check('vendor_credit_number').optional({ nullable: true }).trim(),
-        .optional({ nullable: true })
+      check('reference_no').optional().trim(),
        .trim()
        .escape(),
      check('reference_no').optional().trim().escape(),
      check('vendor_credit_date').exists().isISO8601().toDate(),
-      check('note').optional().trim().escape(),
+      check('note').optional().trim(),
      check('warehouse_id').optional({ nullable: true }).isNumeric().toInt(),
      check('branch_id').optional({ nullable: true }).isNumeric().toInt(),
@@ -223,10 +214,7 @@ export default class VendorCreditController extends BaseController {
        .optional({ nullable: true })
        .isNumeric()
        .toFloat(),
-      check('entries.*.description')
+      check('entries.*.description').optional({ nullable: true }).trim(),
        .optional({ nullable: true })
        .trim()
        .escape(),
      check('entries.*.warehouse_id')
        .optional({ nullable: true })
        .isNumeric()
--- a/packages/server/src/api/controllers/Resources.ts
+++ b/packages/server/src/api/controllers/Resources.ts
@@ -18,9 +18,7 @@ export default class ResourceController extends BaseController {
    router.get(
      '/:resource_model/meta',
-      [
+      [param('resource_model').exists().trim()],
        param('resource_model').exists().trim().escape()
      ],
      this.asyncMiddleware(this.resourceMeta.bind(this)),
      this.handleServiceErrors
    );
@@ -48,9 +46,7 @@ export default class ResourceController extends BaseController {
        resourceModel
      );
      return res.status(200).send({
-        resource_meta: this.transfromToResponse(
+        resource_meta: this.transfromToResponse(resourceMeta),
          resourceMeta,
        ),
      });
    } catch (error) {
      next(error);
--- a/packages/server/src/api/controllers/Sales/CreditNotes.ts
+++ b/packages/server/src/api/controllers/Sales/CreditNotes.ts
@@ -210,9 +210,9 @@ export default class PaymentReceivesController extends BaseController {
      check('credit_note_date').exists().isISO8601().toDate(),
      check('reference_no').optional(),
-      check('credit_note_number').optional({ nullable: true }).trim().escape(),
+      check('credit_note_number').optional({ nullable: true }).trim(),
-      check('note').optional().trim().escape(),
+      check('note').optional().trim(),
-      check('terms_conditions').optional().trim().escape(),
+      check('terms_conditions').optional().trim(),
      check('open').default(false).isBoolean().toBoolean(),
      check('warehouse_id').optional({ nullable: true }).isNumeric().toInt(),
@@ -228,10 +228,7 @@ export default class PaymentReceivesController extends BaseController {
        .optional({ nullable: true })
        .isNumeric()
        .toFloat(),
-      check('entries.*.description')
+      check('entries.*.description').optional({ nullable: true }).trim(),
        .optional({ nullable: true })
        .trim()
        .escape(),
      check('entries.*.warehouse_id')
        .optional({ nullable: true })
        .isNumeric()
--- a/packages/server/src/api/controllers/Sales/PaymentReceives.ts
+++ b/packages/server/src/api/controllers/Sales/PaymentReceives.ts
@@ -154,8 +154,8 @@ export default class PaymentReceivesController extends BaseController {
      check('payment_date').exists(),
      check('reference_no').optional(),
      check('deposit_account_id').exists().isNumeric().toInt(),
-      check('payment_receive_no').optional({ nullable: true }).trim().escape(),
+      check('payment_receive_no').optional({ nullable: true }).trim(),
-      check('statement').optional().trim().escape(),
+      check('statement').optional().trim(),
      check('branch_id').optional({ nullable: true }).isNumeric().toInt(),
@@ -176,7 +176,6 @@ export default class PaymentReceivesController extends BaseController {
  private get validatePaymentReceiveList(): ValidationChain[] {
    return [
      query('stringified_filter_roles').optional().isJSON(),
      query('view_slug').optional({ nullable: true }).isString().trim(),
      query('column_sort_by').optional(),
--- a/packages/server/src/api/controllers/Sales/SalesEstimates.ts
+++ b/packages/server/src/api/controllers/Sales/SalesEstimates.ts
@@ -155,7 +155,7 @@ export default class SalesEstimatesController extends BaseController {
      check('estimate_date').exists().isISO8601().toDate(),
      check('expiration_date').exists().isISO8601().toDate(),
      check('reference').optional(),
-      check('estimate_number').optional().trim().escape(),
+      check('estimate_number').optional().trim(),
      check('delivered').default(false).isBoolean().toBoolean(),
      check('exchange_rate').optional().isFloat({ gt: 0 }).toFloat(),
@@ -170,8 +170,7 @@ export default class SalesEstimatesController extends BaseController {
      check('entries.*.rate').exists().isNumeric().toFloat(),
      check('entries.*.description')
        .optional({ nullable: true })
-        .trim()
+        .trim(),
        .escape(),
      check('entries.*.discount')
        .optional({ nullable: true })
        .isNumeric()
@@ -181,9 +180,9 @@ export default class SalesEstimatesController extends BaseController {
        .isNumeric()
        .toInt(),
-      check('note').optional().trim().escape(),
+      check('note').optional().trim(),
-      check('terms_conditions').optional().trim().escape(),
+      check('terms_conditions').optional().trim(),
-      check('send_to_email').optional().trim().escape(),
+      check('send_to_email').optional().trim(),
      check('attachments').isArray().optional(),
      check('attachments.*.key').exists().isString(),
--- a/packages/server/src/api/controllers/Sales/SalesInvoices.ts
+++ b/packages/server/src/api/controllers/Sales/SalesInvoices.ts
@@ -200,12 +200,12 @@ export default class SaleInvoicesController extends BaseController {
      check('customer_id').exists().isNumeric().toInt(),
      check('invoice_date').exists().isISO8601().toDate(),
      check('due_date').exists().isISO8601().toDate(),
-      check('invoice_no').optional().trim().escape(),
+      check('invoice_no').optional().trim(),
-      check('reference_no').optional().trim().escape(),
+      check('reference_no').optional().trim(),
      check('delivered').default(false).isBoolean().toBoolean(),
-      check('invoice_message').optional().trim().escape(),
+      check('invoice_message').optional().trim(),
-      check('terms_conditions').optional().trim().escape(),
+      check('terms_conditions').optional().trim(),
      check('exchange_rate').optional().isFloat({ gt: 0 }).toFloat(),
@@ -226,12 +226,10 @@ export default class SaleInvoicesController extends BaseController {
        .toFloat(),
      check('entries.*.description')
        .optional({ nullable: true })
-        .trim()
+        .trim(),
        .escape(),
      check('entries.*.tax_code')
        .optional({ nullable: true })
        .trim()
        .escape()
        .isString(),
      check('entries.*.tax_rate_id')
        .optional({ nullable: true })
--- a/packages/server/src/api/controllers/Sales/SalesReceipts.ts
+++ b/packages/server/src/api/controllers/Sales/SalesReceipts.ts
@@ -130,8 +130,8 @@ export default class SalesReceiptsController extends BaseController {
      check('deposit_account_id').exists().isNumeric().toInt(),
      check('receipt_date').exists().isISO8601(),
-      check('receipt_number').optional().trim().escape(),
+      check('receipt_number').optional().trim(),
-      check('reference_no').optional().trim().escape(),
+      check('reference_no').optional().trim(),
      check('closed').default(false).isBoolean().toBoolean(),
      check('warehouse_id').optional({ nullable: true }).isNumeric().toInt(),
@@ -150,14 +150,13 @@ export default class SalesReceiptsController extends BaseController {
        .toInt(),
      check('entries.*.description')
        .optional({ nullable: true })
-        .trim()
+        .trim(),
        .escape(),
      check('entries.*.warehouse_id')
        .optional({ nullable: true })
        .isNumeric()
        .toInt(),
-      check('receipt_message').optional().trim().escape(),
+      check('receipt_message').optional().trim(),
-      check('statement').optional().trim().escape(),
+      check('statement').optional().trim(),
      check('attachments').isArray().optional(),
      check('attachments.*.key').exists().isString(),
    ];
--- a/packages/server/src/api/controllers/Settings/Settings.ts
+++ b/packages/server/src/api/controllers/Settings/Settings.ts
@@ -52,10 +52,7 @@ export default class SettingsController extends BaseController {
   * Retrieve the application options from the storage.
   */
  private get getSettingsSchema() {
-    return [
+    return [query('key').optional().trim(), query('group').optional().trim()];
      query('key').optional().trim().escape(),
      query('group').optional().trim().escape(),
    ];
  }
  /**
--- a/packages/server/src/api/controllers/Views.ts
+++ b/packages/server/src/api/controllers/Views.ts
@@ -32,7 +32,7 @@ export default class ViewsController extends BaseController {
   * Custom views list validation schema.
   */
  get viewsListSchemaValidation() {
-    return [param('resource_model').exists().trim().escape()];
+    return [param('resource_model').exists().trim()];
  }
  /**