From a212c04ace16d36d063f0a678e903ffbe6cc889b Mon Sep 17 00:00:00 2001 From: David Bomba Date: Wed, 15 May 2024 11:55:51 +1000 Subject: [PATCH 1/3] Minor fixes for filters --- app/Export/CSV/ProductSalesExport.php | 10 ++++++++-- app/Filters/InvoiceFilters.php | 8 +++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/app/Export/CSV/ProductSalesExport.php b/app/Export/CSV/ProductSalesExport.php index 9a0fed92a0..db33e31135 100644 --- a/app/Export/CSV/ProductSalesExport.php +++ b/app/Export/CSV/ProductSalesExport.php @@ -146,9 +146,15 @@ class ProductSalesExport extends BaseExport ->each(function ($invoice) use($product_keys) { foreach ($invoice->line_items as $item) { - if($product_keys && in_array($item->product_key, $product_keys)) + if($product_keys) + { + if(in_array($item->product_key, $product_keys)) $this->csv->insertOne($this->buildRow($invoice, $item)); - + } + else { + $this->csv->insertOne($this->buildRow($invoice, $item)); + } + } }); diff --git a/app/Filters/InvoiceFilters.php b/app/Filters/InvoiceFilters.php index 906afa3acf..5f307de307 100644 --- a/app/Filters/InvoiceFilters.php +++ b/app/Filters/InvoiceFilters.php @@ -227,7 +227,13 @@ class InvoiceFilters extends QueryFilters if (is_numeric($date)) { $date = Carbon::createFromTimestamp((int)$date); } else { - $date = Carbon::parse($date); + + try{ + $date = Carbon::parse($date); + } + catch(\Exception $e){ + return $this->builder; + } } return $this->builder->where('date', '>=', $date); From f7fb20a7ec2a11bc97ac7f4320287264f4ba109f Mon Sep 17 00:00:00 2001 From: David Bomba Date: Wed, 15 May 2024 20:57:40 +1000 Subject: [PATCH 2/3] Add purpose code if available --- app/Helpers/Epc/EpcQrGenerator.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/app/Helpers/Epc/EpcQrGenerator.php b/app/Helpers/Epc/EpcQrGenerator.php index 07bfc9080c..e0899f61ff 100644 --- a/app/Helpers/Epc/EpcQrGenerator.php +++ b/app/Helpers/Epc/EpcQrGenerator.php 
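Review bot: In app/Export/CSV/ProductSalesExport.php the new inner `in_array($item->product_key, $product_keys)` still compares loosely, so numeric-looking keys such as `1e3` and `1000` count as equal and rows for a product that was not requested can land in the export. Assuming both sides are strings, the strict flag fixes that, and folding the two branches removes the brace-less nested `if`: `if (!$product_keys || in_array($item->product_key, $product_keys, true)) { $this->csv->insertOne($this->buildRow($invoice, $item)); }`. The enclosing closure and method start outside the hunk.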
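Review bot: In app/Filters/InvoiceFilters.php the new `catch(\Exception $e)` returns `$this->builder` untouched, so an unparseable date silently drops the date constraint and the caller receives every invoice the builder otherwise matches. For a filter driven by request input it is safer to reject the value or fail closed, and to catch only the parse failure, for example `catch (\Carbon\Exceptions\InvalidFormatException $e) { return $this->builder->whereRaw('1 = 0'); }`. If returning the unfiltered set is intended, a one-line comment saying so would stop the next reader from treating it as an oversight. The enclosing method starts outside the hunk, so how callers react to either choice is not visible here.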
@@ -82,13 +82,22 @@ class EpcQrGenerator $this->company->present()->name(), isset($this->company?->custom_fields?->company1) ? $this->company->settings->custom_value1 : '', $this->formatMoney($this->amount), - $this->sepa['purpose'], + $this->getPurposeCode(), substr($this->invoice->number, 0, 34), '', ' ' ]), "\n"); } + private function getPurposeCode(): string + { + if(isset($this->invoice->client->id_number) && strlen($this->invoice->client->id_number) > 2) + return $this->invoice->client->id_number; + + return $this->sepa['purpose']; + + } + private function validateFields() { if (Ninja::isSelfHost() && isset($this->company?->custom_fields?->company2)) { From 7940f9c3b7ac68a436b0200ad58c5c7440bb3980 Mon Sep 17 00:00:00 2001 From: David Bomba Date: Thu, 16 May 2024 10:20:54 +1000 Subject: [PATCH 3/3] Updates for twig --- .../Requests/Company/UpdateCompanyRequest.php | 2 +- app/Services/Template/TemplateService.php | 26 ++++++------------- app/Utils/TemplateEngine.php | 2 +- app/Utils/Traits/MakesInvoiceHtml.php | 1 + 4 files changed, 11 insertions(+), 20 deletions(-) diff --git a/app/Http/Requests/Company/UpdateCompanyRequest.php b/app/Http/Requests/Company/UpdateCompanyRequest.php index e53dade24d..4cdd76bddc 100644 --- a/app/Http/Requests/Company/UpdateCompanyRequest.php +++ b/app/Http/Requests/Company/UpdateCompanyRequest.php @@ -137,7 +137,7 @@ class UpdateCompanyRequest extends Request } if (isset($settings['email_style_custom'])) { - $settings['email_style_custom'] = str_replace(['{!!','!!}','{{','}}','@dd', '@dump', '@if', '@if(','@endif','@isset','@unless','@auth','@empty','@guest','@env','@section','@switch', '@foreach', '@while', '@include', '@each', '@once', '@push', '@use', '@forelse', '@verbatim', ' 2) diff --git a/app/Services/Template/TemplateService.php b/app/Services/Template/TemplateService.php index 429a565cab..89482765fa 100644 --- a/app/Services/Template/TemplateService.php +++ b/app/Services/Template/TemplateService.php 
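Review bot: `getPurposeCode()` in app/Helpers/Epc/EpcQrGenerator.php places the client's `id_number` into the newline-delimited EPC payload without stripping line breaks or bounding its length, unlike the invoice number on the next line, which is cut with `substr(..., 0, 34)`. A value containing `\n` shifts every following field of the QR payload, and the purpose field is meant to hold a short code (four characters in the EPC guidelines, to my knowledge), so a longer id number may produce a code that banking apps reject. I would normalise before returning, e.g. `$code = preg_replace('/[^A-Za-z0-9]/', '', (string) $this->invoice->client->id_number);`, bound it to the field's maximum length, and give the `if` braces. A short docblock on the method stating why `id_number` doubles as the purpose code would also help.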
@@ -100,6 +100,7 @@ class TemplateService $this->twig->addExtension(new IntlExtension()); $this->twig->addExtension(new \Twig\Extension\DebugExtension()); + $function = new \Twig\TwigFunction('img', function ($string, $style = '') { return ''; }); @@ -122,25 +123,14 @@ class TemplateService $this->twig->addFilter($filter); - $filter = new \Twig\TwigFilter('filter', function ($array, $arrow){ + $allowedTags = ['if', 'for', 'set', 'filter']; + $allowedFilters = ['escape', 'e', 'upper', 'lower', 'capitalize', 'filter', 'length', 'merge','format_currency','map', 'join', 'first', 'date','sum']; + $allowedFunctions = ['range', 'cycle', 'constant', 'date',]; + $allowedProperties = []; + $allowedMethods = ['img','t']; - if(is_string($arrow) && in_array($arrow, ['popen','exec','shell_exec','system','passthru','proc_open','pcntl_exec','sleep','escapeshellcmd','escapeshellarg'])) - throw new RuntimeError("Attempt to access command line"); - - if (!is_iterable($array)) { - throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \is_object($array) ? \get_class($array) : \gettype($array))); - } - - if (\is_array($array)) { - return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH); - } - - // the IteratorIterator wrapping is needed as some internal PHP classes are \Traversable but do not implement \Iterator - return new \CallbackFilterIterator(new \IteratorIterator($array), $arrow); - - }); - - $this->twig->addFilter($filter); + $policy = new \Twig\Sandbox\SecurityPolicy($allowedTags, $allowedFilters, $allowedFunctions, $allowedProperties, $allowedMethods); + $this->twig->addExtension(new \Twig\Extension\SandboxExtension($policy, true)); return $this; } diff --git a/app/Utils/TemplateEngine.php b/app/Utils/TemplateEngine.php index 94adf01c02..ba3ad307e8 100644 --- a/app/Utils/TemplateEngine.php +++ b/app/Utils/TemplateEngine.php 
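Review bot: In app/Services/Template/TemplateService.php the arguments to `new \Twig\Sandbox\SecurityPolicy(...)` do not match the variable names. As far as I know the constructor order is tags, filters, methods, properties, functions, so `$allowedFunctions` (`range`, `cycle`, `constant`, `date`) is passed as the method allow-list and `$allowedMethods` (`img`, `t`) becomes the function allow-list. The effective policy therefore differs from what the names suggest, and a later edit to either list would change the wrong thing. If `img` and `t` are the only functions meant to be callable, say so directly with `$allowedFunctions = ['img', 't'];`, `$allowedMethods = [];` and `new \Twig\Sandbox\SecurityPolicy($allowedTags, $allowedFilters, $allowedMethods, $allowedProperties, $allowedFunctions)`. If the built-ins are wanted as well, `constant` is worth leaving out, since it lets template authors read PHP constants. Because the explicit string-callable check on `filter` is removed here, a regression test that renders a template passing a string callable to `filter` or `map` and expects a sandbox error would pin the protection to the sandbox being globally enabled.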
@@ -255,7 +255,7 @@ class TemplateEngine /*If no custom design exists, send back a blank!*/ if (strlen($wrapper) > 1) { - $wrapper = $this->renderView($wrapper, $data); + // $wrapper = $this->renderView($wrapper, $data); } else { $wrapper = ''; } diff --git a/app/Utils/Traits/MakesInvoiceHtml.php b/app/Utils/Traits/MakesInvoiceHtml.php index 33868b0a3d..afbd4afe8d 100644 --- a/app/Utils/Traits/MakesInvoiceHtml.php +++ b/app/Utils/Traits/MakesInvoiceHtml.php @@ -36,6 +36,7 @@ trait MakesInvoiceHtml * @param string $string The Blade file string * @param array $data The array of template variables * @return string The return HTML string + * @deprecated // not needed! * @throws FatalThrowableError */ public function renderView($string, $data = []): string
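Review bot: In app/Utils/TemplateEngine.php, commenting out the `renderView()` call leaves `if (strlen($wrapper) > 1)` with a body that holds only a comment, which reads like an unfinished edit and hides that the custom wrapper is now used unrendered. Deleting the dead line and inverting the test says the same thing directly: `if (strlen($wrapper) <= 1) { $wrapper = ''; }`, with a short comment that the wrapper is no longer passed through Blade. Whether the raw wrapper is escaped or sanitised further down is not visible in this hunk and is worth confirming.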
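Review bot: The `@deprecated // not needed!` tag added to `renderView()` in app/Utils/Traits/MakesInvoiceHtml.php gives neither a reason nor a replacement, and the `//` is only literal text inside a docblock. A line such as `@deprecated Rendering stored template strings through Blade is no longer used; see TemplateService.` would tell remaining callers what to migrate to, assuming the Twig-based service is the intended replacement. The method body is outside the hunk, so I cannot tell whether other callers still reach it.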