Fixed inventory sorting XSS

nfourtythree · nfourtythree · commit 094d69df24b9 · 2026-01-05T17:09:25.000Z
diff --git a/src/controllers/InventoryController.php b/src/controllers/InventoryController.php
@@ -254,6 +254,25 @@ public function actionInventoryLevelsTableData(): Response
             $field = $sort[0]['sortField'];
             $direction = $sort[0]['direction'];
 
+            // Validate the sorting inputs
+            if (!in_array($direction, ['asc', 'desc']) ||
+                !in_array($field, [
+                    'item',
+                    'sku',
+                    'reservedTotal',
+                    'damagedTotal',
+                    'safetyTotal',
+                    'qualityControlTotal',
+                    'committedTotal',
+                    'availableTotal',
+                    'onHandTotal',
+                    'incomingTotal',
+                ])) {
+
+                $field = null;
+                $direction = null;
+            }
+
             if ($field && $direction) {
                 if ($field == 'sku') {
                     $field = 'purchasables.sku';
