v1.7.1

[nielsdrost7]

v1.7.1

InvoicePlane v1.7.1

Hash Format	Hash
MD5	987184eeea87ff2fada0abd7af1f5f2b
SHA-256	ca3bb70cd14b33b2891e0616133538dabf88a22d450631dab5bab5905857c471

Many thanks to @IamLeandrooooo, @SonNTB21DCAT164, and @lukasz-rybak for their contributions.

---

Security Improvements

This release addresses several potential XSS (Cross-Site Scripting) concerns by properly sanitizing and escaping key fields across the application. These changes improve security without affecting user workflow.

Fields now properly sanitized and escaped:

• Client address fields – safe display ensured
• Custom field labels – protected in all custom field views
• Invoice numbers – escaped in all templates and views
• Payment method names – sanitized on input, escaped on output
• Quote numbers – escaped in all templates and views
• Quote passwords – sanitized on input
• Quote notes – sanitized on input
• Sumex observations – sanitized on input
• Tax rate names – sanitized on input, escaped on output

Additional improvements:

• Email template content – HTML properly escaped
• Uploaded file names – sanitized to prevent log poisoning

Most XSS vulnerabilities have been mitigated through proper input sanitization and output escaping (htmlsc) on the affected fields.

---

Bug Fixes and Improvements

• [IP-1376]: Reduce QR code image width to 100px #1377 – QR code image width reduced to 100px
• Fix email address verification to allow both comma and semicolon separators #1375 – Email address verification now supports comma and semicolon separators

---

Important Security Notice: SVG Logo Files

SVG logo uploads have been disabled due to security risks. SVG files can contain embedded scripts that could be exploited for XSS attacks. Only safe image formats are supported:

• PNG (supports transparency)
• JPG/JPEG (photographs)
• GIF (simple graphics)

Impact on existing SVG logos:

• Existing SVG logos will be blocked in the application
• A warning message will appear in the settings page
• Users can remove them and upload replacements in supported formats

Conversion options:

1. Online converters:

   • CloudConvert
   • Convertio

2. Desktop software:

   • Inkscape (free, open-source)
   • Adobe Illustrator
   • GIMP

3. Inkscape conversion steps:

   • Open your SVG file in Inkscape
   • Go to File → Export PNG Image
   • Set your desired resolution (300 DPI recommended)
   • Click Export

---

Full Changelog: v1.7.0 → v1.7.1

---

This discussion was created from the release v1.7.1.