From c4aa6aabfd1a2395192aada23d15a22a5784d462 Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Sun, 14 Jul 2024 09:55:25 +0100
Subject: [PATCH] Update settings.php

Prevent Special Characters in custom tax rate
---
 system/controllers/settings.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/system/controllers/settings.php b/system/controllers/settings.php
index 4096a8d7..e0d88bdb 100644
--- a/system/controllers/settings.php
+++ b/system/controllers/settings.php
@@ -111,9 +111,12 @@ switch ($action) {
             _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard");
         }
         $company = _post('CompanyName');
+        $custom_tax_rate = filter_var(_post('custom_tax_rate'), FILTER_SANITIZE_SPECIAL_CHARS);
+        if (preg_match('/[^0-9.]/', $custom_tax_rate)) {
+            r2(U . 'settings/app', 'e', 'Special characters are not allowed in tax rate');
+            return;
+        }
         run_hook('save_settings'); #HOOK
-
-
         if (!empty($_FILES['logo']['name'])) {
             if (function_exists('imagecreatetruecolor')) {
                 if (file_exists($UPLOAD_PATH . DIRECTORY_SEPARATOR . 'logo.png')) unlink($UPLOAD_PATH . DIRECTORY_SEPARATOR . 'logo.png');
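Review bot: The blacklist regex at L20 only rejects characters outside `[0-9.]`, so malformed values such as `1.2.3`, `.` or `12.` still pass and reach the save loop; a positive numeric check is safer, e.g. `if ($custom_tax_rate !== '' && !preg_match('/^\d+(\.\d+)?$/', $custom_tax_rate)) {` (the empty case is presumably the non-custom tax mode and is left alone here — confirm against the form). The `filter_var(..., FILTER_SANITIZE_SPECIAL_CHARS)` on L19 adds nothing before that regex, since any entity it produces would be rejected anyway, and the sanitized `$custom_tax_rate` is never used afterwards — the persisted value comes from `$_POST` again in the later loop, so this block is purely a gate. The `return;` after `r2()` on L22 is redundant if `r2()` already exits, as the other call sites suggest; if it does not, note that a bare `return` at file scope only leaves the included file. The enclosing `switch ($action)` case starts before this hunk.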
@@ -141,6 +144,9 @@ switch ($action) {
             }
             // Save all settings including tax system
             foreach ($_POST as $key => $value) {
+                $key = filter_var($key, FILTER_SANITIZE_SPECIAL_CHARS);
+                $value = filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
+
                 $d = ORM::for_table('tbl_appconfig')->where('setting', $key)->find_one();
                 if ($d) {
                     $d->value = $value;
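Review bot: Applying `FILTER_SANITIZE_SPECIAL_CHARS` to every posted `$value` on L35 stores HTML-entity-encoded data in `tbl_appconfig`, so legitimate settings containing `&`, `"`, `'`, `<` or `>` (company names, addresses, URLs) are silently altered and will be double-encoded wherever the templates already escape on output; HTML encoding belongs at the render boundary (`htmlspecialchars` with `ENT_QUOTES | ENT_SUBSTITUTE`), not at storage. Sanitizing `$key` the same way on L34 does not bound which settings can be written — the loop still persists any posted key — so if the goal is hardening, an allow-list of known setting names is the check that helps. `filter_var()` returns `false` for array input without `FILTER_REQUIRE_ARRAY`, so any multi-value form field posted here would now be saved as an empty value; guard with `if (!is_string($value)) { continue; }` or handle arrays explicitly. The loop body continues past the end of this hunk.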