InvoicePlane

---

What's New in Version 1.7.0

InvoicePlane 1.7.0 brings PHP 8.2+ compatibility and critical security enhancements to keep your financial data safe.

Major Improvements

• PHP 8.2+ Compatibility: Full support for modern PHP versions (8.1, 8.2, 8.3+)
• Enhanced Security: Multiple security vulnerabilities have been addressed:
  • Fixed Cross-Site Scripting (XSS) vulnerabilities across templates and user inputs
  • Resolved Local File Inclusion (LFI) vulnerabilities in PDF generation
  • Patched log poisoning vulnerability in file upload handling
• SVG Logo Protection: SVG uploads are now blocked to prevent embedded script execution (see details below)
• Updated Dependencies: All PHP packages updated for compatibility and security

Issues Fixed in Version 1.7.0

Security Fixes:

• #1433 - Local File Inclusion (LFI) vulnerabilities in PDF template handling (Post-v1.7.0 tag)
• #1388, #1387 - Unsafe jQuery plugin vulnerabilities (Code scanning alerts)
• #1383 - File access vulnerabilities across all controllers
• Security fixes for XSS vulnerabilities (multiple fields sanitized - see CHANGELOG.md)
• Security fix for log poisoning in file upload handling

Bug Fixes and Improvements:

• #1389 - Workflow permissions in GitHub Actions
• #1381 - E-invoicing field migration and version checking
• #1380 - Dependency update (qs package bump)
• #1377 - QR code image width reduced to 100px
• #1375 - Email address verification now supports comma and semicolon separators
• #1373 - Removed deprecated library dependencies
• #1367, #1368 - Various bug fixes

Fields Sanitized for Security

The following fields have been sanitized to prevent XSS attacks:

• Quote and invoice number fields (all templates)
• Tax rate names
• Payment method names
• Custom field labels
• Client addresses
• Sumex observations
• Quote notes and passwords
• Email template content
• File names in upload logging (prevents log poisoning)

Upgrading from Version 1.6.x

If you're upgrading from InvoicePlane 1.6.x:

1. Backup your data - Create a full backup of your database and files
2. Check PHP version - Ensure your server runs PHP 8.1 or higher
3. Update files - Replace all application files with the new version
4. Run migrations - Visit /index.php/setup to apply database updates
5. Review logo settings - If using an SVG logo, convert it to PNG/JPG (see SVG notice below)

For detailed upgrade instructions, visit the InvoicePlane Wiki.

Full Release Notes: See CHANGELOG.md for a complete list of changes, security fixes, and improvements.

---

Key Features

• Invoice & Quote Management: Create, send, and manage professional invoices and quotes effortlessly.
• Client Management: Maintain detailed client records, including contact information and transaction history.
• Payment Tracking: Monitor payments, set up reminders, and integrate with multiple payment gateways.
• Customization: Tailor templates, themes, and settings to match your brand preferences.
• Reporting: Generate insightful reports to track your financial performance.

---

Getting Started

To get started with InvoicePlane, you have several options depending on your needs:

Quick Start with Docker (Recommended for Development)

The easiest way to get InvoicePlane running locally is with Docker:

# Clone the repository
git clone https://github.com/InvoicePlane/InvoicePlane.git
cd InvoicePlane

# Install dependencies
composer install
yarn install
yarn build

# Configure the application
cp ipconfig.php.example ipconfig.php
# Edit ipconfig.php to set your database connection (use settings from docker-compose.yml)

# Start Docker containers (PHP 8.2, MariaDB, nginx, phpMyAdmin)
docker-compose up -d

# Access the application
# InvoicePlane: http://localhost
# phpMyAdmin: http://localhost:8081

Production Installation

For production deployments:

1. Download the Latest Version:

   • Visit the InvoicePlane website to download the latest release.

2. Extract and Upload:

   • Extract the downloaded package and upload the files to your web server or hosting environment.

3. Configuration:

   • Duplicate ipconfig.php.example and rename it to ipconfig.php.
   • Open ipconfig.php in a text editor and set your base URL and database credentials.

4. Run the Installer:

   • Navigate to http://your-domain.com/index.php/setup in your browser and follow the on-screen instructions to complete the installation.

For a detailed installation guide, including prerequisites and troubleshooting tips, refer to INSTALLATION.md.

---

Removing index.php from URLs (Optional)

To remove index.php from your URLs:

1. Enable mod_rewrite:

   • Ensure the mod_rewrite module is enabled on your web server.

2. Update Configuration:

   • Set REMOVE_INDEXPHP to true in your ipconfig.php file.

3. Rename .htaccess:

   • Rename the htaccess file in the root directory to .htaccess.

Note: If you experience issues after making these changes, revert to the default settings by undoing the steps above.

---

Container Deployment

[!WARNING] The container always uses the new calculation.

A pre-built container image is available. Configuration is provided entirely through environment variables — no ipconfig.php file is needed. The entrypoint generates the configuration and runs any pending database migrations automatically on startup.

Required environment variables

Variable	Description
IP_URL	Public base URL without trailing slash, e.g. https://invoices.example.com
DB_HOSTNAME	Database host
DB_USERNAME	Database user
DB_PASSWORD	Database password
DB_DATABASE	Database name
ENCRYPTION_KEY	Secret key for encrypted data — generate with openssl rand -base64 32

Optional environment variables

Variable	Default	Description
DB_PORT	3306	Database port
CI_ENV	production	Set to development to show all PHP errors
ENABLE_DEBUG	false	Enable advanced debug logging
CUSTOM_TEMPLATES_FOLDER	/var/www/html/templates/	Absolute path to a directory of custom invoice/quote templates. Mount a volume at the chosen path and set this variable to point at it. The directory should mirror the built-in structure: invoice_templates/pdf/, invoice_templates/public/, quote_templates/pdf/, quote_templates/public/. Templates here are listed alongside the built-in ones and take precedence when they share a name.
SESS_EXPIRATION	864000	Session lifetime in seconds (0 = expire on browser close)
SESS_MATCH_IP	true	Tie sessions to the client IP address
SESS_REGENERATE_DESTROY	false	Destroy the old session on regeneration
X_FRAME_OPTIONS	SAMEORIGIN	Value for the X-Frame-Options response header
ENABLE_X_CONTENT_TYPE_OPTIONS	true	Send the X-Content-Type-Options: nosniff header
LEGACY_CALCULATION	false	Use the classic tax/discount calculation mode. Set to false for simple per-item tax calculation (required for valid e-invoice XML output)
ENABLE_INVOICE_DELETION	false	Allow invoices to be deleted
DISABLE_READ_ONLY	false	Disable the read-only mode for sent invoices
PASSWORD_RESET_IP_MAX_ATTEMPTS	5	Max password reset attempts per IP within the time window
PASSWORD_RESET_IP_WINDOW_MINUTES	60	Time window in minutes for IP-based reset rate limiting
PASSWORD_RESET_EMAIL_MAX_ATTEMPTS	3	Max password reset attempts per email within the time window
PASSWORD_RESET_EMAIL_WINDOW_HOURS	1	Time window in hours for email-based reset rate limiting
SUMEX_SETTINGS	false	Enable Swiss medical invoice (Sumex) customizations
SUMEX_URL	—	URL to post Sumex XML to in order to receive a generated PDF
ENCRYPTION_CIPHER	AES-256	Cipher used for encrypted data

Default admin user

On first startup, if no users exist in the database, the entrypoint automatically creates an admin account. The credentials can be set via environment variables; any omitted value falls back to a safe default.

Variable	Default	Description
DEFAULT_LANGUAGE	english	Default language for the application (e.g. english, german, french). Only applied on fresh installs; changing it after the first run has no effect.
DEFAULT_ADMIN_EMAIL	admin@localhost	Email address for the default admin account
DEFAULT_ADMIN_PASSWORD	(random)	Password for the default admin account. If unset, a random 24-character password is generated and printed to the container log on first startup.
DEFAULT_ADMIN_NAME	admin	Display name for the default admin account

Note: User creation is skipped on every subsequent startup once at least one user exists, so changing these variables after the initial run has no effect.

Persistent volumes

Mount volumes for any data that must survive container restarts:

Path	Contents
/var/www/html/uploads	Client files, logos, and imported documents
/var/www/html/storage	Framework cache and log files

---

Community and Support

Join our vibrant community for support, discussions, and contributions:

• Community Forums: InvoicePlane Forums - Ask questions, share knowledge, and get help from the community.
• Discord: Join our Discord - Chat with users, developers, and contributors in real time.
• Issue Tracker: GitHub Issues - Report bugs and request features.
• Wiki & Documentation: InvoicePlane Wiki - Find guides, FAQs, and detailed setup instructions.

InvoicePlane is developed and maintained by a dedicated team of volunteers. Support is provided by the community on a best-effort basis.

---

Contributing

We welcome contributions from the community! To get involved:

• Report Issues: Use the Issue Tracker to report bugs or request features.

• Submit Pull Requests: Fork the repository, make your changes, and submit a pull request for review.

• Translate InvoicePlane: Help translate the application into your language. Also see Translations.md

For detailed contribution guidelines, please see CONTRIBUTING.md.

Developer Resources

• Development Guidelines - Comprehensive guide for developers
• Copilot Instructions - GitHub Copilot context and patterns
• Docker Setup - Docker configuration and usage guide

---

Security Vulnerabilities

If you discover a security vulnerability, please email mail@invoiceplane.com before disclosing it publicly. We will address all security concerns promptly.

Important Security Notice: SVG Logo Files

As of this version, SVG (Scalable Vector Graphics) files are no longer supported for logo uploads due to security concerns.

Why were SVG files disabled?

SVG files can contain embedded JavaScript code that could be exploited to perform Cross-Site Scripting (XSS) attacks. Since InvoicePlane handles sensitive financial data, we have taken a proactive security measure by blocking SVG uploads entirely.

What file formats are supported?

You can upload logos in the following safe image formats:

• PNG (recommended for logos with transparency)
• JPG/JPEG (recommended for photographs)
• GIF (recommended for simple graphics)

What happens to my existing SVG logo?

If you previously uploaded an SVG logo:

• It will not display in the application (blocked for security)
• A warning message will appear in the settings page
• You can easily remove it and upload a replacement in a supported format

How do I convert my SVG logo?

You can convert your SVG logo to PNG using free tools:

1. Online converters:

   • CloudConvert
   • Convertio

2. Desktop software:

   • Inkscape (free, open-source)
   • Adobe Illustrator
   • GIMP

3. Conversion steps in Inkscape:

   • Open your SVG file in Inkscape
   • Go to File → Export PNG Image
   • Set your desired resolution (300 DPI recommended)
   • Click Export

Need help?

If you have questions about logo formats or need assistance, please visit our Community Forums.

---

License & Copyright

InvoicePlane is licensed under the MIT License.

The InvoicePlane name and logo are copyrighted by Kovah.de and InvoicePlane.com. Usage is restricted. For more information, visit license & copyright.