From 9a964771dc9afdc1d7375c56c42beb0a31669a75 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Tue, 3 Jun 2025 12:57:37 +1000
Subject: [PATCH] Improvements for template service parsing and appending xml segments with protected content %< etc
---
 app/Services/Invoice/InvoiceService.php | 2 +-
 app/Services/Template/TemplateService.php | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/app/Services/Invoice/InvoiceService.php b/app/Services/Invoice/InvoiceService.php
index 8c8b7151e1..88763d9fc8 100644
--- a/app/Services/Invoice/InvoiceService.php
+++ b/app/Services/Invoice/InvoiceService.php
@@ -205,7 +205,7 @@ class InvoiceService
 return (new CreateRawPdf($invitation))->handle();
 }
- public function getInvoiceDeliveryNote(Invoice $invoice, \App\Models\ClientContact $contact = null)
+ public function getInvoiceDeliveryNote(Invoice $invoice, ?\App\Models\ClientContact $contact = null)
 {
 return (new GenerateDeliveryNote($invoice, $contact))->run();
 }
diff --git a/app/Services/Template/TemplateService.php b/app/Services/Template/TemplateService.php
index 3f30afcbd0..82fc174a55 100644
--- a/app/Services/Template/TemplateService.php
+++ b/app/Services/Template/TemplateService.php
@@ -354,7 +354,16 @@ class TemplateService
 $f = $this->document->createDocumentFragment();
 // $template = htmlspecialchars($template, ENT_XML1, 'UTF-8'); //2025-02-07 double encoding the entities = bad
- $f->appendXML(str_ireplace("
", "
", html_entity_decode($template))); + //2025-06-03 - we changed this to use CDATA INSTEAD so that we can support characters such as & when decoding. + //$f->appendXML(str_ireplace("
", "
", html_entity_decode($template))); + + $decoded_template = str_ireplace("
", "
", html_entity_decode($template)); + $f->appendXML(''); + + // Alternative solution: Proper XML escaping instead of CDATA + // $decoded_template = str_ireplace("
", "
", html_entity_decode($template)); + // $escaped_template = htmlspecialchars($decoded_template, ENT_XML1 | ENT_COMPAT, 'UTF-8'); + // $f->appendXML($escaped_template); $replacements[] = $f;
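Review bot: The new `$f->appendXML(...)` call in TemplateService depends on a CDATA wrapper (per the 2025-06-03 comment; the literal itself is rendered empty on this page), and nothing visible stops `$decoded_template` from containing the terminator `]]>`. A template with that sequence would close the section early, so the remainder is parsed as markup again or the whole fragment is rejected. Split the terminator before wrapping, e.g. `$decoded_template = str_replace(']]>', ']]]]><![CDATA[>', $decoded_template);`, and test the boolean that `appendXML()` returns so a rejected fragment is logged instead of being appended empty to `$replacements`. The enclosing method starts and ends outside the hunk, so where `$template` comes from is not visible here; if it can hold user-editable template content, the guard matters more.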