
Commit 40bb0b3

fix: prevent PII disclosure in appointment reschedule flow
Whitelist customer data fields before inlining into HTML to prevent unauthorized access to sensitive information (email, phone, address, etc).

- Filter customer record to id, first_name, last_name only
- Matches existing pattern used for provider data filtering
- Fixes information disclosure vulnerability via appointment hash

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 39eff0b commit 40bb0b3
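As an added example (not code from this commit or from the project), here is the field-allowlisting pattern the commit message describes, written in plain PHP so it can be run on its own: the full customer record is reduced to an allowlist before it is `json_encode`d into the page, and a check confirms that nothing beyond the allowlisted keys reaches the HTML. `onlyFields`, `inlineJsonForHtml`, `leakedKeys`, `ALLOWED_CUSTOMER_FIELDS` and the sample record are assumptions made for the example; the `JSON_HEX_*` escaping goes one step beyond the commit, which only filters fields.

```php
<?php
declare(strict_types=1);

// Added example, not Easy!Appointments code. onlyFields(), inlineJsonForHtml(),
// leakedKeys(), ALLOWED_CUSTOMER_FIELDS and the sample record are illustrative names.

const ALLOWED_CUSTOMER_FIELDS = ['id', 'first_name', 'last_name'];

/**
 * Keep only the allowlisted keys of a record. Keys named in $allowed that the
 * record lacks are simply absent from the result; every other key is dropped.
 */
function onlyFields(array $record, array $allowed): array
{
    return array_intersect_key($record, array_fill_keys($allowed, true));
}

/**
 * Encode data for inlining inside a <script> block. The HEX flags prevent a
 * literal "</script>" or quote from appearing in the output, so a value that is
 * only json_encode()d cannot break out of the script context.
 */
function inlineJsonForHtml(array $data): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR;
    return json_encode($data, $flags);
}

/** Return the keys of an inlined customer object that are not allowlisted. */
function leakedKeys(string $inlinedJson, array $allowed): array
{
    $decoded = json_decode($inlinedJson, true, 512, JSON_THROW_ON_ERROR);
    return array_values(array_diff(array_keys($decoded), $allowed));
}

// Constructed sample customer record (fabricated values).
$customer = [
    'id'             => 42,
    'first_name'     => 'Ada',
    'last_name'      => 'Lovelace',
    'email'          => 'ada@example.com',
    'phone_number'   => '+44 20 7946 0000',
    'address'        => "12 St James's Square",
    'timezone'       => 'Europe/London',
    'custom_field_1' => 'VIP <script>alert(1)</script>',
];

// Before: the whole record is inlined, so anyone holding the appointment hash sees all of it.
$before = inlineJsonForHtml($customer);

// After: the record is reduced to the allowlist before it is encoded.
$after = inlineJsonForHtml(onlyFields($customer, ALLOWED_CUSTOMER_FIELDS));

printf("leaked before: %s\n", implode(', ', leakedKeys($before, ALLOWED_CUSTOMER_FIELDS)));
printf("leaked after:  %s\n", implode(', ', leakedKeys($after, ALLOWED_CUSTOMER_FIELDS)) ?: '(none)');

// Regression guard: the page must expose exactly the allowlisted keys and nothing else.
assert(leakedKeys($after, ALLOWED_CUSTOMER_FIELDS) === []);

echo "<script>var GlobalVariables = {customer: {$after}};</script>\n";
```

Filtering on an allowlist rather than removing known-sensitive keys means a column added to the customers table later (another custom field, a notes column) stays out of the page by default; the `leakedKeys` check is the shape of assertion a regression test for this fix would make against the rendered reschedule page.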

2 files changed

Lines changed: 2 additions & 1 deletion

File tree

CHANGELOG.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ developers to maintain and readjust their custom modifications on the main proje
77

88
### Fixed
99

10-
- Fixed insufficient client-side validation on the installation page (`assets/js/pages/installation.js`); the form now validates all fields before submitting and matches the server-side rules in `application/controllers/Installation.php`: required fields (including the language `<select>`), max length per `maxlength` attribute, no HTML tags in name/company-name fields, username pattern (`3-50` chars, `[a-zA-Z0-9_@.\-]`), minimum password length raised from 7 to 8, password confirmation, valid admin and company emails, and a valid http(s) company link URL
10+
- Fixed PII disclosure vulnerability in appointment reschedule flow (`application/controllers/Booking.php`): customer data was being inlined into the HTML response without field whitelisting, exposing email, phone, address, timezone, custom fields, and other sensitive information to any user in possession of the appointment hash. Customer record is now filtered to only expose necessary fields (id, first_name, last_name) before being embedded in the page
1111
- Fixed the page header showing a hardcoded blue border on Bootswatch themes that style `.navbar.bg-primary` with a fixed `border-color` (e.g. Cosmo/Lumen) when a custom company color is configured; the company color override now also forces `border-color: var(--bs-primary)` on `#header`, `#book-appointment-wizard #header` and `#frame-footer .backend-link`
1212
- Fixed the dynamic company color style overriding direct CSS properties on Bootstrap components (buttons, forms, navs, dropdowns, alerts, list groups) which was breaking the look of the active theme (including Bootswatch themes); the company color override is now restricted to setting Bootstrap CSS variables (`--bs-btn-bg`, `--bs-nav-link-color`, `--bs-pagination-active-bg`, etc.) so themes keep full control of the actual styles. App-specific selectors (header, booking wizard, filter records, existing customers list) are kept as-is. The previous direct Bootstrap component rules are commented out for now to allow testing before final removal
1313
- Replaced the visible "Booking Link" text next to the link icon on the providers and services backend pages with a Bootstrap tooltip shown on hover, so the icon-only link looks cleaner while still surfacing the label
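Review bot: the hunk overwrites changelog line 10 instead of adding a line, so the `10-` entry documenting the installation-page client-side validation fix (`assets/js/pages/installation.js`, matching the rules in `application/controllers/Installation.php`) disappears from the `### Fixed` section. The file summary reports 1 addition & 1 deletion for what should be a pure addition, which points at an accidental replacement rather than a deliberate removal; unless that fix was reverted, re-add the deleted line so both entries remain under `### Fixed`.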

application/controllers/Booking.php

Lines changed: 1 addition & 0 deletions
@@ -280,6 +280,7 @@ public function index(): void
280280
return;
281281
}
282282
$customer = $this->customers_model->find($appointment['id_users_customer']);
283+
$this->customers_model->only($customer, $this->allowed_customer_fields);
283284
$customer_token = md5(uniqid(mt_rand(), true));
284285

285286
// Cache the token for 10 minutes.
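Review bot: the added line `$this->customers_model->only($customer, $this->allowed_customer_fields);` discards the return value, so the fix only takes effect if `only()` filters `$customer` in place (by reference); if it returns the filtered array instead, `$customer` is still the full record when it reaches the view, and the line should read `$customer = $this->customers_model->only($customer, $this->allowed_customer_fields);`. Neither `only()` nor `$allowed_customer_fields` appears in this diff while the changelog entry promises exactly `id`, `first_name`, `last_name`, so a test that renders the reschedule page and asserts the inlined customer object carries only those keys would pin the behaviour down; the hunk also shows no guard for `find()` returning no record before `only()` is called. Unrelated to this change but in the same lines, `$customer_token = md5(uniqid(mt_rand(), true));` derives a token from non-cryptographic sources; `bin2hex(random_bytes(16))` is the drop-in replacement and is worth a follow-up.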
