Couponcode adminhtml updated pull

[seansan]

Couponcode adminhtml updated pull

• added string
• added %s
• added to translation files
  no squash merge here otherwise would have bundled in 1

[pocallaghan]

Whilst I haven't investigated, how the values pass through the system, both $_order->getCouponCode() and $_order->getDiscountDescription() should likely be escaped before passing them to translate. Off the top of my head, I don't think a frontend user can insert an arbitrary value, so it's probable that you'd require admin access to exploit, but it's always good practice to escape such data. It's possible that with access to a limited administrative account, privileges could be escalated through use of persistent XSS in these fields.

[seansan]

If it doesn’t break anything why not add the change? Please edit the change Also In some advanced cases more than 1 code can be applied. So maybe check for multiple values too for these exotic cases

…

On Wed, 14 Mar 2018 at 22:04, pocallaghan ***@***.***> wrote: Whilst I haven't investigated, how the values pass through the system, both $_order->getCouponCode() and $_order->getDiscountDescription() should likely be escaped before passing them to translate. Off the top of my head, I don't think a frontend user can insert an arbitrary value, so it's probable that you'd require admin access to exploit, but it's always good practice to escape such data. It's possible that with access to a limited administrative account, privileges could be escalated through use of persistent XSS in these fields. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#447 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAn0a8C9gwkLRCNkNGZ6o9bmkao0Hokbks5teYXQgaJpZM4R-WCv> .

[colinmollenhour]

Good observation, @pocallaghan. PR updated. Thanks!

[tbaden]

thanks for the work 👍
I did a code review: LGTM

[tbaden]

@Flyingmana