fix: prevent HTML input in the form field "name" for order templates and wishlists #1385
PR Type
[x] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no API changes)
[ ] Build-related changes
[ ] CI-related changes
[ ] Documentation content changes
[ ] Application / infrastructure changes
[ ] Other:
What Is the Current Behavior?
If a user inserts the following code
><img src onerror=alert(document.cookie)>
as the name of an order template or a wishlist in the according dialog and saves it, the code is executed:
Steps to reproduce:
><img src onerror=alert(document.cookie)>
as the name of the wishlist / order template
Issue Number: Closes 83582
What Is the New Behavior?
The fix adds a form validation that rejects the two special characters "<" and ">" to prevent the use of HTML tags like
><img src onerror=alert(document.cookie)>
Now, an error message is shown if the user inserts "<" or ">".
The fix is applied at two places:
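For illustration, here is an added example (not code from this PR or the project) of the validation rule described above, written in the shape of an Angular ValidatorFn but without Angular imports so it runs on its own; the control type, the error key `noHtmlChars`, and the sample names are assumptions.

```typescript
// Added example, not the project's own code. A form-field validator in the
// shape of an Angular ValidatorFn (assumed), rejecting the characters "<" and ">".
interface ValidationErrors { [key: string]: unknown; }
interface ControlLike { value: unknown; }
type ValidatorFn = (control: ControlLike) => ValidationErrors | null;

// The two characters the PR description says the validation rejects.
const FORBIDDEN_CHARS = ['<', '>'];

/** Returns an error listing the forbidden characters found, or null when the value is clean. */
function noHtmlCharsValidator(): ValidatorFn {
  return (control: ControlLike): ValidationErrors | null => {
    // Non-string values (null, numbers) carry no markup and are left to other validators.
    const value = typeof control.value === 'string' ? control.value : '';
    const found = FORBIDDEN_CHARS.filter((c) => value.includes(c));
    return found.length > 0 ? { noHtmlChars: { found } } : null;
  };
}

// Constructed inputs: the payload quoted in the PR and a benign template name.
const validate = noHtmlCharsValidator();
const payloadResult = validate({ value: '><img src onerror=alert(document.cookie)>' });
const benignResult = validate({ value: 'Spring order template' });
```

This client-side check only stops the browser form from submitting the value; the same rule (and HTML-encoding on output) still has to hold wherever the name is stored and rendered.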
Does this PR Introduce a Breaking Change?
[ ] Yes
[x] No
AB#84372