
fix: prevent HTML input in the form field "name" for order templates and wishlists #1385

Merged (5 commits, Mar 15, 2023)

Conversation

andreassteinmann (Collaborator) commented Mar 10, 2023

PR Type

[x] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no API changes)
[ ] Build-related changes
[ ] CI-related changes
[ ] Documentation content changes
[ ] Application / infrastructure changes
[ ] Other:

What Is the Current Behavior?

If a user inserts the following code
><img src onerror=alert(document.cookie)>
as the name of an order template or a wishlist in the corresponding dialog and saves it, the code is executed:
[screenshot of the alert]

Steps to reproduce:

  1. log in to the B2C or B2B storefront
  2. navigate to a PDP
  3. click on "Add to wishlist" in B2C or "Add to order template" in B2B
  4. insert the code ><img src onerror=alert(document.cookie)> as the name of the wishlist / order template
  5. click save
  6. the alert is shown

Issue Number: Closes 83582

What Is the New Behavior?

The fix adds a form validation that rejects the two special characters "<" and ">", to prevent the use of HTML tags such as
><img src onerror=alert(document.cookie)>

Now, an error message is shown if the user inserts "<" or ">".

The fix is applied at two places:

  • name of an order template (PDP and My Account)
  • name of a wishlist (PDP and My Account)

Does this PR Introduce a Breaking Change?

[ ] Yes
[x] No

AB#84372
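The input-side check the PR describes, next to the output-side HTML escaping that has to exist regardless of it, as an added TypeScript example. This is not code from the project the PR belongs to; it is written in the shape of an Angular ValidatorFn (the form framework is assumed here, the page does not state it) with a minimal stand-in for AbstractControl so it runs without @angular/forms. The names noHtmlTagsValidator, escapeHtml and demo, and the sample inputs, are constructed for the example. It goes slightly beyond the page: besides the img/onerror payload from the description it feeds the validator an attribute-context string containing no "<" or ">", to show what a character filter does and does not catch.

```typescript
// Added example, not code from the project under review.
// Minimal stand-in for Angular's AbstractControl so this runs without @angular/forms.
interface ControlLike {
  value: unknown;
}

// Angular convention: a validator returns null when valid, an error map otherwise.
type ValidationErrors = Record<string, unknown>;

// Input-side check, as the PR describes: reject "<" and ">" in the name field.
// Empty/non-string input is left to a separate "required" validator.
function noHtmlTagsValidator(control: ControlLike): ValidationErrors | null {
  const value = control.value;
  if (typeof value !== 'string' || value.length === 0) {
    return null;
  }
  const matches = value.match(/[<>]/g);
  if (!matches) {
    return null;
  }
  // Report which characters were found so the UI can name them in the error message.
  return { noHtml: { forbiddenChars: Array.from(new Set(matches)) } };
}

// Output-side defense: escape a string for an HTML text or attribute context.
// This is what makes a stored name harmless even if the input filter is bypassed.
function escapeHtml(text: string): string {
  const map: Record<string, string> = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return text.replace(/[&<>"']/g, (ch) => map[ch] ?? ch);
}

// Constructed sample inputs.
const PAYLOAD = '><img src onerror=alert(document.cookie)>'; // payload from the PR description
const BENIGN = 'Birthday wishlist 2023';
// Attribute-context string with no "<" or ">": the character filter accepts it,
// only context-appropriate encoding at render time neutralises it.
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)';

function demo(): {
  payloadRejected: boolean;
  benignAccepted: boolean;
  attributePayloadAccepted: boolean;
  escapedPayload: string;
  escapedAttributePayload: string;
} {
  return {
    payloadRejected: noHtmlTagsValidator({ value: PAYLOAD }) !== null,
    benignAccepted: noHtmlTagsValidator({ value: BENIGN }) === null,
    attributePayloadAccepted: noHtmlTagsValidator({ value: ATTRIBUTE_PAYLOAD }) === null,
    escapedPayload: escapeHtml(PAYLOAD),
    escapedAttributePayload: escapeHtml(ATTRIBUTE_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical notes. First, rejecting "<" and ">" stops the tag-based payload in the PR description, but the attribute-context string above passes the validator untouched; the character filter is a usability-friendly belt, the escaping at render time is the braces. If a stored name executes at all, the value is reaching the DOM through a path that does not escape it, and that path is worth finding as well. Second, the filter rejects legitimate names such as "Gifts <3", so the error message should tell the user which characters are not allowed, which is why the validator returns them in forbiddenChars.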

@andreassteinmann andreassteinmann marked this pull request as ready for review March 10, 2023 15:38
@github-actions commented:

Azure Demo Servers are available:

@SGrueber SGrueber requested review from schadii and removed request for shauke March 13, 2023 10:40
SGrueber previously approved these changes Mar 13, 2023
@SGrueber SGrueber removed the request for review from schadii March 13, 2023 12:41
marschmidt89 (Contributor) left a comment


Added translations.

@andreassteinmann andreassteinmann merged commit b990b3b into develop Mar 15, 2023
@andreassteinmann andreassteinmann deleted the fix/prevent-html-input-in-form-field branch March 15, 2023 08:03