Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: sanitize potentially dangerous values in order template... #1551

Merged
merged 1 commit into from
Dec 12, 2023
Merged

fix: sanitize potentially dangerous values in order template... #1551

merged 1 commit into from
Dec 12, 2023

Conversation

SGrueber
Copy link
Collaborator

@SGrueber SGrueber commented Dec 11, 2023
edited by azure-boards bot
Loading

…and wishlist titles

PR Type

[x] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no API changes)
[ ] Build-related changes
[ ] CI-related changes
[ ] Documentation content changes
[ ] Application / infrastructure changes
[ ] Other:

What Is the Current Behavior?

It is not possible to add a malicious script (XXS) to the order template/wishlist title.
But if there is a XSS in the order template or wishlist title it is executed after the user adds a product to this order template/wishlist.

Issue Number: Closes #

What Is the New Behavior?

After fetching the order templates/wishlists from the server any malicious script will be removed from the title field. This scrips is not executed any more.

Does this PR Introduce a Breaking Change?

[ ] Yes
[x] No

Other Information

AB#92013

@SGrueber SGrueber requested a review from shauke December 11, 2023 17:11
@SGrueber SGrueber self-assigned this Dec 11, 2023
@SGrueber SGrueber added the bug Something isn't working label Dec 11, 2023
@SGrueber SGrueber added this to the 5.0 milestone Dec 11, 2023
@shauke shauke merged commit 4602463 into develop Dec 12, 2023
21 checks passed
@shauke shauke deleted the bugfix/order_template_title branch December 12, 2023 20:56
@shauke shauke mentioned this pull request May 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shauke shauke shauke approved these changes

Assignees

@SGrueber SGrueber

Labels
bug Something isn't working
Projects
None yet
Milestone
5.0
Development

Successfully merging this pull request may close these issues.
2 participants
@SGrueber @shauke