Skip to content

Prevent XSS on checkout #18487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 12, 2018
Merged

Prevent XSS on checkout #18487

merged 3 commits into from
Oct 12, 2018

Conversation

@samgranger
Copy link
Contributor

@samgranger samgranger commented Oct 9, 2018
edited
Loading

Description

The State/Province field (when selecting a country like The Netherlands) gives the user an input field (in checkout/account address). When filling <script>alert('hello world')</script>, the user will experience self xss in the next step of the checkout.

Fixed Issues (if relevant)

Bugcrowd reference cd8d0c3b57686f09cde51c4afaa2f0e70e51f9093121fb7140e3b7f26a89b7fd (which got marked as "won't fix")

Manual testing scenarios

See description/ (bugcrowd for video)

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)

@magento-cicd2
Copy link
Contributor

magento-cicd2 commented Oct 9, 2018
edited
Loading

CLA assistant check
All committers have signed the CLA.

@samgranger samgranger changed the title Remove XSS on checkout Prevent XSS on checkout Oct 9, 2018
@sidolov
Copy link
Contributor

sidolov commented Oct 9, 2018

Hi @samgranger , please, sign CLA, otherwise, we can't process your pull request

@samgranger
Copy link
Contributor Author

samgranger commented Oct 9, 2018
edited
Loading

CLA signed!

@magento-engcom-team magento-engcom-team added this to the Release: 2.3.1 milestone Oct 10, 2018
@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Oct 10, 2018

Hi @sidolov, thank you for the review.
ENGCOM-3145 has been created to process this Pull Request

@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Oct 10, 2018

@samgranger thank you for contributing. Please accept Community Contributors team invitation here to gain extended permissions for this repository.

@samgranger
Copy link
Contributor Author

samgranger commented Oct 10, 2018

I'm not sure if I already have the permissions you mentioned, I don't see any pending invitations when visiting the given link.

@magento-engcom-team magento-engcom-team merged commit f9bde40 into magento:2.3-develop Oct 12, 2018
magento-engcom-team pushed a commit that referenced this pull request Oct 12, 2018
ENGCOM-3145: Prevent XSS on checkout #18487
47877e8
@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Oct 12, 2018

Hi @samgranger. Thank you for your contribution.
We will aim to release these changes as part of 2.3.1.
Please check the release notes for final confirmation.

@dmytro-ch dmytro-ch mentioned this pull request Oct 13, 2018
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sidolov sidolov sidolov approved these changes

Assignees

@sidolov sidolov

Labels

Area: Frontend Component: Checkout Partner: We Provide partners-contribution Pull Request is created by Magento Partner Progress: accept Release Line: 2.3

Projects

None yet

Milestone

Release: 2.3.1

Development

Successfully merging this pull request may close these issues.

5 participants

@samgranger @magento-cicd2 @sidolov @magento-engcom-team @ihor-sviziev