Skip to content

[Backport] Prevent XSS on checkout #18587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 17, 2018
Merged

[Backport] Prevent XSS on checkout #18587

merged 3 commits into from
Oct 17, 2018

Conversation

@dmytro-ch
Copy link
Contributor

@dmytro-ch dmytro-ch commented Oct 13, 2018

Original Pull Request

#18487

Description

The State/Province field (when selecting a country like The Netherlands) gives the user an input field (in checkout/account address). When filling <script>alert('hello world')</script>, the user will experience self xss in the next step of the checkout.

Fixed Issues (if relevant)

Bugcrowd reference cd8d0c3b57686f09cde51c4afaa2f0e70e51f9093121fb7140e3b7f26a89b7fd (which got marked as "won't fix")

Manual testing scenarios

See description/ (bugcrowd for video)

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)

@magento-engcom-team magento-engcom-team added Partner: Atwix Pull Request is created by partner Atwix partners-contribution Pull Request is created by Magento Partner labels Oct 13, 2018
@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Oct 13, 2018

Hi @dmytro-ch. Thank you for your contribution
Here is some useful tips how you can test your changes using Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

  • @magento-engcom-team give me test instance - deploy test instance based on PR changes
  • @magento-engcom-team give me $VERSION instance - deploy vanilla Magento instance

For more details, please, review the Magento Contributor Assistant documentation

@dmytro-ch dmytro-ch requested a review from rogyar October 13, 2018 11:44
@magento-engcom-team magento-engcom-team added this to the Release: 2.2.8 milestone Oct 13, 2018
@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Oct 13, 2018

Hi @sidolov, thank you for the review.
ENGCOM-3182 has been created to process this Pull Request

@magento-engcom-team magento-engcom-team merged commit fca4023 into magento:2.2-develop Oct 17, 2018
magento-engcom-team pushed a commit that referenced this pull request Oct 17, 2018
ENGCOM-3182: [Backport] Prevent XSS on checkout #18587
77d82e1
@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Oct 17, 2018

Hi @dmytro-ch. Thank you for your contribution.
We will aim to release these changes as part of 2.2.8.
Please check the release notes for final confirmation.

Please, consider to port this solution to 2.3 release line.
You may use Porting tool to port commits automatically.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sidolov sidolov sidolov approved these changes

@rogyar rogyar Awaiting requested review from rogyar

Assignees

@sidolov sidolov

Labels

Area: Frontend Component: Checkout Partner: Atwix Pull Request is created by partner Atwix partners-contribution Pull Request is created by Magento Partner Progress: accept Release Line: 2.2

Projects

None yet

Milestone

Release: 2.2.8

Development

Successfully merging this pull request may close these issues.

5 participants

@dmytro-ch @magento-engcom-team @sidolov @rogyar @samgranger