XSS Vulnerability when filtering PLP #1211

Closed

giraclion opened this issue Nov 30, 2018 · 3 comments
@giraclion commented Nov 30, 2018

In combination with Magento 2's unescaped HTML in the layered navigation state PHTML template, the Smile ElasticSuite feature where multiple filter attributes are represented as human-readable values in the URL lets you perform an XSS attack.

Preconditions

Magento Version: v2.2.5
ElasticSuite Version: 5.5
Environment: Production
Third party modules: None

Steps to reproduce

  1. Open Firefox (Chrome blocks the XSS attempt)
  2. Go to http://demo.magento-elastic-suite.io/men/tops-men/tanks-men.html?material=Polyester%20%22%20onmouseover=%22alert(%27XSS%27)
  3. You will be able to reproduce the XSS vulnerability this way:
    [screenshot attached in the original issue]

Expected result

Inside vendor/magento/module-layered-navigation/view/frontend/templates/layer/state.phtml PHTML template the filter value and filter name must be escaped:

<?php $_filters = $block->getActiveFilters() ?>
<?php if (!empty($_filters)): ?>
<div class="filter-current" data-mage-init='{"collapsible":{"openedState": "active", "collapsible": true, "active": false }}'>
    <strong class="block-subtitle filter-current-subtitle"
            role="heading"
            aria-level="2"
            data-role="title"
            data-count="<?= count($_filters) ?>"><?= /* @escapeNotVerified */ __('Now Shopping by') ?></strong>
    <ol class="items">
        <?php foreach ($_filters as $_filter): ?>
            <li class="item">
                <span class="filter-label"><?= $block->escapeHtml(__($_filter->getName())) ?></span>
                <?php
                /**
                 * Added escaping to the filter label to prevent XSS from the URL
                 * (kept inside PHP tags so the comment is not emitted into the markup)
                 *
                 * @customization START
                 */
                ?>
                <span class="filter-value"><?= $block->escapeHtml($block->stripTags($_filter->getLabel())) ?></span>
                <?php /** @customization END */ ?>
                <?php
                $clearLinkUrl = $_filter->getClearLinkUrl();
                /**
                 * Added escaping to filter name to prevent XSS from URL
                 *
                 * @customization START
                 */
                $currentFilterName = $block->escapeHtml(__($_filter->getName() . " " . $block->stripTags($_filter->getLabel())));
                /** @customization END */
                if ($clearLinkUrl):
                    ?>
                    <a class="action previous" href="<?= /* @escapeNotVerified */ $_filter->getRemoveUrl() ?>"
                       title="<?= /* @escapeNotVerified */ __('Previous') ?>">
                        <span><?= /* @escapeNotVerified */ __('Previous') ?></span>
                    </a>
                    <a class="action remove"
                       title="<?= $block->escapeHtml($_filter->getFilter()->getClearLinkText()) ?>"
                       href="<?= /* @escapeNotVerified */ $clearLinkUrl ?>">
                        <span><?= $block->escapeHtml($_filter->getFilter()->getClearLinkText()) ?></span>
                    </a>
                <?php else: ?>
                    <a class="action remove" href="<?= /* @escapeNotVerified */ $_filter->getRemoveUrl() ?>"
                       title="<?= /* @escapeNotVerified */ $block->escapeHtml(__('Remove')) . " " . $currentFilterName ?>">
                        <span><?= /* @escapeNotVerified */ __('Remove This Item') ?></span>
                    </a>
                <?php endif; ?>
            </li>
        <?php endforeach; ?>
    </ol>
</div>
<?php endif; ?>
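The following is an added PHP reproduction of the attack path described in this issue; it is not code from Magento or ElasticSuite. It assumes the query-parameter name `material` from the demo URL above and approximates `$block->stripTags()` and `$block->escapeHtml()` with `strip_tags()` and `htmlspecialchars()`; the rendered markup mirrors only the two places in state.phtml that print the label (the `filter-value` span and the `title` attribute of the remove link). The DOM check at the end shows why `stripTags()` alone is not enough: the payload contains no tags, it closes the `title` attribute and adds an `onmouseover` handler, which the escaped rendering cannot do.

```php
<?php
declare(strict_types=1);

// Constructed reproduction of the report; assumes the demo URL is the only input.
const REPORTED_URL = 'http://demo.magento-elastic-suite.io/men/tops-men/tanks-men.html'
    . '?material=Polyester%20%22%20onmouseover=%22alert(%27XSS%27)';

/** Extract the human-readable filter value the layered-navigation URL carries. */
function filterLabelFromUrl(string $url, string $param): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return (string) ($query[$param] ?? '');
}

/** Approximates $block->stripTags(): removes tags but leaves quotes untouched. */
function stripTags(string $value): string
{
    return strip_tags($value);
}

/** Approximates $block->escapeHtml(): encodes &, <, >, " and ' for text and attribute context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the two places state.phtml prints the label. $escape=false reproduces the
 * vulnerable template (stripTags only); $escape=true the fix (stripTags + escapeHtml).
 */
function renderFilterState(string $name, string $label, bool $escape): string
{
    $value = $escape ? escapeHtml(stripTags($label)) : stripTags($label);
    $title = 'Remove ' . escapeHtml($name) . ' ' . $value;
    return '<li class="item">'
        . '<span class="filter-label">' . escapeHtml($name) . '</span>'
        . '<span class="filter-value">' . $value . '</span>'
        . '<a class="action remove" href="/men/tops-men/tanks-men.html" title="' . $title . '">'
        . '<span>Remove This Item</span></a></li>';
}

/** Parse the markup as a browser would and list every on* event-handler attribute. */
function injectedEventHandlers(string $html): array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_use_internal_errors($prev);

    $found = [];
    $attrs = (new DOMXPath($doc))->query('//@*[starts-with(name(), "on")]');
    foreach ($attrs as $attr) {
        $found[] = $attr->ownerElement->tagName . '@' . $attr->name . '=' . $attr->value;
    }
    return $found;
}

$label = filterLabelFromUrl(REPORTED_URL, 'material');
// $label now holds: Polyester " onmouseover="alert('XSS')

foreach ([false, true] as $escape) {
    $html = renderFilterState('Material', $label, $escape);
    printf(
        "%s\n  %s\n  event handlers found: %s\n",
        $escape ? 'fixed (stripTags + escapeHtml)' : 'vulnerable (stripTags only)',
        $html,
        json_encode(injectedEventHandlers($html))
    );
}
```

Run with `php repro.php`. The vulnerable rendering reports `a@onmouseover=alert('XSS')` because the unescaped `"` in the label terminates the `title` attribute of the remove link; the visible span carries the same text harmlessly, which is why only the attribute context is exploitable. Standard Magento layered navigation puts option IDs in the URL and looks the label up from the catalogue, so the attacker-controlled label only exists when ElasticSuite's human-readable URL values are in use.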
@giraclion giraclion changed the title XSS Valuarability when filtering PLP XSS Vulnerability when filtering PLP Nov 30, 2018
@romainruaud (Collaborator)

Hello @giraclion

Thanks for submitting it,

Something is unclear to me: if the problematic file is vendor/magento/module-layered-navigation/view/frontend/templates/layer/state.phtml, it's not Elasticsuite's responsibility, since this file comes directly from Magento.

Do you have the same error on a legacy Magento installation without Elasticsuite?

Regards

@giraclion (Author)

Hi @romainruaud I put the example of XSS on your Elastic Suite demo site =) So it is ElasticSuite responsibility.

@romainruaud (Collaborator)

Fixed by #1271

Will be part of the next 2.6.x and 2.7.x minor releases. We'll also update the demo website once they are published.

Regards
