Update details.js DOM text reinterpreted as HTML #38757
Conversation
|
Hi @Shivam7-1. Thank you for your contribution! Add the comment under your pull request to deploy test or vanilla Magento instance:
❗ Automated tests can be triggered manually with an appropriate comment:
Allowed build names are:
You can find more information about the builds here For more details, review the Code Contributions documentation. |
|
@magento run all tests |
|
@magento run all tests |
|
@magento create issue |
|
Hi @Shivam7-1. Thank you for your contribution!
Allowed build names are:
You can find more information about the builds here For more details, review the Code Contributions documentation. |
|
Hii @engcom-Charlie , @engcom-Dash @engcom-Bravo and @engcom-Hotel Could You Please Review This PR Thanks & Regards |
|
Hii @engcom-Charlie , @engcom-Dash @engcom-Bravo and @engcom-Hotel Could You Please Review This PR Thanks & Regards |
|
@magento run all tests |
app/code/Magento/Checkout/view/frontend/web/js/view/summary/item/details.js
Show resolved
Hide resolved
|
Hii @engcom-Hotel Thanks For Review But I think yes Using textContent is more beneficial here as it automatically ensures text is safely handled without risking HTML injection, unlike innerHTML. |
|
Hii @engcom-Hotel Could you please Review this PR again |
|
Hii @engcom-Hotel @engcom-Dash Thanks For Reviewing PR |
|
Hello @Shivam7-1, At this stage, no action is required from your side. The PR is currently in the testing bucket and will be progressed based on priority. We appreciate your patience. Thanks |
|
Hii @engcom-Hotel Thanks For Response If possible Could Team Fastrack the Process |
|
Hii @engcom-Hotel Could you Please ping tester here for testing and get merge this PR So it will get merge Soon |
|
Hii @engcom-Hotel Could you Assign or ping anyone from Team to Test this PR |
|
Hii @engcom-Hotel Just Follow Up on this PR |
|
Hi @Shivam7-1, Thanks for the collaboration & contribution! ❌ : QA FAILEDBefore: ✖️ ❌ Actual result After Fix The results were same even after taking the PR changes.Could you Please let us know if we are missing anything and elaborate the expected and actual results. Thanks. |
|
Hii @engcom-Bravo Thanks For Reviewing above it's working fine you can check this comments here #38757 (comment) |
|
Hii @engcom-Bravo Thanks For Testing Anything else is Required from my side |
|
Hi @Shivam7-1, Thanks for your Update. Could you please let us know the aim of the PR and the issue that is solving here with the help of this PR.As per this comment #38757 (comment) before and after PR changes there is no change as such. Kindly provide us detailed manual testing scenario to proceed further. Thanks. |
|
Hii @engcom-Bravo The aim of this PR is to mitigate the potential risk of HTML injection, particularly related to XSS (Cross-Site Scripting) vulnerabilities. In the original code, we were using By switching to Regarding the manual testing, here are the scenarios which could be tested to ensure functionality:
The changes mainly affect the way the input is handled in terms of security. While it might seem like there’s no visible change, this update significantly improves the security posture by preventing potential XSS attacks. Please let me know if you need further clarifications or additional tests! Thanks, |
|
Hii @engcom-Bravo anything else is required from my side for this PR |
|
Hii @engcom-Bravo anything else is required from my side for this PR |
|
Hii @engcom-Charlie , @engcom-Dash @engcom-Bravo and @engcom-Hotel Team now this PR is ready to merge i think since 1.5 month could team look into this Thanks |
|
Hi @Shivam7-1, Currently, no action is required from your side. The PR is currently in the testing bucket and team will pick this PR for further processing based on priority. Thank you for your patience. |
|
Hii @engcom-Charlie Thanks |
|
Hi @Shivam7-1, Team is currently working on the other priority board. Currently this PR is in Ready for Testing bucket and as mentioned above, no action is required from your end here. Team will pick it in future as per the priority. Thank you! |
|
@magento run all tests |
|
Hello @Shivam7-1 Thanks for your PR addressing XSS concerns. I wanted to share some findings from my testing: To reproduce the issue and validate the fix, I temporarily removed the escaper.escapeHtml logic in the function. However, even without the escaper, Content Security Policy (CSP) is still blocking the output when it's bound using Knockout's html: binding. This is because CSP restricts inline scripts or HTML that could potentially execute malicious JavaScript If we take a look at app/code/Magento/Security/view/base/web/js/escaper.js "escapeHtml" function is specifically designed to escape a string for safe injection into HTML, converting characters like <, >, &, and " into their respective HTML entities. This ensures that any potentially dangerous content in quoteItem.name is rendered as plain text in the browser, rather than being interpreted as HTML or JavaScript. please find below text where script rendered as plain text: In this case, the content is not being rendered directly it's being escaped first. So the change doesn’t add any additional security benefit. |
Description (*)
By using textContent , it will avoid the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML.
To help with the testing you can use the following manual testing scenarios:
Check if HTML tags are correctly escaped:
Add a product with various HTML tags (e.g.,
<b>bold</b>,<script>alert("test")</script>) in the cart, then verify that these are displayed correctly without being interpreted as HTML on the checkout page.Check edge cases with special characters:
Add products with special characters in their names (e.g.,
&,<,>,"). Ensure that these characters are correctly sanitized and displayed as expected.Contribution checklist (*)
Resolved issues: