Merge pull request #157 from zendesk/yfernando/xss-fix

thekindofme · web-flow · commit ebe4973d424e · 2020-06-25T11:06:35.000+10:00
[PEGASUS-934] Escape user input when generating autocompelete list HTML to avoid XSS attacks
diff --git a/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php b/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php
@@ -415,9 +415,9 @@ public function autocompleteAction()
         $output = '<ul>';
         if($customers->getSize()) {
             foreach($customers as $customer) {
-                $id = $customer->getId();
-                $name = $customer->getName();
-                $email = $customer->getEmail();
+                $id = htmlspecialchars($customer->getId(), ENT_COMPAT, 'UTF-8');
+                $name = htmlspecialchars($customer->getName(), ENT_COMPAT, 'UTF-8');
+                $email = htmlspecialchars($customer->getEmail(), ENT_COMPAT, 'UTF-8');
                 $output .= '<li id="customer-' . $id . '" data-email="' . $email . '" data-name="' . $name . '">' . $name . ' &lt;' . $email . '&gt;</li>';
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -415,9 +415,9 @@ public function autocompleteAction()`
`415`	`415`	`$output = '<ul>';`
`416`	`416`	`if($customers->getSize()) {`
`417`	`417`	`foreach($customers as $customer) {`
`418`		`- $id = $customer->getId();`
`419`		`- $name = $customer->getName();`
`420`		`- $email = $customer->getEmail();`
	`418`	`+ $id = htmlspecialchars($customer->getId(), ENT_COMPAT, 'UTF-8');`
	`419`	`+ $name = htmlspecialchars($customer->getName(), ENT_COMPAT, 'UTF-8');`
	`420`	`+ $email = htmlspecialchars($customer->getEmail(), ENT_COMPAT, 'UTF-8');`
`421`	`421`	`$output .= '<li id="customer-' . $id . '" data-email="' . $email . '" data-name="' . $name . '">' . $name . ' <' . $email . '></li>';`
`422`	`422`	`}`
`423`	`423`	`}`