Merge pull request #234 from EmicoEcommerce/bug/xss-issues

Bug/xss issues
EmicoEcommerce · Mar 22, 2022 · 5ea7cde · 5ea7cde
2 parents fd5b60b + 7687780
commit 5ea7cde
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/Model/Catalog/Layer/Url/Strategy/PathSlugStrategy.php b/Model/Catalog/Layer/Url/Strategy/PathSlugStrategy.php
@@ -305,7 +305,11 @@ public function getOriginalUrl(MagentoHttpRequest $request): string
             if ($mode) {
                 $query['product_list_mode'] = $mode;
             }
-            return $this->magentoUrl->getDirectUrl($twOriginalUrl, ['_query' => $query]);
+
+            return filter_var(
+                $this->magentoUrl->getDirectUrl($twOriginalUrl, ['_query' => $query]),
+                FILTER_SANITIZE_URL
+            );
         }
 
         return $this->getCurrentUrl();

diff --git a/Model/Catalog/Layer/Url/Strategy/QueryParameterStrategy.php b/Model/Catalog/Layer/Url/Strategy/QueryParameterStrategy.php
@@ -126,7 +126,7 @@ protected function getCurrentQueryUrl(MagentoHttpRequest $request, array $query)
         $params['_escape'] = false;
 
         if ($originalUrl = $request->getQuery('__tw_original_url')) {
-            return $this->url->getDirectUrl($originalUrl, $params);
+            return $this->url->getDirectUrl(filter_var($originalUrl, FILTER_SANITIZE_ENCODED), $params);
         }
         return $this->url->getUrl('*/*/*', $params);
     }

diff --git a/Model/FilterFormInputProvider/ToolbarInputProvider.php b/Model/FilterFormInputProvider/ToolbarInputProvider.php
@@ -24,6 +24,10 @@ class ToolbarInputProvider implements FilterFormInputProviderInterface
         Toolbar::PAGE_PARM_NAME
     ];
 
+    public const TOOLBAR_INPUTS_NO_ENCODING = [
+        Toolbar::ORDER_PARAM_NAME
+    ];
+
     /**
      * @var MagentoHttpRequest
      */
@@ -46,7 +50,11 @@ public function getFilterFormInput()
         $input = [];
         foreach (self::TOOLBAR_INPUTS as $toolbarInput) {
             if ($toolbarInputValue = $this->request->getParam($toolbarInput)) {
-                $input[$toolbarInput] = $toolbarInputValue;
+                if (in_array($toolbarInput, self::TOOLBAR_INPUTS_NO_ENCODING)) {
+                    $input[$toolbarInput] = $toolbarInputValue;
+                    continue;
+                }
+                $input[$toolbarInput] = filter_var($toolbarInputValue, FILTER_SANITIZE_ENCODED);
             }
         }