Reflected Cross-Site Scripting (XSS) Vulnerabilities #92
Comments
|
@koentjeh Dat is correct. But escaping all fields in that form leads to problems with urls in some rare cases. Thats why we've added the tw_hash field. This should prevent xss atacks in that form. Do you still have xss issues with that form? |
|
Hi @ah-net , from the minimal information shared in #101 it seems to be related, yet neither of the issues mention any plan to remediate this issue. Could you explain what makes "escaping all fields in that form" so difficult? Maybe the cheat sheet from OWASP that provides guidance to prevent XSS vulnerabilities. could be of help. |
|
#101 is not related to this issue because the xss issue is in een different part. And that part is actually already escaped in the html. I've not fixed this issue, because i'm not convinced it is still an issue here. There is an xss check for changed variables with an hash field on that form. I've you can give an example it's still an issue in the latest version than i will fix this issue. I've you don't want to share an example here you can send it to [email protected] and mention it's an xss issue in the magento plugin. The problem was that escaping some url values caused the ajax request to fail or make some filters not selectable. I can't seem to reproduce this problem anymore (a lot of changes where made to the filtering in the meantime) but I'm not sure if the problem is fixed in all cases (depends on different settings) |
|
Hi @ah-net , thanks for your extensive explanation, good to hear this does not relate to #101 :) At time of writing my colleague is working on a patch to block reflected XSS, the issue we got from a security scan performed on one of our shops. If applicable I'll try to share it with you if it's ready and working. In the meantime I'll forward the uncovered issue to [email protected] so you can determine if it really originates from this module. |
|
@arnoschoon Thx for the report. I can reproduce the xss issue locally. We will investigate the issue futher and see if it really originates in our module or if it's an theme issue. |
We found that some templates in the Tweakwise modules are vulnerable to XSS attacks.
Magento has strategies within the dev docs that could help prevent these attacks: https://devdocs.magento.com/guides/v2.3/extension-dev-guide/xss-protection.html
One found example is wrapping the $variables within
$block->escapeHtml().Magento2Tweakwise/view/frontend/templates/layer/view.phtml
Line 47 in e737cf5
The text was updated successfully, but these errors were encountered: