MC-13922: [Sec] XSS Injection in Admin For Map Location Attributes, Image Caption, Slide Name

davemacaulay · davemacaulay · commit 2fa7173bf6da · 2019-02-09T11:57:28.000+01:00
- Resolve XSS in slider, image &amp; map
diff --git a/app/code/Magento/PageBuilder/view/adminhtml/pagebuilder/content_type/image.xml b/app/code/Magento/PageBuilder/view/adminhtml/pagebuilder/content_type/image.xml
@@ -63,7 +63,7 @@
                     </element>
                     <element name="empty_link"/>
                     <element name="caption">
-                        <html name="image_caption"/>
+                        <html name="image_caption" converter="Magento_PageBuilder/js/converter/html/tag-escaper"/>
                     </element>
                 </elements>
                 <converters>
diff --git a/app/code/Magento/PageBuilder/view/adminhtml/web/template/content-type/column/full-height/preview.html b/app/code/Magento/PageBuilder/view/adminhtml/web/template/content-type/column/full-height/preview.html
@@ -26,7 +26,7 @@
         </if>
     </div>
     <div class="pagebuilder-display-label"
-         html="displayLabel().toUpperCase()">
+         text="displayLabel().toUpperCase()">
     </div>
     <div class="pagebuilder-empty-container"
          css="{visible: parent.children().length == 0}"
diff --git a/app/code/Magento/PageBuilder/view/adminhtml/web/template/content-type/slider/default/preview.html b/app/code/Magento/PageBuilder/view/adminhtml/web/template/content-type/slider/default/preview.html
@@ -30,7 +30,7 @@
                 <span if="preview.previewData.slide_name() !== ''"
                       class="tooltip-content"
                       role="tooltip"
-                      html="preview.previewData.slide_name()">
+                      text="preview.previewData.slide_name()">
                 </span>
             </div>
         </div>
diff --git a/app/code/Magento/PageBuilder/view/base/web/js/utils/map.js b/app/code/Magento/PageBuilder/view/base/web/js/utils/map.js
@@ -108,16 +108,16 @@ define([
              */
             if (newMarkers && newMarkers.length) {
                 newMarkers.forEach(function (newMarker) {
-                    var location = newMarker['location_name'] || '',
+                    var location = _.escape(newMarker['location_name']) || '',
                     comment = newMarker.comment ?
-                        '<p>' + newMarker.comment.replace(/(?:\r\n|\r|\n)/g, '<br/>') + '</p>'
+                        '<p>' + _.escape(newMarker.comment).replace(/(?:\r\n|\r|\n)/g, '<br/>') + '</p>'
                         : '',
-                    phone = newMarker.phone ? '<p>Phone: ' + newMarker.phone + '</p>' : '',
-                    address = newMarker.address ? newMarker.address + '<br/>' : '',
-                    city = newMarker.city || '',
-                    country = newMarker.country ? newMarker.country : '',
-                    state = newMarker.state ? newMarker.state + ' ' : '',
-                    zipCode = newMarker.zipcode ? newMarker.zipcode : '',
+                    phone = newMarker.phone ? '<p>Phone: ' + _.escape(newMarker.phone) + '</p>' : '',
+                    address = newMarker.address ? _.escape(newMarker.address) + '<br/>' : '',
+                    city = _.escape(newMarker.city) || '',
+                    country = newMarker.country ? _.escape(newMarker.country) : '',
+                    state = newMarker.state ? _.escape(newMarker.state) + ' ' : '',
+                    zipCode = newMarker.zipcode ? _.escape(newMarker.zipcode) : '',
                     cityComma = city !== '' && (zipCode !== '' || state !== '') ? ', ' : '',
                     lineBreak = city !== '' || zipCode !== '' ? '<br/>' : '',
                     contentString =
