
Commit f8174ac

committed
MC-5835: [Sec] XSS in Page Builder
Encode/decode greater than and less than symbols (cherry picked from commit 7966311)
1 parent d4d31a7 commit f8174ac


2 files changed

+8
-4
lines changed


app/code/Magento/PageBuilder/view/adminhtml/web/js/content-type/products/mass-converter/widget-directive.js

Lines changed: 2 additions & 2 deletions

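--- a/app/code/Magento/PageBuilder/view/adminhtml/web/ts/js/content-type/products/mass-converter/widget-directive.ts
+++ b/app/code/Magento/PageBuilder/view/adminhtml/web/ts/js/content-type/products/mass-converter/widget-directive.ts
@@ -60,7 +60,9 @@ export default class WidgetDirective extends BaseWidgetDirective {
 return content.replace(/\{/g, "^[")
 .replace(/\}/g, "^]")
 .replace(/"/g, "`")
-.replace(/\\/g, "|");
+.replace(/\\/g, "|")
+.replace(/</g, "&lt;")
+.replace(/>/g, "&gt;");
 }
 
 /**
@@ -71,6 +73,8 @@ export default class WidgetDirective extends BaseWidgetDirective {
 return content.replace(/\^\[/g, "{")
 .replace(/\^\]/g, "}")
 .replace(/`/g, "\"")
-.replace(/\|/g, "\\");
+.replace(/\|/g, "\\")
+.replace(/&lt;/g, "<")
+.replace(/&gt;/g, ">");
 }
 }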
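Review bot: The round trip added at new lines 64–65 and 77–78 is not reversible for content that already contains the literal text `&lt;` or `&gt;`: the encoder leaves `&` untouched, so a pre-existing `&lt;` survives encoding and is then turned into a raw `<` by the decoder, changing content that was deliberately escaped before this commit. Encoding `&` first and decoding it last keeps the mapping injective: `return content.replace(/&/g, "&amp;")` ahead of the existing chain in the first hunk and `.replace(/&amp;/g, "&")` as the final replacement in the second, provided the server-side decoder of this directive format is updated to the same scheme. The same ambiguity already exists for the older pairs (`^[`, the backtick, `|`), so the class should at least document that the encoding assumes those sequences do not occur in the input. Both enclosing methods begin outside their hunks; the doc comment at old line 66 should be extended to list the new `<`/`>` pairs alongside the existing ones.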
