MAGETWO-45292: XSS Payload in website's translation table

slopukhov · slopukhov · commit 111f943b5838 · 2015-11-11T16:43:09.000+02:00
diff --git a/app/code/Magento/Translation/Model/ResourceModel/StringUtils.php b/app/code/Magento/Translation/Model/ResourceModel/StringUtils.php
@@ -210,6 +210,7 @@ public function saveTranslate($string, $translate, $locale = null, $storeId = nu
     {
         $connection = $this->getConnection();
         $table = $this->getMainTable();
+        $translate = htmlspecialchars($translate, ENT_QUOTES);
 
         if ($locale === null) {
             $locale = $this->_localeResolver->getLocale();

Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,7 @@ public function saveTranslate($string, $translate, $locale = null, $storeId = nu`
`210`	`210`	`{`
`211`	`211`	`$connection = $this->getConnection();`
`212`	`212`	`$table = $this->getMainTable();`
	`213`	`+ $translate = htmlspecialchars($translate, ENT_QUOTES);`
`213`	`214`
`214`	`215`	`if ($locale === null) {`
`215`	`216`	`$locale = $this->_localeResolver->getLocale();`