Closed Neavium closed 3 weeks ago
nopCommerce version: release-4.70.2 and in develop branch
Steps to reproduce the problem:
<script>alert(1)</script>
Exact location of the vulnerability:
/src/Presentation/Nop.Web/Areas/Admin/Views/Order/List.cshtml
Line: 418
return `${row.CustomerFullName}<br /><a href="${link}">${data}</a>`;
How to fix:
Use the text renderer to show the CustomerFullName and probably the data (email) too:
var textRenderer = $.fn.dataTable.render.text().display;
return `${textRenderer(row.CustomerFullName)}<br /><a href="${link}">${textRenderer(data)}</a>`;
Closed 7230
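To make the difference between the two render functions in the report concrete, here is an added, stand-alone example (not nopCommerce's code and not the reporter's). The `escapeHtml` helper is an assumption standing in for what `$.fn.dataTable.render.text().display` does in the browser, namely HTML-encoding the value so it is shown as text instead of being parsed as markup; the row, e-mail and link values are constructed sample data.

```javascript
// Added example: a DataTables-style cell renderer for the admin order list,
// in its vulnerable form (as in List.cshtml line 418) and its escaped form.

// Assumption: this stands in for $.fn.dataTable.render.text().display,
// which HTML-encodes a value before it is placed in the table cell.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: customer-controlled fields are interpolated straight
// into HTML, so any markup in the customer name is parsed by the admin's browser.
function renderCustomerCellUnsafe(data, row, link) {
  return `${row.CustomerFullName}<br /><a href="${link}">${data}</a>`;
}

// Hardened renderer: both customer-controlled values go through the text renderer.
// The href is left as-is on the assumption that it is a server-built URL, as in the report.
function renderCustomerCellSafe(data, row, link) {
  const textRenderer = escapeHtml; // in DataTables: $.fn.dataTable.render.text().display
  return `${textRenderer(row.CustomerFullName)}<br /><a href="${link}">${textRenderer(data)}</a>`;
}

// Simple defender-side check: does the rendered cell still contain a raw <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a customer whose name carries the payload from the report.
const sampleRow = { CustomerFullName: '<script>alert(1)</script>', Id: 42 };
const sampleEmail = 'john@example.com';       // constructed
const sampleLink = '/Admin/Customer/Edit/42'; // constructed

console.log('unsafe :', renderCustomerCellUnsafe(sampleEmail, sampleRow, sampleLink));
console.log('safe   :', renderCustomerCellSafe(sampleEmail, sampleRow, sampleLink));
console.log('unsafe still has raw tag:', containsRawScriptTag(renderCustomerCellUnsafe(sampleEmail, sampleRow, sampleLink)));
console.log('safe still has raw tag  :', containsRawScriptTag(renderCustomerCellSafe(sampleEmail, sampleRow, sampleLink)));
```

Run with `node` to see both outputs side by side: the escaped cell shows the customer name literally as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. The same pattern applies to every column whose `render` callback builds HTML from row data; escaping only one field leaves the others as injection points.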
Why allowing customer name to have