Add session ID handling and shop name to payment form template #156
BushraAsif wants to merge 4 commits into
Conversation
shahbaz-mehar
left a comment
Changes have been reviewed.
| 'stylingclass' => $payment_style, | ||
| 'amount' => $postData['amount'], | ||
| 'shop_logo' => _PS_IMG_ . Configuration::get('PS_LOGO'), | ||
| 'shop_name' => Configuration::get('PS_SHOP_NAME'), |
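Review bot: the added `shop_name` entry passes `Configuration::get('PS_SHOP_NAME')` to the template unescaped, so the safety of this line rests entirely on the template's output escaping; please confirm that every use of `$shop_name` in `views/templates/front/payment_form_independent.tpl` applies an escape modifier suited to its context (`escape:'html'` in markup is not sufficient inside a script block or inline event handler), and add a short comment on this line noting that escaping is deliberately left to output so a later change does not drop it.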
We are pushing the shop name to the frontend, which potentially can do XSS if not sanitised.
Is the ShopName sanitised when being inserted in the configuration?
Or even better, maybe we should sanitise it now to ensure how it is stored does not open us for this vulnerability?
@emicha, here we are only reading the value from configuration and sending it to the template.
In PrestaShop, the standard approach is to escape at output depending on the context, which is already done here with {$shop_name|escape:'html'}.
views/templates/front/payment_form_independent.tpl
If we sanitize it in PHP here, it could cause issues like double escaping or problems in other contexts.
I agree it would be better to validate the shop name when it is saved in configuration, so it is safe everywhere.
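An added example, not code from PR #156 or from PrestaShop, showing the double-escaping and context points raised above with plain PHP functions standing in for the Smarty `escape` modifier; the shop name is a constructed value:

```php
<?php
// Constructed shop name, as an admin might enter it into PS_SHOP_NAME.
$shopName = "Tom & Jerry's <Toys>";

// 1. Escape once, at output, for an HTML body context. This is what
//    {$shop_name|escape:'html'} does in the Smarty template: the stored
//    value stays raw and the template decides how to encode it.
$html = htmlspecialchars($shopName, ENT_QUOTES, 'UTF-8');

// 2. Double escaping: if the value had been HTML-escaped before being
//    stored, the template's escape filter would encode the '&' of every
//    entity again, so the page shows literal "&amp;" to the customer.
$storedEscaped = htmlspecialchars($shopName, ENT_QUOTES, 'UTF-8');
$doubled = htmlspecialchars($storedEscaped, ENT_QUOTES, 'UTF-8');

// 3. Context matters: an HTML escape is not a JavaScript escape. If the
//    same value were ever placed inside a <script> block it would need a
//    JS/JSON encoding instead, which is why a single pre-sanitised stored
//    form cannot be "safe everywhere".
$js = json_encode(
    $shopName,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);

foreach (['html' => $html, 'double' => $doubled, 'js' => $js] as $ctx => $out) {
    echo str_pad($ctx, 8), $out, PHP_EOL;
}
```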
No description provided.