Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add escaping of js translation version #10904

Merged
merged 1 commit into from
Sep 17, 2017
Merged

Add escaping of js translation version #10904

merged 1 commit into from
Sep 17, 2017

Conversation

ihor-sviziev
Copy link
Contributor

@ihor-sviziev ihor-sviziev commented Sep 16, 2017
edited by ishakhsuvarov
Loading

As it was discussed in #10378 (comment) - we need to escape js translation version.

Description

Previously value of $version variable was always sha1, that can be not escaped, but from now it uses raw value from public method, that could be overridden by plugin.

Fixed Issues (if relevant)

N/A

Manual testing scenarios

  1. Put following code to getTranslationFileVersion method (directly or via plugin):
return "' || alert(1) || '";
  1. Go to any page

Actual result:

  1. Alert with message 1 is shown

Expected result:

  1. Alert mustn't be shown

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)

@ihor-sviziev ihor-sviziev mentioned this pull request Sep 16, 2017
Merged
4 tasks
@orlangur
Copy link
Contributor

Sorry, does not sound reasonable to me :) One can put some alert into plugin, but why?

Such approach means we shall escape output of EVERY public non-final method as it can be pluginized.

I'll tell you more, escapeJsQuote can be pluginized as well. Magento is pretty flexible thus if somebody really wants to shoot in the foot we cannot prevent it.

Cc: @ishakhsuvarov @hostep since you liked the idea, please share your thoughts. I may be a bit out of context.

@hostep
Copy link
Contributor

hostep commented Sep 16, 2017
edited
Loading

@orlangur: I think if a value is outputted in a javascript string, it should be escaped, so if the value contains single quotes, it won't break the javascript.

This is not really to prevent injecting other javascript code to be executed, but in this case, so that the $version can contain single quotes in itself. Suppose someone (for some reason) wants to use a different hashing method that can contain single quotes in the hash, then those single quotes should be escaped in the output, otherwise the javascript code will break.

@orlangur
Copy link
Contributor

@hostep ok, thanks, that's a bit closer to reality, just I'm not sure if there are actually some hash functions with single quotes in output. Generally I'm a bigger fan of "escape everything by default" approach, like Twig does, not sure why Magento picked up an opposite approach.

@ishakhsuvarov ishakhsuvarov self-assigned this Sep 17, 2017
@ishakhsuvarov ishakhsuvarov added this to the September 2017 milestone Sep 17, 2017
@magento-team magento-team merged commit f2c8a75 into magento:develop Sep 17, 2017
magento-team pushed a commit that referenced this pull request Sep 17, 2017
@ishakhsuvarov
MAGETWO-75309: Add escaping of js translation version #10904
24144f3
magento-team pushed a commit that referenced this pull request Sep 17, 2017
@ishakhsuvarov
Merge pull request #1496 from magento-engcom/develop-prs
1b6d536 
[EngCom] Public Pull Requests
 - MAGETWO-75310 Fixed Typo Mistake in comment. #10905
 - MAGETWO-75309 Add escaping of js translation version #10904
 - MAGETWO-72341 enable universal use of modal and tab_group #10789
@ihor-sviziev ihor-sviziev deleted the patch-8 branch September 17, 2017 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@orlangur orlangur orlangur approved these changes

Assignees

@ishakhsuvarov ishakhsuvarov

Labels
Progress: accept
Projects
None yet
Milestone
September 2017
Development

Successfully merging this pull request may close these issues.
5 participants
@ihor-sviziev @orlangur @hostep @magento-team @ishakhsuvarov