
Fix issues with JS and Prestashop Vulnerabilities #163

Merged: 3 commits, Aug 17, 2023

Conversation


@Sambhav1403 Sambhav1403 commented Jul 18, 2023

  1. Adds Display Error support to show in case of rendering issues
  2. Replaces Prestashop's nofilter filter with decodeEscapedHtml to handle decoding on client side JS.

@Sambhav1403 changed the title from "fix template issues" to "Fix issues with JS and Prestashop Vulnerabilities" on Jul 18, 2023
var blockonomics_data = JSON.stringify({
time_period: {$time_period},
crypto: JSON.parse('{json_encode($crypto) nofilter}'),
crypto: JSON.parse(decodeEscapedHtml('{json_encode($crypto)}')),
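Review bot: the new line `crypto: JSON.parse(decodeEscapedHtml('{json_encode($crypto)}'))` decodes in the wrong order for a JS string literal: the browser's JS parser processes the single-quoted literal first (consuming any backslash escapes that json_encode emits, such as `\"` or `\\` inside string values), and only then does decodeEscapedHtml undo the HTML entities, so values containing backslashes or quotes cannot be restored to valid JSON. Escaping for the actual context, a JS string literal, with Smarty's `escape:'javascript'` keeps one encode layer matched by one decode layer; decodeEscapedHtml is also not defined in this hunk, so confirm the script that provides it is loaded before this block runs.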
Collaborator

Using DOMParser works, however it looks like we are avoiding escaping the data. We can use the following in the smarty template:
JSON.parse('{$crypto|@json_encode|escape: 'javascript'}'.replaceAll('&quot;', '"'))
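As an added illustration (not code from the PR or the blockonomics module), the following JavaScript models the two ways of handing json_encode($crypto) to JSON.parse discussed in this review and evaluates each rendered template line the way a browser would. The escape helpers are approximations of Smarty's htmlall and escape:'javascript' modifiers, and decodeEscapedHtml is a hypothetical stand-in for the helper the PR introduces (all three are assumptions).

```javascript
// Added example, not code from the PR or the blockonomics module: it models the two ways of
// handing json_encode($crypto) to JSON.parse discussed in this review and evaluates each
// rendered template line as a browser would. The escape helpers are approximations (assumption).

// Stand-in for Smarty's htmlall escaping (htmlspecialchars with ENT_QUOTES).
function escapeHtmlAll(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#039;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for Smarty's escape:'javascript' modifier (backslash, quotes, newlines, "</").
function escapeJavascript(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"')
    .replace(/\r/g, '\\r').replace(/\n/g, '\\n').replace(/<\//g, '<\\/');
}

// Hypothetical client-side helper named in the PR; decodes only the entities produced above.
function decodeEscapedHtml(s) {
  return s.replace(/&quot;/g, '"').replace(/&#039;/g, "'").replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// The PR's line: HTML-escape at render time, undo the entities at run time.
function renderEntityDecodeLine(json) {
  return `JSON.parse(decodeEscapedHtml('${escapeHtmlAll(json)}'))`;
}

// The reviewer's line: escape for the JS string-literal context only.
function renderJsEscapeLine(json) {
  return `JSON.parse('${escapeJavascript(json)}')`;
}

// Evaluate a rendered line as script. The JS parser decodes the single-quoted literal
// (consuming backslash escapes) before decodeEscapedHtml or JSON.parse ever runs.
function runLine(line) {
  return new Function('decodeEscapedHtml', 'return ' + line)(decodeEscapedHtml);
}

const parseViaEntityDecode = (json) => runLine(renderEntityDecodeLine(json));
const parseViaJsEscape = (json) => runLine(renderJsEscapeLine(json));

// Constructed sample: a backslash and a double quote in values, which real data may contain.
const sample = JSON.stringify({ btc: { name: 'Bitcoin', path: 'C:\\temp', note: 'say "hi"' } });
console.log(parseViaJsEscape(sample).btc.path);                          // C:\temp, intact
try { parseViaEntityDecode(sample); } catch (e) { console.log(e.name); } // SyntaxError
```

With only the backslash value present the entity-decode path does not throw but silently turns `\t` into a tab, which is the harder failure to notice in production.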

@@ -28,6 +28,12 @@
<div class="bnomics-spinner"></div>
</div>

<!-- Display Error -->
<div class="bnomics-display-error">
<h2>{l s='Display Error' mod='blockonomics'}{$id_order}</h2>
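Review bot: `{$id_order}` in `<h2>{l s='Display Error' mod='blockonomics'}{$id_order}</h2>` is output with no escape modifier; even though an order id is expected to be numeric, template variables should be passed through `|escape:'htmlall'` so the output stays safe whatever the value's origin and the PrestaShop validator stops flagging it. The translated label and the id are also concatenated with nothing between them, so the heading renders the id directly onto the words "Display Error"; add a space or colon separator.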
Collaborator

We can escape all outputs to avoid security warnings in the prestashop validator
[Screenshot: PrestaShop-Validator (1)]
{$id_order|escape:'htmlall'}


Alright.

@DarrenWestwood DarrenWestwood merged commit f84a308 into blockonomics:1.7 Aug 17, 2023