New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dangerous tags allowed in infoArray #49

Open

webian opened this issue Aug 14, 2019 · 1 comment

Labels

Contributor

webian commented Aug 14, 2019 •

edited

Loading

If there are no use cases that need html tags in $infoArray, it is better to not allow any tags.

tt_products/view/class.tx_ttproducts_info_view.php

Line 109 in bb56f05

$allowedTags = '<br><a><b><td><tr><div>';

By instance, allowing A tag, a user could send a malicious link in the note field of an order.

Owner

franzholz commented Aug 15, 2019

The shop admin should not click on the links which he receives from the order emails.

However it could be made configurable which tags are allowed for the info fields.

franzholz added the enhancement label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment