Merge pull request #157 from zendesk/yfernando/xss-fix

[PEGASUS-934] Escape user input when generating autocompelete list HTML to avoid XSS attacks
agnostack · Jun 25, 2020 · ebe4973 · ebe4973
2 parents 8e8b89f + f102bd3
commit ebe4973
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php b/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php
@@ -415,9 +415,9 @@ public function autocompleteAction()
         $output = '<ul>';
         if($customers->getSize()) {
             foreach($customers as $customer) {
-                $id = $customer->getId();
-                $name = $customer->getName();
-                $email = $customer->getEmail();
+                $id = htmlspecialchars($customer->getId(), ENT_COMPAT, 'UTF-8');
+                $name = htmlspecialchars($customer->getName(), ENT_COMPAT, 'UTF-8');
+                $email = htmlspecialchars($customer->getEmail(), ENT_COMPAT, 'UTF-8');
                 $output .= '<li id="customer-' . $id . '" data-email="' . $email . '" data-name="' . $name . '">' . $name . ' &lt;' . $email . '&gt;</li>';
             }
         }