Magento < 1.9 XSS vulnerability fix description - vulnerability warning - the Black Bar Safety Net

2016-02-22T00:00:00
ID MYHACK58:62201671916
Type myhack58
Reporter Anonymous
Modified 2016-02-22T00:00:00

Description

I won't repeat the description of the Magento XSS vulnerability here; a Baidu search turns up plenty.

What follows is a quick and rather rough record of how I handled it; whether it is actually effective has not yet been verified.

Edit the file

app/design/adminhtml/default/default/template/sales/order/view/info.phtml

Search for getCustomerEmail.

Its value is echoed in two places.

Pass both through htmlentities, as follows:

<td class="value">
    <a href="mailto:<?php echo htmlentities($_order->getCustomerEmail()); ?>">
        <strong>
            <?php echo htmlentities($_order->getCustomerEmail()); ?>
        </strong>
    </a>
</td>
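To make the effect of that change visible outside Magento, here is an added example; it is not code from the original post or from Magento itself. It reproduces the two output points of the customer e-mail cell (the mailto: attribute and the element text) as plain PHP functions, once unescaped and once with htmlentities applied, and feeds both a constructed e-mail value that contains a quote and markup. The function names and the sample value are my own.

```php
<?php
// Added example: not code from the original post or from Magento itself. It
// reproduces the two output points of the customer e-mail cell from
// sales/order/view/info.phtml as plain functions, so the effect of the
// htmlentities() fix can be run and inspected outside Magento.

// Constructed sample value: an e-mail address carrying a quote and markup,
// the kind of stored value the admin order view would echo back.
const SAMPLE_EMAIL = 'x"><b>injected</b>@example.com';

// Before the fix: the value lands unescaped in both an attribute and text.
function renderCustomerEmailCellUnsafe(string $email): string
{
    return '<td class="value"><a href="mailto:' . $email . '"><strong>'
        . $email . '</strong></a></td>';
}

// After the fix: both output points go through htmlentities(). ENT_QUOTES
// also covers single quotes (the template's href is double-quoted, so the
// default flags already cover it there), and the charset is given explicitly
// so multibyte input is not silently dropped on older PHP versions.
function renderCustomerEmailCell(string $email): string
{
    $safe = htmlentities($email, ENT_QUOTES, 'UTF-8');
    return '<td class="value"><a href="mailto:' . $safe . '"><strong>'
        . $safe . '</strong></a></td>';
}

// Check used to compare the two: does the raw input survive into the HTML,
// i.e. would the browser parse it as markup rather than as text?
function inputSurvivesAsMarkup(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

$renderers = [
    'unsafe' => 'renderCustomerEmailCellUnsafe',
    'fixed'  => 'renderCustomerEmailCell',
];
foreach ($renderers as $label => $fn) {
    $html = $fn(SAMPLE_EMAIL);
    printf("%s: %s\n", $label, $html);
    printf("  raw markup reaches the page: %s\n",
        inputSurvivesAsMarkup($html, SAMPLE_EMAIL) ? 'yes' : 'no');
}
```

Run it with `php example.php`; the "unsafe" line shows the quote and tags passing straight through, the "fixed" line shows them rendered as entities. Two things worth knowing when applying the template change: htmlentities() without the charset argument behaves differently across PHP versions (on PHP 5.4 and later it assumes UTF-8; on earlier versions it assumed ISO-8859-1), so passing 'UTF-8' explicitly is safer; and this edit covers only the two output points in this one template, so any other admin template that echoes the same field needs the same treatment. Magento 1 blocks also provide $this->escapeHtml(), which applies htmlspecialchars with ENT_QUOTES, and is the project's own idiom for this.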

PS: The main reason for doing this was that the cloud ECS instance kept raising a security warning; after the change the annoying warning went away. As for whether the fix is actually effective and usable, anyone who needs it can verify for themselves; if anything is wrong, feel free to throw bricks :)