
Commit 7e2c52e

mfilipcblanc
authored andcommitted
fix(security): add proper escaping to template variables to prevent XSS vulnerabilities
1 parent 8e25dde commit 7e2c52e


2 files changed

+32
-32
lines changed


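--- a/view/adminhtml/templates/admin.phtml
+++ b/view/adminhtml/templates/admin.phtml
@@ -4,12 +4,12 @@ $helper = $this->helper('Idealpostcodes\Ukaddresssearch\Helper\Data');
 <?php if(!isset($secureRenderer)) { ?>
 <script type="text/javascript">
 document.addEventListener('DOMContentLoaded', function() {
-var apiKey = "<?= $helper->getAdminConfig('api_key') ?>";
-var autocomplete = <?= $helper->getAdminConfig('addressAutocomplete') ?>;
-var removeOrganisation = <?= $helper->getAdminConfig('removeOrganisation') ?>;
-var populateCounty = <?= $helper->getAdminConfig('requireCounty') ?>;
-var enabled = <?= $helper->getAdminConfig('enabled') ?>;
-var customFields = <?= trim(preg_replace("/\r|\n/", "", $helper->getAdminConfig('customFields'))) ?>;
+var apiKey = "<?= $block->escapeJsQuote($helper->getAdminConfig('api_key')) ?>";
+var autocomplete = <?= $block->escapeJs($helper->getAdminConfig('addressAutocomplete')) ?>;
+var removeOrganisation = <?= $block->escapeJs($helper->getAdminConfig('removeOrganisation')) ?>;
+var populateCounty = <?= $block->escapeJs($helper->getAdminConfig('requireCounty')) ?>;
+var enabled = <?= $block->escapeJs($helper->getAdminConfig('enabled')) ?>;
+var customFields = <?= $block->escapeJs(trim(preg_replace("/\r|\n/", "", $helper->getAdminConfig('customFields')))) ?>;
 // Exit early if disabled
 if (enabled === false) return;
 window.idpcConfig = {
@@ -27,12 +27,12 @@ $helper = $this->helper('Idealpostcodes\Ukaddresssearch\Helper\Data');
 <?php } else {
 echo $secureRenderer->renderTag('script', [], '
 document.addEventListener("DOMContentLoaded", function() {
-var apiKey = "' . $helper->getAdminConfig('api_key') . '";
-var autocomplete = ' . $helper->getAdminConfig('addressAutocomplete') . ';
-var removeOrganisation = ' . $helper->getAdminConfig('removeOrganisation') . ';
-var populateCounty = ' . $helper->getAdminConfig('requireCounty') . ';
-var enabled = ' . $helper->getAdminConfig('enabled') . ';
-var customFields = ' . trim(preg_replace("/\r|\n/", "", $helper->getAdminConfig('customFields'))) . ';
+var apiKey = "' . $block->escapeJsQuote($helper->getAdminConfig('api_key')) . '";
+var autocomplete = ' . $block->escapeJs($helper->getAdminConfig('addressAutocomplete')) . ';
+var removeOrganisation = ' . $block->escapeJs($helper->getAdminConfig('removeOrganisation')) . ';
+var populateCounty = ' . $block->escapeJs($helper->getAdminConfig('requireCounty')) . ';
+var enabled = ' . $block->escapeJs($helper->getAdminConfig('enabled')) . ';
+var customFields = ' . $block->escapeJs(trim(preg_replace("/\r|\n/", "", $helper->getAdminConfig('customFields')))) . ';
 // Exit early if disabled
 if (enabled === false) return;
 window.idpcConfig = {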
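Review bot: `escapeJsQuote` on the `apiKey` line of both hunks (new lines 7 and 30) escapes only the single-quote character unless its second argument is given, but the value is emitted inside a double-quoted JS string literal, so a `"` or a `</script>` sequence in the stored key would still terminate the string or the script element. `escapeJs` encodes every character outside `[a-zA-Z0-9,._]` and is the right call here: `var apiKey = "<?= $block->escapeJs($helper->getAdminConfig('api_key')) ?>";` (and the equivalent concatenation in the `renderTag` branch); the same `apiKey` lines in store.phtml have the same issue. Separately, `customFields` now goes through `escapeJs` in this file but is marked `@noEscape` in store.phtml; if it holds an object literal, as the newline stripping suggests, `escapeJs` will encode its braces and quotes and the assignment no longer parses, so the two templates should agree on one treatment. The enclosing `DOMContentLoaded` handler continues past the end of each hunk.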

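--- a/view/frontend/templates/store.phtml
+++ b/view/frontend/templates/store.phtml
@@ -4,16 +4,16 @@ $helper = $this->helper('Idealpostcodes\Ukaddresssearch\Helper\Data');
 <?php if(!isset($secureRenderer)) { ?>
 <script type="text/javascript" name="Ideal_Postcodes">
 document.addEventListener('DOMContentLoaded', function() {
-var apiKey = "<?php echo $helper->getConfig('api_key'); ?>";
-var postcodeLookup = <?php echo $helper->getConfig('postcodeLookup'); ?>;
-var autocomplete = <?php echo $helper->getConfig('addressAutocomplete'); ?>;
-var removeOrganisation = <?php echo $helper->getConfig('removeOrganisation'); ?>;
-var hoistCountry = <?php echo $helper->getConfig('hoistCountryField'); ?>;
-var populateCounty = <?php echo $helper->getConfig('requireCounty'); ?>;
-var autocompleteOverride = <?php echo $helper->getConfig('autocompleteOverride'); ?>;
-var postcodeLookupOverride = <?php echo $helper->getConfig('postcodeLookupOverride'); ?>;
-var enabled = <?php echo $helper->getConfig('enabled'); ?>;
-var customFields = <?php echo trim(preg_replace('/\r|\n/', '', $helper->getConfig('customFields'))); ?>;
+var apiKey = "<?= $block->escapeJsQuote($helper->getConfig('api_key')) ?>";
+var postcodeLookup = <?= $block->escapeJs($helper->getConfig('postcodeLookup')) ?>;
+var autocomplete = <?= $block->escapeJs($helper->getConfig('addressAutocomplete')) ?>;
+var removeOrganisation = <?= $block->escapeJs($helper->getConfig('removeOrganisation')) ?>;
+var hoistCountry = <?= $block->escapeJs($helper->getConfig('hoistCountryField')) ?>;
+var populateCounty = <?= $block->escapeJs($helper->getConfig('requireCounty')) ?>;
+var autocompleteOverride = <?= /* @noEscape */ $helper->getConfig('autocompleteOverride') ?>;
+var postcodeLookupOverride = <?= /* @noEscape */ $helper->getConfig('postcodeLookupOverride') ?>;
+var enabled = <?= $block->escapeJs($helper->getConfig('enabled')) ?>;
+var customFields = <?= /* @noEscape */ trim(preg_replace('/\r|\n/', '', $helper->getConfig('customFields'))) ?>;
 // Exit early if disabled
 if (enabled === false) return;
 window.idpcConfig = {
@@ -33,16 +33,16 @@ document.addEventListener('DOMContentLoaded', function() {
 <?php } else {
 echo $secureRenderer->renderTag('script', [], '
 document.addEventListener("DOMContentLoaded", function() {
-var apiKey = "' . $helper->getConfig('api_key') . '";
-var postcodeLookup = ' . $helper->getConfig('postcodeLookup') . ';
-var autocomplete = ' . $helper->getConfig('addressAutocomplete') . ';
-var removeOrganisation = ' . $helper->getConfig('removeOrganisation') . ';
-var hoistCountry = ' . $helper->getConfig('hoistCountryField') . ';
-var populateCounty = ' . $helper->getConfig('requireCounty') . ';
-var autocompleteOverride = ' . $helper->getConfig('autocompleteOverride') . ';
-var postcodeLookupOverride = ' . $helper->getConfig('postcodeLookupOverride') . ';
-var enabled = ' . $helper->getConfig('enabled') . ';
-var customFields = ' . trim(preg_replace('/\r|\n/', '', $helper->getConfig('customFields'))) . ';
+var apiKey = "' . $block->escapeJsQuote($helper->getConfig('api_key')) . '";
+var postcodeLookup = ' . $block->escapeJs($helper->getConfig('postcodeLookup')) . ';
+var autocomplete = ' . $block->escapeJs($helper->getConfig('addressAutocomplete')) . ';
+var removeOrganisation = ' . $block->escapeJs($helper->getConfig('removeOrganisation')) . ';
+var hoistCountry = ' . $block->escapeJs($helper->getConfig('hoistCountryField')) . ';
+var populateCounty = ' . $block->escapeJs($helper->getConfig('requireCounty')) . ';
+var autocompleteOverride = ' . /* @noEscape */ $helper->getConfig('autocompleteOverride') . ';
+var postcodeLookupOverride = ' . /* @noEscape */ $helper->getConfig('postcodeLookupOverride') . ';
+var enabled = ' . $block->escapeJs($helper->getConfig('enabled')) . ';
+var customFields = ' . /* @noEscape */ trim(preg_replace('/\r|\n/', '', $helper->getConfig('customFields'))) . ';
 // Exit early if disabled
 if (enabled === false) return;
 window.idpcConfig = {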
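Review bot: The `/* @noEscape */` markers on `autocompleteOverride`, `postcodeLookupOverride` and `customFields` (new lines 13, 14 and 16, repeated at 42, 43 and 45) leave those three values interpolated raw into the script on the storefront, so the escaping this commit adds stops exactly where the input is richest. `@noEscape` only silences Magento's static check; it does not make the output safe, and these are the values a stored configuration change would most plausibly carry a payload in. If they are JSON structures, decode and re-encode them so only a well-formed value reaches the page, e.g. `var customFields = <?= /* @noEscape */ json_encode(json_decode($helper->getConfig('customFields')), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>;`, which also makes the `preg_replace` newline stripping unnecessary; if they are meant to be arbitrary JS snippets, a comment at the top of the template should record that as a deliberate trust decision on admin-controlled configuration. The `DOMContentLoaded` handler runs past the end of each hunk.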
