AC-12738: Cart update api fix

Deepak Tiwari · Deepak Tiwari · commit 9a9f1327a7f5 · 2024-09-27T15:52:32.000+05:30
diff --git a/lib/internal/Magento/Framework/Webapi/ServiceInputProcessor.php b/lib/internal/Magento/Framework/Webapi/ServiceInputProcessor.php
@@ -333,6 +333,14 @@ protected function _createFromArray($className, $data)
                             )
                         );
                     }
+                    if (is_string($setterValue) && $this->containsXSS($setterValue)) {
+                        throw new InputException(
+                            new Phrase(
+                                '"%field_name" contains potentially harmful content.',
+                                ['field_name' => $propertyName]
+                            )
+                        );
+                    }
                     $this->serviceInputValidator->validateEntityValue($object, $propertyName, $setterValue);
                     $object->{$setterName}($setterValue);
                 }
@@ -348,6 +356,19 @@ protected function _createFromArray($className, $data)
         return $object;
     }
 
+    /**
+     * Check if input value contains any XSS vector
+     *
+     * @param string $value
+     * @return bool
+     */
+    private function containsXSS(string $value)
+    {
+        // Check for <script> tags or any common XSS vectors
+        return preg_match('/<script\b[^>]*>(.*?)<\/script>/is', $value) ||
+            preg_match('/[<>]/', $value);
+    }
+
     /**
      * Convert custom attribute data array to array of AttributeValue Data Object
      *
