Merge pull request #16 from mageplaza/2.4-develop

fix XSS bugs

Author: Tuvpt

Helper/Data.php

@@ -51,8 +51,14 @@ public function ajaxEnabled($storeId = null)
      */
     public function getLayerConfiguration($filters)
     {
-        $filterParams = $this->_getRequest()->getParams();
-
+        $params       = $this->_getRequest()->getParams();
+        $filterParams = [];
+        foreach ($params as $key => $param) {
+            if ($key === 'amp;dimbaar') {
+                continue;
+            }
+            $filterParams[$this->escapeJs(htmlentities($key))] = $this->escapeJs(htmlentities($param));
+        }
         $config = new DataObject([
             'active' => array_keys($filterParams),
             'params' => $filterParams,
@@ -61,4 +67,32 @@ public function getLayerConfiguration($filters)
 
         return self::jsonEncode($config->getData());
     }
+
+    /**
+     * from Magento Core
+     *
+     * @param string $string
+     *
+     * @return string|null
+     */
+    public function escapeJs($string)
+    {
+        if ($string === '' || ctype_digit($string)) {
+            return $string;
+        }
+
+        return preg_replace_callback(
+            '/[^a-z0-9,\._]/iSu',
+            function ($matches) {
+                $chr = $matches[0];
+                if (strlen($chr) != 1) {
+                    $chr = mb_convert_encoding($chr, 'UTF-16BE', 'UTF-8');
+                    $chr = ($chr === false) ? '' : $chr;
+                }
+
+                return sprintf('\\u%04s', strtoupper(bin2hex($chr)));
+            },
+            $string
+        );
+    }
 }

composer.json

@@ -5,7 +5,7 @@
     "mageplaza/module-core": "^1.4.5"
   },
   "type": "magento2-module",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "license": "proprietary",
   "authors": [
     {