Resolve Message at Frontend has No HTML format issue25162 #25163
Conversation
Hi @edenduong. Thank you for your contribution.
For more details, please review the Magento Contributor Guide documentation.
@magento give me test instance
Hi @kalpmehta. Thank you for your request. I'm working on a Magento instance for you.
Hi @kalpmehta, here is your new Magento instance.
this.cookieMessages.forEach(function (value) {
value.text = _.unescape(value.text);
value.text = value.text.replace(SCRIPT_REGEX, "");
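Review bot: unescaping the whole message and then deleting only what SCRIPT_REGEX matches is a denylist, so every other tag and attribute in value.text is still handed to the template as live HTML; the second line should be replaced by an allowlist step that rebuilds only the anchor shape the feature needs (an a tag with a checked href) and escapes the rest, as the review discussion below proposes.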
@edenduong Instead of unescaping message and removing script tags, I think whitelisting only anchor tag with href attribute would be more painless and secure.
@kalpmehta: I have solved it. Please check it again. Thanks!
@edenduong Thanks! Do you think this can be supported with tests?
@kalpmehta: I just covered it with an MFTF test. Please check it. Thanks!
This has no place in core Magento because it's a really dirty hack. I don't see the commit where an <a> tag is whitelisted instead.
@AlexMaxHorkun Thanks! Do you have a suggestion for rendering only an <a> tag while also ensuring it's secure?
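One concrete shape for the allowlist being asked about, added here as an example and not code from this PR or from Magento: the message arrives HTML-escaped (the form the PR's `_.unescape` call reverses), the example unescapes it, recognises only the exact pattern `<a href="...">text</a>` whose href is http(s) or a site-relative path, re-emits those anchors with the href and label escaped, and escapes everything else as plain text. The names `renderMessage`, `isSafeHref` and `ANCHOR_RE` are the example's own, the inline `unescapeHtml` stands in for underscore's `_.unescape` so the block runs without that library, and the sample messages are constructed.

```javascript
// Added example (not Magento's code): render a storefront message that may carry
// a link while allowing only <a href="..."> with an http(s) or site-relative href.
// Every other tag and attribute is HTML-escaped rather than stripped.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Reverses the escaping the message arrives with. Stands in for underscore's
// _.unescape used in the PR; it covers the common entities only.
function unescapeHtml(text) {
  return String(text)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&#x27;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" yields "&lt;" and not "<"
}

// An href passes only when it is absolute http(s) or a site-relative path.
// Other schemes and protocol-relative "//host" URLs are rejected.
function isSafeHref(href) {
  const value = href.trim();
  if (/^https?:\/\//i.test(value)) return true;
  if (value.startsWith('/') && !value.startsWith('//')) return true;
  return false;
}

// Only this exact shape is recognised: <a href="...">plain text</a>.
// Extra attributes or nested tags fail the match and are escaped as text.
const ANCHOR_RE = /<a\s+href="([^"]*)"\s*>([^<]*)<\/a>/gi;

// Takes the escaped message text and returns markup safe to insert as HTML.
function renderMessage(escapedMessage) {
  const raw = unescapeHtml(escapedMessage);
  let out = '';
  let last = 0;
  for (const m of raw.matchAll(ANCHOR_RE)) {
    // Text between anchors is always escaped.
    out += escapeHtml(raw.slice(last, m.index));
    const [whole, href, label] = m;
    if (isSafeHref(href)) {
      // Rebuild the anchor from its parts; never copy the matched markup through.
      out += '<a href="' + escapeHtml(href) + '">' + escapeHtml(label) + '</a>';
    } else {
      // Unsafe href: the whole anchor is shown as literal text.
      out += escapeHtml(whole);
    }
    last = m.index + whole.length;
  }
  out += escapeHtml(raw.slice(last));
  return out;
}

// Constructed sample, not a real Magento message.
console.log(renderMessage(
  'Thank you, &lt;a href=&quot;/newsletter/subscriber/&quot;&gt;manage&lt;/a&gt;'
));
```

The design point is that the allowed anchor is reconstructed from its captured href and label rather than passed through, so the only markup that can reach the DOM is what `renderMessage` itself writes; an anchor that carries any other attribute, or whose href fails `isSafeHref`, simply shows up as escaped text.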
Commits b885f3c to 9f41b3d
Hi @edenduong, thank you for your contribution!
Description (*)
Fixed Issues (if relevant)
Manual testing scenarios (*)
"Allow Guest Subscription" is "No"
4. Go to frontend
5. Enter the email "[email protected]" , press "Subscribe" at the bottom.
6. Look at the message:
Questions or comments
Contribution checklist (*)