Escape user input when generating autocompelete list HTML to avoid XSS attacks

thekindofme · thekindofme · commit f102bd3a59e9 · 2020-06-22T13:16:58.000+10:00
diff --git a/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php b/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php
@@ -417,9 +417,9 @@ public function autocompleteAction()
         $output = '<ul>';
         if($customers->getSize()) {
             foreach($customers as $customer) {
-                $id = $customer->getId();
-                $name = $customer->getName();
-                $email = $customer->getEmail();
+                $id = htmlspecialchars($customer->getId(), ENT_COMPAT, 'UTF-8');
+                $name = htmlspecialchars($customer->getName(), ENT_COMPAT, 'UTF-8');
+                $email = htmlspecialchars($customer->getEmail(), ENT_COMPAT, 'UTF-8');
                 $output .= '<li id="customer-' . $id . '" data-email="' . $email . '" data-name="' . $name . '">' . $name . ' &lt;' . $email . '&gt;</li>';
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -417,9 +417,9 @@ public function autocompleteAction()`
`417`	`417`	`$output = '<ul>';`
`418`	`418`	`if($customers->getSize()) {`
`419`	`419`	`foreach($customers as $customer) {`
`420`		`- $id = $customer->getId();`
`421`		`- $name = $customer->getName();`
`422`		`- $email = $customer->getEmail();`
	`420`	`+ $id = htmlspecialchars($customer->getId(), ENT_COMPAT, 'UTF-8');`
	`421`	`+ $name = htmlspecialchars($customer->getName(), ENT_COMPAT, 'UTF-8');`
	`422`	`+ $email = htmlspecialchars($customer->getEmail(), ENT_COMPAT, 'UTF-8');`
`423`	`423`	`$output .= '<li id="customer-' . $id . '" data-email="' . $email . '" data-name="' . $name . '">' . $name . ' <' . $email . '></li>';`
`424`	`424`	`}`
`425`	`425`	`}`