From 70b7897edaf5e431fc0113e5abb8b4baeb9b5b04 Mon Sep 17 00:00:00 2001
From: Paul Morales <paul.morales@bigcommerce.com>
Date: Fri, 25 Jan 2019 13:09:51 -0800
Subject: [PATCH] fix(storefront): STRF-5948 Cleanup and XSS fix on Cart page.

---
 CHANGELOG.md                            |  1 +
 templates/components/cart/content.html  | 23 +++--------------------
 templates/components/cart/preview.html  | 13 -------------
 templates/pages/account/add-return.html |  2 +-
 4 files changed, 5 insertions(+), 34 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bab7b64001..aa87ed8e32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Draft
 
 - Ensure SKU and UPC display correctly for Variants on PDP. [#1431](https://github.com/bigcommerce/cornerstone/pull/1431)
+- Cleanup and XSS fix on Cart page. [#1434](https://github.com/bigcommerce/cornerstone/pull/1434)
 
 ## 3.1.1 (2019-01-23)
 
diff --git a/templates/components/cart/content.html b/templates/components/cart/content.html
index 31a0d66d52..0d4c229f73 100644
--- a/templates/components/cart/content.html
+++ b/templates/components/cart/content.html
@@ -26,39 +26,22 @@ <h4 class="cart-item-name"><a href="{{url}}">{{name}}</a></h4>
                         <p>({{release_date}})</p>
                     {{/if}}
 
-                    {{#if configurable_fields}}
-                        <dl class="definitionList">
-                            {{#each configurable_fields}}
-                                <dt class="definitionList-key">{{name}}:</dt>
-                                <dd class="definitionList-value">
-                                    {{#if is_file}}
-                                        <a href="/viewfile.php?prodfield={{../id}}&cartitem={{../../id}}">{{{value}}}</a>
-                                    {{else}}
-                                        {{{value}}}
-                                    {{/if}}
-                                </dd>
-                            {{/each}}
-                        </dl>
-                    {{/if}}
-
                     {{#if options}}
                         <dl class="definitionList">
                             {{#each options}}
                                 <dt class="definitionList-key">{{name}}:</dt>
                                 <dd class="definitionList-value">
                                     {{#if is_file}}
-                                        <a href="/viewfile.php?attributeId={{../id}}&cartitem={{../../id}}">{{{value}}}</a>
+                                        <a href="/viewfile.php?attributeId={{../id}}&cartitem={{../../id}}">{{value}}</a>
                                     {{else}}
-                                        {{{value}}}
+                                        {{value}}
                                     {{/if}}
                                 </dd>
                             {{/each}}
                         </dl>
-                    {{/if}}
 
-                    {{#or options configurable_fields}}
                         <a href="#" data-item-edit="{{id}}">{{lang 'cart.checkout.change'}}</a>
-                    {{/or}}
+                    {{/if}}
 
                     {{#if type '==' 'GiftCertificate'}}
                         <a href="{{edit_url}}">{{lang 'cart.checkout.change'}}</a>
diff --git a/templates/components/cart/preview.html b/templates/components/cart/preview.html
index f4424b15f0..4d571448ea 100644
--- a/templates/components/cart/preview.html
+++ b/templates/components/cart/preview.html
@@ -81,19 +81,6 @@ <h4 class="productView-title">
                         {{/or}}
                     </div>
 
-                    {{#each configurable_fields}}
-                        <dl class="productView-info">
-                            <dt class="productView-info-name">
-                                {{name}}
-                            </dt>
-                            {{#if is_file}}
-                                <a href="/viewfile.php?prodfield={{../id}}&cartitem={{../../id}}">{{{value}}}</a>
-                            {{else}}
-                                {{{value}}}
-                            {{/if}}
-                        </dl>
-                    {{/each}}
-
                     {{#each options}}
                         <dl class="productView-info">
                             <dt class="productView-info-name">
diff --git a/templates/pages/account/add-return.html b/templates/pages/account/add-return.html
index 9e62213bb4..3f9de598b8 100644
--- a/templates/pages/account/add-return.html
+++ b/templates/pages/account/add-return.html
@@ -37,7 +37,7 @@ <h3 class="account-heading">{{lang 'account.returns.from_order' id=forms.return.
                                             <dl class="definitionList">
                                                 {{#each options}}
                                                 <dt class="definitionList-label">{{name}}:</dt>
-                                                <dd class="definitionList-description">{{{value}}}</dd>
+                                                <dd class="definitionList-description">{{value}}</dd>
                                                 {{/each}}
                                             </dl>
                                             {{/if}}