JSON loading should follow OWASP reccomendation #257
Comments
|
@ldusan84, thank you for the issue and sorry for the delay! There is a ticket in the backlog. We will notify you once the team resolves this issue. |
* Service layer updates: * Implemented API for the CatalogInventory module * Refactored the external usages of the CatalogInventory module to service * Fixed bugs: * Fixed an issue where a coupon usage option was not comprehensible enough * Fixed an issue where products selection for adding to a bundle option was lost when switching between pages with product grids * Fixed an issue where Google Content was not sending the correct 'description' attribute * Fixed an issue where custom attributes were not displayed in layered navigation after a product import * Fixed an issue where the Category URL keys did not work correctly after saving * Fixed an issue where an admin could not create a Target rule with a certain Products to Display condition * Fixed a jQuery error on a product page in the Admin panel, which appeared when switching between product tabs * Framework Improvements: * Created ProductsCustomOptions Service API for Catalog module * Created DownloadableLink Service API for Catalog module * GitHub requests: * [#257] JSON loading should follow OWASP recommendation
|
@ldusan84, we have fixed the issue that you reported and released the fix in dev85. Thank you again for contributing to Magento quality! We are closing this issue. |
|
@ldusan84, I saw your tweet that you did not find the code we released in dev85 in scope of this issue. I investigated to find out if there was a mistake and the code was not included, but nope, the developer confirmed his code changes are there. He made an assumption that his implementation was different from what you might have expected. Here is what he suggested:
Please let us know if this explains everything or you would still like to get more information. If yes, please note what exactly leaves you puzzled here and I will try to connect you and the developer to make sure you receive all the answers. |
|
Hi @verklov Thanks for your effort on this issue. My concern was mainly regarding that the mime type on script tags that output json should be "application/json" and not "text/javascript". I realize it's a minor issue and that this vulnerability is not likely to be exploited, but I think it's a good practice to follow OWASP standards. Let me know what you think. Thanks |
|
Hi @ldusan84, I will let the developer know of your concerns tomorrow. If this requires some changes in the code to correspond to the OWASP standards, we will definitely initiate this change. Let me get back to you once I have the decision made. Best regards, |
|
@ldusan84, I got a response from the developer to your latest comment in this thread:
Once again, thank you for your input. |
|
Hi @verklov Thanks for the response. In the meantime I have investigated this a bit and it seems that mime type on script tag is not really that important, so I think that's good the way it is. I really like the way this issue has been resolved, thanks again. Regards |
[GoInc] MAGETWO-33527 M2 GitHub Update (version 0.74.0-beta6)
Stories: * MAGETWO-24139: Resolve TODO's related to Customer Service or create stories to resolve them * MAGETWO-56007: Initialize default values in customer custom attributes metadata * MAGETWO-56008: Moving getStoreByWebsite to Store Module
Accepted Community Pull Requests: - #28210: #257: create new id_v2 option (by @mmezhensky)
I think that JSON loading should follow OWASP reccomendation on that:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse
The text was updated successfully, but these errors were encountered: