XSS security report issue after upgrading Magento 2.2.6 to 2.3.2


Magento Security Report tells us about some problems with our Magento version 2.2.6.
After upgrading Magento via Composer to version 2.3.2, one problem still exists.

[Screenshot: xss-security-scan.jpg]
After upgrading from Magento 2.2.6 to 2.3.2, should all patches already be applied, or do we have to install every single patch?
Is there a possibility to download the single patch APPSEC-2143? Google shows no useful results.

With best regards
Martin


Re: XSS security report issue after upgrading Magento 2.2.6 to 2.3.2

@gstor Hey,

You should be good in terms of security patches. The issue you are seeing must be due to custom code which is not using the Magento standard. You need to review the code to see whether you are spitting out JS/HTML code without using the Magento standard.

Problem solved? Please give 'Kudos' and accept 'Answer as Solution'.

- Tarandeep
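As an added example (not code from this thread or from Magento), here is the kind of template audit the advice above calls for: a small Python script that walks every echo statement in a Magento `.phtml` template, reports which ones pass through a `$block->escape*()` / `$escaper->escape*()` call, and flags the legacy `/* @escapeNotVerified */` marker that Sunil's patch further down removes. The sample template is constructed for illustration and is modelled on the swagger-ui lines quoted in the thread; the escape method list is assumed from the Magento 2.3 Escaper.

```python
import re
from pathlib import Path

# Constructed sample template, modelled on the swagger-ui index.phtml lines quoted
# in this thread (not the real file). Line 1 of the string is empty.
SAMPLE_TEMPLATE = """
<input id="input_baseUrl" type="hidden" value="<?= /* @escapeNotVerified */ $schemaUrl ?>"/>
<input id="input_fixed" type="hidden" value="<?= $block->escapeUrl($schemaUrl) ?>"/>
<span><?= $block->escapeHtml($block->getTitle()) ?></span>
<span><?php echo $block->getTitle(); ?></span>
<script>var cfg = <?= $block->escapeJs($block->getConfig()) ?>;</script>
"""

# Both echo forms used in Magento templates: <?= expr ?> and <?php echo expr; ?>
ECHO_RE = re.compile(r'<\?(?:=|php\s+echo)\s*(.*?)\s*;?\s*\?>', re.DOTALL)
# Output wrapped in one of the block/Escaper escape methods (Magento 2.3 names, assumed).
ESCAPED_RE = re.compile(
    r'^\$(?:block|escaper)->escape(?:Html|HtmlAttr|Url|Js|JsQuote|Css|Quote)\(')
# Legacy marker: it only silences the static check and escapes nothing.
NOT_VERIFIED = '@escapeNotVerified'


def audit_template(source):
    """Return (line_no, expression, status) for every echoed expression;
    status is 'escaped', 'unverified' (marker still present) or 'unescaped'."""
    findings = []
    for m in ECHO_RE.finditer(source):
        line_no = source.count('\n', 0, m.start()) + 1
        expr = m.group(1).strip()
        if NOT_VERIFIED in expr:
            status = 'unverified'
        elif ESCAPED_RE.match(expr):
            status = 'escaped'
        else:
            status = 'unescaped'
        findings.append((line_no, expr, status))
    return findings


def needs_review(source):
    """Only the outputs a reviewer has to look at."""
    return [f for f in audit_template(source) if f[2] != 'escaped']


def audit_tree(root):
    """Audit every .phtml under root (e.g. app/code or app/design); path -> findings."""
    report = {}
    for path in Path(root).rglob('*.phtml'):
        hits = needs_review(path.read_text(encoding='utf-8', errors='replace'))
        if hits:
            report[str(path)] = hits
    return report
```

Run `audit_tree('app/design')` and `audit_tree('app/code')` against the store's own themes and extensions; every 'unverified' or 'unescaped' hit is a template to check by hand, since a plain `__()` phrase or a pre-escaped block method may be a false positive.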

Re: XSS security report issue after upgrading Magento 2.2.6 to 2.3.2

Did you resolve the problem with the patch?

Re: XSS security report issue after upgrading Magento 2.2.6 to 2.3.2

I have the same issue.

Did you find the solution?

Thank you

Think about what you can give, not what you can get!

Re: XSS security report issue after upgrading Magento 2.2.6 to 2.3.2

Hi,

The problem still exists. I think it is an extension or my theme, because I have installed Magento 2.3.2 from scratch, imported my database, upgraded the database schema and installed the extensions and theme. But the XSS issue is still there.

Re: XSS security report issue after upgrading Magento 2.2.6 to 2.3.2

Hello @gstor @p4pravin @tomasz_pałkiewicz

I was able to fix it with the patch below:

diff --git a/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml b/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml
index b20da68..26ef484 100644
--- a/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml
+++ b/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml
@@ -58,7 +58,7 @@ $schemaUrl = $block->getSchemaUrl();
     <div class="swagger-ui-wrap">
         <a id="logo" href="http://swagger.io">swagger</a>
         <form id='api_selector'>
-            <input id="input_baseUrl" type="hidden" value="<?= /* @escapeNotVerified */ $schemaUrl ?>"/>
+            <input id="input_baseUrl" type="hidden" value="<?= $block->escapeUrl($schemaUrl) ?>"/>
             <div class='input'><input placeholder="api_key" id="input_apiKey" name="apiKey" type="text"/></div>
             <div class='input'><a id="explore" href="#" data-sw-translate>apply</a></div>
         </form>
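Review bot: The escaping itself is right for this context, since the value lands in an HTML attribute and `$block->escapeUrl()` HTML-encodes its result after stripping script schemes, and dropping the `/* @escapeNotVerified */` marker with it is correct because that annotation only silences the static check and never escaped anything; the problem is that the hunk edits `vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml` in place, so the change is lost on the next `composer install` or `composer update`. Ship it as a composer patch through a patching plugin or override the template from a theme or module so the fix survives upgrades, and add a short note saying which Magento release carries the upstream fix so readers know when the patch can be dropped.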

Hope it will help you; if it works then mark as solution.

Problem solved? Click Kudos & Accept as Solution!
Sunil Patel
Magento 2 Certified Professional Developer & Frontend Developer