XSS on product's short description (Nop4.4)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
2 years ago
I just created a total new instance of Nop4.4 with a void database.
Then I created a product with "<script>alert("🏴‍☠️Just Hacked by XSS🏴‍☠️");</script>" in the short description and enabled the "Show on home page" checkbox.
Then for every user that goes on the homepage, the script starts running.
That also works with an Excel import.

Is it a real security issue or not?
2 years ago
It's by design. We allow a store owner to enter any information because it would be weird if a store owner wanted to hack his own store. But anyway, if you want to avoid such behavior, please open this file and replace
@Html.Raw(Model.ShortDescription)

with
@Model.ShortDescription
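The difference between the two Razor lines above, as an added C# illustration that is not nopCommerce code: Razor's `@Model.X` HTML-encodes the value the same way `HtmlEncoder.Default.Encode` does, while `@Html.Raw` writes it through unchanged. The `Product` record, the `EnteredByStoreOwner` flag and the sample description are assumptions made for this example, and the trust-based `Render` method only mirrors the owner-versus-vendor distinction discussed in this thread.

```csharp
using System;
using System.Text.Encodings.Web;

// Hypothetical, simplified product; the real nopCommerce entity has many more fields.
record Product(string ShortDescription, bool EnteredByStoreOwner);

static class ShortDescriptionRenderer
{
    // Equivalent of "@Html.Raw(Model.ShortDescription)": the stored markup is emitted
    // as-is, so any <script> saved in the description runs in every visitor's browser.
    public static string RenderRaw(Product p) => p.ShortDescription;

    // Equivalent of "@Model.ShortDescription": Razor HTML-encodes the value, so
    // '<', '>', '"', '\'' and '&' become entities and the browser shows the text
    // literally instead of executing it.
    public static string RenderEncoded(Product p) =>
        HtmlEncoder.Default.Encode(p.ShortDescription);

    // Trust-based choice reflecting the thread: keep the raw (by-design) behaviour
    // only for content the store owner entered; encode anything a vendor supplied.
    public static string Render(Product p) =>
        p.EnteredByStoreOwner ? RenderRaw(p) : RenderEncoded(p);
}

static class Program
{
    static void Main()
    {
        // Constructed sample input, based on the payload reported in this thread.
        const string payload = "<script>alert(\"Just Hacked by XSS\");</script>";

        var ownerProduct = new Product(payload, EnteredByStoreOwner: true);
        var vendorProduct = new Product(payload, EnteredByStoreOwner: false);

        Console.WriteLine("Html.Raw path      : " + ShortDescriptionRenderer.RenderRaw(ownerProduct));
        Console.WriteLine("Encoded path       : " + ShortDescriptionRenderer.RenderEncoded(ownerProduct));
        Console.WriteLine("Trust-based, owner : " + ShortDescriptionRenderer.Render(ownerProduct));
        Console.WriteLine("Trust-based, vendor: " + ShortDescriptionRenderer.Render(vendorProduct));
    }
}
```

Note that the encoded path also turns legitimate HTML a store owner placed in the description into visible text, which is the trade-off behind the original `Html.Raw` design.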
2 years ago
Thanks a lot for your answer.
I think too that it would be weird if a store owner tries to hack his own store. But I was thinking about allowing a vendor (maybe a third-party person) to introduce scripts via the catalog.

Best regards and thanks again for your responsiveness