XSS Ticket Subject Fix

maxmi · maxmi · commit 61df06431b6f · 2015-04-02T10:11:46.000+02:00
diff --git a/src/app/code/community/Zendesk/Zendesk/Helper/Data.php b/src/app/code/community/Zendesk/Zendesk/Helper/Data.php
@@ -281,7 +281,7 @@ public function getTicketUrl($row, $link = false)
         
         $subject = $row['subject'] ? $row['subject'] : $this->__('No Subject');
 
-        return '<a href="' . $url . '" target="_blank">' .  $subject. '</a>';
+        return '<a href="' . $url . '" target="_blank">' .  Mage::helper('core')->escapeHtml($subject) . '</a>';
     }
     
     public function getStatusMap()

Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ public function getTicketUrl($row, $link = false)`
`281`	`281`
`282`	`282`	`$subject = $row['subject'] ? $row['subject'] : $this->__('No Subject');`
`283`	`283`
`284`		`- return '<a href="' . $url . '" target="_blank">' . $subject. '</a>';`
	`284`	`+ return '<a href="' . $url . '" target="_blank">' . Mage::helper('core')->escapeHtml($subject) . '</a>';`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`public function getStatusMap()`