VDB
KO
HIGH 8.1

GHSA-xgpm-q3mq-46rq

PrestaShop some attribute not escaped in Validate::isCleanHTML method

Details

### Description Some event attributes are not detected by the isCleanHTML method

### Impact Some modules using the isCleanHTML method could be vulnerable to xss

### Patches 8.1.3, 1.7.8.11

### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.

### Reporters

Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub).

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / prestashop/prestashop
Introduced in: 8.0.0-beta.1 Fixed in: 8.1.3
Fix composer require prestashop/prestashop:^8.1.3
Packagist / prestashop/prestashop
Introduced in: 0 Fixed in: 1.7.8.11
Fix composer require prestashop/prestashop:^1.7.8.11

References