Description:
Similar to the cart and deals pages, the wishlist.js script renders product objects into HTML without escaping. It dynamically injects product.brand and product.name into card.innerHTML.
Actual Behavior:
Malicious HTML stored in a product's brand or name is parsed as markup, not text, when a user views their wishlist page; an event-handler attribute in the payload (for example an onload on an <svg>) runs in the viewing user's session, so this is a stored XSS.
Expected Behavior:
The frontend should pass each untrusted field through AppUtils.escapeHTML (AppUtils.escapeHTML(product.brand) and AppUtils.escapeHTML(product.name)) before interpolating it into card.innerHTML, so that any HTML tags render as literal text, or build the card with DOM nodes and set the fields via textContent.
Steps to Reproduce:
- Create a product with a brand containing an XSS payload (e.g., MaliciousBrand<svg onload=alert(1)>).
- Add the product to a user's wishlist.
- Navigate to the user's dashboard and open the Wishlist tab.
- The payload executes silently on page load.
File(s):
frontend/scripts/wishlist.js