Merge pull request PrestaShop#7087 from mickaelandrieu/fixed-1841

Protect translations display against XSS injections
hwdnoz · Dec 5, 2016 · 698a399 · 698a399
2 parents 93da545 + c80f23c
commit 698a399
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/classes/module/Module.php b/classes/module/Module.php
@@ -3102,6 +3102,7 @@ public function getTranslator()
 
     protected function trans($id, array $parameters = array(), $domain = null, $locale = null)
     {
+        $parameters['legacy'] = 'htmlspecialchars';
         return $this->getTranslator()->trans($id, $parameters, $domain, $locale);
     }
 }

diff --git a/config/smartyadmin.config.inc.php b/config/smartyadmin.config.inc.php
@@ -61,7 +61,7 @@ function smartyTranslate($params, &$smarty)
     $isInModule = isset($params['mod']) && !empty($params['mod']);
     $sprintf = isset($params['sprintf']) ? $params['sprintf'] : array();
 
-    if ($htmlEntities ||  $addSlashes) {
+    if (($htmlEntities || $addSlashes) && is_array($sprintf) && !empty($sprintf)) {
         $sprintf['legacy'] = $htmlEntities ? 'htmlspecialchars': 'addslashes';
     }
 

diff --git a/src/PrestaShopBundle/Translation/PrestaShopTranslatorTrait.php b/src/PrestaShopBundle/Translation/PrestaShopTranslatorTrait.php
@@ -40,10 +40,9 @@ public function trans($id, array $parameters = array(), $domain = null, $locale
 
         if (!$this->isSprintfString($id) || empty($parameters)) {
             $translated = parent::trans($id, $parameters, $domain, $locale);
-            if (isset($parameters['legacy'])) {
-                $translated = call_user_func($parameters['legacy'],$translated);
-            }
-        }else {
+            $parameters['legacy'] = 'htmlspecialchars';
+            $translated = call_user_func($parameters['legacy'], $translated);
+        } else {
             $translated = vsprintf(parent::trans($id, array(), $domain, $locale), $parameters);
         }