CVE-2022-0954: Update SaveOptionApiController.php · microweber/microweber@955471c
Multiple stored cross-site scripting (XSS) vulnerabilities in Shop’s Other Settings, Shop’s Autorespond E-mail Settings and Shop’s Payment Methods in the GitHub repository microweber/microweber prior to 1.2.11.
@@ -6,18 +6,30 @@
class SaveOptionApiController
{
public function saveOption(Request $request) {
public $whitelistedGroupKeys = [
‘website’ => [
'website_head’,
‘website_footer’
]
];
public function saveOption(Request $request)
{
$cleanFromXss = true;
$option = $request->all();
// Allow for this keys
// Allow for this keys and groups
if (isset($option[‘option_key’])) {
if ($option[‘option_key’] == ‘website_head’) {
$cleanFromXss = false;
}
if ($option[‘option_key’] == ‘website_footer’) {
$cleanFromXss = false;
foreach ($this->whitelistedGroupKeys as $group => $keys) {
if ($option[‘option_group’] == $group) {
foreach ($keys as $key) {
if ($option[‘option_key’] == $key) {
$cleanFromXss = false;
break;
}
}
}
}
}