Vulnerability: Stored Cross-Site Scripting (XSS)
Location: Receipt generation (Product Questions Note)
Source: User.name field (controllable by users/sellers via profile settings, e.g., /settings/profile).
Sink:
- The display_name method in /app/app/models/user.rb:408 returns the user's name if present.
- The product_questions_note method in /app/app/presenters/receipt_presenter/charge_info.rb:34 interpolates seller.display_name into a string containing a mail_to link.
- This entire string is marked html_safe ("#{question} #{action}".html_safe).
- The result is assigned to charge_info.product_questions_note.
- This note is rendered without escaping using <%= charge_info.product_questions_note %> in /app/app/views/customer_mailer/receipt/sections/_items.html.erb:11, which is part of the receipt email/web view.
Exploitation:
- A seller goes to their profile settings.
- They set their 'Name' field to an XSS payload, e.g., <img src=x onerror=alert('XSS-DisplayName')>.
- A user purchases a product from this seller.
- When the user views the receipt (web or email), the 'Questions about this product?' section renders the seller's name unsanitized, executing the script.
Impact: Allows sellers to execute arbitrary JavaScript in the context of users viewing receipts for their products. This can lead to session hijacking, phishing, or other attacks against buyers.
Recommendation: HTML-escape the seller.display_name before interpolating it into the string in charge_info.rb, or ensure the output of product_questions_note is escaped where it's rendered in the view (e.g., use h() or remove the .html_safe). Escaping the name before interpolation is generally safer.
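The following is an added example, not code from the affected project, illustrating the recommended fix in plain Ruby: the presenter method as described above (user-controlled display_name interpolated into markup that is later treated as trusted HTML) next to a version that escapes every user-controlled value before interpolation, plus a simple check a reviewer can run over the rendered note. The Seller struct, the email/name fallback, the exact wording of the note and the shape of the mailto link are assumptions made for this example; CGI.escapeHTML is the stdlib equivalent of the Rails h() helper (ERB::Util.html_escape).

```ruby
require "cgi"

# Constructed stand-in for the seller record; the real app's User model is not used here.
# The fallback from name to email is an assumption for this example.
Seller = Struct.new(:name, :email) do
  def display_name
    name.to_s.empty? ? email : name
  end
end

# Vulnerable shape, as described in the report: display_name is interpolated
# unescaped, and the real code then marks the whole string .html_safe so the
# view renders it as trusted HTML.
def product_questions_note_unsafe(seller)
  question = "Questions about this product?"
  action   = "Contact #{seller.display_name} at " \
             "<a href=\"mailto:#{seller.email}\">#{seller.email}</a>."
  "#{question} #{action}"
end

# Hardened version: escape each user-controlled value at the point it enters
# the markup. Only template-authored tags remain as literal HTML, so marking the
# result safe afterwards (as the presenter does) no longer exposes the buyer.
def product_questions_note_safe(seller)
  question = "Questions about this product?"
  name     = CGI.escapeHTML(seller.display_name.to_s)
  email    = CGI.escapeHTML(seller.email.to_s)
  action   = "Contact #{name} at <a href=\"mailto:#{email}\">#{email}</a>."
  "#{question} #{action}"
end

# Review-time check: after removing the anchor the template itself emits,
# does any other tag-like token remain? A true result means user input reached
# the markup unescaped.
def contains_injected_tag?(html)
  stripped = html.gsub(%r{<a href="mailto:[^"]*">|</a>}, "")
  stripped.match?(%r{<[a-zA-Z!/]})
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample using the payload quoted in the report.
  seller = Seller.new("<img src=x onerror=alert('XSS-DisplayName')>", "seller@example.com")
  puts "unsafe: #{product_questions_note_unsafe(seller)}"
  puts "safe:   #{product_questions_note_safe(seller)}"
  puts "injected tag in unsafe output? #{contains_injected_tag?(product_questions_note_unsafe(seller))}"
  puts "injected tag in safe output?   #{contains_injected_tag?(product_questions_note_safe(seller))}"
end
```

Escaping at interpolation time is preferable to escaping in the view because the presenter already declares the string html_safe; once that flag is set, nothing downstream will escape it, so the only reliable place to neutralise the name is before it is concatenated.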