Skip to content

Commit 654ecbc

Browse files
danmooney2danmooney2
committed
MC-15375: XSS Injection via nested link in Banner
Use positive lookahead to eliminate all inner content between starting anchor tag and first instance of ending anchor tag
1 parent c303a47 commit 654ecbc

File tree

2 files changed

+2
-2
lines changed

2 files changed

+2
-2
lines changed

app/code/Magento/PageBuilder/view/adminhtml/web/js/utils/nesting-link-dialog.js

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/code/Magento/PageBuilder/view/adminhtml/web/ts/js/utils/nesting-link-dialog.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ export default function nestingLinkDialog(
2828
const dataStoreContent = dataStore.getState() as DataObject;
2929
const inlineMessage = dataStoreContent[inlineMessageField] as string;
3030
const linkUrl = dataStoreContent[linkUrlField] as FieldDefaultsInterface;
31-
const aLinkRegex = /<a[\s]+([^>]+)>|<a>|<\/a>/igm;
31+
const aLinkRegex = /(<a[\s]+[^>]+).+(?=<\/a>)<\/a>/igm;
3232
if (wysiwyg &&
3333
inlineMessage.match(aLinkRegex) &&
3434
linkUrl &&

0 commit comments

Comments
 (0)