This repository has been archived by the owner on Jul 12, 2024. It is now read-only.
3.3.3 Fix PCI vulnerability in search field
Kevin Ottley edited this page Jun 27, 2016
It was discovered that the search field contained a cross-site scripting vulnerability. This has been fixed in version 3.3.3, but merchants with custom themes may need to make some code changes to ensure the fix propagates to their site, because a custom theme carries its own copy of the affected view file.
This fix applies to themes copied from Brooklyn and Brooklyn2014.
Look for the following file in the directory structure of your theme:
views/site/_search.php
Search for the following code:
'source' => 'js:function (query, process) {
    $.get("' . Yii::app()->controller->createUrl("search/live") . '",{q: query},function(jsdata) {
        response = $.parseJSON(jsdata);
        var data = new Array();
        data.push("' . Yii::app()->controller->createUrl("search/results") . '?q="+query+"|search for "+query);
        for(var key in response.options)
            data.push(key+"|"+response.options[key]);
        process(data);
    });}',
Replace the source value with the following code:
'source' => 'js:function (query, process) {
    $.get("' . Yii::app()->controller->createUrl("search/live") . '",
        {q: query},
        function(jsdata) {
            // HTML-escape the user-typed query before it is placed in the dropdown entries.
            // "&" is replaced first so the entities produced below are not escaped a second time.
            query = query
                .replace(/&/g, "&amp;")
                .replace(/</g, "&lt;")
                .replace(/>/g, "&gt;")
                .replace(/"/g, "&quot;");
            response = $.parseJSON(jsdata);
            var data = new Array();
            data.push("' . Yii::app()->controller->createUrl("search/results") . '?q="+query+"|search for "+query);
            for(var key in response.options)
                data.push(key+"|"+response.options[key]);
            process(data);
        });
}',
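The following is an added example, not code from this wiki page or from the project itself. It lifts the escaping applied to the typeahead query in the 3.3.3 fix into a stand-alone function and builds the "value|label" dropdown entries both the pre-fix way (raw query) and the fixed way (escaped query) on a constructed query and a constructed server response, so the effect of the change can be checked outside a theme. The search results URL, the sample query and the sample response are assumptions made up for the example; the real theme code obtains the URL from Yii::app()->controller->createUrl("search/results").

```javascript
// Added example (not the project's code): the query escaping from the 3.3.3
// fix, and the dropdown entry construction before and after that fix.

// Same four replacements as the fixed theme code, in the same order.
// "&" is handled first so that "&lt;", "&gt;" and "&quot;" produced by the
// later replacements are not rewritten into "&amp;lt;" and so on.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Hypothetical stand-in for Yii::app()->controller->createUrl("search/results").
const SEARCH_RESULTS_URL = "/search/results";

// Builds the "value|label" entries the typeahead consumes, in the same shape
// as the theme code. Pre-3.3.3 behaviour: the query is used exactly as typed.
function buildEntriesUnescaped(query, response) {
  var data = [];
  data.push(SEARCH_RESULTS_URL + "?q=" + query + "|search for " + query);
  for (var key in response.options) {
    data.push(key + "|" + response.options[key]);
  }
  return data;
}

// 3.3.3 behaviour: the query is escaped once, before it is used in any entry.
function buildEntriesEscaped(query, response) {
  return buildEntriesUnescaped(escapeHtml(query), response);
}

// Constructed sample response in the shape the theme code reads from
// the "search/live" endpoint (URL => label).
const SAMPLE_RESPONSE = {
  options: { "/product/1": "Blue Jeans", "/product/2": "Blue Shirt" }
};

// Constructed sample query containing the characters the fix escapes.
const SAMPLE_QUERY = 'blue "<b>jeans</b>" & more';

// True if an entry still carries characters a browser treats as markup when
// the label is inserted into the dropdown as HTML.
function containsRawMarkup(entry) {
  return /[<>"]/.test(entry);
}

// Stand-alone run: compare the two constructions on the sample data.
var before = buildEntriesUnescaped(SAMPLE_QUERY, SAMPLE_RESPONSE);
var after = buildEntriesEscaped(SAMPLE_QUERY, SAMPLE_RESPONSE);
console.log("raw markup before fix:  " + before.some(containsRawMarkup));
console.log("raw markup after fix:   " + after.some(containsRawMarkup));
console.log(after[0]);
```

The escaping covers only the query the user typed, which is what the 3.3.3 change does; the labels coming back from the server are passed through unchanged in both versions, exactly as in the theme code. If you adapt this into a theme, keep the replacement order: swapping `&` to a later position would turn `&lt;` into `&amp;lt;` and the dropdown would show the literal text `&lt;`.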