Skip to content

fix: Critical/High XSS and open redirect vulnerabilities (no data migration)#726

Draft
KrzysztofPajak with Copilot wants to merge 3 commits into
developfrom
copilot/security-audit-code
Draft

fix: Critical/High XSS and open redirect vulnerabilities (no data migration)#726
KrzysztofPajak with Copilot wants to merge 3 commits into
developfrom
copilot/security-audit-code

Conversation

Copilot AI commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

User-controlled fields were injected raw into Vue.js data initialization blocks, enabling stored XSS. Payment and download redirect URLs lacked protocol validation, enabling javascript:/data: URI injection.

XSS — Html.Raw() in JavaScript context (7 views)

Fields like FirstName, Email, Address, Enquiry etc. were embedded in JS string literals without encoding:

// Before — XSS: FirstName: 'Smith\', XSS=alert(1)//'
FirstName: '@Html.Raw(Model.FirstName)',

// After — safe JSON encoding
FirstName: @Json.Serialize(Model.FirstName),

Affected views: Account/Info, Account/Register, Account/Partials/EditSubAccount, Account/Partials/CreateSubAccount, Contact/Index, Shared/Partials/CreateOrUpdateAddress, MerchandiseReturn/MerchandiseReturn.

Open Redirect — payment & download URLs (3 controllers)

PostRedirectPayment() and stored download URLs were redirected to without scheme validation. Added Uri.TryCreate + http/https-only guard — payment provider external URLs continue to work.

// Before
return Redirect(redirectUrl);

// After
if (Uri.TryCreate(redirectUrl, UriKind.Absolute, out var uri) &&
    (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
    return Redirect(redirectUrl);

Affected: OrderController.RePostPayment, CheckoutController.CompleteRedirectionPayment, DownloadController.DownloadFile.

No data migration required. No changes to Grand.Web.Store.CustomerController.

Copilot AI and others added 2 commits July 5, 2026 12:02
…e is off

Co-authored-by: KrzysztofPajak <16772986+KrzysztofPajak@users.noreply.github.com>
Co-authored-by: KrzysztofPajak <16772986+KrzysztofPajak@users.noreply.github.com>
Copilot AI changed the title Restore backward compatibility in store customer panel when per-store mode is disabled Restore backward compatibility in Store Customer panel when per-store identity is disabled Jul 5, 2026
Copilot AI requested a review from KrzysztofPajak July 5, 2026 12:04
…ect)

Co-authored-by: KrzysztofPajak <16772986+KrzysztofPajak@users.noreply.github.com>
Copilot AI changed the title Restore backward compatibility in Store Customer panel when per-store identity is disabled fix: Critical/High XSS and open redirect vulnerabilities (no data migration) Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants