Fix XSS in name parameter of Pricing Rules (#14969)

bundles/EcommerceFrameworkBundle/PricingManager/Rule.php

@@ -24,7 +24,7 @@
 use Pimcore\Logger;
 use Pimcore\Model\AbstractModel;
 use Pimcore\Model\Exception\NotFoundException;
-
+use Pimcore\Security\SecurityHelper;
 /**
  * @method Dao getDao()
  */
@@ -204,8 +204,7 @@ public function getName()
      */
     public function setName($name, $locale = null)
     {
-        $this->name = $name;
-
+        $this->name = SecurityHelper::convertHtmlSpecialChars($name);
         return $this;
     }
 

bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js

@@ -295,17 +295,21 @@ pimcore.bundle.EcommerceFramework.pricing.config.panel = Class.create({
      * delete existing rule
      */
     deleteRule: function (tree, record) {
-        pimcore.helpers.deleteConfirm(t('bundle_ecommerce_pricing_rule'), record.data.text, function () {
-            Ext.Ajax.request({
-                url: Routing.generate('pimcore_ecommerceframework_pricing_delete'),
-                method: 'DELETE',
-                params: {
-                    id: record.id
-                },
-                success: function () {
-                    this.refresh(this.tree.getRootNode());
-                }.bind(this)
-            });
+        const decodedName = Ext.util.Format.htmlDecode(record.data.text);
+        pimcore.helpers.deleteConfirm(
+            t('bundle_ecommerce_pricing_rule'),
+            Ext.util.Format.htmlEncode(decodedName),
+            function () {
+                Ext.Ajax.request({
+                    url: Routing.generate('pimcore_ecommerceframework_pricing_delete'),
+                    method: 'DELETE',
+                    params: {
+                        id: record.id
+                    },
+                    success: function () {
+                        this.refresh(this.tree.getRootNode());
+                    }.bind(this)
+                });
         }.bind(this));
 
     },