From e88fa79de7b5903fb58ddbc231130b04d937d79e Mon Sep 17 00:00:00 2001
From: aryaantony92 <97134765+aryaantony92@users.noreply.github.com>
Date: Wed, 19 Apr 2023 18:41:58 +0200
Subject: [PATCH] Fix XSS in name parameter of Pricing Rules (#14969)
---
 .../PricingManager/Rule.php | 5 ++--
 .../public/js/pricing/config/panel.js | 26 +++++++++++--------
 2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/bundles/EcommerceFrameworkBundle/PricingManager/Rule.php b/bundles/EcommerceFrameworkBundle/PricingManager/Rule.php
index a77df2d2613..eeda721eb21 100644
--- a/bundles/EcommerceFrameworkBundle/PricingManager/Rule.php
+++ b/bundles/EcommerceFrameworkBundle/PricingManager/Rule.php
@@ -24,7 +24,7 @@
 use Pimcore\Logger;
 use Pimcore\Model\AbstractModel;
 use Pimcore\Model\Exception\NotFoundException;
-
+use Pimcore\Security\SecurityHelper;
 /**
 * @method Dao getDao()
 */
@@ -204,8 +204,7 @@ public function getName()
 */
 public function setName($name, $locale = null)
 {
- $this->name = $name;
-
+ $this->name = SecurityHelper::convertHtmlSpecialChars($name);
 return $this;
 }
diff --git a/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js b/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js
index 26c3fd30281..dc207448c90 100644
--- a/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js
+++ b/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js
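Review bot: As this hunk is rendered, the added `use Pimcore\Security\SecurityHelper;` takes the place of the blank line that separated the import block from the class docblock, so `/**` now follows the last `use` directly; PSR-12 expects one blank line after the import block. Keep the new import but leave the blank line as unchanged context instead of removing it, i.e. `+use Pimcore\Security\SecurityHelper;` followed by the existing empty line. This is cosmetic and does not affect the fix.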
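Review bot: Escaping inside `setName()` turns the stored name into HTML at write time, so every consumer of `getName()` now receives entity-encoded text — JSON or API output, exports, logs, and any equality or search against the name see `&lt;`/`&amp;`, and an autoescaping template will double-encode it; the conventional fix is to escape at the HTML sink (the admin tree and any template that prints the name) and keep the model value raw. If the setter is kept as written, two consequences need attention: the change presumably protects only rules saved from now on (rows persisted earlier still hold the raw name until re-saved, so sink-side escaping or a one-off re-save is needed for them), and a save round-trip that calls `setName(getName())` will encode the stored entities again unless `convertHtmlSpecialChars` is idempotent on already-escaped input, which this hunk does not show — the decode-then-encode added in panel.js suggests callers already have to compensate. At minimum document the invariant in the method's docblock, which opens above the hunk, e.g. `@param string $name raw rule name; it is stored HTML-escaped, so callers pass unescaped text and must not escape it again on output`. The unused `$locale` parameter predates this change and can stay, but the docblock should say it is ignored.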
@@ -295,17 +295,21 @@ pimcore.bundle.EcommerceFramework.pricing.config.panel = Class.create({
 * delete existing rule
 */
 deleteRule: function (tree, record) {
- pimcore.helpers.deleteConfirm(t('bundle_ecommerce_pricing_rule'), record.data.text, function () {
- Ext.Ajax.request({
- url: Routing.generate('pimcore_ecommerceframework_pricing_delete'),
- method: 'DELETE',
- params: {
- id: record.id
- },
- success: function () {
- this.refresh(this.tree.getRootNode());
- }.bind(this)
- });
+ const decodedName = Ext.util.Format.htmlDecode(record.data.text);
+ pimcore.helpers.deleteConfirm(
+ t('bundle_ecommerce_pricing_rule'),
+ Ext.util.Format.htmlEncode(decodedName),
+ function () {
+ Ext.Ajax.request({
+ url: Routing.generate('pimcore_ecommerceframework_pricing_delete'),
+ method: 'DELETE',
+ params: {
+ id: record.id
+ },
+ success: function () {
+ this.refresh(this.tree.getRootNode());
+ }.bind(this)
+ });
 }.bind(this));
 },
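Review bot: The decode-then-encode round trip on `record.data.text` at the top of the new block is not self-explanatory and should carry a comment: it reads as normalising a name that the server may already store HTML-escaped (`Rule::setName` in the companion Rule.php hunk) so the confirm dialog does not show a doubly-encoded `&amp;lt;`, while still escaping a raw name. I would add above the `const decodedName` line `// Rule names may arrive HTML-escaped from the server; decode first so an already-escaped name is not encoded twice before deleteConfirm renders it.` Two assumptions are not visible here and are worth checking: that `pimcore.helpers.deleteConfirm` renders its second argument as HTML rather than escaping it itself (otherwise the encode leaves literal entities in the dialog), and that `Ext.util.Format.htmlDecode` reverses every entity the PHP helper emits (numeric apostrophe entities such as `&#039;` are the usual gap) — an entity it does not recognise stays literal in the message. The `deleteRule` method closes inside the hunk, but the enclosing `Class.create({` object starts well above it.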