Update js.phtml DOM text reinterpreted as HTML

[Shivam7-1]

Description (*)

By using innerText, it will avoid the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML.

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
• All automated tests passed successfully (all builds are green)

Resolved issues:

1. resolves [Issue] Update js.phtml DOM text reinterpreted as HTML #38821: Update js.phtml DOM text reinterpreted as HTML

[m2-assistant]

Hi @Shivam7-1. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.

Add the comment under your pull request to deploy test or vanilla Magento instance:

• @magento give me test instance - deploy test instance based on PR changes
• @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[Shivam7-1]

@magento run all tests

[engcom-Charlie]

@magento create issue

[m2-assistant]

Hi @Shivam7-1. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[Shivam7-1]

Hii @engcom-Charlie it's not yet Merged
If possible Could Team Reviews this As Soon As possible

Thanks

[Shivam7-1]

Hii @engcom-Charlie , @engcom-Dash @engcom-Bravo and @engcom-Hotel Could You Please Review This PR
As Soon As Possible Because its pending for Review since many months

Thanks & Regards

[Shivam7-1]

Hii @engcom-Hotel Could You Please Review This PR
As Soon As Possible Because its pending for Review since many months

Thanks & Regards

[engcom-Hotel]

@magento run all tests

[Shivam7-1]

Hii @engcom-Hotel any update on this PR ?
Regards

[engcom-Dash]

@magento run all tests

[engcom-Dash]

@magento run all tests

[engcom-Dash]

Hi @Shivam7-1

Thanks for your PR. I have tested the changes using custom script and everything seems to be working fine from that angle.

Custom Script:

However, I am just curious to identify the exact area in the Magento admin where this code would have a direct impact. Could you please share some manual testing scenarios or specific place in the admin where this can be verified? That would really help ensure thorough testing.

Also, the static tests are failing because ot the PR changes. Let me know if you are working on them. If not, Can I take care of the static failures?

Appreciate you help!

[Shivam7-1]

Hii @engcom-Dash

Thank you for testing the changes and for your valuable feedback!

Regarding your question about the Magento admin, the change I made to innerText instead of innerHTML primarily impacts areas where dynamic content is injected into the DOM, such as in product descriptions, CMS pages, or any input that may render user-provided HTML. This will help prevent potential XSS vulnerabilities by treating the content as plain text. You can verify the change by testing these areas—specifically by submitting content with HTML special characters in places like product descriptions or custom CMS pages.

If you prefer to take care of the static failures, please feel free to do

Thanks

[Shivam7-1]

Hii @engcom-Dash any update on this PR?
Is it ready to merge ?

[engcom-Dash]

Hii @engcom-Dash

Thank you for testing the changes and for your valuable feedback!

Regarding your question about the Magento admin, the change I made to innerText instead of innerHTML primarily impacts areas where dynamic content is injected into the DOM, such as in product descriptions, CMS pages, or any input that may render user-provided HTML. This will help prevent potential XSS vulnerabilities by treating the content as plain text. You can verify the change by testing these areas—specifically by submitting content with HTML special characters in places like product descriptions or custom CMS pages.

If you prefer to take care of the static failures, please feel free to do

Thanks

Hello @Shivam7-1,

Thank you for your reply!

I have tested the changes by adding the content with HTML special character, script in the product description and CMS Pages. Even after injecting a script with XSS vulnerabilities on product description or CMS page the script still renders instead of being treated as plain text. In case of HTML tag there is no visible difference on 2.4-develop & PR branch.

It looks like the PR file changes doesn't have any visible effect on the product description or CMS page. Just to make sure I am validating the relevant functionality could you please share the exact manual test scenarios/steps and where this file is getting executed?

Please find below screenshot with or without PR changes for product description:
On develop Branch: 2.4-develop

On PR Branch: patch-3

Thank You

[Shivam7-1]

Hii @engcom-Dash I saw the feedback about no visible change. Just to clarify — the change from innerHTML to innerText is intentional for XSS prevention. we should keep such security updates even if they don’t result in visible UI changes
Thanks

[engcom-Dash]

@magento run all tests

[engcom-Dash]

Hi @Shivam7-1,

Thanks for the clarification! I understand that the change from innerHTML to innerText is intentional for XSS prevention. We actually tried addressing that via a custom script as well.

I am just curious to know where exactly this file is getting rendered in the admin as it would help us better assess the impact of the change in various scenarios. Otherwise, applying this change alone might not have any practical effect.

Appreciate your efforts on improving security!

I have fixed the static test failures and since the functional test is failing moving this PR to Extended Testing.

Thanks!

[Shivam7-1]

Hii @engcom-Dash Thanks For Reviewing and Continous Support on this

[engcom-Dash]

@magento run all tests

[engcom-Dash]

@magento run Functional Tests B2B, Functional Tests EE, Functional Tests CE, Integration Tests