Light cross-site scripting vulnerability fix

[abantecart]

Light cross-site scripting vulnerability has been detected in AbanteCart.
Detected vulnerability does not cause any harm to AbanteCart or content.
To fix the problem, please read below.

Effected versions: Up to 1.1.3

About Risk:  This is a low risk cross-site scripting vulnerability. Not potential harm to code, database or server structure.

About the fix:
Fix is only 1 file that can be replaces or change manually
Option 1 (version 1.1.3):
Locate file: /core/engine/html.php  and replace with attached file

Option 2 (prior to version 1.1.3)
Locate and open file: /core/engine/html.php    
Locate  below code (about line # 114)

Code Select Expand

public function removeQueryVar($url, $vars) {
list($url_part, $q_part) = explode('?', $url);
parse_str($q_part, $q_vars);
if (!is_array($vars)) {
$vars = array( $vars );
}
foreach ($vars as $v)
unset($q_vars[ $v ]);

$new_qs = urldecode(http_build_query($q_vars));
return $url_part . '?' . $new_qs;
}


Replace with below code:

Code Select Expand

public function removeQueryVar($url, $vars) {
list($url_part, $q_part) = explode('?', $url);
parse_str($q_part, $q_vars);
if (!is_array($vars)) {
$vars = array( $vars );
}
foreach ($vars as $v)
unset($q_vars[ $v ]);

foreach ($q_vars as $key => $value)
$q_vars[$key] = $this->request->clean($value);

$new_qs = urldecode(http_build_query($q_vars));
return $url_part . '?' . $new_qs;
}

This issue is toughly addressed and eliminated in coming version of AbanteCart

[DamonPadilla]

Light cross-site scripting vulnerability has been detected in AbanteCart.
Detected vulnerability does not cause any harm to AbanteCart or content.
To fix the problem, please read below.

Thanks for sharing the code.. I am facing similar vulnerability and now I think my problem is solved.. Thanks again