
In the Magento security scan I got the below message for my Magento instance:

XS Vulnerability - Failed. XSS Patch not detected (APPSEC-2143)

I am using Magento 2.2.3.

How could I resolve this?

Does anyone have an idea about it?

asked Aug 3, 2019 at 7:01

2 Answers

1

I was able to fix it with the patch below:

diff --git a/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml b/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml index b20da68..26ef484 100644 --- a/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml +++ b/vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml @@ -58,7 +58,7 @@ $schemaUrl = $block->getSchemaUrl(); <div class="swagger-ui-wrap"> <a id="logo" href="http://swagger.io">swagger</a> <form id='api_selector'> - <input id="input_baseUrl" type="hidden" value="<?= /* @escapeNotVerified */ $schemaUrl ?>"/> + <input id="input_baseUrl" type="hidden" value="<?= $block->escapeUrl($schemaUrl) ?>"/> <div class='input'><input placeholder="api_key" id="input_apiKey" name="apiKey" type="text"/></div> <div class='input'><a id="explore" href="#" data-sw-translate>apply</a></div> </form>
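Review bot: the edit is the right fix for the hidden input's `value` attribute (`$block->escapeUrl($schemaUrl)` in place of the `/* @escapeNotVerified */ $schemaUrl` output), but it is made directly in `vendor/magento/module-swagger/view/frontend/templates/swagger-ui/index.phtml`, which the next `composer install` or `composer update` will overwrite, after which the scanner will report APPSEC-2143 again. Apply it as a composer patch instead (or take the 2.2.7 upgrade mentioned in the other answer, where this fix is already included), and before rescanning confirm the changed `<input id="input_baseUrl" ...>` line in the deployed template really contains the `escapeUrl` form, since the scanner checks the file content rather than the patch having been run.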

Hope it will help someone.

answered Aug 12, 2019 at 10:41
3
  • Thanks for your help. I tried the same in my instance and checked it again with the Magento Scanner, but it is giving the same error. Is there any other way? Commented Aug 14, 2019 at 6:37
  • Have you confirmed that the patch applied? Commented Aug 14, 2019 at 8:12
  • Thanks for this answer, I spent 6 hours debugging the issue and finally fixed it. By the way, I'm using Magento 2.2.5; this will help future Magento fellow people: you should patch this Magento swagger file and update the value to <?= $block->escapeUrl($schemaUrl) ?>. Thanks! Commented Sep 16, 2019 at 13:47
0

This is fixed in 2.2.7, so have you considered an upgrade?

Although a custom theme can also cause this, so you could go through an upgrade and still get the warning.

Try the upgrade on a public dev store if you can, and try scanning that store first.

answered Aug 3, 2019 at 7:44
1
  • Thanks, @Dominic Xigen, for your response, but we do not want to upgrade the version. Is there any other way? Commented Aug 14, 2019 at 6:41
