Stored XSS in Product Custom Receipt Field #16

@ghost

Description

Vulnerability: Stored Cross-Site Scripting (XSS)

Location: Receipt generation (Web and Email)

Source: Link.custom_receipt field (controllable by product sellers).

Sink:

  1. /app/app/presenters/receipt_presenter/item_info.rb#custom_receipt_note retrieves purchase.link.custom_receipt and processes it with simple_format and Rinku.auto_link. Neither sanitizes HTML.
  2. /app/app/views/customer_mailer/receipt/_item.html.erb:23 renders this processed value using <%= raw item_props[:custom_receipt_note] %>.
  3. This partial is included in the receipt email generated by CustomerMailer.receipt.
  4. The same email content is rendered directly to the browser via render html: message.html_part.body.raw_source.html_safe in /app/app/controllers/purchases_controller.rb:343 (the receipt action).

Exploitation:

  1. A seller creates or edits a product.
  2. In the "Custom Receipt" field for the product, the seller enters an XSS payload, e.g., <img src=x onerror=alert('XSS-Receipt')>.
  3. A user purchases this product.
  4. When the user views the receipt (either the web version at /purchases/:id/receipt or the email receipt), the malicious script executes.

Impact: Allows sellers to execute arbitrary JavaScript in the context of users viewing receipts for their products. This can lead to session hijacking, phishing, or other attacks against buyers.

Recommendation: Sanitize the custom_receipt content using a robust HTML sanitizer (like Rails' sanitize helper with appropriate configuration) before passing it to simple_format or Rinku.auto_link and before rendering it with raw or html_safe. Ensure only safe HTML tags and attributes are allowed.
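The pipeline named in the Sink section (custom_receipt -> simple_format -> Rinku.auto_link -> rendered with raw/html_safe) and the ordering the Recommendation asks for are modelled below. This is an added example, not code from the project in the issue: ActionView's simple_format, the Rinku gem and Rails' sanitize helper are replaced by stdlib-only stand-ins so it runs without gems, and the allowlist mentioned in the comments is an assumption about what formatting sellers should keep.

```ruby
require 'erb'

# Added example, not code from the project the issue describes. It models the
# receipt-note pipeline named in the Sink section (custom_receipt ->
# simple_format -> Rinku.auto_link -> rendered with raw/html_safe) using
# stdlib-only stand-ins so it runs without Rails or the rinku gem.

# Stand-in for ActionView's simple_format: paragraphs on blank lines,
# <br /> on single newlines. Like the real helper, it does not sanitize.
def simple_format_like(text)
  text.to_s.split(/\n[ \t]*\n/).map do |para|
    "<p>#{para.strip.gsub("\n", '<br />')}</p>"
  end.join("\n")
end

# Stand-in for Rinku.auto_link: wraps bare http(s) URLs in <a>. Also no sanitizing.
def auto_link_like(html)
  html.gsub(%r{https?://[^\s<"]+}) { |url| %(<a href="#{url}">#{url}</a>) }
end

# The order used by the vulnerable presenter: untrusted seller markup is fed
# straight into the formatters, and the result is later marked html_safe.
def custom_receipt_note_vulnerable(custom_receipt)
  auto_link_like(simple_format_like(custom_receipt))
end

# Hardened order: neutralise the seller's markup BEFORE any helper that emits
# HTML. ERB::Util.html_escape escapes everything; in the Rails app the
# recommended replacement is `sanitize(custom_receipt, tags: %w[b i em strong],
# attributes: [])`, which keeps an allowlist of formatting tags instead
# (assumption: that allowlist fits the product's needs).
def custom_receipt_note_hardened(custom_receipt)
  neutralised = ERB::Util.html_escape(custom_receipt)
  auto_link_like(simple_format_like(neutralised))
end

# Regression check for a test suite: the pipeline may only ever emit the tags
# its own formatters produce. Anything else came from seller input.
ALLOWED_OUTPUT_TAGS = %w[p br a].freeze

def unexpected_tags(html)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq - ALLOWED_OUTPUT_TAGS
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the payload quoted in the issue and a benign note.
  payload = "<img src=x onerror=alert('XSS-Receipt')>"
  benign  = "Thanks for buying!\nDownload at https://example.com/files?id=1&x=2\n\nEnjoy"

  puts "vulnerable: #{custom_receipt_note_vulnerable(payload)}"
  puts "  leaked tags: #{unexpected_tags(custom_receipt_note_vulnerable(payload)).inspect}"
  puts "hardened:   #{custom_receipt_note_hardened(payload)}"
  puts "  leaked tags: #{unexpected_tags(custom_receipt_note_hardened(payload)).inspect}"
  puts "benign:     #{custom_receipt_note_hardened(benign)}"
end
```

The point of the example is the ordering: escaping or sanitizing has to happen before simple_format and auto_link, because both helpers emit HTML and neither strips it, and anything done after raw or html_safe is too late. The unexpected_tags check is the kind of assertion worth adding to the receipt presenter's specs, since it fails the moment a seller-controlled tag survives the pipeline, whichever sanitizer is in use.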

Metadata

Labels: wontfix (This will not be worked on)