
Why it Matters

When values are printed into templates without escaping, an attacker who controls any of that data (a request parameter, a customer's profile field, a product review) can inject markup and JavaScript that the browser then executes: cross-site scripting (XSS). That script runs with the victim's session and can steal it, rewrite the page, or perform actions as the victim, whether the victim is a customer on the storefront or an administrator in the backend.

Escaping output ensures that user-provided data is rendered as plain text rather than interpreted as markup or code. Magento provides escape helpers for each output context (HTML body, HTML attribute, JavaScript string, URL), available on the block in all versions and, since Magento 2.4, as the $escaper object injected into every template. The helper must match the context the value lands in; a value that is safe in the HTML body is not automatically safe inside an attribute or a script block. Using these functions consistently protects both customers and admin users from cross-site scripting.

Verification Steps

Manual

# List every echo in template files; both "<?=" and "<?php echo" print into the page
grep -Rn --include="*.phtml" -e "<?=" -e "<?php echo" app/design app/code

# Drop the hits that already call an escape function, then read what is left by hand.
# This filter is coarse: a single line can escape one variable and still print another raw,
# and a value escaped for the HTML body may be sitting inside an attribute or <script>,
# so check the context of every remaining hit, not just the presence of an escape call.
grep -Rn --include="*.phtml" -e "<?=" -e "<?php echo" app/design app/code | grep -v "escape"

# Each echo should be wrapped in the escape function for the context it is printed into
$block->escapeHtml($var)       # HTML body text
$block->escapeHtmlAttr($var)   # HTML attribute value (keep the attribute quoted)
$block->escapeJs($var)         # JavaScript string literal (keep the quotes around it)

Remediation / Fix Guidance

  1. Always use Magento's escape functions when printing variables in templates; treat every value as untrusted unless it is a literal in the template itself.
  2. Choose the function by output context, not by data type: escapeHtml() for text in the HTML body, escapeHtmlAttr() for a value inside a quoted attribute, escapeJs() for a value inside a JavaScript string literal, and escapeUrl() for a value placed in href or src (escapeHtml() alone does not stop a javascript: URL).
  3. Never write <?= $var ?> without escaping. Request parameters, customer-entered fields, and anything loaded from the database that a customer could have written are all user input.
  4. Review all custom themes and extensions for unescaped output, including email templates and admin grids, since administrators are high-value XSS targets.
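The template fragment below is an added illustration for this checklist, not code from Magento core or from any particular extension. It shows each escape function in the context it is meant for. It assumes a Magento 2.4 template, where $escaper is the Magento\Framework\Escaper injected into every template (on earlier releases the same methods are called on $block), and it assumes hypothetical block accessors getCustomerName(), getProfileUrl() and getBio() that return data originally entered by a customer.

```php
<?php
/** @var \Magento\Framework\View\Element\Template $block */
/** @var \Magento\Framework\Escaper $escaper */
// Added example for this baseline page (not Magento core code).
// Assumes Magento 2.4+, where $escaper is available in every .phtml file;
// on older releases replace $escaper->escapeX() with $block->escapeX().
// getCustomerName(), getProfileUrl() and getBio() are hypothetical block methods
// whose return values come from customer input and must be treated as untrusted.
$name       = $block->getCustomerName();  // could be: Bob"><script>alert(1)</script>
$profileUrl = $block->getProfileUrl();    // could be: javascript:alert(document.cookie)
$bio        = $block->getBio();           // may legitimately contain <b> and <i>
?>

<!-- HTML body: escapeHtml() converts < > & " ' to entities, so the value renders as text -->
<h2>Welcome back, <?= $escaper->escapeHtml($name) ?></h2>

<!-- HTML attribute: escapeHtmlAttr(), and keep the attribute value quoted -->
<input type="text" name="display_name" value="<?= $escaper->escapeHtmlAttr($name) ?>" />

<!-- href/src: escapeUrl() neutralises dangerous schemes; escapeHtml() alone would
     leave a javascript: URL intact and clickable -->
<a href="<?= $escaper->escapeUrl($profileUrl) ?>">Profile</a>

<!-- JavaScript string literal: escapeJs(), and keep the quotes around the literal.
     escapeJs() is only for string literals, never for bare JavaScript code -->
<script>
    var customerName = '<?= $escaper->escapeJs($name) ?>';
    console.log('Signed in as ' + customerName);
</script>

<!-- Rich text that must keep some formatting: pass an explicit tag whitelist as the
     second argument; tags outside the list are escaped, not stripped -->
<div class="bio"><?= $escaper->escapeHtml($bio, ['b', 'i', 'p']) ?></div>
```

Reading the example against the checklist: the same $name is printed three times, and each occurrence uses a different function because it lands in a different context. A reviewer checking a template should ask, for every echo, "what parser consumes this character position?" and verify the escape call matches that answer; a grep for escapeHtml alone will not catch a body-escaped value inside an attribute or a script block.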

Examples

Fail Example
<?= $_GET['name'] ?>
# Prints request input straight into the HTML body; a value such as <script>alert(1)</script> executes in the browser. Unsafe.
Pass Example
<?= $block->escapeHtml($_GET['name']) ?>
# Converts special characters to HTML entities so the value renders as text. Safe for the HTML body only; inside an attribute use escapeHtmlAttr(), inside a script string use escapeJs().
# Note: reading $_GET directly in a template is shown here for brevity; Magento templates should obtain parameters through the request object ($block->getRequest()->getParam('name')), and the output still needs escaping either way.
