Affects Version/s: None
Fix Version/s: None
Environment: Affected browsers: Mozilla Firefox, Google Chrome and Apple Safari, latest versions.
When installing and analyzing PrestaShop in a secure environment I discovered that it's possible to bypass the isCleanHtml() function, which is used in many places, especially in the Contact Form.
A user could use this vulnerability, a persistent cross-site scripting, to execute malicious payloads in the admin's message box.
Proof of concept:
In the message field a user could write:
<embed src='data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIndlYnNlZ3VyYS5uZXQgeHNzIik7PC9zY3JpcHQ+PC9zdmc+' type='image/svg+xml' AllowScriptAccess='always'></embed>
Both Base64 strings are mainly <script>alert()</script> encoded.
Those XSS vectors bypass the filter in isCleanHtml() and execute automatically when the admin checks the messages in the admin area. This is critical and could be used a lot, causing bad scenarios.
Keep in mind that on some webmail variations the code is also executed. A user can even play with headings (<h1>) and other HTML in the message box.
I think that in this particular case HTML should be stripped out because, in my opinion, it has no meaning on the contact form. Of course, another solution is to sanitize user input by improving the isCleanHtml() function.
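As an added illustration of both fixes suggested above (this is example code written for this report, not PrestaShop's isCleanHtml(), and in Python rather than PHP), the filter below parses a contact-form message, records why it should be rejected (active tags, event-handler attributes, and a data: URI whose decoded body carries a script, the shape of the vector reported here), and separately returns the tag-stripped text. The tag list, the script markers and the sample message are assumptions constructed for the example.

```python
import base64
import re
import urllib.parse
from html.parser import HTMLParser

# Tags that can load or execute active content; a contact form has no use for them (assumed list).
ACTIVE_TAGS = {"script", "embed", "object", "iframe", "svg", "applet", "meta", "link", "base"}
# Markers of script execution to look for inside a decoded data: URI body.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\bon\w+\s*=", re.I)

def decode_data_uri(value):
    """Return the decoded body of a data: URI (base64 or percent-encoded), else None."""
    m = re.match(r"\s*data:([^,]*),(.*)", value, re.I | re.S)
    if not m:
        return None
    meta, body = m.groups()
    if "base64" in meta.lower():
        try:
            return base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "replace")
        except (ValueError, TypeError):
            return None
    return urllib.parse.unquote(body)

class ContactMessageFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.text = [], []  # reasons to reject; tag-free text

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # onload=, onerror=, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            decoded = decode_data_uri(value or "")  # look inside data: URIs, whatever the attribute
            if decoded is not None and SCRIPT_MARKERS.search(decoded):
                self.findings.append(f"script inside data: URI in {name} on <{tag}>")

    def handle_data(self, data):
        self.text.append(data)

def filter_message(html):
    """Return (findings, stripped_text): reject when findings is non-empty, else store the text."""
    parser = ContactMessageFilter()
    parser.feed(html)
    parser.close()
    return parser.findings, "".join(parser.text)

# Constructed sample in the shape of the reported vector: a scripted SVG, base64-encoded in an <embed>.
SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE_MESSAGE = f"<embed src='data:image/svg+xml;base64,{base64.b64encode(SAMPLE_SVG.encode()).decode()}' type='image/svg+xml'></embed>"
```

For the sample message, filter_message() reports both the <embed> tag and the script found inside the decoded data: URI, and the stripped text is empty; a plain message with only formatting tags yields no findings and its text survives.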
Hope this information helps you guys to keep PrestaShop more secure.
By the way, nice job on PrestaShop. It's an easy and reliable CMS to install and maintain. Keep it up.