If you don't know what an XSS (Cross-Site Scripting) flaw is, I recommend that you do a quick search on the Internet.
The most common XSS error is using GET or POST values in templates. Here is an example of unprotected Smarty code:
{if $smarty.get.param}{$smarty.get.param}{/if}
And here is a way to exploit it:
index.php?param=<script>alert("BOOOOOM !")</script>
In this case, the JavaScript code passed in the URL will be executed when the page loads. A simple alert message is not really dangerous, but it would be possible for example to display a form (whose action attribute would point to a site owned by the person trying to exploit the flaw) which would invite visitors to authenticate.
In order to avoid this type of problem, use the native escape method. Refer to the official documentation for more details: http://www.smarty.net/docsv2/en/language.
{if $smarty.get.param} {$smarty.get.param|escape:'htmlall'}
{/if}
New in PrestaShop 1.7Starting from PrestaShop 1.7, all Smarty variables are automatically "escaped" if you use the fetch method. It is therefore no longer necessary to add |escape:'htmlall'. On the other hand, to display HTML code, you will need to add |nofilter.
For more information on the subject, I invite you to read the following article: http://build.prestashop.com/news/prestashop-17-beta2/
You should always protect all data coming from users, and even from webservices. For example, the webservice we use in our module could be compromised. Indeed, you can never be sure of the security of the data sent by a third-party API.
