Site icon EcomPlugins Blog

How to prevent magento create order with such a potentially harmful or malformed billing address

The placeholder {{var this.getTemp%00lateFilter().filter(firstname)}} in Magento indicates an attempted injection attack or a misconfiguration. To prevent Magento from creating orders with such a potentially harmful or malformed billing address, you can implement several security measures:

1. Input Validation and Sanitization:

2. Template and Variable Injection Prevention:

3. Server-Side Validation:

4. Magento Configuration:

To prevent orders with specific conditions in Magento 2, such as preventing an order from being created when the billing address contains a particular pattern or string, you typically need to work within Magento’s module system. Specifically, you would modify or create an Observer or Plugin that hooks into the order creation process.

Create an Observer to Prevent Order Creation:

You’ll need to observe the sales_model_service_quote_submit_before event, which is triggered before the order is submitted.

See full example to handle Billing / Shipping Address

 

<?php

namespace Techgroup\Addon\Observer;

use Magento\Framework\Event\ObserverInterface;
use Magento\Framework\Event\Observer;

class QuoteSubmitBefore implements ObserverInterface
{
    /**
     * {{var this.getTemp%00lateFilter().filter(firstname)}}
     * {@inheritDoc}
     * @see \Magento\Framework\Event\ObserverInterface::execute()
     */
    public function execute(Observer $observer)
    {
        $quote           = $observer->getEvent()->getQuote();
        $billingAddress  = $quote->getBillingAddress();
        $shippingAddress = $quote->getShippingAddress();
        
        if($billingAddress)
        {
            $billingAddressArr = $billingAddress->getData();
            unset($billingAddressArr['extension_attributes']);
            
            $error = $this->formDataValidation($billingAddressArr);
            if($error){
                throw new \Exception($error);
            }
        }
        
        if($shippingAddress)
        {
            $shippingAddressArr = $shippingAddress->getData();
            unset($shippingAddressArr['extension_attributes']);
            
            $error = $this->formDataValidation($shippingAddressArr);
            if($error){
                throw new \Exception($error);
            }
        }
    }
    
    /**
     * validate data
     *
     * @param array $data
     * @return string
     */
    public function formDataValidation($data)
    {
        if(!$data || !is_array($data)){
            return false;
        }
        
        $error = "";
        foreach($data as $item => $value){
            if(!is_string($value)){
                continue;
            }
            
            if(!in_array($item, ['firstname', 'lastname', 'city', 'street', 'region', 'telephone', 'company', 'postcode', 'region_id'])){
                continue;
            }
            
            if($value && preg_match("/[\[^\'£$%^&*()}{@:\!'~?><>;@\|\\\=\+\¬\`\]]/", $value))
            {
                $error .= $item.", ";
            }
        }
        
        if($error){
            $error = substr('Please use only letters (a-z or A-Z), numbers (0-9), spaces and "- _ # , ." in fields '.$error, 0, -2);
        }
        
        return $error;
    }
}

 

Exit mobile version