
I intend to allow users to customize their product before adding it to the cart via a custom route (e.g. example.com/customize/id/123).

I use POST method. Data will be added to order attributes.

I wonder whether Magento escapes data behind the scenes or whether I have to do that myself?

Thanks.



You will have to escape data yourself, as it's coming from the URL and anyone can append anything malicious.

$id = $this->getRequest()->getParam('id');
if (is_numeric($id)) {
    //do your stuff
} else {
    //id is not numeric, be cautious
}

To escape html, you can use Mage::helper('core')->htmlEscape('html here');

UPDATE: No, Magento doesn't escape it for you.

public function setData($key, $value=null)
{
    $this->_hasDataChanges = true;
    if(is_array($key)) {
        $this->_data = $key;
        $this->_addFullNames();
    } else {
        $this->_data[$key] = $value; //check this...
        if (isset($this->_syncFieldsMap[$key])) {
            $fullFieldName = $this->_syncFieldsMap[$key];
            $this->_data[$fullFieldName] = $value;
        }
    }
    return $this;
}
  • Of course I have to check the id (or anything required to continue working); in my question I meant product/quote/order attributes, e.g. $order->setMyCustomAttribute('abcxyz'), so in this statement, does Magento escape data behind the scenes? – Tran Dinh Khanh Sep 19 '14 at 17:20
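The pattern the answer describes, as an added example that is not code from the original post or from Magento: since Varien_Object::setData() stores the value exactly as given, the id is validated on the way in and the attribute is escaped only where it is rendered. It assumes Magento 1.x (Mage::helper('core')->escapeHtml(), of which htmlEscape() is the older alias) and falls back to htmlspecialchars() so the file also runs outside Magento.

```php
<?php
// Added example, not from the original post. Assumption: Magento 1.x, where
// escapeHtml() wraps htmlspecialchars($data, ENT_COMPAT, 'UTF-8', false).
function escapeHtmlValue($value)
{
    if (class_exists('Mage', false)) {
        return Mage::helper('core')->escapeHtml($value);
    }
    return htmlspecialchars((string)$value, ENT_COMPAT, 'UTF-8', false);
}

function validateProductId($raw)
{
    // is_numeric() also accepts "1e3", "1.5" and "-1"; an entity id is a
    // positive integer, so validate it as one and reject everything else.
    $id = filter_var($raw, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

function buildCustomization(array $params)
{
    $id = validateProductId(isset($params['id']) ? $params['id'] : null);
    if ($id === null) {
        return null;                      // not a product id: stop here
    }
    $text = isset($params['custom_text']) ? (string)$params['custom_text'] : '';
    if (strlen($text) > 255) {            // constructed length limit
        return null;
    }
    // Stored as typed (this is what setData() would do as well). Escaping
    // here would double-encode once templates, e-mails and the admin grid
    // escape the value again on output.
    return array('product_id' => $id, 'my_custom_attribute' => $text);
}

function renderCustomization(array $data)
{
    return '<span class="custom">'
        . escapeHtmlValue($data['my_custom_attribute']) . '</span>';
}

// Constructed POST parameters as the custom route would receive them.
$request = array('id' => '123', 'custom_text' => '<b>Tom & "Jerry"</b>');
$data = buildCustomization($request);
echo renderCustomization($data), PHP_EOL;
var_dump(validateProductId('1e3'));      // rejected, although is_numeric() passes it
var_dump(buildCustomization(array('id' => 'abc')));
```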