From fea5d5dbcdefecec6e7e21a9d096e4b8a77a8611 Mon Sep 17 00:00:00 2001 From: Quentin Aupetit Date: Mon, 16 Feb 2026 15:32:29 +0100 Subject: [PATCH] add reach5SupportedSocialNames as site preferencies and check that ReachFivesocialName param match one of this values to avoid XSS attack issue --- .../meta/system-objecttype-extensions.xml | 8 ++++++ .../sites/RefArch/preferences.xml | 25 +++++++++++++++++++ .../cartridge/models/reachfiveSettings.js | 4 +++ .../controllers/ReachFiveController.js | 7 ++++-- .../controllers/ReachFiveController.js | 11 +++++++- 5 files changed, 52 insertions(+), 3 deletions(-) diff --git a/Metadata/site_template/meta/system-objecttype-extensions.xml b/Metadata/site_template/meta/system-objecttype-extensions.xml index 6800085..de03b7e 100644 --- a/Metadata/site_template/meta/system-objecttype-extensions.xml +++ b/Metadata/site_template/meta/system-objecttype-extensions.xml @@ -216,6 +216,13 @@ false false + + Supported ReachFive Social Provider Names + Whitelist of allowed social provider names. + set-of-string + true + false + Web UI SDK Url ReachFive Web UI SDK Url. @@ -471,6 +478,7 @@ + diff --git a/Metadata/site_template/sites/RefArch/preferences.xml b/Metadata/site_template/sites/RefArch/preferences.xml index 18a4083..7c11ec0 100644 --- a/Metadata/site_template/sites/RefArch/preferences.xml +++ b/Metadata/site_template/sites/RefArch/preferences.xml @@ -49,6 +49,31 @@ it nl + + akamai + amazon + apple + bconnect + facebook + franceconnect + google + kakaotalk + line + linkedin + mailru + microsoft + naver + okta + oney + paypal + ping + qq + tiktok + twitter + vkontakte + wechat + weibo + sdkUiClient.showSocialAccounts({ accessToken: accessToken, container: 'social-accounts-container' diff --git a/cartridges/int_reachfive/cartridge/models/reachfiveSettings.js b/cartridges/int_reachfive/cartridge/models/reachfiveSettings.js index fa2a743..9260332 100644 --- a/cartridges/int_reachfive/cartridge/models/reachfiveSettings.js 
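Review bot: The attribute description `Whitelist of allowed social provider names.` does not tell the merchant that this set is now a security control: whatever is placed in it is accepted from the `ReachFivesocialName` request parameter by both controllers in this patch and handed to the link-account view, so a value containing markup added in Business Manager would reintroduce the issue the commit closes. I would extend the description to something like `Allowlist of ReachFive social provider identifiers accepted from the ReachFivesocialName request parameter. Use provider ids only (lower-case letters, digits, hyphens); an empty set disables prefilling the provider.` The XML tags are stripped in this rendering, so I cannot confirm which of the two boolean flags shown is the mandatory flag; if the attribute is mandatory, sites that do not import the RefArch preferences would need that handled at import time.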
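Review bot: The seed list is added only under the RefArch site, so any other site that imports this metadata starts with an empty `reach5SupportedSocialNames`; with the `|| []` fallback in the controllers the new check then fails closed and silently drops every `ReachFivesocialName` parameter, which is the safe default but should be stated in the release notes so merchants know to populate the preference. It would also help to note alongside the list that entries must match the provider names ReachFive sends back in the `ReachFivesocialName` parameter exactly, since the controller comparison is a case-sensitive `indexOf`.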
+++ b/cartridges/int_reachfive/cartridge/models/reachfiveSettings.js @@ -25,6 +25,7 @@ var LOGGER = require('dw/system/Logger').getLogger('loginReachFive'); * @property {string} reach5CoreSdkUrl - Web Core SDK Url * @property {Array} reach5SupportedLanguageCodes - Supported ReachFive LanguageCodes * @property {string} reach5DefaulLanguageCode - Default ReachFive LanguageCode + * @property {Array} reach5SupportedSocialNames - Supported ReachFive Social Provider Names * @property {string} reachFiveCheckCredentials - Check credentials method * @property {boolean} isReachFiveEmailAsLogin - Create profile with login as an email * @property {boolean} isReachFiveReturnProviderToken - Retrieve the provider token in the SFCC session @@ -103,6 +104,9 @@ function Settings() { reach5DefaulLanguageCode: { get: function () { return currentSite.getCustomPreferenceValue('reach5DefaulLanguageCode'); } }, + reach5SupportedSocialNames: { + get: function () { return currentSite.getCustomPreferenceValue('reach5SupportedSocialNames'); } + }, reachFiveCheckCredentials: { get: function () { var prefEnum = currentSite.getCustomPreferenceValue('reachFiveCheckCredentials'); diff --git a/cartridges/int_reachfive_sfra/cartridge/controllers/ReachFiveController.js b/cartridges/int_reachfive_sfra/cartridge/controllers/ReachFiveController.js index a27dee7..ed8f7fa 100644 --- a/cartridges/int_reachfive_sfra/cartridge/controllers/ReachFiveController.js +++ b/cartridges/int_reachfive_sfra/cartridge/controllers/ReachFiveController.js @@ -254,6 +254,7 @@ server.get( 'InitLinkAccount', csrfProtection.generateToken, function (req, res, next) { + var reachfiveSettings = require('*/cartridge/models/reachfiveSettings'); var userName, rememberMe, ReachFivesocialName; // Prefill login form if the user is registered if (req.querystring.email) { 
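Review bot: The new getter returns whatever `getCustomPreferenceValue` returns, presumably null when the preference is unset (the set-of-string getter above it behaves the same way), which forces every consumer to remember the `|| []` fallback; both controllers in this patch do, but the next caller may not. Since this value is now a security allowlist, I would centralise the membership test in the model instead of repeating it per controller, e.g. a method on the settings object: `isSupportedSocialName: function (name) { var names = this.reach5SupportedSocialNames || []; return typeof name === 'string' && names.indexOf(name) !== -1; }` so the semantics (exact, case-sensitive match, fail closed when empty) live in one place. The JSDoc line in the first hunk could then read `@property {Array|null} reach5SupportedSocialNames - Allowlist of ReachFive social provider names accepted from the ReachFivesocialName request parameter; null when unset`. The `Settings` constructor continues outside the hunk.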
@@ -261,8 +262,10 @@ server.get( rememberMe = true; } - if (req.querystring.ReachFivesocialName) { - ReachFivesocialName = req.querystring.ReachFivesocialName; + var inputSocialName = req.querystring.ReachFivesocialName; + var supportedSocialNames = reachfiveSettings.reach5SupportedSocialNames || []; + if (inputSocialName && supportedSocialNames.indexOf(inputSocialName) !== -1) { + ReachFivesocialName = inputSocialName; } var rurl = req.querystring.rurl || '1'; diff --git a/cartridges/int_reachfive_sg/cartridge/controllers/ReachFiveController.js b/cartridges/int_reachfive_sg/cartridge/controllers/ReachFiveController.js index c670746..3d87a38 100644 --- a/cartridges/int_reachfive_sg/cartridge/controllers/ReachFiveController.js +++ b/cartridges/int_reachfive_sg/cartridge/controllers/ReachFiveController.js @@ -350,10 +350,19 @@ function initLinkAccount() { loginForm.setValue('rememberme', true); } + var reachfiveSettings = require('*/cartridge/models/reachfiveSettings'); + var validatedSocialName; + + var inputSocialName = request.httpParameterMap.ReachFivesocialName.stringValue; + var supportedSocialNames = reachfiveSettings.reach5SupportedSocialNames || []; + if (inputSocialName && supportedSocialNames.indexOf(inputSocialName) !== -1) { + validatedSocialName = inputSocialName; + } + // Prepare view and render app.getView({ RegistrationStatus: false, - ReachFivesocialName: request.httpParameterMap.ReachFivesocialName.stringValue, + ReachFivesocialName: validatedSocialName, ShowStandardLoginToLinkAccount: true, ContinueURL: URLUtils.https('ReachFiveController-HandleLinkForm') }).render('account/login/reachfivelinkform');
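Review bot: The allowlist check fixes the input side, but the sink the commit message describes as the XSS is the link-account view, which this patch does not touch; if that template prints `ReachFivesocialName` with encoding disabled or inside a script block, output encoding at that point should still be fixed, with the allowlist kept as defence in depth rather than the only control. A rejected value is also dropped without trace; a debug-level log line (without echoing the raw parameter, or after truncating it) would make probing of this parameter visible to operations. The four new lines are duplicated almost verbatim in the int_reachfive_sg controller below; a shared helper such as `reachfiveSettings.isSupportedSocialName(inputSocialName)` would keep the two cartridges from drifting. The `InitLinkAccount` handler starts and ends outside the hunk.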
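Review bot: The `require('*/cartridge/models/reachfiveSettings')` is introduced in the middle of `initLinkAccount`, after the login-form handling, rather than with the file's other module references; the SFRA counterpart in this patch at least hoists it to the top of its handler, so for consistency I would move it out of the function body (or to file scope, if that is where `app` and `URLUtils` are resolved, which this hunk does not show). `request.httpParameterMap.ReachFivesocialName.stringValue` returns null for an absent parameter if I recall the HttpParameter API correctly, which the `inputSocialName &&` guard handles, so that part is fine. The validation itself is a copy of the SFRA hunk; `validatedSocialName = reachfiveSettings.isSupportedSocialName(inputSocialName) ? inputSocialName : undefined;` against a helper in the model would keep the allowlist semantics in one place. `initLinkAccount` starts and ends outside the hunk.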