Magento – SUPEE-11295: Potential Issues

magento-1.9

Magento has released a SUPEE-11295 patch.

Description of vulnerabilities here:
https://helpx.adobe.com/security/products/magento/apsb20-02.html

Can be downloaded here: https://magento.com/tech-resources/download

Please share any issue that you have found with this patch!

Best Answer

Updated 3/9/2020 - scroll down for IE11 issue

This is an easy one for a change! I applied the full upgrade on both EE and CE (M1). Both upgrades went smoothly and no third-party extensions or other customizations were affected. 

EE 1.14.4.3 -> 1.14.4.4
CE 1.9.4.3 -> 1.9.4.4

Fair warning if you're doing the full upgrade - the copyright year changed in nearly every single file! Here is a list of files I found with actual code changes:

CE 1.9.4.4

app\code\core\Mage\Adminhtml\Block\Catalog\Product\Helper\Form\Gallery\Content.php
app\code\core\Mage\Adminhtml\Block\Cms\Wysiwyg\Images\Content\Uploader.php
app\code\core\Mage\Compiler\Block\Process.php
app\code\core\Mage\Compiler\controllers\Adminhtml\Compiler\ProcessController.php
app\code\core\Mage\Compiler\Model\Process.php
app\code\core\Mage\Core\Model\Input\Filter\MaliciousCode.php
app\design\adminhtml\default\default\template\forgotpassword.phtml
app\design\adminhtml\default\default\template\login.phtml
app\design\adminhtml\default\default\template\page\head.phtml
app\design\adminhtml\default\default\template\resetforgottenpassword.phtml
app\locale\en_US\Mage_Compiler.csv
errors\default\images\logo.gif
js\varien\js.js
lib\Mage\Connect\Command\Install.php
lib\Mage\Connect\Package.php

EE 1.14.4.4

app\code\core\Mage\Adminhtml\Block\Catalog\Product\Helper\Form\Gallery\Content.php
app\code\core\Mage\Adminhtml\Block\Cms\Wysiwyg\Images\Content\Uploader.php
app\code\core\Mage\Compiler\Block\Process.php
app\code\core\Mage\Compiler\controllers\Adminhtml\Compiler\ProcessController.php
app\code\core\Mage\Compiler\Model\Process.php
app\code\core\Mage\Core\Model\Input\Filter\MaliciousCode.php
app\design\adminhtml\default\default\template\forgotpassword.phtml
app\design\adminhtml\default\default\template\login.phtml
app\design\adminhtml\default\default\template\page\head.phtml
app\design\adminhtml\default\default\template\resetforgottenpassword.phtml
app\locale\en_US\Mage_Compiler.csv
js\varien\js.js
lib\Mage\Connect\Command\Install.php
lib\Mage\Connect\Package.php

IE11 bug discovered weeks after deployment

Add-to-cart functionality, navigation hover menus, or other JS things might be broken in IE11.

File: /js/varien/js.js

New Method Added by Magento:

function buttonDisabler() {
    const buttons = document.querySelectorAll('button.save');
    buttons.forEach(button => button.disabled = true);
}

Patch for IE11 compatibility:

function buttonDisabler() {
    const buttons = document.querySelectorAll('button.save');
    buttons.forEach(function(button) {button.disabled = true;});
}
Related Topic