Re: AdminRequestSanitizer Error Log
@wilt, is there a way to stop the unwanted htmlentities' conversions? If I order the product A Bug's Life "Multi Pak" Special 2003 Collectors Edition
and then edit that order (simply pressing the "Update" button), the name changes to A Bug's Life &quot;Multi Pak&quot; Special 2003 Collectors Editi ... with the double-quotes converted to &quot; and the name getting truncated due to the additional characters.
The same thing happens if I enter a text attribute that uses special characters, e.g. Here's some text … gets converted to Here's some text … -- and it just gets worse each time that order is updated since each & is converted to &amp;.
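The following is an added example, not code from this thread or from Zen Cart. It reproduces the failure mode described in the post: a value that is read back from the edit form and re-sanitised on every "Update" picks up one more level of entity encoding per round trip and is then cut off by the column width. It then contrasts three sanitizer strategies: encode on every request (compounds), decode-then-encode (stable but still stores an expanded string), and validate-but-store-raw with escaping done once at output. The 64-character column width, the function names and the control-character allowlist are my assumptions.

```php
<?php
// Added example (not from the thread or from Zen Cart). Demonstrates why
// re-encoding a stored value on every admin "Update" makes it grow, and why
// validating on input and escaping once at output avoids the problem.

/**
 * Strategy 1, naive: encode whatever arrives. ENT_COMPAT encodes double
 * quotes but not apostrophes, which matches the symptom in the post ("Bug's"
 * survives, the quotes around "Multi Pak" become &quot;). On the second pass
 * the '&' of each existing entity is encoded again (&quot; -> &amp;quot;).
 */
function encode_naive(string $value): string
{
    return htmlentities($value, ENT_COMPAT, 'UTF-8');
}

/**
 * Strategy 2, idempotent: decode whatever entities are present so the value is
 * plain text, then encode exactly once. Repeated passes give the same string,
 * but the stored form is still longer than the text the user typed.
 */
function encode_normalised(string $value): string
{
    $plain = html_entity_decode($value, ENT_COMPAT, 'UTF-8');
    return htmlentities($plain, ENT_COMPAT, 'UTF-8');
}

/**
 * Strategy 3, validate and store raw: reject control bytes instead of
 * transforming the text, keep the original characters in the database, and
 * leave HTML escaping to the output layer (see render()). The allowlist here
 * is an assumption for the example, not Zen Cart's PRODUCT_DESC_REGEX.
 */
function validate_raw(string $value): string
{
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control characters are not allowed in a product name');
    }
    return $value;
}

/** Output-side escaping: applied once, at render time, never at storage time. */
function render(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

/** Simulate $rounds admin "Update" clicks: the stored value is re-submitted and re-sanitised each time. */
function simulate_updates(callable $sanitizer, string $value, int $rounds): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $value = $sanitizer($value);
    }
    return $value;
}

// Constructed sample: the product name from the post.
$name        = 'A Bug\'s Life "Multi Pak" Special 2003 Collectors Edition';
$columnWidth = 64; // assumed varchar width of the stored product-name column

foreach (['encode_naive', 'encode_normalised', 'validate_raw'] as $fn) {
    for ($round = 1; $round <= 3; $round++) {
        // substr() stands in for the database silently truncating to the column width.
        $stored = substr(simulate_updates($fn, $name, $round), 0, $columnWidth);
        printf("%-18s round %d (%2d chars): %s\n", $fn, $round, strlen($stored), $stored);
    }
}

// With strategy 3 the page still renders safely, because escaping happens here.
echo "rendered: ", render(validate_raw($name)), PHP_EOL;
```

Running this shows the first strategy producing exactly the "Collectors Editi" truncation from the post after a single update (the encoded form is 66 characters), and growing further on each round. The second strategy stops the growth but still stores the 66-character form, so it is still truncated; only the third keeps the name intact, which is what the NULL_ACTION and regex-based sanitizers discussed later in this thread achieve for the edit_orders fields. A one-line alternative to strategy 2 is passing `double_encode = false` as the fourth argument of htmlentities(), but that also leaves a literal "&amp;" typed by the user unencoded, so decoding first is the more predictable form.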
Re: AdminRequestSanitizer Error Log
Have you defined any extra sanitizers?
I'm about to update the docs regarding this.
Quote: Originally Posted by lat9
@wilt, is there a way to stop the unwanted htmlentities' conversions? If I order the product A Bug's Life "Multi Pak" Special 2003 Collectors Edition
and then edit that order (simply pressing the "Update" button), the name changes to A Bug's Life &quot;Multi Pak&quot; Special 2003 Collectors Editi ... with the double-quotes converted to &quot; and the name getting truncated due to the additional characters.
The same thing happens if I enter a text attribute that uses special characters, e.g. Here's some text … gets converted to Here's some text … -- and it just gets worse each time that order is updated since each & is converted to &amp;.
Re: AdminRequestSanitizer Error Log
Just to be clear here.
If you want to test the latest code, you need to pull in the changes from my https://github.com/zcwilt/zc-v1-seri...itizer-updates branch,
and there are 3 files:
admin/includes/auto_loaders/config.adminSanitize.php
admin/includes/classes/AdminRequestSanitizer.php
admin/includes/init_includes/init_sanitize.php
Even pulling these in won't fix edit_orders, as you then need to add your own sanitizers.
As a simple test I created
/admin/includes/extra_datafiles/edit_orders_sanitize.php that contained
PHP Code:
<?php
/**
 * Created by PhpStorm.
 * User: wilt
 * Date: 07/04/16
 * Time: 20:45
 */
$sanitizer = AdminRequestSanitizer::getInstance();
// NULL_ACTION: leave the 'id' parameter unsanitized on edit_orders (GET and POST).
$group = array(
    'id' => array(
        'sanitizerType' => 'NULL_ACTION',
        'method'        => 'both',
        'pages'         => array('edit_orders'),
        'params'        => array(),
    ),
);
$sanitizer->addComplexSanitization($group);
// Same for the 'update_products' array, which is what carries the product names.
$group = array(
    'update_products' => array(
        'sanitizerType' => 'NULL_ACTION',
        'method'        => 'both',
        'pages'         => array('edit_orders'),
        'params'        => array(),
    ),
);
$sanitizer->addComplexSanitization($group);
and that fixed the htmlentities problems.
Now of course, those should only be considered temporary fixes, as they basically ignore sanitization for id and update_products, whereas what should be added is a MULTI_DIMENSIONAL sanitizer.
Re: AdminRequestSanitizer Error Log
I'll pull your most recent updates down for my test setup. It seems like the product's name and attribute name/value pairs will all need the NULL_ACTION sanitization -- is that correct?
Re: AdminRequestSanitizer Error Log
Should there be a general sanitizer group for floats? The qty value that is included in the EO POST variables is a floating-point value, not an int.
Re: AdminRequestSanitizer Error Log
Here's what I've come up with (so far) for the EO sanitizer; please let me know if there's a better way. This approach gets the product's name and text attributes to not get &'d to death:
Code:
$eo_sanitizer = AdminRequestSanitizer::getInstance();
$eo_group = array(
    'update_products' => array(
        'sanitizerType' => 'MULTI_DIMENSIONAL',
        'method'        => 'post',
        'pages'         => array('edit_orders'),
        'params'        => array(
            'update_products' => array('sanitizerType' => 'CONVERT_INT'),
            'qty'             => array('sanitizerType' => 'CONVERT_INT'), // This one should really be a float
            'name'            => array('sanitizerType' => 'PRODUCT_DESC_REGEX'),
            'onetime_charges' => array('sanitizerType' => 'CURRENCY_VALUE_REGEX'),
            'attr'            => array(
                'sanitizerType' => 'MULTI_DIMENSIONAL',
                'params'        => array(
                    'attr'  => array('sanitizerType' => 'CONVERT_INT'),
                    'value' => array('sanitizerType' => 'PRODUCT_DESC_REGEX'),
                    'type'  => array('sanitizerType' => 'CONVERT_INT'),
                ),
            ),
            'model'           => array('sanitizerType' => 'WORDS_AND_SYMBOLS_REGEX'),
            'tax'             => array('sanitizerType' => 'CURRENCY_VALUE_REGEX'),
            'final_price'     => array('sanitizerType' => 'CURRENCY_VALUE_REGEX'),
        ),
    ),
);
$eo_sanitizer->addComplexSanitization($eo_group);
Re: AdminRequestSanitizer Error Log
Quote: Originally Posted by lat9
Should there be a general sanitizer group for floats? The qty value that is included in the EO POST variables is a floating-point value, not an int.
Will add this :)
Re: AdminRequestSanitizer Error Log
Quote: Originally Posted by lat9
Here's what I've come up with (so far) for the EO sanitizer; please let me know if there's a better way. This approach gets the product's name and text attributes to not get &'d to death:
So I've pushed up a change to my testing branch to add a FLOAT_VALUE_REGEX.
I guess that probably 'tax' and 'final_price' should, strictly speaking, be floats.
In fact I think the CURRENCY_VALUE_REGEX may be unnecessary.
I'm not quite ready to push my testing branch to a full-blown PR against core code, as I want to make sure the unit tests cover some edge cases first.
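The following is an added example, not Zen Cart's code and not the FLOAT_VALUE_REGEX from wilt's branch. It shows why a CONVERT_INT-style sanitizer is the wrong tool for the edit_orders qty field raised earlier in this thread (a fractional quantity is silently truncated, and junk is coerced rather than rejected) and what a strict decimal check looks like by comparison. The regex, the non-negative quantity policy and the function names are my own assumptions.

```php
<?php
// Added example (not Zen Cart's code). Compares int coercion with a strict
// float validator on the kind of values edit_orders receives in
// update_products[...][qty]. The regex is an assumption, not FLOAT_VALUE_REGEX.

/** Int conversion as a CONVERT_INT-style sanitizer would apply it: every input becomes an int. */
function sanitize_int(string $value): int
{
    return (int) $value;
}

/**
 * Strict decimal syntax: optional sign, digits, optional fraction. Exponents,
 * hex, whitespace and non-numeric text are rejected (null) rather than coerced.
 * The D (dollar-end-only) modifier stops '$' from matching before a trailing
 * newline, so "1.5\n" is rejected instead of slipping through.
 */
function sanitize_float(string $value): ?float
{
    if (!preg_match('/^-?(?:\d+(?:\.\d*)?|\.\d+)$/D', $value)) {
        return null;
    }
    return (float) $value;
}

/** Quantity policy on top of the syntax check: a quantity must also be non-negative. */
function sanitize_qty(string $value): ?float
{
    $qty = sanitize_float($value);
    if ($qty === null || $qty < 0.0) {
        return null;
    }
    return $qty;
}

// Constructed POST values, including the edge cases a validator should refuse.
$samples = ['2', '1.5', '0.25', '-1', '1e3', '0x1A', ' 3', "1.5\n", '', 'abc'];

printf("%-10s %-12s %-10s %s\n", 'input', 'CONVERT_INT', 'float', 'qty');
foreach ($samples as $raw) {
    $float = sanitize_float($raw);
    $qty   = sanitize_qty($raw);
    printf("%-10s %-12d %-10s %s\n",
        json_encode($raw),               // shows the newline and empty string explicitly
        sanitize_int($raw),
        $float === null ? 'reject' : (string) $float,
        $qty === null ? 'reject' : (string) $qty);
}
```

The table makes the two failure modes visible side by side: CONVERT_INT turns "1.5" into 1 (an order quantity silently changed) and turns non-numeric input into a number instead of refusing it, while the regex-based check keeps 1.5 and 0.25 intact and returns null for everything that is not a plain decimal, which the calling page can treat as a validation error. Separating the syntax check (sanitize_float) from the business rule (sanitize_qty) is deliberate: 'tax' and 'final_price' can reuse the former with a different policy on sign.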
Re: AdminRequestSanitizer Error Log
Just checking in to see where the Zen Cart base code is on this issue. So far, my tests with the eo_sanitizer supplied above and the April 7 version of the Zen Cart changes look sound.
One request: When Zen Cart is updated with these sanitizer changes, pretty-please make it a formal release for either Zen Cart 1.5.5a or 1.5.6 so that EO can determine the environment in which it's loading/installing and guide the installer to the proper version if plain-old-original Zen Cart 1.5.5 is currently being used.
Re: AdminRequestSanitizer Error Log
Quote: Originally Posted by lat9
Just checking in to see where the Zen Cart base code is on this issue. So far, my tests with the eo_sanitizer supplied above and the April 7 version of the Zen Cart changes look sound.
One request: When Zen Cart is updated with these sanitizer changes, pretty-please make it a formal release for either Zen Cart 1.5.5a or 1.5.6 so that EO can determine the environment in which it's loading/installing and guide the installer to the proper version if plain-old-original Zen Cart 1.5.5 is currently being used.
Hi
I just pushed some final changes to the code; this shouldn't affect anything you have been testing, as it mainly revolves around custom sanitizers and unit testing.
Will do the PR against core tonight.
Your comment regarding release numbering is noted and this will be what happens.