We are pleased to announce the release of Zen Cart v1.5.7d
Download available here: https://github.com/zencart/zencart/archive/refs/tags/v1.5.7d.zip
Minimum Requirements
Zen Cart v1.5.7...
Type: Posts; User: wilt
Thanks Scott.
Thanks also to those who have supported Zen Cart not just monetarily, but supporting here on the forums and with github.
Only thing I could find on this is
https://www.avalara.com/vatlive/en/vat-news/uk-post-brexit-vat-on-e-commerce-b2c-imports.html
The inbuilt DisplayLogs plugin contains an example of using an Installer Class
e.g. zc_plugins/DisplayLogs/v3.0.0/Installer/ScriptedInstaller.php
Hi,
As mentioned already, for v157 there is not that much support for plugins that are used catalog side, that will come in v158.
Note also that code within the zc_plugin directory is protected by...
One of the main reasons that SESSION_FORCE_COOKIE_USE fails is some incorrect server configuration.
Usually a mismatch between your website's domain and its actual host address.
You say that...
We were recently notified of a security vulnerability regarding the sanitization of the 'notify' parameter used in Zen Cart to add product notifications to a user account.
The proof of concept...
With the release of Zen Cart 1.5.6b, Zen Cart is now fully compatible with PHP 7.3 and MySQL 5.7. We don't anticipate a Zen Cart 1.5.6c release, but there may be a small one if a high priority bug...
As the only core team member residing in the EU, thought I would offer my thoughts here.
First, as mentioned in a previous post, be wary of scaremongers, especially when they are consultants...
Note.
Have also opened a github issue.
https://github.com/zencart/zencart/issues/1348
Hi
There is some documentation about customizing the sanitizers here
However, to make your life easier, here is what to do.
Create a new file in [admin]/includes/extra_datafiles/
I...
You may want to take a look at
[admin]/includes/classes/split_page_results_new.php
while this has different method signatures from the legacy split_page_results class it does allow for passing in...
What ZC version are you using
and is this admin or catalog side code
Hi so have done an initial PR for v1.6
https://github.com/zcwilt/zc-v1-series/commit/285288132585e6034754f86c51a076103a726f40
This should fix the problem of seeing the session timeout page...
Hi Mark.
Have been doing some digging and testing regarding this after some discussions with DrByte.
Firstly regarding your suggestion
if (isset($_POST[zen_session_name()])) {
...
This wasn't what I asked :)
What I asked is whether demo data had been loaded.
e.g. whether products table had been populated
Another thing to check, which will give some indication of how far the install progress got, is to check the contents of the
products table (assuming you asked for demo data to be installed)
Are...
Hi Mark
Do you have settings in Apache to do any kind of redirects?
Also would you mind telling us who your host is.
Hi
Currently hoping there aren't any. I updated our functional test suite recently, just to test this. The changes did not break any of the tests relating to tax calculations.
Hi all
This is in fact a problem with core code, and not really related to any plugins.
The reviews code passes a 'products_name' hidden field which in this context is a string.
However in...
Also thanks to Scott(swguy) for reminding me to do that :)
Did a quick test on my v155 branch.
Copy/pasted a chevron into a description.
saved OK and displays OK in admin/catalog
Hmmm
product description is probably the most permissive field as far as admin sanitizer is concerned.
How do you enter the chevron? As an html entity?
Hi
I tried this on a clean install of v155 and could not see any problems.
Here is what I did.
Clean Install
Admin set DISPLAY_PRICE_WITH_TAX = true
Created Tax Class called 'Shipping...
drbyte suggests
(int)(PROJECT_VERSION_MAJOR . '.' . PROJECT_VERSION_MINOR <= '1.5.5');
The problem is this test
if (defined ('PROJECT_VERSION_MAJOR') && version_compare (PROJECT_VERSION_MAJOR . '.' . PROJECT_VERSION_MINOR, '1.5.5', '>=') && class_exists ('AdminRequestSanitizer') &&...
This should work.
I note that if I add $sanitizer->setDebug(true); to the end of admin/includes/init_includes/init_sanitize.php I get Sanitize logs
Hi
On the other hand we need to consider what the TEXT attribute was meant for.
Assume you have a T-Shirt shop where the customer can define the text that appears on the T-Shirt
Using...
Hi
That does in fact seem like a cool solution, although DrByte and I were talking and think PRODUCT_NAME_DEEP_REGEX is better than PRODUCT_DESC_REGEX as it is less permissive.
Hi,
grrrr.
I guess as a quick fix you could assign a NULL_ACTION to the value parameter as part of a MULTI_DIMENSIONAL sanitizer.
Fortunately you caught me at a point where I was preparing...
Hi
Can you provide info regarding your server setup
e.g. php version, mysql version etc.
your admin/server_info.php will provide this info
Or put a file on your server like this: ...
Fix pushed here
https://github.com/zencart/zencart/pull/894/commits/3e07484bb9abc7f1dafe8cdd8916edf14a41984d
Hi
I just pushed some final changes to the code, this shouldn't affect anything you have been testing as it mainly revolves around custom sanitizers and unit testing.
Will do the PR against core...
So I've pushed up a change to my testing branch to add a FLOAT_VALUE_REGEX
I guess that probably 'tax' and 'final_price' should strictly speaking be floats.
In fact I think the...
Will add this :)
Just to be clear here.
If you want to test latest code, you need to pull in the changes from my https://github.com/zcwilt/zc-v1-series/tree/adminsanitizer-updates branch
and there are 3 files ...
Have you defined any extra sanitizers.
I'm about to update the docs regarding this.
I'm working on updated documentation, and probably some expanded tests.
Will post here once done.
So I think I am close to a finished solution now
https://github.com/zcwilt/zc-v1-series/commit/8b1d302b0ea3c17f2526f4b1e6aee0cdd95199cb
Just a couple of things left to do
Add some more unit...
:D
Hoping to finish the code for this tonight.
The data structure for defining the sanitization would be
$group = array(
'update_products' => array(
...
So at the moment there is no way of defining sanitization except at a top level basis,
so I can't add sanitizers at a sub level at the moment
However again, I'm currently working on a...
Hi
So yes there is hope :)
I would forget about changing id -> attr_info, especially if it is likely to break other code.
The new version of the adminSanitizer class I'm currently working...
Hi.
In one way, yes it would.
Changing the parameter name to something that does not already have a sanitizer assigned will force that parameter to be sanitized
by the...
So one of the reasons Edit Orders is broken with reference to the sanitizer
is when attempting to add a new product to the order (as has been mentioned elsewhere in the thread).
It breaks...
This is not what is happening
We are not going to put code into core that adds sanitization for specific Edit Order code parameters
Although I might suggest how EO might work better with core.
...
The traverseStricSanitize function passes $item by reference, and for the initial entry point uses either $_POST or $_GET and these will always be arrays whether empty or not.
The problem is that...
Hi
I do have a pending commit that uses recursion.
https://github.com/zencart/zencart/pull/886/files
Hi
You said
Just to clarify. Are you saying that using force cookie fixes the problem as well?
Hi
I guess I should also point you to https://github.com/zencart/sagepay
Also regarding
Yes, but then don't the other versions (jsweb, nixak) do that?
Hi
I would say that the in built code was 'inspired' by the nixak module. I have however rewritten large portions of the code. The main reason for the rewrite was to allow for more easily adding...