  1. #1
    Join Date
    Dec 2003
    Location
    Astoria, Or
    Posts
    455
    Plugin Contributions
    2

    Attribs zen_output_string_protected

    What is the safety reason that attribs are zen_output_string_protected? I linked my attribs to product pages so customers can get additional information (and used fual slimbox to open the link on the same page). Just want to make sure I'm not overlooking a possible serious issue.

  2. #2
    Join Date
    Dec 2003
    Location
    Astoria, Or
    Posts
    455
    Plugin Contributions
    2

    Re: Attribs zen_output_string_protected

    Is Ajeh on vacation or sumthin?

  3. #3
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Attribs zen_output_string_protected

    I think it depends on which attributes you're referring to.
    If the customer has entered text information for an attribute field such as a filename or a text-input field, if that information is to be displayed again for verification/edit, you certainly want that information sanitized before it's displayed.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  4. #4
    Join Date
    Dec 2003
    Location
    Astoria, Or
    Posts
    455
    Plugin Contributions
    2

    Re: Attribs zen_output_string_protected

    I have yet to set up any store where a user inputs text or a file, so I have not specifically looked at that input/output. What I was looking at is that I had to change the admin option values name manager to allow me to edit <a href> linking, and then I had to edit the shopping cart as well, removing the zen_output_string_protected for the option value name. What I found odd is that on the product_info page the output was not protected. Protected in the admin and the shopping cart but not on the product info page?

  5. #5
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Attribs zen_output_string_protected

    Are you saying there's a specific inconsistency somewhere?

  6. #6
    Join Date
    Dec 2003
    Location
    Astoria, Or
    Posts
    455
    Plugin Contributions
    2

    Re: Attribs zen_output_string_protected

    The specific inconsistency is that
    includes/modules/attributes.php does not zen_output_string_protected the options_values_name which serves attribs on the product page,
    but
    includes/modules/pages/shopping_cart/header.php does:
    Code:
    $attrArray[$option]['products_options_values_name'] = zen_output_string_protected($attr_value);
    This actually helped me realize that in
    admin/options_values_manager.php
    I could:
    Code:
    $inputs .= $languages[$i]['code'] . ':&nbsp;<input type="text" name="value_name[' . $languages[$i]['id'] . ']" ' . zen_set_field_length(TABLE_PRODUCTS_OPTIONS_VALUES, 'products_options_values_name', 25) . ' value="' . zen_output_string_protected($value_name->fields['products_options_values_name']) . '">&nbsp;<br />';
    This allows me to edit <a href> links in the admin. Before, I could always enter links, but editing them required 2 edits: one to clear the html that was hanging it up the first time, and one to replace the <a href> with the change.

    It always seemed strange to me that no one else linked their options values to a page with more info (or the product that attrib represents).

    It's like 2am so I take no responsibility if that's jacked and you don't understand...

    Edit: Basically you want to see html code in the admin so it should be zen_output_string_protected, however the customer should never see the html so anything they see should not be zen_output_string_protected.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Attribs zen_output_string_protected

    hmmm ... I would think that the output-protected approach should be run any time the content of user-collected data is being re-displayed, so that any sql-injection or other attack would be averted.
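    To make the two behaviours from #6 and #7 concrete, here is an added example (not Zen Cart's own code): an escaped admin edit field beside the unescaped one that "hangs up" on a quote, and a storefront label rendered raw versus protected. It assumes a stand-in esc() that behaves like htmlspecialchars(), which is what zen_output_string_protected is taken to do here, and a constructed option value name containing an <a href> link.

```php
<?php
// Added example, not Zen Cart code. esc() is an assumed stand-in for
// zen_output_string_protected, modelled on htmlspecialchars().
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed option value name of the kind described in post #6: a link the
// admin stored, containing double quotes.
$valueName = '<a href="/more-info.html" class="slimbox">Blue (details)</a>';

// Admin edit field before the change: the value is dropped into the attribute
// unescaped, so the first " inside the link ends value="..." and the rest of the
// link is lost or rendered as stray attributes. That is the "hanging it up"
// behaviour that forced two edits.
function adminFieldBroken(string $name): string {
    return '<input type="text" name="value_name[1]" value="' . $name . '">';
}

// Admin edit field after the change in options_values_manager.php: escaped, so
// the full HTML shows up as editable text and the inner quotes cannot close
// the attribute.
function adminFieldProtected(string $name): string {
    return '<input type="text" name="value_name[1]" value="' . esc($name) . '">';
}

// Storefront as attributes.php does it: the value is rendered as markup, so the
// link works. Whatever reaches this string is interpreted by the browser, which
// is why #7's rule (protect any re-displayed user-collected data) matters if
// someone other than a fully trusted admin can ever set this field.
function storefrontRaw(string $name): string {
    return '<label>' . $name . '</label>';
}

// Storefront as shopping_cart/header.php does it: the link is shown literally.
function storefrontProtected(string $name): string {
    return '<label>' . esc($name) . '</label>';
}

echo adminFieldBroken($valueName), PHP_EOL;     // attribute ends at /more-info.html"
echo adminFieldProtected($valueName), PHP_EOL;  // &lt;a href=&quot;... fully editable
echo storefrontRaw($valueName), PHP_EOL;        // clickable link on the product page
echo storefrontProtected($valueName), PHP_EOL;  // literal <a href...> text, no link
```

    Run it with `php example.php` and compare the four output lines to see which contexts need the escaping and which one deliberately omits it.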

  8. #8
    Join Date
    Dec 2003
    Location
    Astoria, Or
    Posts
    455
    Plugin Contributions
    2

    Re: Attribs zen_output_string_protected

    It's options_values_name which is input on the admin side only?

  9. #9
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Attribs zen_output_string_protected

    Will have to do some further investigation. Here's a related post: http://www.zen-cart.com/forum/showthread.php?t=64115
