Page 6 of 8
Results 51 to 60 of 77
  1. #51
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,399
    Plugin Contributions
    87

    Default Re: AdminRequestSanitizer Error Log

    @wilt, is there a way to stop the unwanted htmlentities' conversions? If I order the product A Bug's Life "Multi Pak" Special 2003 Collectors Edition
    and then edit that order (simply pressing the "Update" button), the name changes to A Bug's Life &quot;Multi Pak&quot; Special 2003 Collectors Editi ... with the double-quotes converted to &quot; and the name getting truncated due to the additional characters.

    The same thing happens if I enter a text attribute that uses special characters, e.g. Here's some text … gets converted to Here's some text … -- and it just gets worse each time that order is updated since each & is converted to &amp;.

  2. #52
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Have you defined any extra sanitizers?

    I'm about to update the docs regarding this.

    Quote Originally Posted by lat9 View Post
    @wilt, is there a way to stop the unwanted htmlentities' conversions? If I order the product A Bug's Life "Multi Pak" Special 2003 Collectors Edition
    and then edit that order (simply pressing the "Update" button), the name changes to A Bug's Life &quot;Multi Pak&quot; Special 2003 Collectors Editi ... with the double-quotes converted to &quot; and the name getting truncated due to the additional characters.

    The same thing happens if I enter a text attribute that uses special characters, e.g. Here's some text … gets converted to Here's some text … -- and it just gets worse each time that order is updated since each & is converted to &amp;.

  3. #53
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Just to be clear here.

    If you want to test latest code, you need to pull in the changes from my https://github.com/zcwilt/zc-v1-seri...itizer-updates branch

    and there are 3 files

    admin/includes/auto_loaders/config.adminSanitize.php
    admin/includes/classes/AdminRequestSanitizer.php
    admin/includes/init_includes/init_sanitize.php

    Even pulling these in won't fix edit_orders, as you then need to add your own sanitizers.
    As a simple test I created

    /admin/includes/extra_datafiles/edit_orders_sanitize.php that contained

    PHP Code:
    <?php
    /**
     * Created by PhpStorm.
     * User: wilt
     * Date: 07/04/16
     * Time: 20:45
     */
    $sanitizer = AdminRequestSanitizer::getInstance();
    $group = array(
        'id' => array('sanitizerType' => 'NULL_ACTION', 'method' => 'both', 'pages' => array('edit_orders'), 'params' => array()));
    $sanitizer->addComplexSanitization($group);
    $group = array(
        'update_products' => array('sanitizerType' => 'NULL_ACTION', 'method' => 'both', 'pages' => array('edit_orders'), 'params' => array()));
    $sanitizer->addComplexSanitization($group);
    and that fixed the htmlentities problems.

    Now of course, those should only be considered temporary fixes as they basically ignore sanitization for id and update_products, whereas what should be added is
    a MULTI_DIMENSIONAL sanitizer

  4. #54
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,399
    Plugin Contributions
    87

    Default Re: AdminRequestSanitizer Error Log

    I'll pull your most recent updates down for my test setup. It seems like the product's name and attribute name/value pairs will all need the NULL_ACTION sanitization -- is that correct?

  5. #55
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,399
    Plugin Contributions
    87

    Default Re: AdminRequestSanitizer Error Log

    Should there be a general sanitizer group for floats? The qty value that is included in the EO POST variables is a floating-point value, not an int.

  6. #56
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,399
    Plugin Contributions
    87

    Default Re: AdminRequestSanitizer Error Log

    Here's what I've come up with (so far) for the EO sanitizer; please let me know if there's a better way. This approach gets the product's name and text attributes to not get &amp;'d to death:
    Code:
        $eo_sanitizer = AdminRequestSanitizer::getInstance();
        $eo_group = array(
            'update_products' => array(
                'sanitizerType' => 'MULTI_DIMENSIONAL',
                'method' => 'post',
                'pages' => array('edit_orders'),
                'params' => array(
                    'update_products' => array('sanitizerType' => 'CONVERT_INT'),
                    'qty' => array('sanitizerType' => 'CONVERT_INT'),  //-This one should really be a float
                    'name' => array('sanitizerType' => 'PRODUCT_DESC_REGEX'),
                    'onetime_charges' => array('sanitizerType' => 'CURRENCY_VALUE_REGEX'),
                    'attr' => array(
                        'sanitizerType' => 'MULTI_DIMENSIONAL',
                        'params' => array(
                            'attr' => array('sanitizerType' => 'CONVERT_INT'),
                            'value' => array('sanitizerType' => 'PRODUCT_DESC_REGEX'),
                            'type' => array('sanitizerType' => 'CONVERT_INT')
                        )
                    ),
                    'model' => array('sanitizerType' => 'WORDS_AND_SYMBOLS_REGEX'),
                    'tax' => array('sanitizerType' => 'CURRENCY_VALUE_REGEX'),
                    'final_price' => array('sanitizerType' => 'CURRENCY_VALUE_REGEX'),
                )
            )
        );
        $eo_sanitizer->addComplexSanitization ($eo_group);
    Last edited by lat9; 7 Apr 2016 at 11:00 PM. Reason: Correct 'attr' values
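An added example, not code from this thread or from Zen Cart, that models the two things discussed in posts #51, #53 and #56: why a value that is run through htmlentities() on every order update keeps degrading (and outgrows its column), and what a per-key rule set over the nested update_products array checks that a NULL_ACTION entry does not. The rule labels (int, float, money, model, text), the helper names and the POST layout are this example's own assumptions, not AdminRequestSanitizer's sanitizerType values or EO's real field layout.

```php
<?php
// Added example (not thread or Zen Cart code). (1) Why a value that is
// htmlentities()'d on every order update degrades; (2) what a per-key rule
// set over the nested update_products array checks that NULL_ACTION does not.
// Rule labels, helper names and POST layout are this example's assumptions.

// (1) Unconditional encoding: a second pass re-encodes the '&' of every
// entity the first pass produced, so the string grows on every save.
function encodeNaive(string $v): string
{
    return htmlentities($v, ENT_QUOTES, 'UTF-8');
}

// Idempotent alternative: decode what is already encoded, then encode once.
function encodeOnce(string $v): string
{
    return htmlentities(html_entity_decode($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES, 'UTF-8');
}

// (2) One field, one rule. Every rule fails closed: a value that does not
// match the expected shape is replaced, never passed through unchanged.
function sanitizeField(string $rule, $value)
{
    $s = (string) $value;
    switch ($rule) {
        case 'int':
            return (int) $s;
        case 'float':  // qty is fractional (post #55), so an int cast would truncate it
            return preg_match('/^-?\d+(\.\d+)?$/', $s) ? (float) $s : 0.0;
        case 'money':  // kept as a string (up to 4 decimals) to avoid float rounding
            return preg_match('/^-?\d+(\.\d{1,4})?$/', $s) ? $s : '0';
        case 'model':  // ASCII word characters, space, dot and dash only
            return preg_replace('/[^\w .\-]/u', '', $s);
        case 'text':   // free text such as a product or attribute name
            return encodeOnce($s);
        default:
            throw new InvalidArgumentException("unknown rule '$rule'");
    }
}

// Walks the rule tree beside the input tree. An array rule means "rows keyed
// by id (product id, option id), each checked with these child rules". Keys
// with no rule are dropped, so the rules double as an allowlist.
function sanitizeTree(array $rules, array $input): array
{
    $out = [];
    foreach ($rules as $key => $rule) {
        if (!array_key_exists($key, $input)) {
            continue;
        }
        if (is_array($rule)) {
            $out[$key] = [];
            foreach ((array) $input[$key] as $rowId => $row) {
                $out[$key][$rowId] = is_array($row) ? sanitizeTree($rule, $row) : [];
            }
        } else {
            $out[$key] = sanitizeField($rule, $input[$key]);
        }
    }
    return $out;
}

// Rule set with the shape of the $eo_group in post #56 (labels are ours).
$rules = ['update_products' => [
    'qty' => 'float', 'name' => 'text', 'onetime_charges' => 'money',
    'model' => 'model', 'tax' => 'money', 'final_price' => 'money',
    'attr' => ['value' => 'text', 'type' => 'int'],
]];

// Constructed sample POST body, not a real order.
$post = ['update_products' => ['12' => [
    'qty'             => '1.5',
    'name'            => 'A Bug\'s Life "Multi Pak" Special 2003 Collectors Edition',
    'onetime_charges' => '0',
    'model'           => 'DVD-2003<b>',
    'tax'             => '1.2345',
    'final_price'     => '19.99 USD',   // does not match the money rule
    'attr'            => ['4' => ['value' => 'Here\'s some text …', 'type' => '1']],
    'not_in_rules'    => 'dropped',
]]];

$name = $post['update_products']['12']['name'];
printf("naive, saved twice: %s\n", encodeNaive(encodeNaive($name)));
printf("once,  saved twice: %s\n", encodeOnce(encodeOnce($name)));
print_r(sanitizeTree($rules, $post));
```

Run it with the php command-line binary. The "once" line stays the same however many times the same order is saved, while the "naive" line grows on each pass, which is the truncation reported in post #51. The tree walk is the part a NULL_ACTION entry skips entirely: every field is coerced to its expected type and unlisted keys never reach the order update.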

  7. #57
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Quote Originally Posted by lat9 View Post
    Should there be a general sanitizer group for floats? The qty value that is included in the EO POST variables is a floating-point value, not an int.
    Will add this :)

  8. #58
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Quote Originally Posted by lat9 View Post
    Here's what I've come up with (so far) for the EO sanitizer; please let me know if there's a better way. This approach gets the product's name and text attributes to not get &amp;'d to death:
    So I've pushed up a change to my testing branch to add a FLOAT_VALUE_REGEX

    I guess that probably 'tax' and 'final_price' should strictly speaking be floats.

    In fact I think the CURRENCY_VALUE_REGEX may be unnecessary.

    I'm not quite ready to push my testing branch to a full blown PR against core code as I want to make sure the unit tests cover some edge cases first.

  9. #59
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,399
    Plugin Contributions
    87

    Default Re: AdminRequestSanitizer Error Log

    Just checking in to see where the Zen Cart base code is on this issue. So far, my tests with the eo_sanitizer supplied above and the April 7 version of the Zen Cart changes look sound.

    One request: When Zen Cart is updated with these sanitizer changes, pretty-please make it a formal release for either Zen Cart 1.5.5a or 1.5.6 so that EO can determine the environment in which it's loading/installing and guide the installer to the proper version if plain-old-original Zen Cart 1.5.5 is currently being used.

  10. #60
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: AdminRequestSanitizer Error Log

    Quote Originally Posted by lat9 View Post
    Just checking in to see where the Zen Cart base code is on this issue. So far, my tests with the eo_sanitizer supplied above and the April 7 version of the Zen Cart changes look sound.

    One request: When Zen Cart is updated with these sanitizer changes, pretty-please make it a formal release for either Zen Cart 1.5.5a or 1.5.6 so that EO can determine the environment in which it's loading/installing and guide the installer to the proper version if plain-old-original Zen Cart 1.5.5 is currently being used.
    Hi
    I just pushed some final changes to the code; this shouldn't affect anything you have been testing, as it mainly revolves around custom sanitizers and unit testing.
    Will do the PR against core tonight.
    Your comment regarding release numbering is noted and this will be what happens.
