Originally Posted by lat9
That processing is the result of line #49 (ZC 1.5.5a) in /includes/modules/pages/checkout_confirmation/header_php.php
Code:
$_SESSION['comments'] = zen_output_string_protected($_POST['comments']);
The code was changed based on the Trustwave Security Patch. My initial thought is to change that to call zen_clean_html instead, since it's a <script></script> injection that the code's looking to prevent.
Unfortunately, the zen_clean_html function's "over-achieving", too, since it's stripping all the CR/LF sequences from the comments, rendering:
Code:
Here's some "comments" &
other stuff
into
Code:
Here's some "comments" & other stuff
Perhaps it would be appropriate to add another input to the function (present in /includes/functions/functions_general.php) to specify that CR, LF and TAB characters should remain:
Code:
function zen_clean_html($clean_it, $extraTags = '', $keep_new_lines = false) {
    if (!is_array($extraTags)) $extraTags = array($extraTags);
    // remove any embedded javascript
    $clean_it = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $clean_it);
    if (!$keep_new_lines) {
        $clean_it = preg_replace('/\r/', ' ', $clean_it);
        $clean_it = preg_replace('/\t/', ' ', $clean_it);
        $clean_it = preg_replace('/\n/', ' ', $clean_it);
        $clean_it = nl2br($clean_it);
        // update breaks with a space for text displays in all listings with descriptions
        $clean_it = preg_replace('~(<br ?/?>|</?p>)~', ' ', $clean_it);
    }
    // temporary fix more for reviews than anything else
    $clean_it = str_replace('<span class="smallText">', ' ', $clean_it);
    $clean_it = str_replace('</span>', ' ', $clean_it);
    // clean general and specific tags:
    $taglist = array('strong','b','u','i','em');
    $taglist = array_merge($taglist, (is_array($extraTags) ? $extraTags : array($extraTags)));
    foreach ($taglist as $tofind) {
        if ($tofind != '') $clean_it = preg_replace("/<[\/\!]*?" . $tofind . "[^<>]*?>/si", ' ', $clean_it);
    }
    // remove any double-spaces created by cleanups:
    $clean_it = preg_replace('/[ ]+/', ' ', $clean_it);
    // remove other html code to prevent problems on display of text
    $clean_it = strip_tags($clean_it);
    return $clean_it;
}
Once that function's been updated, that line in the checkout_confirmation header file would be changed to:
Code:
$_SESSION['comments'] = zen_clean_html($_POST['comments'], '', true);
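As an added example (not part of lat9's post and not Zen Cart's own code), the script below runs one constructed checkout comment through the three treatments discussed in the post and then through the escaping a page should apply when it displays the stored value. `demo_output_string_protected()` is an assumed stand-in for `zen_output_string_protected()` built on `htmlspecialchars()`; `demo_clean_html()` is a trimmed copy of the `$keep_new_lines` variant proposed above (the review-specific `<span>` handling is left out); `demo_render_comment()` is the assumed output-side step. The point it makes visible is that entity-encoding at input time is what produces the `&amp;quot;` artefacts once the page encodes again at output, while tag stripping plus output encoding keeps the text readable without letting stored markup render.

```php
<?php
// Added example, not Zen Cart or lat9 code. Compares input-time handling of a
// checkout comment and shows output-side escaping of whatever was stored.

// ASSUMPTION: stand-in for zen_output_string_protected(), which is taken here
// to entity-encode HTML special characters at input time.
function demo_output_string_protected($s) {
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Trimmed copy of the zen_clean_html() variant proposed above, with the
// optional $keep_new_lines flag. Tag removal is a best-effort cleanup; the
// final strip_tags() plus output encoding is what actually keeps markup inert.
function demo_clean_html($clean_it, $extraTags = '', $keep_new_lines = false) {
    if (!is_array($extraTags)) $extraTags = array($extraTags);
    // remove any embedded <script> block
    $clean_it = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $clean_it);
    if (!$keep_new_lines) {
        // collapse CR, TAB and LF to spaces, as the current function does
        $clean_it = preg_replace('/[\r\t\n]/', ' ', $clean_it);
        $clean_it = preg_replace('~(<br ?/?>|</?p>)~', ' ', $clean_it);
    }
    $taglist = array_merge(array('strong', 'b', 'u', 'i', 'em'), $extraTags);
    foreach ($taglist as $tofind) {
        if ($tofind != '') $clean_it = preg_replace("/<[\/\!]*?" . $tofind . "[^<>]*?>/si", ' ', $clean_it);
    }
    // remove double spaces created by the cleanups above
    $clean_it = preg_replace('/[ ]+/', ' ', $clean_it);
    return strip_tags($clean_it);
}

// ASSUMPTION: what a template should do when displaying a stored comment:
// encode for HTML at output time, then turn preserved newlines into <br />.
function demo_render_comment($stored) {
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample comment: ampersand, double quotes, a line break and a
// <script> block of the kind the input filter is meant to neutralise.
$comment = "Here's some \"comments\" &\nother stuff <script>alert(1)</script>";

$protected = demo_output_string_protected($comment);   // entities stored, script text kept (encoded)
$cleaned   = demo_clean_html($comment);                // script removed, newline collapsed to a space
$kept      = demo_clean_html($comment, '', true);      // script removed, newline preserved

printf("protected: %s\n\n", $protected);
printf("cleaned:   %s\n\n", $cleaned);
printf("kept:      %s\n\n", $kept);

// Encoding the already-encoded value again at output is what makes the
// customer see "&amp;quot;" and "&amp;amp;" in the rendered comment.
printf("render(protected): %s\n\n", demo_render_comment($protected));
// The stripped-and-kept value renders as readable text with a <br /> for the
// newline, and the removed script block never reaches the page.
printf("render(kept):      %s\n", demo_render_comment($kept));
```

Run it with `php demo.php` (any file name). The lesson for the checkout code is the one the post is circling: decide once where encoding happens. If the session value is going to be encoded when it is echoed into the confirmation page and the order record, then the input side only needs to strip what must never be stored, and it can keep the line breaks the customer typed.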