  1. #1
    Join Date
    Sep 2012
    Location
    West Jefferson, NC
    Posts
    383
    Plugin Contributions
    0

    Stop admin product update and preview from stripping characters from image path

    Can anyone please tell me what file sanitizes the image path during product update or review?

    Using Zencart v1.5.5a and trying to get my images to show up from an external https source...suppliers requirement.

    It has taken me all day to figure out why they are not showing up...reading many forum posts and php files.

    But, I don't know how to fix it.

    In html_output.html I added:

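    Code:
      function zen_image($src, $alt = '', $width = '', $height = '', $parameters = '') {
        global $template_dir, $zco_notifier;

        //MIKE - for http external image links
        // If the source contains 'http', drop the 'images/' directory and hand off to the original function.
        if (strstr($src, 'http')) {
          $src = str_replace('images/', '', $src);
          return zen_image_OLD($src, $alt, $width, $height, $parameters);
        }
        //END MIKE

        // ... rest of the zen_image() body is unchanged ...
      }
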
    Then I manually changed my test product image path in the database via phpMyAdmin.

    Voilà! My test product image showed up perfectly in all the listings and product pages...thought I had it licked.

    When I edited my test product in admin, I discovered that the preview and update buttons strip characters from the image path input fields and changed what was in the db.

    Specifically, it stripped : ? = from my image path.

    So, I manually changed my path in the db again and retested 3 times to make sure it was really happening.

    I've used the admin developers tool kit to try and find anything like htmlspecialchars that may be causing this but I'm coming up empty.

    I did notice in one of the php files that there are certain cases where the stripping of data is protected. Is there any way to do this with the image path?

    I understand the need to sanitize input boxes to prevent injection. It should only be happening when there is actually something in the input box...not during preview or update of non image related data. If the image text box has an html link in it, then any special characters used in html links should be allowed...in my case :?=

    Thanks.

  2. #2
    Join Date
    Sep 2012
    Location
    West Jefferson, NC
    Posts
    383
    Plugin Contributions
    0

    Re: Stop admin product update and preview from stripping characters from image path

    http://docs.zen-cart.com/Developer_D...n_sanitization

    I did find this but it is all French to me...LOL. So, I tried to find the regex code with the developers tool kit but none had all three of the symbols (?:=) I need to make an exception on.

    Still looking...

  3. #3
    Join Date
    Sep 2012
    Location
    West Jefferson, NC
    Posts
    383
    Plugin Contributions
    0

    Re: Stop admin product update and preview from stripping characters from image path

    Tried this but it didn't stop the problem...

    TEMPORARILY Disabling Strict Sanitization
    If you find that some of your admin plugins are no longer working properly then you should look first to see if new versions of those plugins are available, ie: that support the new v1.5.5 sanitization.

    If new versions are not available, or you need to keep your current admin working while you update, then you can disable the strict(default) sanitization by doing the following:

    Create a new disable_strict_sanitize.php file in your /admin/includes/extra_configures/ directory. The contents of this file should be

    PHP Code:
    <?php
      define('DO_STRICT_SANITIZATION', false);

    We encourage you to NOT do that unless truly necessary, and even then only as a temporary measure until your affected plugins have written their own custom sanitizers as described later in this document.

  4. #4
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Re: Stop admin product update and preview from stripping characters from image path

    Not sure which sanitizer is the issue, but in your case the image field that is being sanitized is already defined and so disabling the strict sanitizer as done above would not rectify the issue.

    So, one thing about it all: it appears that you already detect if the URI is "off-site"; is there any reconstructive work you could do at that point to restore the expected operation? I.e., find a remaining string and substitute something in its place, etc.?

    Otherwise you may want to rename the image field and add some sort of sanitization for it or just keep searching for where the sanitization is applied for the field being used to hold the products_image as it is passed along the process.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  5. #5
    Join Date
    Sep 2012
    Location
    West Jefferson, NC
    Posts
    383
    Plugin Contributions
    0

    Re: Stop admin product update and preview from stripping characters from image path

    Quote: Originally Posted by mc12345678
    Not sure which sanitizer is the issue, but in your case the image field that is being sanitized is already defined and so disabling the strict sanitizer as done above would not rectify the issue.

    So, one thing about it all: it appears that you already detect if the URI is "off-site"; is there any reconstructive work you could do at that point to restore the expected operation? I.e., find a remaining string and substitute something in its place, etc.?

    Otherwise you may want to rename the image field and add some sort of sanitization for it or just keep searching for where the sanitization is applied for the field being used to hold the products_image as it is passed along the process.
    Yes, that is the conclusion I came to last night after 14 hours of trying to figure this out.

    Where to deconstruct and reconstruct is going to be as hard to figure out as where the sanitizing is taking place....starting day 2. LOL.

    My image file names look like this (x and spaces added to keep it from displaying as a url):

    htxxs: // cdn.shopify.com/s/files/1/1132/5812/products/736211060587.jpeg?v=1464209789

    The image name, 736211060587.jpeg, is available as a separate field. So, I suppose I could assign
    "?v=1464209789" and "https://cdn.shopify.com/s/files/1/1132/5812/products/" to separate variables then recombine them at the first instance of $products_image.

    It's not a show stopper for doing automated product imports.

    I simply cannot use the Zencart product editor or it will boogger up my products image file...all product edits will have to be done directly in the db.

    If anyone finds where the sanitizing is happening or an easier way to handle this, please let me know.

    Thanks.
    Last edited by mikeel100; 5 Sep 2016 at 03:55 PM. Reason: spelling...

  6. #6
    Join Date
    Jul 2012
    Posts
    16,733
    Plugin Contributions
    17

    Re: Stop admin product update and preview from stripping characters from image path

    So the file admin/includes/init_includes/init_sanitize.php
    Line 181 is doing/directing the sanitizing that you are seeing.

    Perhaps you would rather have it treated as a url such as PRODUCT_URL_REGEX instead of FILE_DIR_REGEX.

    Or possibly to modify admin/includes/classes/AdminRequestSanitizer.php
    And change the function filterFileDirRegex to respond differently.

    Or even create one of your own and assign it to those fields.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  7. #7
    Join Date
    Sep 2012
    Location
    West Jefferson, NC
    Posts
    383
    Plugin Contributions
    0

    Re: Stop admin product update and preview from stripping characters from image path

    Found it....

    init_sanitize.php

    PHP Code:
    $group = array('img_dir', /*'products_previous_image',*/ 'products_image_manual', 'products_attributes_filename');

    After I commented out 'products_previous_image', preview and update no longer removed the characters! Thanks for your insight and help.
    Last edited by mikeel100; 5 Sep 2016 at 08:51 PM. Reason: added the filename

  8. #8
    Join Date
    Sep 2012
    Location
    West Jefferson, NC
    Posts
    383
    Plugin Contributions
    0

    Re: Stop admin product update and preview from stripping characters from image path

    Quote: Originally Posted by mikeel100
    Found it....

    init_sanitize.php

    PHP Code:
    $group = array('img_dir', /*'products_previous_image',*/ 'products_image_manual', 'products_attributes_filename');

    After I commented out 'products_previous_image', preview and update no longer removed the characters! Thanks for your insight and help.
    I added it to the 'PRODUCT_URL_REGEX' group and all works well.

    PHP Code:
    $group = array('products_url', 'products_previous_image' /*MIKE ADDED 'products_previous_image'*/);
    $sanitizer->addSimpleSanitization('PRODUCT_URL_REGEX', $group);
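
Added example, not part of the thread and not Zen Cart code: once the image field is allowed to carry URL characters, the storefront side can validate the value before it reaches an `<img>` tag instead of testing for "http" anywhere in the string. The function name `external_image_url`, the host list and the sample values are hypothetical.

```php
<?php
// Added example; not Zen Cart code. Names and the host list are hypothetical.

/**
 * Return the validated external URL carried in $src, or null when $src is an
 * ordinary local image path or a URL that fails a check.
 */
function external_image_url($src, $imageDir = 'images/')
{
    // Assumption: the only external source is the supplier CDN from the thread.
    $allowedHosts = array('cdn.shopify.com');

    // The storefront prepends the image directory; strip it only as a prefix.
    if (strncmp($src, $imageDir, strlen($imageDir)) === 0) {
        $src = substr($src, strlen($imageDir));
    }
    // Must start with https://, not merely contain "http" somewhere.
    if (strncasecmp($src, 'https://', 8) !== 0) {
        return null;
    }
    $p = parse_url($src);
    if ($p === false || !isset($p['host'], $p['path'])) {
        return null;
    }
    // No credentials, port or fragment, and the host must be on the list.
    if (isset($p['user']) || isset($p['pass']) || isset($p['port']) || isset($p['fragment'])
        || !in_array(strtolower($p['host']), $allowedHosts, true)) {
        return null;
    }
    // Conservative character sets: an image path plus an optional cache-buster query.
    if (!preg_match('~^/[A-Za-z0-9._/-]+\.(?:jpe?g|png|gif)$~i', $p['path'])
        || (isset($p['query']) && !preg_match('~^[A-Za-z0-9=&._-]+$~', $p['query']))) {
        return null;
    }
    return $src;
}

// Constructed sample values: the URL quoted in the thread plus edge cases.
$samples = array(
    'images/https://cdn.shopify.com/s/files/1/1132/5812/products/736211060587.jpeg?v=1464209789',
    'images/http-banner.jpg',                               // local file, name contains "http"
    'images/https://cdn.shopify.com@other.example/a.jpeg',  // host is other.example
    'images/https://cdn.shopify.com/a.jpeg?v=1"x',          // double quote in the query
);
foreach ($samples as $s) {
    $url = external_image_url($s);
    // Escape on output even after validation; the value lands in an HTML attribute.
    echo $url === null ? 'local/rejected' : htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), "\t<= $s\n";
}
```

In a modified zen_image(), a check like this would take the place of the strstr() test, with a null result falling through to the normal local-image handling.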

 

 

Zen-Cart, Internet Selling Services, Klamath Falls, OR