Can anyone please tell me what file sanitizes the image path during product update or review?
Using Zen Cart v1.5.5a and trying to get my images to show up from an external https source...supplier's requirement.
It has taken me all day to figure out why they are not showing up...reading many forum posts and PHP files.
But, I don't know how to fix it.
In html_output.html I added:
Code:
    function zen_image($src, $alt = '', $width = '', $height = '', $parameters = '') {
        global $template_dir, $zco_notifier;
        //MIKE - for http external image links
        if (strstr($src, 'http')) {
            $src = str_replace('images/', '', $src);
            return zen_image_OLD($src, $alt, $width, $height, $parameters);
        }
        //END MIKE
Then I manually changed my test product image path in the database via phpMyAdmin.
Voilà! My test product image showed up perfectly in all the listings and product pages...thought I had it licked.
When I edited my test product in admin, I discovered that the preview and update buttons strip characters from the image path input fields and changed what was in the db.
Specifically, it stripped : ? = from my image path.
So, I manually changed my path in the db again and retested 3 times to make sure it was really happening.
I've used the admin developers tool kit to try and find anything like htmlspecialchars that may be causing this but I'm coming up empty.
I did notice in one of the php files that there are certain cases where the stripping of data is protected. Is there any way to do this with the image path?
I understand the need to sanitize input boxes to prevent injection. It should only be happening when there is actually something in the input box...not during preview or update of non-image-related data. If the image text box has an HTML link in it, then any special characters used in HTML links should be allowed...in my case :?=
Thanks.
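
An added example, not part of the original post and not Zen Cart's own code: instead of exempting the image field from sanitization, an external link can be accepted only when it parses as an https URL on an allowlisted host, with escaping left to output time. The function name, the host and the sample inputs are hypothetical and constructed; PHP 7.1+ is assumed.

```php
<?php
// Added example, not Zen Cart code. Names and hosts are hypothetical.
const ALLOWED_IMAGE_HOSTS = ['images.supplier.example']; // constructed allowlist
/** Return the value if it is an acceptable image source, otherwise null. */
function validate_image_source(string $input): ?string
{
    $input = trim($input);
    if ($input === '') {
        return null;
    }
    // External only when the value *starts* with a scheme; a substring
    // test for "http" would also match a local file such as "http-logo.png".
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $input)) {
        $parts = parse_url($input);
        if (!is_array($parts)
            || strtolower($parts['scheme'] ?? '') !== 'https'
            || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_IMAGE_HOSTS, true)
            || isset($parts['user']) || isset($parts['pass'])
            // No whitespace, control characters, quotes, angle brackets or backslashes.
            || preg_match('/[\x00-\x20\x7f"\'<>\\\\`]/', $input)) {
            return null;
        }
        return $input; // ":", "?" and "=" survive untouched
    }
    // Local path relative to the images directory: strict set, no traversal.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $input)
        || $input[0] === '/' || strpos($input, '..') !== false) {
        return null;
    }
    return $input;
}

// Constructed sample inputs.
$samples = [
    'https://images.supplier.example/img.php?id=12&size=large',
    'categories/widget.jpg',
    'http://images.supplier.example/a.jpg',              // not https
    'https://evil.example/a.jpg',                        // host not allowlisted
    'javascript:alert(1)',                               // wrong scheme
    'https://images.supplier.example/a.jpg" onerror="x', // attribute break-out
    '../../includes/configure.php',                      // traversal
];
foreach ($samples as $s) {
    $v = validate_image_source($s);
    // Escape at output time; htmlspecialchars() leaves ":", "?" and "=" alone.
    echo str_pad($s, 58), ' => ',
        $v === null ? 'REJECTED' : htmlspecialchars($v, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Only the first two samples are accepted; the rest print REJECTED.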