  1. #21
    Re: Manufacturers About

    Well, there might be a little bit of the issue of why the provided code isn't improving things. If I remember correctly when 1.5.5 first came out, the new sanitization features were added, but there were a few "fields" that needed some work. Those have been improved. In fact I thought one of the issues was that html inside a product description would respond like what you are seeing.

    Please update/verify updated the files referenced at: https://www.zen-cart.com/showthread.php?219732 post #2. And keep the file "installed" that I described/provided earlier.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  2. #22
    Re: Manufacturers About

    Quote Originally Posted by mc12345678 View Post
    Well, there might be a little bit of the issue of why the provided code isn't improving things. If I remember correctly when 1.5.5 first came out, the new sanitization features were added, but there were a few "fields" that needed some work. Those have been improved. In fact I thought one of the issues was that html inside a product description would respond like what you are seeing.

    Please update/verify updated the files referenced at: https://www.zen-cart.com/showthread.php?219732 post #2. And keep the file "installed" that I described/provided earlier.
    It's fixed it. Thanks very much for this as I didn't know about those fixes. I will save them in my bookmarks for future use just in case. Really appreciate your help on this as it's been causing a headache for a while.
    Nick Smith - Venture Design and Print
    https://venturedesignandprint.co.uk

  3. #23
    Re: Manufacturers About

    Quote Originally Posted by Nick1973 View Post
    It's fixed it. Thanks very much for this as I didn't know about those fixes. I will save them in my bookmarks for future use just in case. Really appreciate your help on this as it's been causing a headache for a while.
    Great! Now, very important question. (meaning could save a bit of time related to testing.) If you "remove" the file I suggested adding to your file path, and again attempt to add something that has html in it, does it now work as expected or is it back to square one?

    I put the word remove in quotes because all you have to do to prevent it from loading is rename the extension from php to some other ending. It only affects entry of information in the admin so there should be no negative effect other than the possibility of html being displayed again.

    Anyways, thought is, verify that with the latest updated sanitizer and without the specialized sanitizer code for the plugin that there remains a problem when html is entered/present.

    For what it's worth, I had also gone ahead and tried to apply the sanitization I suggested for ZC code to a store then enter in say a product's name with html and without further modification of other parts of the ZC store I'd say that the sanitization didn't exactly help anything. For example the manufacturer's name when added to the dropdown list will show the html because the dropdown list itself is coded to show the html. My test was to apply a bold and/or italic html property around the text. (Yes, I know css is preferred for some things like this, but the point is/was to see the effect of incorporating html into the parts of the process.) The other thing that didn't look "right" was the information in the browser tab which also displayed the html. So, my point being, I'm not so sure that the few ZC suggested corrections truly provide a useful benefit to anyone other than the few that have modified standard operation of the above discussed or beyond objects. Those individuals either are likely to already have a similar specialized sanitizer file or have directed modification of the core ZC files. Point being, I could be wrong, but seems like there is not a current need for everyone to have the additional ZC sanitizer rules in the core code because entry of information that it doesn't filter out upon saving still gets overly "sanitized" later during operation pretty much by necessity.

    Okay, back to the point: please verify that the provided file is what fixed the issue when applied against a system with updated sanitizer rules. :)
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  4. #24
    Re: Manufacturers About

    Quote Originally Posted by mc12345678 View Post
    Great! Now, very important question. (meaning could save a bit of time related to testing.) If you "remove" the file I suggested adding to your file path, and again attempt to add something that has html in it, does it now work as expected or is it back to square one?

    I put the word remove in quotes because all you have to do to prevent it from loading is rename the extension from php to some other ending. It only affects entry of information in the admin so there should be no negative effect other than the possibility of html being displayed again.

    Anyways, thought is, verify that with the latest updated sanitizer and without the specialized sanitizer code for the plugin that there remains a problem when html is entered/present.

    For what it's worth, I had also gone ahead and tried to apply the sanitization I suggested for ZC code to a store then enter in say a product's name with html and without further modification of other parts of the ZC store I'd say that the sanitization didn't exactly help anything. For example the manufacturer's name when added to the dropdown list will show the html because the dropdown list itself is coded to show the html. My test was to apply a bold and/or italic html property around the text. (Yes, I know css is preferred for some things like this, but the point is/was to see the effect of incorporating html into the parts of the process.) The other thing that didn't look "right" was the information in the browser tab which also displayed the html. So, my point being, I'm not so sure that the few ZC suggested corrections truly provide a useful benefit to anyone other than the few that have modified standard operation of the above discussed or beyond objects. Those individuals either are likely to already have a similar specialized sanitizer file or have directed modification of the core ZC files. Point being, I could be wrong, but seems like there is not a current need for everyone to have the additional ZC sanitizer rules in the core code because entry of information that it doesn't filter out upon saving still gets overly "sanitized" later during operation pretty much by necessity.

    Okay, back to the point: please verify that the provided file is what fixed the issue when applied against a system with updated sanitizer rules. :)
    Interesting - as soon as I renamed the file you suggested adding called manufacturers_all_about_sanitize.php it went straight back to square one. So it needs that file to sanitize.
    Nick Smith - Venture Design and Print
    https://venturedesignandprint.co.uk

  5. #25
    Re: Manufacturers About

    Quote Originally Posted by Nick1973 View Post
    Interesting - as soon as I renamed the file you suggested adding called manufacturers_all_about_sanitize.php it went straight back to square one. So it needs that file to sanitize.
    That's good to know. And actually now that I have thought about it again, it appears that at least the manufacturers_url needs to be sanitized in the base ZC code as outlined in that additional code even if the name could possibly be left alone.

    I'll propose a PR to the ZC team for the ZC items in that file which will cause an update to one of the three files that you downloaded/updated. Then as necessary an update to the admin/manufacturers.php file, though as memory serves from earlier this week's review I don't think there was anything to do, but I could be wrong (hence as necessary :) ).

    Thank you for that test.

    Also, it would seem that at least the rules applicable to the plugin should be incorporated into the plugin/posted to that forum thread.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
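
Posts #23 and #25 turn on where sanitization happens: HTML accepted on save still has to be handled per display context (dropdown list, browser tab), and manufacturers_url needs its own check. The PHP below is an added illustration of that idea, not Zen Cart's or the plugin's code; the function names and sample values are assumptions made for the example.

```php
<?php
// Added illustration: not Zen Cart or plugin code; function names are hypothetical.

// Text-only contexts (<option> in a dropdown, <title>): drop tags, encode the rest.
function render_text_only(string $stored): string
{
    // double_encode=false keeps an already-stored "&amp;" from becoming "&amp;amp;"
    return htmlspecialchars(strip_tags($stored), ENT_QUOTES, 'UTF-8', false);
}

// Rich context (description body): encode everything, then restore only bare
// formatting tags. A tag carrying attributes never matches and stays encoded.
function render_rich(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    return preg_replace('#&lt;(/?)(b|i|em|strong)&gt;#i', '<$1$2>', $encoded);
}

// manufacturers_url: accept only well-formed http/https URLs, otherwise null.
// Assumes the URL is stored with its scheme.
function clean_manufacturer_url(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed sample values, not data from the thread.
$name = '<b>Acme</b> <i onmouseover="x()">Tools</i> & Co';
echo '<title>', render_text_only($name), "</title>\n";
echo '<option>', render_text_only($name), "</option>\n";
echo '<h1>', render_rich($name), "</h1>\n";

foreach (['https://example.com/acme', 'javascript:alert(1)', 'not a url'] as $url) {
    $clean = clean_manufacturer_url($url);
    echo $url, ' => ', $clean === null ? 'rejected' : 'accepted', "\n";
}
```

The same stored name yields plain text in the title and dropdown and keeps only the bare bold tag in the body, which is why a save-time rule alone does not decide what the visitor sees.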

  6. #26
    Re: Manufacturers About

    Quote Originally Posted by mc12345678 View Post
    That's good to know. And actually now that I have thought about it again, it appears that at least the manufacturers_url needs to be sanitized in the base ZC code as outlined in that additional code even if the name could possibly be left alone.

    I'll propose a PR to the ZC team for the ZC items in that file which will cause an update to one of the three files that you downloaded/updated. Then as necessary an update to the admin/manufacturers.php file, though as memory serves from earlier this week's review I don't think there was anything to do, but I could be wrong (hence as necessary :) ).

    Thank you for that test.

    Also, it would seem that at least the rules applicable to the plugin should be incorporated into the plugin/posted to that forum thread.
    Ok no worries. I was going to suggest incorporating the update into the plugin as well. It does appear to be used by quite a few people so it would make sense and it is a very useful module. It's totally up to you, you can do it or I can do it and upload it to Zen Cart as an update, which after all, you gave me the answers so really I'd have thought it should be you. Let me know what you want to do.
    Nick Smith - Venture Design and Print
    https://venturedesignandprint.co.uk

  7. #27
    Re: Manufacturers About

    Quote Originally Posted by Nick1973 View Post
    Ok no worries. I was going to suggest incorporating the update into the plugin as well. It does appear to be used by quite a few people so it would make sense and it is a very useful module. It's totally up to you, you can do it or I can do it and upload it to Zen Cart as an update, which after all, you gave me the answers so really I'd have thought it should be you. Let me know what you want to do.
    Actually, the proper order of things is to try to reach out to the original author/last updater and speak with them about it. Then to keep things on the up and up, to provide proper credit and possibly a link to where the issue is addressed. Of course if a response is not reached within a reasonable time, to go ahead and make the changes which include updating the documentation. In particular to reference the post to which I sent you unless the provided code gets some sort of bypass applied to it to not "break" the code if none of those files are present on the system.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  8. #28
    Re: Manufacturers About

    Interesting mc12345678

    Got a similar problem when using this module https://www.zen-cart.com/downloads.php?do=file&id=1957
    Nick Smith - Venture Design and Print
    https://venturedesignandprint.co.uk

  9. #29
    Re: Manufacturers About

    Quote Originally Posted by Nick1973 View Post
    Interesting mc12345678

    Got a similar problem when using this module https://www.zen-cart.com/downloads.php?do=file&id=1957
    Suggestion would be to go to that forum, and begin discussing what sanitization is necessary/appropriate because of the sanitization rules imposed by the changes discussed in the thread that had the three files. I do recall seeing some discussion of problems seen with that plugin as incorporated into templates, but I don't recall the solution that others imposed other than to use install sql patches to directly enter the content. (which of course bypasses the sanitization rules to a possible fault.)
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

 

 