Problem: HTML being displayed as text

[Feznizzle]

Hi,

I have a zc155e using a clone of the Responsive Classic template.

I recently added an updated version of the Manufacturers Description & Metadata Merge plugin to my site.

The plugin...
1. Creates a page to list off all manufacturers:
https://002mc.justmedical.biz/index....ufacturers_all
2. Allows you to add meta tags and a description to individual manufacturer list pages:
https://002mc.justmedical.biz/index....acturers_id=10

If you click on the second link, you will see my problem. The HTML I entered as a "description" for the page is being treated literally. It would appear that a "htmlspecialchars" or "zen_output_string_protected" is being applied somewhere, but I can't find it anywhere!

I'm relatively certain that is *not* being caused by the mod itself for two reasons:
#1. I have this exact mod working perfectly on a zc154. My version of the mod is cleanly marked, making all merges super easy.
#2. Before using this mod, I tried this one instead. Instead of adding individual manufacturer descriptions to the existing page (which is what I wanted), it created a new page for the manufacturer. The new page created had the same problem (HTML being displayed as text).

I checked the /admin/manufacturers.php for "htmlspecialchars" and "zen_output_string_protected" references. The only thing I found was:

Code:

 $manufacturer_desc_string .= zen_draw_textarea_field('manufacturers_description[' . $languages[$i]['id'] . ']', 'soft', '100%', '20', zen_output_string_protected($data['mfg_description']),  'class="editorHook"');

I deleted that line, then refreshed the page where HTML was displayed as text... no change.

I'm totally stumped here. I can't figure out what's causing the HTML to be treated as text.

Can somebody point me in the right direction?

Thanks!

[mc12345678]

Hi,

I have a zc155e using a clone of the Responsive Classic template.

I recently added an updated version of the Manufacturers Description & Metadata Merge plugin to my site.

The plugin...
1. Creates a page to list off all manufacturers:
https://002mc.justmedical.biz/index....ufacturers_all
2. Allows you to add meta tags and a description to individual manufacturer list pages:
https://002mc.justmedical.biz/index....acturers_id=10

If you click on the second link, you will see my problem. The HTML I entered as a "description" for the page is being treated literally. It would appear that a "htmlspecialchars" or "zen_output_string_protected" is being applied somewhere, but I can't find it anywhere!

I'm relatively certain that is *not* being caused by the mod itself for two reasons:
#1. I have this exact mod working perfectly on a zc154. My version of the mod is cleanly marked, making all merges super easy.
#2. Before using this mod, I tried this one instead. Instead of adding individual manufacturer descriptions to the existing page (which is what I wanted), it created a new page for the manufacturer. The new page created had the same problem (HTML being displayed as text).

I checked the /admin/manufacturers.php for "htmlspecialchars" and "zen_output_string_protected" references. The only thing I found was:

Code:

 $manufacturer_desc_string .= zen_draw_textarea_field('manufacturers_description[' . $languages[$i]['id'] . ']', 'soft', '100%', '20', zen_output_string_protected($data['mfg_description']),  'class="editorHook"');

I deleted that line, then refreshed the page where HTML was displayed as text... no change.

I'm totally stumped here. I can't figure out what's causing the HTML to be treated as text.

Can somebody point me in the right direction?

Thanks!

Two things. One your ZC 1.5.4 site is not up-to-date as it does not include the sanitization function(s) that were posted to be included with ZC 1.5.x.

The other is that the sanitization rule(s) have not been incorporated/included with the installation. I don't recall which manufacturer plugin, but I thought that there had been a sanitization file "posted" to the forum that another user found functionally successful.

[mc12345678]

I believe this thread has the solution sought: https://www.zen-cart.com/showthread....s-already-sent

Yes the title doesn't quite match the final solution.

[Feznizzle]

Thanks, MC.

For anyone else who stumbles in, here is the solution.
1. Create a new file: /admin/includes/extra_datafiles/manufacturers_description_sanitizer_rules.php
2. Add this as the file's content:

Code:

<?php
// NOTE: Requires ZC v1.5.5
// All the 'manufacturers_description' field to contain HTML as it is processed during input sanitization
$sanitizer = AdminRequestSanitizer::getInstance();
$group = array(
    'manufacturers_description' => array(
        'sanitizerType' => 'PRODUCT_DESC_REGEX', 
        'method' => 'post', 
        'pages' => array('manufacturers'),
    ),
);
$sanitizer->addComplexSanitization($group);

3. Go to admin, re-edit the page, and save.

And Bob's your uncle!!!

[mc12345678]

Thanks, MC.

For anyone else who stumbles in, here is the solution.
1. Create a new file: /admin/includes/extra_datafiles/manufacturers_about_sanitizer_rules.php
2. Add this as the file's content:

Code:

<?php
// All the 'manufacturers_description' field to contain HTML as it is processed during input sanitization
$sanitizer = AdminRequestSanitizer::getInstance();
$group = array(
    'manufacturers_description' => array(
        'sanitizerType' => 'PRODUCT_DESC_REGEX', 
        'method' => 'post', 
        'pages' => array('manufacturers'),
    ),
);
$sanitizer->addComplexSanitization($group);

3. Go to admin, re-edit the page, and save.

And Bob's your uncle!!!

Note that as written, this should only be applied when the sanitizer class is loaded to the store (which it is advised to be installed to all ZC 1.5.x versions), otherwise "blindly" applying this code will result in an error attempting to access the admin. Ie. If this was placed on the ZC 1.5.4 system as it was when testing the difference(s) the admin would not have loaded. A method to apply this code and not disrupt operation was provided in the referenced code along with a gentle notification that the code/system should be updated allowing backwards compatibility and notification of the change that should be applied.

[Feznizzle]

Indeed, sir!

The solution I provided above was specifically to get this mod working (cause html not to be treated as text) on a zc155e.

FYI, the latest ZC distributed version of the Manufacturers Description & Metadata Merge plugin is for zc153.

Two years ago, the mod was updated for my zc154 with some forward looking compatibility (to make it easier to upgrade for zc155). That included a class.base.php file, an auto loader config file, and an observer file. The updated mod is still functioning perfectly and being used on the zc154 it was designed for.

That site does not need/use the code provided in my solution above (manufacturers_about_sanitizer_rules.php) in order to display html as html. I added that specifically to get it to work on my current zc155e.

Does this additional information explain the issue better?

More importantly, are you suggesting that the solution I provided will become problematic on a zc155e?

[DrByte]

The sanitizer code above is for v1.5.5 only.

Ref: http://docs.zen-cart.com/Developer_D...n_sanitization

No other "special advice" required.