  1. #1

    developers tool kit dysfunctionality

    Fresh install php 7.0.11 zc1.56

    I was searching for <div id="logo"> in admin developer tools and I got zero results. In my zc1.55 site, I got the expected results.

    maddening

  2. #2

    Re: developers tool kit dysfunctionality

    Ah, the Zen Cart admin sanitizer strikes again. If you enter <div id="logo"> as the search criteria, by the time the search reaches the developer's tool kit it's been changed to &lt;div id=&quot;logo&quot;&gt;... which is why no match is returned.

  3. #3

    Re: developers tool kit dysfunctionality

    Well, that's no good...

  4. #4

    Re: developers tool kit dysfunctionality

    Sure you didn't comment out the section in admin/includes/init_includes/init_sanitize.php that does strict sanitization of configuration_key in your ZC 1.5.5 install?

    Because of that sanitization the quotes and <> symbols are converted to their html entities.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  5. #5

    Re: developers tool kit dysfunctionality

    1.55 and 1.56 have vastly different sanitize files. Both are in original unedited condition.

  6. #6

    Re: developers tool kit dysfunctionality

    While not truly related to the Developers Tool Kit, the issue is related to it.

    I think the admin sanitizer has overdone it now with 1.5.6a.
    It's not only on the DTK,
    but also in things like attributes in the Options Value Manager...

    For example,
    I typed in...
    39" Bed Width
    What I see in the database is...
    39&quot; Bed Width
    Then this "&quot;" does show up when I try to export the database to CSV and do some data filters on it! Those HTML entities can make data filtering a bit more of a headache..

    It may be good, but I think this may mean users can put in fewer characters, as "&quot;" counts as 6 characters against the varchar(64) limit in the products_options_values SQL table instead of just one for a quotation mark!

    So, the admin sanitizer file is overdoing it in the 1.5.6a version...

  7. #7

    Re: developers tool kit dysfunctionality

    Quote Originally Posted by PanZC2020 (post #6 above, quoted in full)
    Personally, I understand both sides. The goal seemed to be to address the potential consequences of displaying the raw data from the database if it contained malicious code. By sanitizing the data going to the database, one could display the raw data without considering some level of sanitization, which generally works for the "masses". The alternative would be to sanitize everything coming out of the database, which means that far more code has to be modified to ensure that the data coming out is cleansed before display, with that cleansing occurring every time a page is displayed by anyone (heavier load on the server) instead of the one-time sanitization that was done on storage.

    For users of the database, well, then there are the issues that are being discussed. Obviously there are a few ways to address what is being seen. On sanitization, some select values for select fields could be left alone (what's the harm of repeated use of ", ', and & possibly?), the field(s) could be extended to have a longer length, all of the display points could be updated to do the cleansing with the sanitizer disabled/removed, or possibly the sanitizer could be removed and the site subjected to the issue(s) that led to its creation. Perhaps there are other "solutions". Point being that there was an approach taken to address an issue. It can be made better through healthy, considerate discussion and identification of issues and hopefully proposed solutions.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
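
An added example (not Zen Cart code and not from any poster) modelling the behaviour reported in posts #2, #4 and #6 and the trade-off discussed in post #7: an htmlspecialchars-style sanitizer applied on input, the resulting DTK search mismatch, the varchar(64) capacity loss, and the double-encoding that appears if output escaping is later layered on top of already-encoded data. `html.escape` stands in for the real sanitizer; all function names and sample values are assumptions.

```python
import html

# Constructed samples taken from the thread: the DTK search term and an option value.
SEARCH_TERM = '<div id="logo">'
OPTION_VALUE = '39" Bed Width'
VARCHAR_LIMIT = 64  # products_options_values column width mentioned in post #6


def sanitize_on_input(value: str) -> str:
    """Model of an htmlspecialchars-style admin sanitizer (assumption): <, >, &, "
    and ' become entities before the value reaches the search or the database."""
    return html.escape(value, quote=True)


def dtk_search_matches(search_term: str, template_source: str) -> bool:
    """Search after input sanitization: the entity-encoded term no longer matches
    the raw template text, which is the zero-result behaviour from post #1."""
    return sanitize_on_input(search_term) in template_source


def raw_search_matches(search_term: str, template_source: str) -> bool:
    """Same search without the sanitizer in the path (the 1.5.5 behaviour)."""
    return search_term in template_source


def effective_capacity(raw_value: str, limit: int = VARCHAR_LIMIT) -> dict:
    """Column characters the value consumes once encoded, and how many remain.
    One quotation mark costs 6 characters (&quot;) instead of 1."""
    stored = sanitize_on_input(raw_value)
    return {
        "raw_len": len(raw_value),
        "stored_len": len(stored),
        "fits": len(stored) <= limit,
        "remaining": limit - len(stored),
    }


def escape_on_output(stored_value: str) -> str:
    """The alternative from post #7: store raw, encode once at the display point.
    Applied to a value that was already encoded on input, it double-encodes
    (&quot; becomes &amp;quot;), so the two strategies must not be mixed."""
    return html.escape(stored_value, quote=True)


if __name__ == "__main__":
    print(sanitize_on_input(SEARCH_TERM))
    print(dtk_search_matches(SEARCH_TERM, '<div id="logo">...</div>'))
    print(effective_capacity(OPTION_VALUE))
    print(escape_on_output(sanitize_on_input(OPTION_VALUE)))
```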

  8. #8

    Re: developers tool kit dysfunctionality

    Maybe this will stop all of the modsecurity false positives on my classifieds sites.
