  1. #1
    Join Date
    Apr 2009
    Posts
    417
    Plugin Contributions
    2

    Admin Adding Sanitisation to existing page

    Zen cart 1.5.6c, PHP 7.3.6 , mysql 5.6.43

    I have read through the developer documentation and wanted to understand the below.

    I would like to know how I would add sanitisation for a field that I add to, say, product details. So I add a field called product location which I want to be SIMPLE_ALPHANUM_PLUS.
    Should I create a file in /admin/includes/extra_datafiles/, say called product_details.php, and include the code?
    PHP Code:
    <?php
    // Register a sanitisation rule with the admin request sanitizer.
    $sanitizer = AdminRequestSanitizer::getInstance();
    $group = array(
        'id' => array('sanitizerType' => 'SIMPLE_ALPHANUM_PLUS', 'method' => 'both', 'pages' => array('products_details'), 'params' => array()),
    );
    $sanitizer->addComplexSanitization($group);
    Is it really that simple?
    I assume that I would also have to include some validation in the updateproduct module etc. or is it ok to just assume that the sanitiser has done the job?

    I have also added fields into shipping and packing (gID=7). At the moment they contain HTML and are altered to &lt etc., so I update via the database. But I was wondering if this routine could be used in future versions of Zen Cart to do the sanitisation?
    Sorry if that is two things in one question. And I do know that there have been many questions on HTML fields being changed and that you are looking into a solution going forward. If you need me to split it, please let me know.
    Mark Brittain
    http:\\innerlightcrystals.co.uk\sales\

  2. #2
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: Admin Adding Sanitisation to existing page

    Unfortunately it's been a while since I've written sanitizer code, but what is provided above appears correct, at least in "spirit". Be sure to test it out by attempting to input something that is to be filtered out and validate that it does get filtered out, then do the same thing with content that is expected to remain "safe".

    As to validation, well, the sanitizer is to remove the content that is to be a problem. If you wanted to, say, be sure that the text fit a specific pattern (every other character is a dash), then yes, you would need some sort of additional validation. There may be other reasons as well, but to confirm that the sanitizer sanitized? It's like checking a true statement to validate that it is not false. It's not exactly necessary.

    As to filtering on specific configuration settings: there is code that has been added for ZC 1.5.7 that makes it more possible... it too is tied to the sanitizer class as well as entries in the database. Otherwise, it may be possible to use a condition like above to at least in part filter on a specific configuration value/field. It's open source and you can always make things work the way you want them to...
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  3. #3
    Join Date
    Apr 2009
    Posts
    417
    Plugin Contributions
    2

    Re: Admin Adding Sanitisation to existing page

    Thanks I'll give it a go!
    Mark Brittain
    http:\\innerlightcrystals.co.uk\sales\

  4. #4
    Join Date
    Apr 2009
    Posts
    417
    Plugin Contributions
    2

    Re: Admin Adding Sanitisation to existing page

    Finally tested this out. I used
    PHP Code:
    $sanitizer = AdminRequestSanitizer::getInstance();
    $group = array(
        'products_location' => array('sanitizerType' => 'ALPHANUM_DASH_UNDERSCORE', 'method' => 'post'),
    );
    $sanitizer->addComplexSanitization($group);
    where products_location is the field name. It does not produce an error but it does strip out invalid characters like <>
    Mark Brittain
    http:\\innerlightcrystals.co.uk\sales\

Zen-Cart, Internet Selling Services, Klamath Falls, OR