Results 1 to 6 of 6
  1. #1
    Join Date
    Nov 2005
    Posts
    503
    Plugin Contributions
    6

    Default New admin configuration value is having <br> replaced with &lt;br;gt;

    Zen Cart version 1.5.7c

    I added a new menu item in admin configuration, but whenever I save the content, any html code such as a <br> or <p> is being changed to html entities.

    Assuming this was related to admin sanitise, I added the relevant configuration key to admin/includes/init_includes/init_sanitize.php after line 265.

    The problem didn't go away.

    What else can I do to prevent this from happening?

  2. #2
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,991
    Plugin Contributions
    109

    Default Re: New admin configuration value is having <br> replaced with &lt;br;gt;

    Are you certain you spelled the key correctly? You can double check the value of configuration_key for your new configuration variable by going to

    admin/index.php?cmd=configuration&gID=6

    and setting "Admin configuration_key shows" to 1, and then going to the config group that holds your new value.
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.

  3. #3
    Join Date
    Jul 2012
    Posts
    16,043
    Plugin Contributions
    17

    Default Re: New admin configuration value is having <br> replaced with &lt;br;gt;

    Don't forget to include a val_function characteristic for your field that is being added to the configuration menu. It *may* be possible to add a specific designation to only filter the one entry and not all configuration entries, but it is more than just the configuration_key designation.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  4. #4
    Join Date
    Nov 2005
    Posts
    503
    Plugin Contributions
    6

    Default Re: New admin configuration value is having <br> replaced with &lt;br;gt;

    Quote Originally Posted by swguy View Post
    Are you certain you spelled the key correctly? You can double check the value of configuration_key for your new configuration variable by going to

    admin/index.php?cmd=configuration&gID=6

    and setting "Admin configuration_key shows" to 1, and then going to the config group that holds your new value.
    Confirmed this is correct.

    Sanitize debug shows
    Code:
    Aug-07-2021 10:07:28
    =================================
    
    Incoming GET Request Array
    (
        [cmd] => configuration
        [gID] => 33
        [cID] => 911
        [action] => save
        [store_config_table] => 0
    )
    
    
    Incoming POST Request Array
    (
        [securityToken] => 87264a1d7fbc7ec4f7343c1ecd8ee9ba
        [configuration_key] => RCS_CRON_EMAIL_TEXT_BODY_FOOTER
        [configuration_value] => We are always interested in knowing what happened and if there was a reason that you decided not to purchase on this occasion. If you would be so kind as to let us know if you had any issues or concerns, we would appreciate it. We are asking for feedback from you and others so we can improve your experience at our online store.<br /><br />PLEASE NOTE: If you believe you completed the transaction and are wondering why it was not delivered, this email is an indication that your order was NOT completed, and that you have NOT been charged! Please return to the store in order to complete your order.<br /><br />Please accept our apologies if you already completed your purchase - we try not to send these messages in those cases, but sometimes it is hard for us to tell depending on individual circumstances.<br /><br />Again, thank you for your time and consideration in helping us improve our website.<br /><br /><b>If you are still in the process of adding items to your shopping cart, please disregard this reminder and we look forward to receiving your completed order.</b>
        [submitRCS_CRON_EMAIL_TEXT_BODY_FOOTER] => 
    )
    
    
    Running Admin Sanitizers
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == action
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == cID
    
    PROCESSING SIMPLE_ALPHANUM_PLUS(GET) == gID
    
    PROCESSING STRICT_SANITIZE_VALUES == securityToken
    
    PROCESSING STRICT_SANITIZE_VALUES == configuration_key
    
    PROCESSING STRICT_SANITIZE_VALUES == configuration_value
    
    PROCESSING STRICT_SANITIZE_VALUES == submitRCS_CRON_EMAIL_TEXT_BODY_FOOTER
    
    PROCESSING STRICT_SANITIZE_VALUES == cmd
    
    PROCESSING STRICT_SANITIZE_VALUES == store_config_table
    
    PROCESSING WORDS_AND_SYMBOLS_REGEX (POST) == configuration_value
    
    Outgoing GET Request Array
    (
        [cmd] => configuration
        [gID] => 33
        [cID] => 911
        [action] => save
        [store_config_table] => 0
    )
    
    
    Outgoing POST Request Array
    (
        [securityToken] => 87264a1d7fbc7ec4f7343c1ecd8ee9ba
        [configuration_key] => RCS_CRON_EMAIL_TEXT_BODY_FOOTER
        [configuration_value] => We are always interested in knowing what happened and if there was a reason that you decided not to purchase on this occasion. If you would be so kind as to let us know if you had any issues or concerns, we would appreciate it. We are asking for feedback from you and others so we can improve your experience at our online store.&lt;br /&gt;&lt;br /&gt;PLEASE NOTE: If you believe you completed the transaction and are wondering why it was not delivered, this email is an indication that your order was NOT completed, and that you have NOT been charged! Please return to the store in order to complete your order.&lt;br /&gt;&lt;br /&gt;Please accept our apologies if you already completed your purchase - we try not to send these messages in those cases, but sometimes it is hard for us to tell depending on individual circumstances.&lt;br /&gt;&lt;br /&gt;Again, thank you for your time and consideration in helping us improve our website.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;If you are still in the process of adding items to your shopping cart, please disregard this reminder and we look forward to receiving your completed order.&lt;/b&gt;
        [submitRCS_CRON_EMAIL_TEXT_BODY_FOOTER] => 
    )
    Last edited by strelitzia; 7 Aug 2021 at 09:13 PM.

  5. #5
    Join Date
    Nov 2005
    Posts
    503
    Plugin Contributions
    6

    Default Re: New admin configuration value is having <br> replaced with &lt;br;gt;

    Quote Originally Posted by mc12345678 View Post
    Don't forget to include a val_function characteristic for your field that is being added to the configuration menu. It *may* be possible to add a specific designation to only filter the one entry and not all configuration entries, but it is more than just the configuration_key designation.
    I see the relevant section of init_sanitize.php handles !empty val_function results with NULL_ACTION, and the others with WORDS_AND_SYMBOLS_REGEX.

    Isn't the latter (which is the one used in my circumstances) the one required to handle my data input? If not, how does it differ from NULL_ACTION?

  6. #6
    Join Date
    Jul 2012
    Posts
    16,043
    Plugin Contributions
    17

    Default Re: New admin configuration value is having <br> replaced with &lt;br;gt;

    Quote Originally Posted by strelitzia View Post
    I see the relevant section of init_sanitize.php handles !empty val_function results with NULL_ACTION, and the others with WORDS_AND_SYMBOLS_REGEX.

    Isn't the latter (which is the one used in my circumstances) the one required to handle my data input? If not, how does it differ from NULL_ACTION?
    So, in the further development of sanitization, this issue ("over sanitization") was identified as applied to configuration settings in the admin that by base design should not have had specific over sanitization. Further as part of that process, it was determined that in "development" of new configuration options, that it may be possible to apply specific sanitization to the new/alternate configuration option or even to possibly override the pre-determined sanitization.

    So, a list of "known" configurations was made that would be simply handled with WORDS_AND_SYMBOLS_REGEX. That list is provided in admin/includes/init_includes/init_sanitize.php

    But, if a configuration option has a specific sanitization "process" to be applied, then at the point of processing this file, no action (NULL_ACTION) is taken, with the expectation that the *real* sanitization will occur at a different point. That alternate point actually occurs in admin/configuration.php when a value is being saved. The presence of a val_function is checked and if it exists, then admin/includes/functions/configuration_checks.php is used to determine if the configuration data is valid. If it is not valid, then the value is not stored and the configuration screen is shown again. If it is valid, then processing continues.

    So, yes, while the file mentioned in the response post will take no action if val_function is used, the configuration file will attempt to process the configuration option based on the function file I just mentioned.

    How you go forwards from here really is up to you. The recommendation would be to modify the database setting of val_function for your configuration option unless you anticipate and want to update the admin/includes/init_includes/init_sanitize.php every time you upgrade.

    One of the benefits of applying a val_function is that it is possible to also provide a message to the admin about any issue associated with the filtering/sanitization of the data. Another though is that the feature will remain a part of the store during each upgrade as the information will remain in the database that is expected to be used/reused in the upgraded store.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

 

 

Similar Threads

  1. Replies: 6
    Last Post: 2 Dec 2013, 08:26 PM
  2. Replies: 20
    Last Post: 18 Aug 2013, 06:24 PM
  3. missing configuration in admin with new install
    By pageblair in forum Upgrading from 1.3.x to 1.3.9
    Replies: 1
    Last Post: 2 Jun 2010, 04:19 PM
  4. I' a novice & having issues with IE7
    By CG26301 in forum Templates, Stylesheets, Page Layout
    Replies: 4
    Last Post: 7 Oct 2008, 06:35 PM
  5. CSS button CONSTANT not replaced by value
    By jfriesen in forum Discounts/Coupons, Gift Certificates, Newsletters, Ads
    Replies: 0
    Last Post: 10 Jan 2007, 06:43 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR