  1. #1
    Join Date
    Mar 2015
    Posts
    165
    Plugin Contributions
    0

    HTML no longer allowed in CATEGORY DESCRIPTION in ADMIN SIDE

    I upgraded to 1.57c. I used to be able to add html and text, now when I do, it updates blank.

  2. #2
    Join Date
    Jan 2007
    Location
    Illinois, USA
    Posts
    312
    Plugin Contributions
    0

    Re: HTML no longer allowed in CATEGORY DESCRIPTION in ADMIN SIDE

    1.5.7 has a built-in CKEditor. Go to Tools>Define Pages editor and from the Text Editor in the upper right corner, change from Text to CKEditor. This should activate the html editor for your categories.
    NTO: building a better network thru collaboration
    www.needtoorder.com | www.coffeewitheinstein.com

  3. #3
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: HTML no longer allowed in CATEGORY DESCRIPTION in ADMIN SIDE

    When you say it "updates blank" can you describe what you mean?

    Are you saying that if you newly create a category, you add html to it (while in source mode with ckeditor or when using plain text) save it and then come back to view it that what was entered is completely gone?

    Or are you saying that if you open a category's description that had previously been entered that there is nothing there when viewing?

    Regardless, it would really help to understand how the system came to have the problem it is having. Answering the posting tips issues (each time an issue is initiated) would offer some perspective of why the issue might be occurring. 1.5.7 has been out for a long time and this "basic" issue hasn't been repetitively called out, so not expecting it to be a design issue.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  4. #4
    Join Date
    Mar 2015
    Posts
    165
    Plugin Contributions
    0

    Re: HTML no longer allowed in CATEGORY DESCRIPTION in ADMIN SIDE

    So I read this which led me to searching more for an answer at 3 am.

    Let me correct myself. If I enter html code and/or text and save, it comes out everything as text, all the <br><img> whatever, shows up as text. If I go to a previously saved category description before the upgrade and make changes, it will come out as complete text. So as long as I don't make any changes, we are good, but if I do, it screws it all up.

    I noticed this does it in some old plugins that have not been updated where it also has these same fields allowing HTML and text and I assumed it was because it was not updated for the latest version of ZC. But I don't think ZC took this functionality out of this on the admin side for the stock out of the box ZC?

    So I did some researching

    https://docs.zen-cart.com/dev/code/admin_sanitization/

    I did this

    Create a new disable_strict_sanitize.php file in your /admin/includes/extra_configures/

    Now my old plugins work and the admin side category description now saves correctly.

    My question is then, I can understand it not working for some old plugins, but in the newest version of ZC, was this functionality taken out because of security reasons?
    Also after I make my changes, I FTP to the sanitize file and change the ext to .bak. But is it okay to leave it as .php or is this a security risk?

  5. #5
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: HTML no longer allowed in CATEGORY DESCRIPTION in ADMIN SIDE

    So, it wasn't taken out of the new version, though there may be an issue with the install... if there is this issue with category description then I would expect the same problem with the product description and several others especially because it works if the sanitization is basically set to off... that at least indicates that it (admin sanitization) is at play even if I thought perhaps it wasn't even installed... it seems like instead that possibly admin/includes/init_includes/init_sanitize.php may have been modified, is otherwise problematic or perhaps is overridden by admin/includes/init_includes/overrides/init_sanitize.php.

    As to the file name changes and such. Will say this about nth degree of security. Any code that remains accessible on the server runs the risk of becoming informative and assistive to someone wanting to be malicious. It is popular to change the file extension to .bak or perhaps .old or any number of other popular extensions. If the code is not to be accessible it should just be removed from the server. It's one thing to rename for a few minutes of testing, but understand a few minutes of testing now, then called away for something and perhaps it remains in place for a really long time.

    It's not super difficult to correct such sanitization for "older" plugins. Recognize what fields are used/populated to support the plugin, then what type of data they should support and apply a filter to manage that software. Yes, in development it could be good to disable the sanitization but there is/was a real risk identified that needed to be addressed. Perhaps could have been done differently sure as some of the core team have said, but it is a functional system that does what was desired of the time.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
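
The point in post #5 about renamed files staying on the server can be checked mechanically. The script below is an added example, not part of the thread or of Zen Cart: the function name `audit_zc_leftovers`, the extension list and the default admin directory name `admin` are assumptions; the override path is the one quoted in post #4.

```shell
#!/bin/sh
# Added example: audit a Zen Cart tree for renamed PHP copies and for a
# strict-sanitization override that is still live.
# Usage: sh audit.sh /path/to/store [admin-dir-name]
# Output: one finding per line, "<kind><TAB><path>".

audit_zc_leftovers() {
    root=$1
    admin=${2:-admin}   # assumption: pass the real name if the admin dir is renamed

    # 1. Renamed copies (.bak, .old, ...). They are no longer executed as
    #    PHP, so if the web server serves them, the source is readable.
    #    Only files that really contain PHP source are reported.
    #    (Paths containing newlines are not handled.)
    find "$root" -type f \( -name '*.bak' -o -name '*.old' \
            -o -name '*.orig' -o -name '*.save' -o -name '*~' \) \
            -exec grep -l '<?php' {} + 2>/dev/null |
        sort |
        while IFS= read -r f; do
            printf 'renamed-php\t%s\n' "$f"
        done

    # 2. The override file from the thread, still present with a .php
    #    extension, which means strict admin sanitization is still disabled.
    override="$root/$admin/includes/extra_configures/disable_strict_sanitize.php"
    if [ -f "$override" ]; then
        printf 'sanitize-override-active\t%s\n' "$override"
    fi
    return 0
}

# Run the audit when a store path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_zc_leftovers "$@"
fi
```

An empty result means neither condition was found; any `renamed-php` line is a file to delete from the server rather than rename.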

  6. #6
    Join Date
    Mar 2015
    Posts
    165
    Plugin Contributions
    0

    Re: HTML no longer allowed in CATEGORY DESCRIPTION in ADMIN SIDE

    Fark, I guess I was wrong. Even in CKEditor, it will not take; the category description remains blank.

 

 

Zen-Cart, Internet Selling Services, Klamath Falls, OR