So, looking at the OPC files, here's what I'd do:
1. includes/modules/pages/order_status/header_php.php
Change from
Code:
$statuses_query =
"SELECT os.orders_status_name, osh.date_added, osh.comments
FROM " . TABLE_ORDERS_STATUS . " os
INNER JOIN " . TABLE_ORDERS_STATUS_HISTORY . " osh
ON osh.orders_status_id = os.orders_status_id
AND osh.orders_id = :ordersID
AND osh.customer_notified >= 0
WHERE os.language_id = :languagesID
ORDER BY osh.date_added";
to
Code:
$statuses_query =
"SELECT os.orders_status_name, osh.date_added, osh.comments, osh.updated_by
FROM " . TABLE_ORDERS_STATUS . " os
INNER JOIN " . TABLE_ORDERS_STATUS_HISTORY . " osh
ON osh.orders_status_id = os.orders_status_id
AND osh.orders_id = :ordersID
AND osh.customer_notified >= 0
WHERE os.language_id = :languagesID
ORDER BY osh.date_added";
Then, copy includes/templates/template_default/templates/tpl_order_status_default.php to includes/templates/YOUR_TEMPLATE/templates/tpl_order_status_default.php and make the following change on line 124:
Change from:
Code:
<td><?php echo (empty($statuses['comments']) ? ' ' : nl2br(zen_output_string_protected($statuses['comments']))); ?></td>
to
Code:
<td><?php echo (empty($statuses['comments']) ? ' ' : (zen_not_null($statuses['updated_by']) ? nl2br(zen_output_string($statuses['comments'])) : nl2br(zen_output_string_protected($statuses['comments'])))); ?></td>
It's based on what I mentioned in post #8: updated_by is never empty if updated by admin, and it's always empty for a customer, so there's no risk of HTML injection.
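The template change above turns the value of updated_by into the switch between escaped and unescaped output. The following is an added stand-alone example (not Zen Cart code and not code from the post) that isolates that decision so it can be exercised against sample rows. zc_escape() and zc_raw() are assumed stand-ins for zen_output_string_protected() and zen_output_string(); the sample rows are constructed, shaped like the columns the modified query returns.

```php
<?php
// Added example, not Zen Cart's own code. zc_escape() and zc_raw() are
// assumed stand-ins for zen_output_string_protected() and zen_output_string();
// the real functions live in Zen Cart's includes/functions and are not reproduced here.

function zc_escape(string $s): string {
    // Stand-in for zen_output_string_protected(): HTML-escape everything,
    // so any markup a customer typed is shown literally, never executed.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function zc_raw(string $s): string {
    // Stand-in for zen_output_string(): markup passes through unescaped.
    return $s;
}

// Mirrors the ternary in the modified tpl_order_status_default.php: a row
// with a non-empty updated_by is treated as admin-authored and rendered as
// HTML; every other row is escaped. The scheme is only as safe as the
// invariant the post relies on: customer-written rows always have an empty
// updated_by, so a customer can never reach the unescaped branch.
function render_status_comment(?string $comments, ?string $updated_by): string {
    if ($comments === null || $comments === '') {
        return ' ';
    }
    $admin = ($updated_by !== null && trim($updated_by) !== '');
    return $admin ? nl2br(zc_raw($comments)) : nl2br(zc_escape($comments));
}

// Constructed sample rows (not real order data), one per branch of the ternary.
$rows = [
    ['orders_status_name' => 'Processing', 'updated_by' => 'admin',
     'comments' => "Shipped via <b>UPS</b>.\nTracking number sent by e-mail."],
    ['orders_status_name' => 'Pending',    'updated_by' => '',
     'comments' => "<script>alert(1)</script> please ship as soon as possible"],
    ['orders_status_name' => 'Pending',    'updated_by' => null,
     'comments' => ''],
];

foreach ($rows as $r) {
    echo $r['orders_status_name'] . ': '
        . render_status_comment($r['comments'], $r['updated_by']) . "\n";
}
```

Running this shows the admin row keeping its bold tag while the customer row's script tag comes out as literal text. The check worth keeping in mind is the third column: the rendering code never looks at who wrote the comment, only at whether updated_by is empty, so anything that writes an orders_status_history row on the customer's behalf with a non-empty updated_by would move that comment into the unescaped branch.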