Results 21 to 30 of 37
  1. #21
    Join Date
    Feb 2009
    Location
    UK
    Posts
    1,042
    Plugin Contributions
    0

    Default Re: Raw HTML in Order History Comments

    Quote Originally Posted by balihr View Post
    This is yet another plugin, so of course the modifications mentioned above wouldn't have any effect. What was described above would apply to index.php?main_page=account_history_info which is a stock Zen Cart page. Which plugin are you using that adds this page? I'm pretty sure the modifications mentioned above could be applied in either includes/modules/pages/order_status/header_php.php or includes/templates/YOUR_TEMPLATE/templates/tpl_order_status_default.php
    The order status page is part of the Guest Checkout of OPC, to resolve the issue on that page I had removed

    Code:
    zen_output_string_protected
    from
    Code:
    <td><?php echo (empty($statuses['comments']) ? '&nbsp;' : nl2br(zen_output_string_protected($statuses['comments']))); ?></td>
    I'll try using the modifications mentioned above, as you suggest.
    Simon

  2. #22
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,418
    Plugin Contributions
    16

    Default Re: Raw HTML in Order History Comments

    Quote Originally Posted by simon1066 View Post
    The order status page is part of the Guest Checkout of OPC
    Being a huge fan of OPC, now I feel ashamed for not knowing this...
    But, maybe just replacing it with zen_output_string should be enough. Not sure, best if @lat9 confirms it...
    Zen Cart Point of Sale? Sure: ZX POS - v2 released
    My site - Pro ZC Help | My portfolio | My plugins

  3. #23
    Join Date
    Feb 2009
    Location
    UK
    Posts
    1,042
    Plugin Contributions
    0

    Default Re: Raw HTML in Order History Comments

    Quote Originally Posted by balihr View Post
    Being a huge fan of OPC, now I feel ashamed for not knowing this...
    But, maybe just replacing it with zen_output_string should be enough. Not sure, best if @lat9 confirms it...
    Yes, I had forgotten about the change I made to that file otherwise I would have posted in the OPC thread. Not sure if changing to zen_output_string would be enough - it might leave customer comments open to HTML injection.
    Simon

  4. #24
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    8,630
    Plugin Contributions
    9

    Default Re: Raw HTML in Order History Comments

    I might not have been very clear in my original statement but I did mention that....
    Quote Originally Posted by dbltoe View Post
    When a customer (with account or having used guest checkout) logs in to see their account history, their status shows the raw HTML versus formatted code.

    Both areas are filling a TR with the ID myAccountStatusComments but I can't find where to force the formatting of the code.
    It is practically impossible to view an order from this site that was not made through guest checkout. They are getting over fifty orders a day with over forty of those as Guest.

    It took me most of the afternoon to find a registered user's order that had anything other than "Your order has been shipped."

    There's so many possibilities being presented that I'm hesitant to put something in that does not work. And, I'm not sure where simon1066 is proposing a change.

    I'll just stand by for testing if needed.

    THANX everyone for the assistance.

  5. #25
    Join Date
    Feb 2009
    Location
    UK
    Posts
    1,042
    Plugin Contributions
    0

    Default Re: Raw HTML in Order History Comments

    Quote Originally Posted by dbltoe View Post
    And, I'm not sure where simon1066 is proposing a change.
    Yes sorry, my change was in templates/tpl_order_status_default.php but there will be a better method I'm sure.
    Simon

  6. #26
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,418
    Plugin Contributions
    16

    Default Re: Raw HTML in Order History Comments

    So, looking at the OPC files, here's what I'd do:

    1. includes/modules/pages/order_status/header_php.php
    Change from
    Code:
    $statuses_query = 
                "SELECT os.orders_status_name, osh.date_added, osh.comments
                   FROM " . TABLE_ORDERS_STATUS . " os 
                        INNER JOIN " . TABLE_ORDERS_STATUS_HISTORY . " osh
                            ON osh.orders_status_id = os.orders_status_id
                           AND osh.orders_id = :ordersID
                           AND osh.customer_notified >= 0
                  WHERE os.language_id = :languagesID
               ORDER BY osh.date_added";
    to
    Code:
    $statuses_query = 
                "SELECT os.orders_status_name, osh.date_added, osh.comments, osh.updated_by
                   FROM " . TABLE_ORDERS_STATUS . " os 
                        INNER JOIN " . TABLE_ORDERS_STATUS_HISTORY . " osh
                            ON osh.orders_status_id = os.orders_status_id
                           AND osh.orders_id = :ordersID
                           AND osh.customer_notified >= 0
                  WHERE os.language_id = :languagesID
               ORDER BY osh.date_added";
    Then, copy includes/templates/template_default/templates/tpl_order_status_default.php to includes/templates/YOUR_TEMPLATE/templates/tpl_order_status_default.php and make the following change on line 124:
    Change from:
    Code:
    <td><?php echo (empty($statuses['comments']) ? '&nbsp;' : nl2br(zen_output_string_protected($statuses['comments']))); ?></td>
    to
    Code:
    <td><?php echo (empty($statuses['comments']) ? '&nbsp;' : (zen_not_null($statuses['updated_by']) ? nl2br(zen_output_string($statuses['comments'])) : nl2br(zen_output_string_protected($statuses['comments'])))); ?></td>
    It's based on what I mentioned in post #8 - updated_by is never empty if updated by admin, and it's always empty for customer so there's no risk of HTML injection.
    Zen Cart Point of Sale? Sure: ZX POS - v2 released
    My site - Pro ZC Help | My portfolio | My plugins
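
The per-row escaping decision proposed in post #26, as a stand-alone added example (not part of the original post and not OPC or Zen Cart code). `render_status_comment()` is a hypothetical name, `htmlspecialchars()` stands in for `zen_output_string_protected()`, and the sample rows are constructed.

```php
<?php
// Added example: sketch of the trust decision described in post #26.
// render_status_comment() is a hypothetical helper, not an OPC or Zen Cart function.

function render_status_comment(array $row): string
{
    $comment = (string)($row['comments'] ?? '');
    if ($comment === '') {
        return '&nbsp;';
    }

    // Rule from the thread: a non-empty updated_by marks a row written by an admin.
    $admin_written = trim((string)($row['updated_by'] ?? '')) !== '';

    if ($admin_written) {
        // Admin-authored markup is emitted as written so it renders as HTML.
        return nl2br($comment);
    }

    // Customer-authored text is escaped before output
    // (stand-in for zen_output_string_protected()).
    return nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed sample rows shaped like the $statuses array the template reads.
$rows = [
    // Admin comment with a link: rendered as HTML.
    ['comments' => 'Shipped via <a href="https://example.com/track">carrier</a>', 'updated_by' => 'admin_user'],
    // Customer comment containing markup: rendered as literal text.
    ['comments' => "Please leave at door\n<script>alert(1)</script>", 'updated_by' => ''],
    // NULL updated_by is treated the same as empty: escaped.
    ['comments' => '<b>gift wrap</b>', 'updated_by' => null],
    // Empty comment: placeholder cell.
    ['comments' => '', 'updated_by' => ''],
];

foreach ($rows as $row) {
    echo '<td>', render_status_comment($row), "</td>\n";
}
```

The output is only as safe as the rule the post relies on: any code path that stores customer-supplied text with a non-empty `updated_by` would be rendered unescaped.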

  7. #27
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    8,836
    Plugin Contributions
    118

    Default Re: Raw HTML in Order History Comments

    Quote Originally Posted by dbltoe View Post
    It is practically impossible to view an order from this site that was not made through guest checkout. They are getting over fifty orders a day with over forty of those as Guest.
    @lat9 - I wonder if OPC would benefit from adding a column to the admin/orders page listing that shows STANDARD/GUEST for the order?

    @dbltoe - In the absence of a UI hint, you could just do this using SQL:

    SELECT orders_id FROM orders WHERE is_guest_order = 1 ORDER BY orders_id DESC LIMIT 3;
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

  8. #28
    Join Date
    Feb 2009
    Location
    UK
    Posts
    1,042
    Plugin Contributions
    0

    Default Re: Raw HTML in Order History Comments

    Quote Originally Posted by swguy View Post
    @lat9 - I wonder if OPC would benefit from adding a column to the admin/orders page listing that shows STANDARD/GUEST for the order?
    There already is an icon next to the order id that indicates whether the order was placed via guest-checkout.
    Simon

  9. #29
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    11,311
    Plugin Contributions
    80

    Default Re: Raw HTML in Order History Comments

    I've opened this (https://github.com/lat9/one_page_checkout/issues/338) OPC tracking issue for the orders_status page.

  10. #30
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    8,836
    Plugin Contributions
    118

    Default Re: Raw HTML in Order History Comments

    > There already is an icon next to the order id that indicates whether the order was placed via guest-checkout.

    Ah, sure enough!
    @dbltoe does your orders page not show this? It's a little black figure that looks like the spy-vs-spy character from Mad Magazine. :)
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

 

 