@wickedklown et al.
The problem you experienced with the tags being displayed improperly in status update comments is due to the comments not being properly scrubbed before inserting them into the DB. "Scrubbing" is the act of prepping the data for DB insert. The stock zen uses two functions -- zen_db_input() and zen_db_prepare_input() -- to complete this task. I combined the two and went a few steps further with the zen_db_scrub_in() function.
The important part for this problem is that we also do a conversion from <br> tags to newline returns (aka the br2nl() function). This process is then reversed when the status is outputted on the page (nl2br(), new lines become <br> tags again). Since the code isn't doing it on the way in, the output gets kinda screwy.
I know that it was there at some point, but it was probably edited/moved/removed and never re-added in the course of writing the file. My apologies. Here's how to fix it. Find this line near the top of super_batch_status.php...
Code:
$notify_comments = $_POST['notify_comments'];
Adjust the line to read as follows...
Code:
$notify_comments = zen_db_scrub_in($_POST['notify_comments'], true);
That will prevent the problem from occurring further. To correct already affected comments, go to the Orders Detail page for the affected order and click "edit status history" beneath the status history table. Edit the comments as necessary and click "Submit" (this file does perform the scrubbing correctly).
For those of you who do not use Admin > Customers > Batch Status Update, I still strongly recommend you perform the above fix, as not scrubbing the input leaves you vulnerable to SQL injections. Fortunately, since it's an admin file, the problem is only on the admin side, so access is extremely limited. Still, always better to be safe than sorry.
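
The round trip described in the post above, as an added example that is not part of the original post and not the module's code. The names br2nl_sketch and render_comment, the table layout, and the escape-then-nl2br() output step are assumptions, and a PDO bound parameter on in-memory SQLite stands in for the module's own escaping function.

```php
<?php
// Added illustration, not the Super Orders or Zen Cart source. All names here
// (br2nl_sketch, render_comment, the table layout) are hypothetical.

// Inbound: normalise <br>, <br/> and <br /> to newlines before storage.
function br2nl_sketch(string $text): string
{
    return preg_replace('/<br\s*\/?>/i', "\n", $text);
}

// Outbound (assumed): escape HTML, then turn newlines back into <br /> tags.
function render_comment(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// In-memory SQLite stands in for the shop database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE history (id INTEGER PRIMARY KEY, comments TEXT)');

// Constructed sample: a line-break tag plus a single quote, the character
// that breaks a query when input is concatenated into SQL unescaped.
$posted = "Shipped today.<br />Customer's tracking number to follow.";

// A bound parameter keeps the quote as data; this is a swapped-in technique,
// the post's fix relies on the module's own escaping function instead.
$insert = $pdo->prepare('INSERT INTO history (comments) VALUES (:c)');
$insert->execute([':c' => $posted]);               // tag stored verbatim
$insert->execute([':c' => br2nl_sketch($posted)]); // tag normalised first

foreach ($pdo->query('SELECT id, comments FROM history ORDER BY id') as $row) {
    // Row 1 renders a visible, escaped "<br />"; row 2 renders a real break.
    echo $row['id'], ': ', render_comment($row['comments']), "\n";
}
```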