Return Authorization Module (RMA)

**rbarbour** · 8 May 2013, 07:02 PM

Originally Posted by dw08gm

Clyde added a whole lot of things more to satisfy requests from individuals rather than as great leaps forwards. The error messaging and required options thingies should also be considered personal choice things, as neither really improved existing functionality. As I am not into change for change sake, and prefer simplicity over bells and whistles, I begrudgingly had to spend a few days restoring the latest offerings of this mod to what I had and liked with RMA 2.3.2/2.3.3.

After looking at a dozen or so RMA Request forms, IMHO, I would say Clyde nailed it with his choices as to which fields needed to be required and which should be optional.

Originally Posted by dw08gm

One thing I would like to know, however, is whether the following highlighted code is entirely necessary, as I cannot recall exactly where it came from, except that it was around 139h days.

Code:

<label class="inputLabel" for="contactname"><?php echo ENTRY_NAME . '<span class="reqd">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
<?php echo zen_draw_input_field('contactname', zen_output_string_protected($name), ' size="46" id="contactname" onchange="capitalize(this,1);"'); ?>

I don't recall ever seeing that code in any version.

**DivaVocals** · 8 May 2013, 07:22 PM

Originally Posted by dw08gm

Clyde added a whole lot of things more to satisfy requests from individuals rather than as great leaps forwards. The error messaging and required options thingies should also be considered personal choice things, as neither really improved existing functionality.

Respectfully I do disagree with you..

Clyde had had solid knowledge of what makes for good usability. It is reflected in his choice to make the validation errors appear at the field level instead of the message stack.

In form validation it IMPROVES usability if you INFORM users of WHICH fields they missed in filling out a form.. Your proposed changes will REMOVE that functionality leaving them to GUESS which field they missed.. There are 10 required fields on an RMA form.. Adding multiple error messages to the message stack is not a good option from a usability POV. Highlighting the MISSED fields with a clear on-screen message is following good usability practices. I believe this is what Clyde was attempting to achieve. Your suggested code not only removes the usability aspect, but it leaves the customer guessing which field is the offending field. Do not assume that it's OBVIOUS. It's only somewhat obvious which fields are required.. what's not obvious is which field failed the validation.. and without a specific error message guiding the end user, this will lead to a frustrating user experience..

Clearly you do not agree, and that's fine..

Originally Posted by dw08gm

As I am not into change for change sake, and prefer simplicity over bells and whistles, I begrudgingly had to spend a few days restoring the latest offerings of this mod to what I had and liked with RMA 2.3.2/2.3.3.

It's your choice of course..

Originally Posted by dw08gm

Yes, Capitalize_Signup_Fields is entirely optional. It was only included in my post because it was already in my code. I tend to fill out and send forms all in lowercase, and find auto-capitalisation helpful in scanning for input errors.

Right.. again it's a seperate mod and if someone really wants the feature, they should install the mod..

Originally Posted by dw08gm

One thing I would like to know, however, is whether the following highlighted code is entirely necessary, as I cannot recall exactly where it came from, except that it was around 139h days.

Code:

<label class="inputLabel" for="contactname"><?php echo ENTRY_NAME . '<span class="reqd">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
<?php echo zen_draw_input_field('contactname', zen_output_string_protected($name), ' size="46" id="contactname" onchange="capitalize(this,1);"'); ?>

Cheers

At work.. can't see this.. don't recall this code specifically..

**DivaVocals** · 9 May 2013, 12:28 AM

Originally Posted by dw08gm

One thing I would like to know, however, is whether the following highlighted code is entirely necessary, as I cannot recall exactly where it came from, except that it was around 139h days.

Code:

<label class="inputLabel" for="contactname"><?php echo ENTRY_NAME . '<span class="reqd">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
<?php echo zen_draw_input_field('contactname', zen_output_string_protected($name), ' size="46" id="contactname" onchange="capitalize(this,1);"'); ?>

Cheers

I've looked at both v2.3.3 and v2.3.3a and v2.3.2. This code doesn't exist in any of these versions.. Given that you cherrypicked out the changes you wanted and customized RMA, it's seems likely that this is possibly code you introduced into your files..

**dw08gm** · 10 May 2013, 07:34 AM

Re: zen_output_string_protected

The function has to do with averting "sql-injection" and "XSS vulnerability" in Zen Cart.

The function is still widely used in 151 on both admin and catalog sides, including a small number of header_php.php and tpl_whatever_default.php files on catalog side, including tpl_account_history_info_default.php.

However I remain unsure whether it should be applied to the RMA files, or any form-producing files for that matter, but suspect it should where inputs are extracted from or written to the database by the form files, or where other interacting files or mod, such as tpl_account_history or Email_Archive_Manager, are involved. However, its presence does not seem to affect the processing of the forms.

I found this thread dating from 25 October 2008, although it is unclear to me whether the parts highlighted are relevant to RMA.
http://www.zen-cart.com/showthread.p...ring_protected
Post 3 Dr Byte

If the customer has entered text information for an attribute field such as a filename or a text-input field, if that information is to be displayed again for verification/edit, you certainly want that information sanitized before it's displayed.

Would the redisplay of inputs (eg info inserted into RMA form fields from database, eg oID, name), say in going from the account_history_info_default to the RMA page, or proceeding from input to error checking to error correction in the RMA page, constitute a "displayed again for verification/edit" case?

Post 7 Dr Byte

I would think that the output-protected approach should be run anytime the content of user-collected data is being re-displayed, so that if any sql-injection or other attack would be averted.

Would the redisplay of inputs (eg info inserted into RMA form fields from database, eg oID, name), say in going from the account_history_info_default to the RMA page, or proceeding from input to error checking to error correction in the RMA page, constitute an "output-protected approach should be run anytime the content of user-collected data is being re-displayed" case?

Post 9 Dr Byte

Will have to do some further investigation. Here's a related post: http://www.zen-cart.com/forum/showthread.php?t=64115

This last thread dates from 25 April 2007 and specifically refers to XSS vulnerability in and provides fixes for Zen Cart 1.3.7 (and prior versions).

Re: error messaging
I found displaying error messaging within the form, as opposed to displaying same within a message stack, disrupts the layout of the form - with longer error messages causing greater disruption - which can make the overall form difficult to rescan for errors or alterations.

As online forms and associated error message stacks have been around for ages, I am sure the majority of internet users are quite familiar with navigating their way through them. So from my long experience, displaying error messaging within the form is just a change for change sake.

Let us not lose sight of the fact that we are only talking about a Returns form that is applied post-purchase. Sure, it may be convenient for customer relations, but displaying error messaging within a form does not provide for greater sales.

cheers

**DivaVocals** · 10 May 2013, 08:13 AM

Originally Posted by dw08gm

As online forms and associated error message stacks have been around for ages, I am sure the majority of internet users are quite familiar with navigating their way through them. So from my long experience, displaying error messaging within the form is just a change for change sake.

Let us not lose sight of the fact that we are only talking about a Returns form that is applied post-purchase. Sure, it may be convenient for customer relations, but displaying error messaging within a form does not provide for greater sales.

cheers

It does provide for BETTER usability.. It's a frustrating user experience to fill out a form only to find out that it's missing data, and to have NO indication what the issue is... You cannot assume that people will just KNOW and figure it out because you assume that they SHOULD know.

Again we'll have to agree to disagree.. A returns form by it's very nature isn't helping sales, so I fail to see how providing the end user some indication that the form is not filled out correctly correlates to sales.. Displaying a generic validation message without ANY indication where the error in fact lies is not a great user experience.. In my long experience working in software development, when a form is submitted without all the required information you do need to display some indication to the end user where that error lies.. You call it change for change sake, but improving user experience is not in my opinion a bad thing..

Again clearly you do not agree with this logic..

**rbarbour** · 10 May 2013, 08:44 AM

Whether it be via message-stack or inline form error messages, these error messages need to be displayed one way or another (if you want required fields).

This mod uses inline error messages, IMHO, i do not think this was change for change sake, with so many forms using CSS tool-tips and jQuery to display inline error messages, I think it was to give the form a more up-to-date presence.

If one chooses to convert to message-stack by all means, try my MessageStack LightAlert Light Box.

I have to agree with @DivaVocals, the inline error messages do provide better usability hence all the new CSS tool-tips and jQuery form builders.

A Return form DOES help sales and confidence with a customer IMHO.

**dw08gm** · 10 May 2013, 08:46 AM

Originally Posted by DivaVocals

you do need to display some indication to the end user where that error lies

But error messages should provide for that:

eg Postcode input requires a minimum of 3 characters,

where "Postcode", in this instance, is the name of the input field.

Cheers

**dw08gm** · 10 May 2013, 08:51 AM

post duplicated

**dw08gm** · 10 May 2013, 09:03 AM

Originally Posted by rbarbour

A Return form DOES help sales and confidence with a customer IMHO.

We are not disputing the value of Return forms, but rather only where the error messages in the updated mod are to be placed.

My comment regarding form layout dirsuption seems to have been overlooked.

cheers

**DivaVocals** · 10 May 2013, 09:07 AM

Originally Posted by dw08gm

But error messages should provide for that:

eg Postcode input requires a minimum of 3 characters,

where "Postcode", in this instance, is the name of the input field.

Cheers

and those error messages are what is displayed in the current RMA form.. Why is this a BAD thing???:
Name: RMAValidationMsgs.jpg
Views: 137
Size: 45.5 KB