[Closed] FEEDBACK ON BETA of v1.5.5

[lat9]

Proceeding on to the products' entry. I've got customers who use styling in their product names:

Code:

<span style="font-family: Roboto;">#</span>Product Name

... which results in a preview display of that name as:

Code:

<span stylfont-family: Roboto;">#</span>Product Name

If it wasn't bad enough that the HTML is now displayed as (er) HTML, the processing has removed characters from the HTML itself! Clicking the "back" button from the preview keeps the malformed HTML.

[DrByte]

Proceeding on to the products' entry. I've got customers who use styling in their product names:

Code:

<span style="font-family: Roboto;">#</span>Product Name

... which results in a preview display of that name as:

Code:

<span stylfont-family: Roboto;">#</span>Product Name

If it wasn't bad enough that the HTML is now displayed as (er) HTML, the processing has removed characters from the HTML itself! Clicking the "back" button from the preview keeps the malformed HTML.

That's part of the admin sanitization improvements to mitigate against XSS.

Why exactly are they putting [span]s in the product name? Is this just to insert some icon?

[DrByte]

Using a 155 version downloaded at around 2:20 pm EST today.

In the admin-console, with a two-language store (English and Spanish), there's a white-on-white component so that the selected language (while selected in the HTML) doesn't display the associated text. The <select> tag and its <option> tags are properly formed; it's an issue with the CSS (that I'm having trouble finding).

I can't seem to recreate this. Not finding any white-on-white.

[DrByte]

The overall admin-page padding seems to be "off" (or non-existent). Take a look at the Customers->Orders page, for example:
- The buttons use the default colors.
- The text butts up to end-of-screen on both the right and left
- There is no padding/margin for the orders-status-history table
- There is no padding between the order totals text/value pairs

Padding issues addressed here: https://github.com/zencart/zencart/pull/848/files?w=0

[lat9]

That's part of the admin sanitization improvements to mitigate against XSS.

Why exactly are they putting [span]s in the product name? Is this just to insert some icon?

They're using the <span> to have a different font for the hash-symbol.

The problem shows up also in the demo products (Test Examples->Test Three), as that product "demonstrates" the use of HTML tags in a product's name (uses <strong> and <br />). The only difference there is that the processing doesn't mangle the HTML associated with the product like it did the <span> with HTML attributes).

To me, it seems like the mitigation is removing a feature that's been around from the get-go.

[lat9]

Padding issues addressed here: https://github.com/zencart/zencart/pull/848/files?w=0

That helped with the padding; the order-navigation buttons on the top of Customers->Orders still "leave a lot to be desired".

[lat9]

I can't seem to recreate this. Not finding any white-on-white.

The language-changer in the header's upper-left corner. It's only visible when multiple languages are defined in the store/admin.

[DrByte]

That helped with the padding; the order-navigation buttons on the top of Customers->Orders still "leave a lot to be desired".

Lol ... those came directly from the Edit Orders mod.

Will have to look at those separately.

[DrByte]

They're using the <span> to have a different font for the hash-symbol.

This should help with that: https://github.com/zencart/zencart/pull/847

To me, it seems like the mitigation is removing a feature that's been around from the get-go.

Unfortunately security analysts would call it a flaw, not a feature.

Trying to find the balance ...

[DrByte]

The language-changer in the header's upper-left corner. It's only visible when multiple languages are defined in the store/admin.

I know what you're referring to.
I added another dummy language so that the box would show, and it shows up just fine: