Okay, to continue on in my adventure of compiling a fully patched version of Super Orders, I have run into a challenge, and I was hoping that I could get a hand..
While I personally do not think that the "Edit Status History" feature is a particularly useful feature of Super Orders (I think it creates an audit/accountability issue to allow the editing of order notes/comments), it's here and I suppose that folks are using it, but it is not working as it should. This particular problem also goes back to 2006, and has not been fully resolved/addressed even in the latest version of Super Orders. It is my understanding that this particular issue is another one of the security flaws within Super Orders that Phillip has been so good to point out to the community..
Apparently the issue is this:
The problem you experienced with the tags being displayed improperly in status update comments is due to the comments not being properly scrubbed before inserting them into the DB.
The following posts helped me fix the issue in the super_order.php and super_batch_status.php files.
http://www.zen-cart.com/forum/showpo...&postcount=220
http://www.zen-cart.com/forum/showpo...&postcount=621
(So that it's clear to anyone reading this, the fix I applied was based largely on the 1st post, the second post includes an incorrect fix, but gave me a clue where a second change needed to be made..)
I made the following change around line 125 in super_orders.php:
Code:
//$comments = zen_db_scrub_in($_POST['comments']); // replaced line
$comments = zen_db_scrub_in($_POST['comments'], true);
I made the following change around line 69 in super_batch_status.php:
Code:
//$notify_comments = $_POST['notify_comments']; // replaced line
$notify_comments = zen_db_scrub_in($_POST['notify_comments'], true);
So now I'm down to how to fix the stripping issue in the super_edit.php file.. I've tried variations of the fixes I found in the two previous referenced posts to no avail.. Since I don't know PHP, I am GUESSING right now how to fix the super_edit.php file (logical guesses.. but WRONG guesses), and I was hoping that someone here would take pity and give me a hand..
The "Edit Status History" feature injects HTML line breaks and ASCII line breaks into the database, and these line breaks are displayed when the customer views their order history from "Status History & Comments". For example:
New test.. I want to see if the HTML line breaks are added to the comments.\r\n\r\nIf this works, when I edit the comments, the line breaks end up with these weird characters after them..\r\n\r\nDon\'t understand why this code is broken..
I am fairly certain that it's this section of the super_edit.php code that needs to be corrected - around line 433:
Code:
$this_status = $_POST['status_' . $this_history_id];
$this_comments = zen_db_scrub_in($_POST['comments_' . $this_history_id]);
$this_delete = $_POST['delete_' . $this_history_id];
$change_exists = false;
I am plum out of guesses (logical and otherwise) as to what I need to change..
Now all that said, is this even a USEFUL feature.. because the EASIEST fix is to hide the "Edit Status History" link..
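To show the mechanism behind the literal `\r\n` and `\'` sequences quoted above, here is an added PHP illustration; it is not Super Orders or Zen Cart code. `escape_for_sql()` and `unescape_from_sql()` are stand-ins I assume for a mysql_real_escape_string-style escape and for the server's parsing of the resulting string literal, and the sample comment is constructed.

```php
<?php
// Added illustration (not Super Orders / Zen Cart code): a comment that is
// escaped twice on its way into the database keeps one layer of backslashes,
// which the customer then sees as literal "\r\n" and "\'".

// Assumption: mimics the mapping mysql_real_escape_string() applies.
function escape_for_sql(string $s): string {
    return strtr($s, [
        "\\"   => '\\\\',  // \  -> \\
        "'"    => "\\'",   // '  -> \'
        '"'    => '\\"',   // "  -> \"
        "\n"   => '\\n',   // LF -> \n
        "\r"   => '\\r',   // CR -> \r
        "\0"   => '\\0',
        "\x1a" => '\\Z',
    ]);
}

// Assumption: what the server stores after parsing one escaped string literal.
function unescape_from_sql(string $s): string {
    return strtr($s, [
        '\\\\' => "\\",
        "\\'"  => "'",
        '\\"'  => '"',
        '\\n'  => "\n",
        '\\r'  => "\r",
        '\\0'  => "\0",
        '\\Z'  => "\x1a",
    ]);
}

// Constructed comment with real line breaks and a real apostrophe.
$raw = "New test..\r\n\r\nDon't understand why this code is broken..";

// The value as it arrives in $_POST when an earlier layer already escaped it once.
$from_post = escape_for_sql($raw);

// Buggy path: escape the already-escaped value again, then let the DB parse it.
$stored_bug = unescape_from_sql(escape_for_sql($from_post));
echo $stored_bug, "\n";              // New test..\r\n\r\nDon\'t understand ... (literal backslashes)
var_dump($stored_bug === $raw);      // bool(false)

// Fixed path: undo the incoming layer first, then escape exactly once.
$stored_ok = unescape_from_sql(escape_for_sql(unescape_from_sql($from_post)));
var_dump($stored_ok === $raw);       // bool(true): real line breaks, real apostrophe
```

Parameterised queries (PDO or mysqli prepared statements) remove the manual escaping layer altogether, so there is nothing left to double up.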