A bug or the way in which html is handled in v3.2.14
php: 5.6.36
jm: 3.8.10
vm: 3.2.14
I have re-checked and the following issue does not occur in v3.2.12
Until we updated to the latest version, comments, including html, were properly formatted:
e.g.
A comment such as:
Tracking link: <a href="https://www.royalmail.com/track-your-item?trackNumber=FR123456789GB">FR123456789GB</a>
would appear in the table Comments field as above, and visually in the backend order Comments box as
Tracking link: FR964332376GB
with the consignment number clickable.
Since updating, the same code will appear in the table Comments field as:
Tracking link: <a href="https://www.royalmail.com/track-your-item?trackNumber=FR123456789GB">FR123456789GB</a>
and visually in the backend order Comments box as
Tracking link: <a href="https://www.royalmail.com/track-your-item?trackNumber=FR123456789GB">FR123456789GB</a>
The same applies to any html included in this field.
I hope this is an easy to resolve issue as we use the field to send tracking links to customers.
TIA
I have seen that the team added escaping for some fields (or all?).
I think that's why you have this now.
I hope that my own Vm extensions are not affected.
"I have seen that the team added escaping for some fields (or all?)."
Which files have been changed?
We could only allow it per hidden config, or an ACL. From my point of view it was a vulnerability, meaning it could lead to a leak; the way it is now is safer.
Max, only double quotes need to be escaped, not all special chars.
If you use db->quote, I think it uses the right escaping for all databases to prevent vulnerabilities.
To prevent other vulnerabilities such as injected JavaScript, it doesn't change anything, because you have to revert the change you made when you need to display it in some cases (e.g. if you edit it).
So yes, double quotes need to be escaped; I already modified it for a VM shop, because a customer needed it to add double quotes in some product fields.
But i never had any problems with other special chars.
I am interested just in the Order->Comments field, so which edits do I need to make to present html correctly?
I notice that if I paste the code directly into the table field it then displays correctly but that is not a practical solution.
TIA
Hi Eddie,
try surrounding the comment in the email template with
htmlspecialchars_decode($str, ENT_COMPAT);
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['details']['BT']->customer_note, ENT_COMPAT))) ?>
or maybe ENT_QUOTES
Hello John
Thanks for the reply.
The issue is actually in the backend Order Status/Comments field.
See attached screenshots.
The 'correct' one is VM 3.2.12; the 'incorrect' one is 3.2.14.
Best
Eddie
This view is possible to override: administrator/templates/isis/html/com_virtuemart/orders
regards
Jörgen @ Kreativ Fotografi.se
Thank You, Jörgen.
However, there is currently no such folder as:
"administrator/templates/isis/html/com_virtuemart/orders"
Or, should I copy over the same folder from another location?
Best
Eddie
yep .. copy from
administrator\components\com_virtuemart\views\orders\tmpl\order_item.php
to
administrator/templates/isis/html/com_virtuemart/orders/order_item.php
Phew!
Thanks John and Everyone Else.....
Best
Eddie
Except and unfortunately, that makes no difference to the resulting format.
hmmmm...
really don't think it matters how it displays in the admin
more the problem is the client email is not rendered as a link
if you change in
templates\gjc_j3_v5\html\com_virtuemart\invoice\mail_html_shopper.php
to
echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['history'][$nb-1]->comments, ENT_COMPAT)));
I get a proper link in the email
Ah! being a lay-person, at best, it is difficult not to react to visual differences.
This is what I have in my template file: "mail_html_shopper.php":
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br($this->orderDetails['details']['BT']->customer_note)) ?>
Ok to replace from 'echo' to '))' with your command?
Best
Eddie
Really Max, why don't you check to find a better solution?
I don't think that escaping all special chars is needed, else Joomla and WordPress would have more vulnerabilities about this.
If you save JSON, this needs only to escape the double quotes too.
Your solution has many drawbacks, e.g. if you need to compare or search an encoded string.
yes.. but replace the "comments"
next tr up
the customer_note is only if the shopper left an original comment -- the code below is the last comment left by the admin when changing the status etc
echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['history'][$nb-1]->comments, ENT_COMPAT)));
So,
<?php $nb=count($this->orderDetails['history']);
if($this->orderDetails['history'][$nb-1]->customer_notified && !(empty($this->orderDetails['history'][$nb-1]->comments))) { ?>
<tr>
<td width="580" colspan="3" style="border: 1px solid #CCCCCC;">
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['history'][$nb-1]->comments, ENT_COMPAT))); ?>
</td>
</tr>
<?php } ?>
<?php if(!empty($this->orderDetails['details']['BT']->customer_note)){ ?>
<tr>
<td width="580" colspan="3" style="border: 1px solid #CCCCCC;">
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br($this->orderDetails['details']['BT']->customer_note)) ?>
</td>
</tr>
ES-> ?
I know this is a bit out of date but I had the same problem on a client site when suddenly their html customer email messages that came from Status Updates in an Order weren't rendering and just came out as flat text, no line breaks or anything. Unfortunately the htmlspecialchars_decode fix did not work and I wound up using html_entity_decode for this.
<?php echo html_entity_decode($this->orderDetails['history'][$nb-1]->comments); ?>
I would not recommend that for customer comments but in my case this is only for the Admin order updates to customers that my client just copy/pastes in with shipping link/info. Also since this isn't the customer comments the earlier replies did not really use the right language constant. I am not sure what it should be since I just used the bare echo here.
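As an added example (my own code, not VirtueMart's and not from any poster here), the PHP below shows what the three decode calls discussed in this thread do to a constructed copy of an escaped comment, and then re-renders the decoded text through a tag allowlist so that decoding does not reopen the injected-JavaScript problem the escaping was introduced against. The function name `render_comment_html`, the sample strings and the allowed tag list are my assumptions.

```php
<?php
// Added example, not VirtueMart code. Decode a comment as VM 3.2.14+ stores it
// (HTML-escaped), then re-render only an allowlisted subset of the HTML.

// Constructed sample of the escaped comments column (not a real stored row).
$stored = 'Tracking link: &lt;a href=&quot;https://www.royalmail.com/'
        . 'track-your-item?trackNumber=FR123456789GB&quot;&gt;FR123456789GB&lt;/a&gt;'
        . "\nLeft with Jo&#039;s Parcels&nbsp;Ltd";

$compat = htmlspecialchars_decode($stored, ENT_COMPAT);     // &#039; and &nbsp; survive
$quotes = htmlspecialchars_decode($stored, ENT_QUOTES);     // &#039; decoded, &nbsp; survives
$full   = html_entity_decode($stored, ENT_QUOTES, 'UTF-8'); // every entity decoded

// Keep only a few harmless tags; on <a> keep only an http(s) href; drop every
// other attribute (onclick etc.) and the whole content of <script>/<style>.
function render_comment_html($html) {
    $allowed = array('a', 'br', 'p', 'strong', 'em');
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);         // tolerate loose fragments
    $doc->loadHTML('<?xml encoding="UTF-8"?><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $xpath = new DOMXPath($doc);
    $root  = $xpath->query('//div[@id="root"]')->item(0);
    foreach ($xpath->query('.//*', $root) as $el) {   // static snapshot, safe to edit
        $tag = strtolower($el->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $el->parentNode->removeChild($el);
        } elseif (!in_array($tag, $allowed, true)) {
            // Unwrap: keep the text, lose the tag (and any nested markup).
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
        } else {
            $names = array();
            foreach ($el->attributes as $attr) { $names[] = $attr->name; }
            foreach ($names as $name) {
                $keep = $tag === 'a' && $name === 'href'
                     && preg_match('#^https?://#i', $el->getAttribute('href'));
                if (!$keep) { $el->removeAttribute($name); }
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

echo nl2br(render_comment_html($full)), "\n";   // tracking link stays clickable
// A constructed hostile comment loses its script, its handler and its javascript: href.
echo render_comment_html('<a href="javascript:void(0)" onclick="void(0)">x</a><script>void(0)</script>'), "\n";
```

In the mail template this would replace the bare `html_entity_decode(...)` inside `nl2br(...)`, so the admin-entered tracking link still renders while anything beyond the allowlist is reduced to text.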
hi Eddie
yes
use
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['history'][$nb-1]->comments, ENT_COMPAT))); ?>
Hi,
I tried the code on VirtueMart 3.6.2 10159 and it doesn't seem to work. Were there any more changes since V3.2.14?
Any ideas?
Thanks
As mentioned by dstockman, html_entity_decode is working fine for me too.
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(html_entity_decode($this->orderDetails['history'][$nb-1]->comments))); ?>
Quote from: holanpan7 on November 19, 2019, 17:15:12 PM
As mentioned by dstockman, html_entity_decode is working fine for me too.
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(html_entity_decode($this->orderDetails['history'][$nb-1]->comments))); ?>
Where did you put that code ?
front end?
then templates\xxxx\html\com_virtuemart\invoice\mail_html_shopper.php
Quote from: GJC Web Design on March 01, 2019, 16:04:56 PM
hi Eddie
yes
use
<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['history'][$nb-1]->comments, ENT_COMPAT))); ?>
thanks, it helped me a lot ...
Quick question, how can I do the same with details_history.php --- <?php echo $_hist->comments; ?>
Is it possible ?
got it, thanks so much