News:

Support the VirtueMart project and become a member

Main Menu

Weird character generation

Started by slavonec, April 28, 2015, 23:13:52 PM

Previous topic - Next topic

slavonec

Hi there,

When I create product category or a product VM generates also 2 sets of additional characters on each side of the title. See attached image.
How can I fix that?

I'm using:
Joomla! 3.4.1
PHP Version 5.4.39
VirtueMart 3.0.8


Thank you in advance.

jenkinhill

Did you copy and paste the title from Word or similar?
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Jörgen

Hello slavonec

I suspect the same that Kelvyn does, You have got cut and paste with some extra features ;)
Looks like You have some carriage return (#13) and line feed (#10) inserted in Your text.
Just delete the strange characters and You will be fine.

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

lindapowers

#3
Dont know if this is related:



When storing the product name:

Oli d'oliva verge extra 250 ml

gets stored as:

Oli d' oliva verge extra 250 ml

The apostrophe is not welcomed. Strangely the product name appears correctly written everywhere except in the dropdown for the childs.


vm 3.08 j 3.4.1

slavonec

Well, in the beginning I thought that exactly what happened (copy and paste), but then I TYPED THE WORDS - same outcome!

I then, deleted all I created, flushed the database, reinstall VM fresh - same problem. My database charset us UTF-8, but just to stay safe I forced it also with my .htaccess - the problem persist.

So, put aside COPY & PASTE lets rethink what could have happen. I do not have idea.

Could it be that JCE editor is messing with VM?! Or something else.

Thank you

GJC Web Design

have u tried a different or no editor?
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

Milbo

#6
Lindapowers, it is correctly stored that way, the question is now, why it does not show correcty in your dropdown. I assume you use the multivariant? and you do not work as superadmin? There is an ACL which allows you to use raw as input. Just enable it for your admins
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

slavonec

Solved!

JCE Full Page Editing is inserting [prefix="og: http://ogp.me/ns#"]

More here: https://www.joomlacontenteditor.net/support/forum/jce-inserts-unneeded-html-tags

Thank you for the prompt action guys.


Thank you

lindapowers

#8
Quote from: Milbo on April 29, 2015, 22:21:44 PM
Lindapowers, it is correctly stored that way, the question is now, why it does not show correcty in your dropdown. I assume you use the multivariant? and you do not work as superadmin? There is an ACL which allows you to use raw as input. Just enable it for your admins


Hello

I work as superadmin. In this case we are using generic child variants. I checked the ACL and the setting was allowed for admins also superadmins.

Regards

Jörgen

#9
@Milbo

This is a bug fix regarding the first issue, not the linda powers issue, but it could depend on the same code missing. If You have a better solution, please say.  I suggest this should be added to the next update. The text is not rendered properly when shown in the category view. (Joomla! 3.4.1, VM 3.0.6.4)

@slavonec

I see this in my backend to. But only with newly saved text. the JCE-editor seems to save the text html safe. This will not render good in the VM back end. This will make the text independent of how the editor stores the text :)

I have made an override for the category view:

administrator/components/com_virtuemart/views/category/tmpl/default.php

Copy the file to:
administrator/templates/your-adm-template/html/com_virtuemart/category/default.php  (in my case ISIS)

Find line 131

echo shopFunctionsF::limitStringByWord(JFilterOutput::cleanText($cat->category_description),200); ?>


And replace with

echo shopFunctionsF::limitStringByWord(htmlspecialchars_decode(JFilterOutput::cleanText($cat->category_description)),200); ?>


There will probably be lots of other places where the htmlspecialchars_decode() should be added.

regards

Jörgen @ Kreativ Fotografi



Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

Jörgen

I have found more places for the htmlspecialchars_decode(). In the view orderstatus:

change line 97:
<?php echo vmText::_($row->order_status_description); ?>
to
<?php echo htmlspecialchars_decode(vmText::_($row->order_status_description)); ?>

Make an override as suggested in my previous post until the VM team has corrected this.
As soon as I find more I will append them here.

regards

Jörgen @ Kreativ Fotografi


Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

Milbo

#11
No, this is wrong technic. Vm stores encrypted, when you do an encode => you open your vm for persistent XSS attacks!

The topic is very, very complex. It starts with that you cannot use your browser to understand what is going on, because your browser IS usually directly translating html entities. What is the trick with it?
Lets explain it that way. Assume a + is a dangerous sign, then VM stores the + as a cross, looks like the +, but has not the effect of it.

Btw, I just tested it. In my case the ' and ö remains. Maybe the ACL is not correctly set in your case (migrated). The idea is that admins are allowed to store raw or html filtered, but others not. Then it is directly stored encoded. Therefore the output must not be encoded or decoded. Except the js, but that is another story. JS has the nasty effect to interprete a "cross" as "plus"


Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Jörgen

#12
@Milbo

Thanks for Yor reply.

The places where I applied the fix are in the back end, but OK I can see Your concern with XSS.

I have messed around and tried with different editors and now the characters seem to save as UTF-8 and nothing else. This is strange and I have not been able to replicate the earlier behaviour. The issue with translated å,ä,ö has somehow magically vanished.

The remaining problem, for me anyway, seems to be the JFilterOutput::cleanText() function that gives me the &#13;(CR), &#10;(LF), &#9;.
I don´t seem to get rid of them. I tried tinyMCE and JCE editor. It looks like the text has a lot of CR,LF and using the JCE editor also gets tabular characters stored. They get translated by the JFilterOutput::cleanText() which is calling htmlspecialchars() that comes up with the decoded text.

Since the JFilterOutput::cleanText() isn´t beeing called in the front end there is no issue in the frontend, only in the back end. Front end looks fine.

Stripping out the &#13;, &#10; and &#9; in the back end works of course and this would absolutely not translate into any XSS vulnerability.

If I insert category descriptions that has in the Virtuemart live demo (3.0.8.0) I get &#13;&#10; for each linefeed so if there is some problem with the editor. The editor used in the latest Virtuemart demo certainly has the same issue.

Grateful for any suggestions.

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

Jörgen

Hello

This is what I have done. Hopefully it will help anyone who gets the &#13;, &#10; and &#9; characters stored and don´t want to see these in the backend. This should not give any XSS issues. I simply remove the characters except #13 which I replace with a space for clarity.

For line 97 in the admin view orderstatus
find
<?php echo vmText::_($row->order_status_description); ?>

replace with
<?php echo str_replace(["&amp;#13;","&amp;#10;","&amp;#9;"],[" ","",""], vmText::_($row->order_status_description)); 

For line 131 in the admin view category
find
echo shopFunctionsF::limitStringByWord(JFilterOutput::cleanText($cat->category_description),200);

replace with
echo shopFunctionsF::limitStringByWord(str_replace(["&amp;#13;","&amp;#10;","&amp;#9;"],[" ","",""],JFilterOutput::cleanText($cat->category_description)),200);

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

toocool

I have the same problem!

Only in VM. (3.0.8.) In admin weird, in the page source code weird. Only in the browser good.