
Possible bug: Table "_virtuemart_order_histories"

Started by EsSa55, July 30, 2018, 16:57:07 PM


EsSa55

A bug or the way in which html is handled in v3.2.14

php: 5.6.36
jm:  3.8.10
vm: 3.2.14

I have re-checked and the following issue does not occur in v3.2.12

Until we updated to the latest version, comments, including html, were properly formatted:

e.g.

A comment such as:

Tracking link: <a href="https://www.royalmail.com/track-your-item?trackNumber=FR123456789GB">FR123456789GB</a>

would appear in the table Comments field as above, and visually in the backend order Comments box as

Tracking link: FR964332376GB

with the consignment number clickable.

Since updating, the same code will appear in the table Comments field as:

Tracking link: &#60;a href=&#34;https://www.royalmail.com/track-your-item?trackNumber=FR123456789GB&#34;&#62;FR123456789GB&#60;/a&#62;

and visually in the backend order Comments box as

Tracking link: <a href="https://www.royalmail.com/track-your-item?trackNumber=FR123456789GB">FR123456789GB</a>

The same applies to any html included in this field.

I hope this is an easy to resolve issue as we use the field to send tracking links to customers.

TIA

Studio 42

I have seen that the team added escaping for some fields (or all?).
I think that's why you have this now.
I hope that my own VM extensions are not affected.

EsSa55

"I have seen that the team added escaping for some fields (or all?)."

Which files have been changed?

Milbo

We could only allow it via a hidden config or an ACL. From my point of view it was a vulnerability, meaning it could lead to a leak; the way it is now is safer.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Studio 42

Max, only double quotes need to be escaped, not all special chars.
If you use db->quote, I think it uses the right escaping for all databases to prevent vulnerabilities.
To prevent other vulnerabilities such as injected JavaScript, it doesn't change anything, because you have to revert the change you made when you need to display it in some cases (e.g. if you edit it).
So yes, double quotes need to be escaped; I already modified it for a VM shop, because a customer needed to add double quotes in some product fields.
But I never had any problems with other special chars.

EsSa55

I am interested just in the Order->Comments field, so which edits do I need to make to present html correctly?

I notice that if I paste the code directly into the table field it then displays correctly but that is not a practical solution.

TIA

GJC Web Design

Hi Eddie,

try surrounding the comment in the email template with

htmlspecialchars_decode($str, ENT_COMPAT);

<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['details']['BT']->customer_note, ENT_COMPAT))) ?>

or maybe ENT_QUOTES
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

EsSa55

Hello John

Thanks for the reply.

The issue is actually in the backend Order Status/Comments field.

See attached screenshots.

The 'correct' one is VM 3.2.12; the 'incorrect' one is 3.2.14.

Best

Eddie

Jörgen

This view can be overridden: administrator/templates/isis/html/com_virtuemart/orders

regards

Jörgen @ Kreativ Fotografi.se
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

EsSa55

Thank You, Jörgen.

However, there is currently no such folder as:

"administrator/templates/isis/html/com_virtuemart/orders"

Or, should I copy over the same folder from another location?

Best

Eddie
GJC Web Design

yep .. copy from
administrator\components\com_virtuemart\views\orders\tmpl\order_item.php

to

administrator/templates/isis/html/com_virtuemart/orders/order_item.php

EsSa55

Phew!

Thanks John and Everyone Else.....

Best

Eddie

EsSa55

Except, unfortunately, that makes no difference to the resulting format.

GJC Web Design

hmmmm...

really don't think it matters how it displays in the admin

more the problem is the client email is not rendered as a link

if you change in

templates\gjc_j3_v5\html\com_virtuemart\invoice\mail_html_shopper.php

to

echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br(htmlspecialchars_decode($this->orderDetails['history'][$nb-1]->comments, ENT_COMPAT)));

I get a proper link in the email
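The htmlspecialchars_decode() approach from the two GJC Web Design posts above, as an added example that is not code from VirtueMart or from the poster. The stored string is the escaped comment quoted in the first post, used here as a constructed input; the helper commentForMail() and its $fromStaff parameter are hypothetical names, not VirtueMart API. What it adds beyond the thread: the decode restores whatever markup the comment's author typed, so it belongs on comments a backend user wrote into the order history (the second snippet), not on text a shopper typed at checkout such as customer_note (the first snippet), which is exactly the leak Milbo's escaping change closes.

```php
<?php
// Added example, not VirtueMart code. Written for PHP 5.4+ (the thread runs 5.6),
// so no scalar type hints are used.

// Constructed sample: the form VM 3.2.14 writes to the order-history comments column.
$stored = 'Tracking link: &#60;a href=&#34;https://www.royalmail.com/'
        . 'track-your-item?trackNumber=FR123456789GB&#34;&#62;FR123456789GB&#60;/a&#62;';

// ENT_COMPAT turns &#38; &#60; &#62; and double quotes (&#34;) back into characters;
// single quotes (&#39;) stay encoded. ENT_QUOTES also restores single quotes, which
// matters only if an attribute was written as href='...'.
$html = htmlspecialchars_decode($stored, ENT_COMPAT);
// $html now equals the original markup:
// Tracking link: <a href="https://www.royalmail.com/...">FR123456789GB</a>

/**
 * Prepare a stored comment for an HTML e-mail (hypothetical helper).
 *
 * $fromStaff  true  for order-history comments typed by a backend user
 *             false for shopper-supplied text such as customer_note
 *
 * Decoding re-activates every tag the author typed, so shopper text is left
 * in its escaped form and only line breaks are converted.
 */
function commentForMail($stored, $fromStaff)
{
    if ($fromStaff) {
        return nl2br(htmlspecialchars_decode($stored, ENT_QUOTES));
    }
    // Already escaped: safe to embed in HTML as-is, tags show as literal text.
    return nl2br($stored);
}

// Staff-entered tracking link: becomes a clickable anchor in the mail.
echo commentForMail($stored, true), "\n";

// Constructed shopper note containing a link: shown as text, not as a live link.
$note = "Please ring the bell.\n&#60;a href=&#34;https://example.invalid/&#34;&#62;my page&#60;/a&#62;";
echo commentForMail($note, false), "\n";
```

In the mail template this means the decode wraps $this->orderDetails['history'][$nb-1]->comments, as in the second post, while the customer_note line keeps its plain nl2br() call.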

EsSa55

Ah! Being a lay-person, at best, it is difficult not to react to visual differences.

This is what I have in my template file: "mail_html_shopper.php":

<?php echo vmText::sprintf('COM_VIRTUEMART_MAIL_SHOPPER_QUESTION',nl2br($this->orderDetails['details']['BT']->customer_note)) ?>

Ok to replace from 'echo' to '))' with your command?

Best

Eddie