Author Topic: Add to cart not working with jHackGuard from SiteGround  (Read 4070 times)

Globacide Solutions

  • 3rd party VirtueMart Developer
  • Jr. Member
  • *
  • Posts: 63
  • Globacide Solutions
    • Joomla & VirtueMart Affiliate Component/Extension
Add to cart not working with jHackGuard from SiteGround
« on: December 30, 2011, 19:42:11 pm »
SiteGround automatically installs a plugin called jHackGuard that is supposed to protect your Joomla! site. It is automatically installed and published when using their automatic installer.

This plugin seems to detect weird characters in the Add To Cart button's AJAX request, and return an "Illegal key characters in global data" error, causing the process to stop, and nothing getting added to the cart at all, and no message being displayed.

Simplest way is to disable the jHackGuard plugin altogether, although workarounds might be found.

Thought this might help someone with the same issue, and also alert the dev team, since those weird characters in the URL, caused by a bad and unnecessary (no offense) encoding of the parameters, is not a good technique.

Thank you!
Emilian Manolache
Globacide Solutions
VirtueMart Affiliate

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10400
  • VirtueMart Version: 3+
Re: Add to cart not working with jHackGuard from SiteGround
« Reply #1 on: December 30, 2011, 20:22:39 pm »
Do you know what's triggering it?
J3.9+ VM 3.4.2
Slowest Page Speed Score (88) (Category)
Fastest Page Speed Score (94-96) (productdetails)

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10018
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Add to cart not working with jHackGuard from SiteGround
« Reply #2 on: December 30, 2011, 20:23:48 pm »
Hmm, we use json_encode
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Globacide Solutions

  • 3rd party VirtueMart Developer
  • Jr. Member
  • *
  • Posts: 63
  • Globacide Solutions
    • Joomla & VirtueMart Affiliate Component/Extension
Re: Add to cart not working with jHackGuard from SiteGround
« Reply #3 on: December 31, 2011, 00:10:13 am »
It's caused by the encodeURIComponent() JS function, in "components/com_virtuemart/assets/js/vmprices.js", line 43.

It seems the form contains a couple of fields that are "array" values, such as quantity[]. When using form.serialize(), above that line, the square brackets [] are automatically "URL-encoded". When doing the second URL encode, by calling encodeURIComponent, the hex codes for the square brackets get re-encoded, causing an unrecognized parameter (%255B%255D), which jHackGuard considers weird (you can't blame it).

The fix would be to replace the line 43:
$.getJSON(siteurl+'index.php?option=com_virtuemart&nosef=1&view=cart&task=addJS&format=json',encodeURIComponent(datas),

with

$.getJSON(siteurl+'index.php?option=com_virtuemart&nosef=1&view=cart&task=addJS&format=json',datas,

thus passing the serialized form data directly, since it has already been url encoded by the "form.serialize()" function.

The same goes for the same behavior in many other functions throughout VM.
Emilian Manolache
Globacide Solutions
VirtueMart Affiliate
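
The double encoding described in Reply #3, reproduced as an added example (not part of the original post and not VirtueMart or jHackGuard code). serializeFields is a hypothetical stand-in for jQuery's form.serialize(), the virtuemart_product_id[] field and its value are constructed sample data, and looksDoubleEncoded is an illustrative server-side check, not jHackGuard's actual rule.

```javascript
// Stand-in for form.serialize(): every name and value is percent-encoded
// exactly once and the pairs are joined with '&'.
function serializeFields(fields) {
  return fields
    .map(([name, value]) =>
      encodeURIComponent(name) + '=' + encodeURIComponent(value))
    .join('&');
}

// Parameter names a server recovers after ONE decoding pass of the query.
function serverKeys(rawQuery) {
  return [...new URLSearchParams(rawQuery).keys()];
}

// Flags an encoded percent sign followed by two hex digits (e.g. %255B),
// the trace left by a second encoding pass. A literal "%5B" typed by a
// user also matches once encoded, so treat a hit as a signal to log and
// review rather than as proof of tampering.
function looksDoubleEncoded(rawQuery) {
  return /%25[0-9a-f]{2}/i.test(rawQuery);
}

// Constructed sample form fields (only quantity[] is named in the thread).
const fields = [['quantity[]', '1'], ['virtuemart_product_id[]', '42']];

const datas = serializeFields(fields);    // already encoded once
const twice = encodeURIComponent(datas);  // what line 43 sent

console.log(datas);               // brackets appear as %5B%5D
console.log(twice);               // brackets appear as %255B%255D
console.log(serverKeys(datas));   // two clean names ending in []
console.log(serverKeys(twice));   // one name still containing %, = and &
console.log(looksDoubleEncoded(datas), looksDoubleEncoded(twice));
```

After the second pass the '=' and '&' separators are encoded as well, so the whole form arrives as a single parameter name that still contains percent signs, which is the kind of key an input filter rejects.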

Svetlio

  • Jr. Member
  • **
  • Posts: 141
Re: Add to cart not working with jHackGuard from SiteGround
« Reply #4 on: January 03, 2012, 14:35:28 pm »
Hello,

Indeed, as Mr. Emilian Manolache has explained, the problem is caused by the duplicate usage of the URL encoding function in the components/com_virtuemart/assets/js/vmprices.js file. This functionality encodes already encoded characters and produces unexpected characters in the corresponding query. The jHackGuard plugin recognized these characters as suspicious and filters them.

Still, we have found other extensions with similar problems.

Thus, in order to make our jHackGuard plugin compatible with more extensions, our Joomla extensions developer has disabled the corresponding check in the last version.

This means that the last version of jHackGuard will work with VirtueMart even without the manual code modifications in the components/com_virtuemart/assets/js/vmprices.js file.

You can download it from the following location:

http://www.siteground.com/joomla-hosting/joomla-extensions/ver1.5/jhack.htm

SiteGround Technical Support Team Member. Check out our special VirtueMart hosting package

Globacide Solutions

  • 3rd party VirtueMart Developer
  • Jr. Member
  • *
  • Posts: 63
  • Globacide Solutions
    • Joomla & VirtueMart Affiliate Component/Extension
Re: Add to cart not working with jHackGuard from SiteGround
« Reply #5 on: January 03, 2012, 15:39:20 pm »
That's great, @Svetlio!

Seems like a happy ending! :)
Emilian Manolache
Globacide Solutions
VirtueMart Affiliate

McRui

  • Guest
Re: Add to cart not working with jHackGuard from SiteGround
« Reply #6 on: September 04, 2012, 02:08:50 am »
Yes, that's the solution, although there are two lines with the "encodeURIComponent". To make it work, the "encodeURIComponent" must be replaced on both lines. That's how I solved my problem thanks to Globacide Solutions' post. Thank you for the insight!