J.2.5.1
VM 2.0.1.N+ (dev file _VirtueMart2.zip)
I examined the code and found the reason:
administrator/components/com_virtuemart/controllers/product.php

function save(){
    $data = JRequest::get('post');
    if(!class_exists('Permissions')) require(JPATH_VM_ADMINISTRATOR.DS.'helpers'.DS.'permissions.php');
    if(Permissions::getInstance()->check('admin')){
        // mask 2 = JREQUEST_ALLOWRAW: the posted value is taken unfiltered
        $data['product_desc'] = JRequest::getVar('product_desc','','post','STRING',2);
        $data['product_s_desc'] = JRequest::getVar('product_s_desc','','post','STRING',2);
    }
    parent::save($data);
}
This means that the user has to be a VM admin to save HTML tags. I don't think it's obvious.
So I have several notes:
- I believe that at least storeadmins should also have permission to save non-stripped HTML, so this line
    if(Permissions::getInstance()->check('admin')){
  should be replaced with
    if(Permissions::getInstance()->check('admin') || Permissions::getInstance()->check('storeadmin')){
- VM saves disregarding Joomla text filter settings. At least my tests show it. I don't know if it's the expected behaviour, a bug, or a "no care" issue.
- If a user is allowed to edit a product, and VM ignores Joomla text filter settings, why strip HTML at all? A user who can edit products is a trusted user. And if we speak of security, which a trusted user can break by mistakenly pasting some HTML with JS, iframes and so on, then we have to use those Joomla text filters, whose purpose is to make HTML safe.
So my suggestion is either to at least allow storeadmins to save HTML, or (better) to remove this check altogether (only trusted users can edit products anyway). Or, if you have an opportunity, explain to me why the check must be there.
Thanks.
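
An added illustration of the three outcomes discussed in the post above (not part of the original post, and not VirtueMart or Joomla code): the raw value the admin branch stores, the stripped value other users get, and filtered HTML as the third note suggests. The helper names, the allowlist and the sample input are constructed, and `desc_filtered` is a simplified stand-in for a real text filter.

```php
<?php
// Added illustration: constructed helpers, not VirtueMart or Joomla code.

// Approximates what a non-admin gets today: tags removed, text kept.
function desc_stripped(string $html): string
{
    return trim(strip_tags($html));
}

// Simplified stand-in for a text filter: allowlisted tags and attributes only.
function desc_filtered(string $html): string
{
    $allowedTags  = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'h3', 'a', 'span'];
    $allowedAttrs = ['href', 'title'];
    libxml_use_internal_errors(true);            // tolerate sloppy pasted markup
    $doc = new DOMDocument();
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div>' . $html . '</div>');
    $root  = $doc->getElementsByTagName('div')->item(0);
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('.//*', $root)) as $el) {
        if (!in_array(strtolower($el->nodeName), $allowedTags, true)) {
            $el->parentNode->removeChild($el);   // drops <script>, <iframe>, ... and their content
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok   = in_array($name, $allowedAttrs, true);
            if ($ok && $name === 'href') {       // links: http(s), mailto or site-relative only
                $ok = (bool) preg_match('#^(https?://|mailto:|/)#i', trim($attr->nodeValue));
            }
            if (!$ok) {
                $el->removeAttributeNode($attr); // onclick, style, javascript: URLs, ...
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input: formatting a store admin wants, plus pasted active content.
$posted = '<p onclick="x()">New <b>model</b>, see <a href="javascript:y()">specs</a></p>'
        . '<script>z()</script><iframe src="http://tracker.invalid/"></iframe>';

echo "raw (VM admin today): ", $posted, "\n";
echo "stripped (others):    ", desc_stripped($posted), "\n";
echo "filtered (suggested): ", desc_filtered($posted), "\n";
```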