[Done v155a and v155b] AdminRequestSanitizer Problem

[wilt]

Hi all

This is in fact a problem with core code, and not really related to any plugins.

The reviews code passes a 'products_name' hidden field which in this context is a string.
However in general 'products_name' is expected to be an array (e.g. to account for language translations)
Hence the sanitizer complaining it's not an array.

Will push a fix up shortly

[JRGoold]

Hello Wilt,

I discovered the Admin Sanitizer documentation http://docs.zen-cart.com/Developer_D...n_sanitization. That allowed me to turn on sanitizer debugging messages. I matched the date-time stamp of one of the error logs to one for a debug message.

You undoubtedly have found the real problem. I did notice, however, that in the debug message, the admin sanitizer has changed the value of the "type_name" variable (stripping out spaces and a slash — but leaving a dash). This can be seen in the posted sanitizer debug message.

This is only a problem because I display the type_name. I created additional product types as the subject site deals exclusively in downloadable products: e-books and software (which can be thought of as “interactive e-books”). I am going to resolve this problem by making sure the type_name is a single word (I'll manually change the database to accomplish this).

I am looking forward to a fix.

Oh, turning off "strict sanitizing" doesn’t stop the sanitize error messages, which I am sure you know.

A question, if I may: It seems to me, on reflection, that the Admin Sanitizer documentation implies I should set up data files in /admin/includes/extra_datafiles/ (for me, /backend/…) to define how the Admin Sanitizer should handle any additional GET or POST fields I have added to the Admin core. It doesn’t indicate how the file names should be formed. Could you tell me please? And whether they are necessary (i.e. advised for good security)?

[JRGoold]

It wasn’t necessary to manual change the database. Instead, in Admin, Catalog—>Product Types

Wilt: Sorry, I didn’t realize I hadn't posted the sanitizer log. If you want it, I can reproduce it.

[DrByte]

Hi all

This is in fact a problem with core code, and not really related to any plugins.

The reviews code passes a 'products_name' hidden field which in this context is a string.
However in general 'products_name' is expected to be an array (e.g. to account for language translations)
Hence the sanitizer complaining it's not an array.

Will push a fix up shortly

Wilt's fix is the 3 files mentioned here: https://www.zen-cart.com/showthread....33#post1312333

[JRGoold]

Thank you for the link. I shall apply the fixes to both the live and test sites.

[schoolboy]

I need to enclose some text in html tags, in the Option Names Comments field, but when I put the tags in, it is not sanitizing and converts the < to &lt; , and the > to &gt; . I have to then go into the database and change them back to < and > so that they do not render as &lt; and &gt; in-screen.

eg: <hr /> becomes &lt;hr /&gt;

How do I fix this?

[DrByte]

but when I put the tags in, it is not sanitizing and converts the < to &lt; , and the > to &gt; .

Actually, it *is* sanitizing; actually appears to be sanitizing something you wish it didn't.

The process to change this is to identify the name of the input field, and change which sanitization rule is being applied to it for the specified page.

[lat9]

@schoolboy, towards the bottom of the (Zen Cart 1.5.5b) file /YOUR_ADMIN/includes/init_includes/init_sanitize.php, find:

Code:

$group = array('customers_email_address' => array('sanitizerType' => 'SANITIZE_EMAIL_AUDIENCE', 'method' => 'post', 'pages' => array('mail')));
$sanitizer->addComplexSanitization($group);

$group = array('customers_email_address');
$sanitizer->addSimpleSanitization('SANITIZE_EMAIL', $group);

$group = array('products_description', 'coupon_desc', 'file_contents', 'categories_description', 'message_html', 'banners_html_text', 'pages_html_text', 'comments');
$sanitizer->addSimpleSanitization('PRODUCT_DESC_REGEX', $group);

$group = array('products_url');
$sanitizer->addSimpleSanitization('PRODUCT_URL_REGEX', $group);

$group = array('coupon_min_order');
$sanitizer->addSimpleSanitization('CURRENCY_VALUE_REGEX', $group);

and add the highlighted variable name to enable HTML tags in the products' options' comments:

Code:

$group = array('customers_email_address' => array('sanitizerType' => 'SANITIZE_EMAIL_AUDIENCE', 'method' => 'post', 'pages' => array('mail')));
$sanitizer->addComplexSanitization($group);

$group = array('customers_email_address');
$sanitizer->addSimpleSanitization('SANITIZE_EMAIL', $group);

$group = array('products_description', 'coupon_desc', 'file_contents', 'categories_description', 'message_html', 'banners_html_text', 'pages_html_text', 'comments', 'products_options_comment');
$sanitizer->addSimpleSanitization('PRODUCT_DESC_REGEX', $group);

$group = array('products_url');
$sanitizer->addSimpleSanitization('PRODUCT_URL_REGEX', $group);

$group = array('coupon_min_order');
$sanitizer->addSimpleSanitization('CURRENCY_VALUE_REGEX', $group);

[wilt]

Hi

There is some documentation about customizing the sanitizers here

However, to make your life easier, here is what to do.

Create a new file in [admin]/includes/extra_datafiles/

I named it sanitize_products_options_comment.php

contents of the file should be

PHP Code:

<?php
$sanitizer = AdminRequestSanitizer::getInstance();
$group = array(
    'products_options_comment' => array('sanitizerType' => 'PRODUCT_DESC_REGEX', 'method' => 'post'),
);
$sanitizer->addComplexSanitization($group);

I need to enclose some text in html tags, in the Option Names Comments field, but when I put the tags in, it is not sanitizing and converts the < to < , and the > to > . I have to then go into the database and change them back to < and > so that they do not render as < and > in-screen.

eg: <hr /> becomes <hr />

How do I fix this?

[wilt]

Note.

Have also opened a github issue.
https://github.com/zencart/zencart/issues/1348