Security error on validation


MEG Venture

I am trying to validate one of my existing modules' upgrades on the validator. Security issues are handled except one.

 

Please see below:

 

/views/frontend/1.6/product.tpl
Variable should be escaped, modifier not found ('htmlall', 'intval', etc.).

691. {addJsDefL name='upToTxt'}{l s='Up to' js=1}{/addJsDefL}
754. {addJsDefL name=doesntExistNoMore}{l s='This product is no longer in stock' js=1}{/addJsDefL}
755. {addJsDefL name=doesntExistNoMoreBut}{l s='with those attributes but is available with others.' js=1}{/addJsDefL}
757. {addJsDefL name=uploading_in_progress}{l s='Uploading in progress, please be patient.' js=1}{/addJsDefL}

I understand the need to escape variables and I applied the needed cure to the default Prestashop theme files that I replace upon installation like product.tpl, but when it comes to these javascript variables, I am hopeless.

 

Are these also required to be escaped to be technically validated? If so, can you give an example of how to escape them? And one more question: why doesn't PrestaShop escape its default theme files, and why does it ask us to implement the fix to its default files?

 

Thanks...


It is a double standard they fail to address whenever asked (trust me, I've asked a bunch of times).

 

There is nothing in those variables that needs to be escaped. They are never submitted back to the server, and therefore would never present a security issue. You should just add comments around them and explain that to them, and hope they approve.


Yep, bellini13 is right. When you submit and need an exception for things like functions, variables, etc. that don't validate, you can add a comment and PrestaShop Addons takes care of this.
