NishantVadgama Posted June 26, 2015

Is there any expert, or at least a good developer, in PrestaShop? I have developed many modules and face the same problem every time. I uploaded one module on 23-06-2015 with validation done successfully, and on 26-06-2015 I got a reply about a security issue. I tried to validate the same package again, and now there is a security issue of "Invalid escape modifiers". On 23-06-2015 there was no issue at all, and suddenly there are 79 such Smarty variable errors. I have written the following code in one of my .tpl files:

<script type="text/javascript">
function sendMail(id_record) {
    $.ajax({
        type: "POST",
        url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record,
        async: true,
        dataType: "json",
        success: function(jsonData) {
            if (jsonData.result)
                $('#success').show();
        }
    });
}
</script>

The validator gives the error "Invalid escape modifiers count, must be escaped like: "{$data|escape:'htmlall':'UTF-8'}"" on the following line:

url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record

So can any expert tell me how I can use this modifier ({$data|escape:'htmlall':'UTF-8'}) with this line? If I use the modifier as follows:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record,

it will convert every "&" to "&amp;", and if I do not use the modifier then the validator gives an error! What should I do?

Another problem with the validator, with the same module, is as follows. I have overridden Cart's getProducts method in my module, and while validating, PrestaShop gives the error "Variable "$_attributesLists" have not right syntax. Should be : "$attributes_lists"" on the following line:

if (array_key_exists($row['id_product_attribute'].'-'.$this->id_lang, self::$_attributesLists))
    $row = array_merge($row, self::$_attributesLists[$row['id_product_attribute'].'-'.$this->id_lang]);

These two variables are member variables of the Cart class (parent/CartCore), so how can I change them in the override file? I have attached two screenshots of the error so it can help you understand how PrestaShop development becomes more inaccurate day by day.
bellini13 Posted June 26, 2015

I assume your module is trying to do something in the back office? If so, you should review the following template on how to properly do this: /admin/themes/default/template/header.tpl

So instead of this:

url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record

do this:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record

Note: There is no reason that you need to perform this escape other than that it is triggering a validator rule. This won't actually prevent a user from performing XSS if they want to, but it is easier to add the escape than to argue with the addons team over it.

Also note: There is no reason to escape your parameters (i.e. action=sendMail), since they are static and you are not collecting the values from the UI. The PrestaShop core code does not escape them either. However, it is proven over and over again that they hold contributors to a higher standard than themselves.

For the second one, they are not going to like that you are creating an override to begin with, and will probably reject this anyway. However, your only option here is to add comments to your code explaining why you cannot do what the validator is complaining about. Then add a note to the addons team when you submit the file pointing this out. They will most likely argue and tell you to find another way to accomplish this override. So before you submit, try to consider whether there is a reason you need to override their code entirely, or whether you can instead call the parent function in your override and receive the product array, then do whatever you need to do to the product array once you have it.
NishantVadgama Posted June 29, 2015

If I write the following:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record

it will convert all '&' in the URL to '&amp;', so the admin controller link does not work, and if I write it without the 'escape' modifier then the PrestaShop validator gives an error and the module is rejected for a security issue. Is there any proper way to do this?

For the second one, I have already uploaded one module with the same note, saying that I have not changed the label because it is the parent class's member variable, so it cannot be changed. If I do so forcefully, it may not work as it is. But PrestaShop still rejected my module, telling me that I should validate on the PrestaShop validator first and solve the errors, and only then submit the module. They do not consider any kind of note or message, even if they are wrong (rules for development).
bellini13 Posted June 30, 2015

Explain what part of the URL would have the ampersand character?

{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}
JA MODULES Posted July 24, 2015

Hello, I have a similar problem. I have several modules that need to show the .tpl files' HTML content. The validator does not allow this:

<div class="rte">{$product->description}</div>

In the default-bootstrap theme it is set likewise. The validator does not accept something that is in the default-bootstrap theme. What should I do?

Regards
NishantVadgama Posted July 24, 2015

I am not so sure, but it could help you. Refer to the following forum link: https://www.prestashop.com/forums/topic/455995-prestashop-validator-headache/
JA MODULES Posted July 24, 2015

OK, thanks. I will also try to put in comments to see if PrestaShop accepts it.
Nishith Nesdiya Posted August 4, 2015

If I write the following:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record

it will convert all '&' in the URL to '&amp;', so the admin controller link does not work, and if I write it without the 'escape' modifier then the PrestaShop validator gives an error and the module is rejected for a security issue. Is there any proper way to do this?

Hi... you can use this way:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'url':'UTF-8'}" + "&action=sendMail&id=" + id_record

Thanks.
bellini13 Posted August 4, 2015

Doing this is entirely pointless. There is nothing in this URL that can be altered by a malicious client-side user to cause an XSS issue. The URL is also constructed server-side by core PrestaShop code, so if there is an issue, PS core code should be altered.

url: "{$link->getAdminLink('AdminNotifyme')|escape:'url':'UTF-8'}"
GeorgeFilippakis Posted June 9, 2016

I think that I should answer this in case anyone else has the same issue. The $link->getAdminLink('AdminNotifyme') contains an ampersand, so escaping it breaks the URL. If you are using the URL in JavaScript, you could assign the URL to a variable this way:

$this->context->smarty->assign(array(
    'my_url' => rawurlencode($this->context->link->getAdminLink('AdminMyModuleController'))
));

and then in your .tpl file write something like this:

var my_url = decodeURIComponent("{$my_url|escape:'htmlall':'UTF-8'}");

In case you want to insert HTML code, you can use:

{$my_html|escape:'html':'UTF-8'|htmlspecialchars_decode:3}

which does not break your HTML.
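The ampersand behaviour argued over in this thread, in runnable form. This is an added example, not code from any of the posts or from PrestaShop itself: it emulates in JavaScript what Smarty's escape:'htmlall' (PHP htmlentities) and escape:'url' (PHP rawurlencode) write into the template for the admin link, then what the url variable holds at runtime, given that the HTML parser does not decode entities inside <script>. The admin link value, the record id, the back-office base URL and the hostile test string are constructed samples, and the two modifier emulations are assumptions about Smarty's output rather than calls into Smarty.

```javascript
// Added example (not from the thread or from PrestaShop): what each Smarty
// escape strategy does to an admin link interpolated into a JavaScript string.

// Constructed sample values. The link has the shape Link::getAdminLink()
// produces in PrestaShop 1.6, but the token and base URL are made up.
const ADMIN_LINK = "index.php?controller=AdminNotifyme&token=9f1c3b2a";
const ID_RECORD = 42;
const SHOP_BASE = "https://shop.example/admin-dev/";

// Assumed emulation of |escape:'htmlall':'UTF-8' (PHP htmlentities, ENT_QUOTES).
function escapeHtmlall(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed emulation of PHP rawurlencode(), which is also what |escape:'url'
// applies: everything except A-Z a-z 0-9 - _ . ~ becomes %XX.
function rawurlencode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Text that Smarty writes into the page for the {$...} expression.
function emitted(strategy, link) {
  switch (strategy) {
    case "raw":     return link;                              // {$link}: what the validator rejects
    case "htmlall": return escapeHtmlall(link);               // {$link|escape:'htmlall':'UTF-8'}
    case "url":     return rawurlencode(link);                // {$link|escape:'url':'UTF-8'}
    case "encoded": return escapeHtmlall(rawurlencode(link)); // my_url = rawurlencode($link); {$my_url|escape:'htmlall':'UTF-8'}
    default: throw new Error("unknown strategy: " + strategy);
  }
}

// Value of the url variable when the script runs. Inside <script> the HTML
// parser does not decode entities, so the emitted text is the literal string
// value; only the "encoded" strategy wraps it in decodeURIComponent().
function runtimeUrl(strategy, link = ADMIN_LINK, idRecord = ID_RECORD) {
  const text = emitted(strategy, link);
  const base = strategy === "encoded" ? decodeURIComponent(text) : text;
  return base + "&action=sendMail&id=" + idRecord;
}

// Query parameters the admin controller would receive for that request.
function queryParams(url) {
  return Object.fromEntries(new URL(url, SHOP_BASE).searchParams);
}

// True when the text written into the page for this strategy contains only
// characters that cannot close the surrounding JavaScript string literal.
function emitsOnlyUrlSafe(strategy, link) {
  return /^[A-Za-z0-9%._~-]*$/.test(emitted(strategy, link));
}

for (const strategy of ["raw", "htmlall", "url", "encoded"]) {
  const url = runtimeUrl(strategy);
  console.log(strategy.padEnd(8), url, JSON.stringify(queryParams(url)));
}
```

Run it with node. The 'htmlall' strategy produces a parameter named amp;token instead of token, which is why the admin controller's token check fails; escape:'url' percent-encodes the whole link, so the request carries no query string at all; rawurlencode on the PHP side followed by decodeURIComponent in the script round-trips the link unchanged, and because the emitted text can only contain [A-Za-z0-9%._~-], a value containing quotes or a closing script tag cannot terminate the string literal, which is the concern the validator rule is meant to address.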