
Prestashop Validator ISSUE



Is there any expert, or at least a good developer, in PrestaShop?

I have developed many modules and face the same problem each and every time.

I uploaded one module on 23-06-2015 and validation passed successfully.
Then on 26-06-2015 I got a reply about a security issue. I tried to validate the same package, and there is a security issue of
"Invalid escape modifiers". On 23-06-2015 there was no issue at all, and suddenly there are 79 such Smarty variable errors.

I have written the following code in one of my .tpl files:

 

<script type="text/javascript">
function sendMail(id_record)
{
    $.ajax({
        type: "POST",
        url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record,
        async: true,
        dataType: "json",
        success: function(jsonData)
        {
            if (jsonData.result)
                $('#success').show();
        }
    });
}
</script>

 

The validator gives the error "Invalid escape modifiers count, must be escaped like: "{$data|escape:'htmlall':'UTF-8'}""
on the following line:

 

 

url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record,

So can any expert tell me how I can use this modifier ({$data|escape:'htmlall':'UTF-8'}) with this line?
If I use the modifier as follows:

 

 

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record,

it will convert every "&" to "&amp;",

and if I do not use such a modifier then the validator gives an error! What should I do?
 
Another problem with the validator on the same module is as follows.
I have overridden Cart's getProducts method in my module, and while validating PrestaShop gives the error
"Variable "$_attributesLists" have not right syntax. Should be : "$attributes_lists"" on the following lines.

 

if (array_key_exists($row['id_product_attribute'].'-'.$this->id_lang, self::$_attributesLists))
    $row = array_merge($row, self::$_attributesLists[$row['id_product_attribute'].'-'.$this->id_lang]);

These two variables are member variables of the Cart class (parent/CartCore), so how can I change them in the override file?

 

I have attached two screenshots of these errors so they can help you understand how PrestaShop development becomes more inaccurate day by day.

 

[Attachment: post-781913-0-19616300-1435314113_thumb.jpg (validator error screenshot)]

[Attachment: post-781913-0-82572800-1435314113_thumb.jpg (validator error screenshot)]


I assume your module is trying to do something in the back office? If so, you should review the following template on how to properly do this:

/admin/themes/default/template/header.tpl

 

So instead of this:

url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record

do this:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record

Note: There is no reason that you need to perform this escape other than that it is triggering a validator rule. This won't actually prevent a user from performing XSS if they want to, but it is easier to add the escape than to argue with the addons team over it.

 

Also note: There is no reason to escape your parameters (i.e. action=sendMail), since they are static and you are not collecting the values from the UI. The PrestaShop core code does not escape them either. However, it has been proven over and over again that they hold contributors to a higher standard than themselves.


 

For the second one, they are not going to like that you are creating an override to begin with, and will probably reject this anyway. However, your only option here is to add comments to your code explaining why you cannot do what the validator is complaining about. Then add a note to the addons team when you submit the file pointing this out.

 

They will most likely argue and tell you to find another way to accomplish this override. So before you submit, try to consider whether there is a reason you need to override their code entirely, or whether you can instead call the parent function in your override and receive the product array, then do whatever you need to do to the product array once you have it.

  • Like 2

If I write the following:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record

It'll convert all '&' in the URL to '&amp;', so the admin controller link does not work, and if I write it without the 'escape' modifier then the PrestaShop validator gives an error and the module is rejected for a security issue. Is there any proper way to do this?

 

And for the second one:

I have already uploaded one module with a note saying that I have not changed the label because it is the parent class's member variable, so I can't change it. If I do it forcefully then it may not work as it does now. But still PrestaShop rejects my module, telling me I should validate on the PrestaShop validator first and solve the errors, and only then submit the module. They do not consider any kind of note or message, even if they are wrong (rules for development).

  • Like 1

  • 4 weeks later...

Hello,

I have a similar problem. I have several modules that need to show the tpl files in HTML content.

The validator does not allow this:

<div class="rte">{$product->description}</div>

In the default-bootstrap theme it is set likewise.

The validator does not accept something that is in the default-bootstrap theme.

What should I do?

 

Regards


  • 2 weeks later...

If I write the following:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'htmlall':'UTF-8'}" + "&action=sendMail&id=" + id_record

It'll convert all '&' in the URL to '&amp;', so the admin controller link does not work, and if I write it without the 'escape' modifier then the PrestaShop validator gives an error and the module is rejected for a security issue. Is there any proper way to do this?

 

 

Hi...

 

You can use it this way:

url: "{$link->getAdminLink('AdminNotifyme')|escape:'url':'UTF-8'}" + "&action=sendMail&id=" + id_record

Thanks.

Edited by Nishith

Doing this is entirely pointless. There is nothing in this URL that can be altered by a malicious client-side user to cause an XSS issue. The URL is also constructed server-side by core PrestaShop code, so if there is an issue, PS core code should be altered.

url: "{$link->getAdminLink('AdminNotifyme')|escape:'url':'UTF-8'}"

  • 10 months later...

I think that I should answer this in case anyone else has the same issue.

 

The $link->getAdminLink('AdminNotifyme') contains an ampersand, so escaping it breaks the URL.

 

If you are using the URL in JavaScript you could assign the URL to a variable this way:
 

$this->context->smarty->assign(array(
    'my_url' => rawurlencode($this->context->link->getAdminLink('AdminMyModuleController'))
));

and then in your .tpl file write something like this:

var my_url = decodeURIComponent("{$my_url|escape:'htmlall':'UTF-8'}");

In case you want to insert HTML code, you can use:

{$my_html|escape:'html':'UTF-8'|htmlspecialchars_decode:3}

which does not break your HTML.

Edited by GeorgeFilippakis
  • Like 1
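To make the behaviour the whole thread is arguing about concrete (the first post's broken "&amp;" link, the escape:'url' suggestion, and the rawurlencode/decodeURIComponent pairing and the html + htmlspecialchars_decode trick from the last post), here is an added example written for this page. It is not code from any of the posters or from PrestaShop: a small JavaScript script that applies approximations of Smarty's escape:'htmlall' (PHP htmlentities) and escape:'url' (PHP rawurlencode) to a constructed admin link, builds the AJAX URL the way the first post's template does, and parses the query string the way the admin controller would. The link value, the token and all function names are constructed for the example; entity handling covers only the five characters PHP's ENT_QUOTES deals with (htmlentities also encodes non-ASCII, which does not matter for a URL).

```javascript
// Added example for this page (not from the forum thread or PrestaShop):
// what each Smarty escape modifier does to an admin link that ends up in a
// <script> block. ADMIN_LINK is a constructed value; real getAdminLink()
// output carries a token whose exact format does not matter here.
const ADMIN_LINK = 'index.php?controller=AdminNotifyme&token=EXAMPLETOKEN';

// Approximation of Smarty escape:'html' / escape:'htmlall' for the five
// characters PHP's htmlspecialchars/htmlentities handle with ENT_QUOTES
// (htmlentities additionally encodes non-ASCII, which is irrelevant here).
function escapeHtmlEntities(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#039;');
}

// Approximation of Smarty escape:'url' (PHP rawurlencode): everything except
// A-Z a-z 0-9 - _ . ~ becomes %XX. encodeURIComponent leaves ! ' ( ) * alone,
// so those are encoded by hand to match PHP.
function rawUrlEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// PHP htmlspecialchars_decode($s, 3 /* ENT_QUOTES */). &amp; is decoded last
// so that "&amp;lt;" becomes "&lt;" and not "<".
function htmlspecialcharsDecode(s) {
  return s.replace(/&quot;/g, '"')
          .replace(/&#0?39;/g, "'")
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&amp;/g, '&');
}

// Text inside <script> is raw text: the browser does not decode entities
// there, so the JS string literal holds exactly what Smarty emitted. This
// mimics the template line
//   url: "{$link->getAdminLink('AdminNotifyme')}" + "&action=sendMail&id=" + id_record
function buildAjaxUrl(emittedLink, idRecord) {
  return emittedLink + '&action=sendMail&id=' + idRecord;
}

// Parse the query string the way the admin controller will see it.
function queryParams(url) {
  const qs = url.split('?')[1] || '';
  return Object.fromEntries(new URLSearchParams(qs));
}

// The four variants discussed in the thread, for one record id.
function ajaxUrlVariants(idRecord) {
  return {
    // 1. no modifier (the original template): works, but the validator rejects it
    raw: buildAjaxUrl(ADMIN_LINK, idRecord),
    // 2. |escape:'htmlall': satisfies the validator, but '&' becomes '&amp;'
    htmlall: buildAjaxUrl(escapeHtmlEntities(ADMIN_LINK), idRecord),
    // 3. |escape:'url': satisfies the validator, but '?', '=' and '&' become %XX too
    url: buildAjaxUrl(rawUrlEncode(ADMIN_LINK), idRecord),
    // 4. rawurlencode() in PHP, |escape:'htmlall' in the template (a no-op on
    //    %XX text), then decodeURIComponent() in JavaScript, as in the last post
    roundtrip: buildAjaxUrl(
      decodeURIComponent(escapeHtmlEntities(rawUrlEncode(ADMIN_LINK))), idRecord),
  };
}

// HTML content case: escape:'html' then htmlspecialchars_decode:3 is an
// identity transform, so the markup reaches the browser unchanged.
function emitHtmlContent(html) {
  return htmlspecialcharsDecode(escapeHtmlEntities(html));
}

// Stand-alone run: print what the server would see for each variant.
for (const [name, url] of Object.entries(ajaxUrlVariants(7))) {
  console.log(name.padEnd(9), url, '->', JSON.stringify(queryParams(url)));
}
```

Running it shows why the htmlall version fails silently: the server receives a parameter named "amp;token" and no "token", so the admin controller rejects the request; the escape:'url' version has no "?" left at all, so the browser requests a file literally named index.php%3Fcontroller..., and only the round-trip variant yields the same query string as the unescaped template. The underlying rule the validator cannot express is that an escape must match the output context (HTML text, HTML attribute, script literal, URL component) and is only protective on data an attacker can influence; here the link is generated server-side, which is why the earlier reply calls the escape pointless.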
