Allow displaying html in customization summary / Solved
Hello,

I use HTML tags in a string that my module displays using hookDisplayCustomization.

PrestaShop 8.2.3 displays this string correctly in the FO cart/order.

In the BO I see this string on one line, with the HTML tags like <br /> shown literally:
admin/index.php/sell/orders/???/view
admin/index.php/sell/orders/carts/??/view

The problem can be solved by adding "| raw" to the twig files, but it is not a safe solution.
https://github.com/PrestaShop/PrestaShop/pull/22227/commits/0ef8c5aaa5bdb574e126687834979e2b7cb75b93

How can this be solved safely? I want to display the customization in the BO broken into many lines, but I can't use the <br/> tag.

My dh_cart_order_details.tpl file that creates the string:

<div id="order_details">
    {foreach from=$order_details item=order_detail key=order_detailKey}
        {if $order_detail.do_not_display != 1}
            {if $order_detail.main_group_id == 'link'}
                {* link rows already contain HTML: decode entities and output unescaped *}
                <span>{$order_detail.value_name|unescape:"html" nofilter}</span><br />
            {else}
                {* plain rows: group name and value are auto-escaped by Smarty *}
                <span>{$order_detail.main_group_name}: {$order_detail.value_name}</span><br />
            {/if}
        {/if}
    {/foreach}
</div>

Does anyone have an idea how to solve this problem safely? I do not want to generate an image with text to display in the BO.

Hi,

In the BO this is expected: PrestaShop escapes customization output on purpose to avoid XSS. There is no “official” way to render arbitrary HTML from hookDisplayCustomization in the admin.

Your options are basically:

  • Best practice: store/display plain text (and use line breaks like nl2br), not HTML.
  • If you really need formatting: output a safe subset by sanitizing the HTML yourself (HTMLPurifier / Symfony HtmlSanitizer), and then render it with |raw in the BO template. That requires an override of the admin twig/template, and it’s only safe if you fully sanitize/whitelist tags.
  • Alternative: add a custom admin page/panel for your module where you control the rendering (and sanitize), instead of trying to inject HTML into the default customization summary.

So: without a BO template change, you can’t safely “enable HTML” there.

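To make the "plain text + nl2br" option above concrete, here is an added PHP example; it is not PrestaShop code and not the poster's module, and it uses no PrestaShop API. It assumes the module stores the customization as plain text with "\n" between lines (a hypothetical layout), escapes that text first and only then inserts the line breaks, so the only HTML in the result is what nl2br added and the string can be output unescaped in an admin template. It also shows, as a caveat, why a strip_tags() allow-list is not a sanitizer: attributes on the allowed tags survive.

```php
<?php
declare(strict_types=1);

// Added example, not part of PrestaShop or the poster's module.
// Assumption: the customization value is stored as plain text, one line per "\n".

/**
 * Safe rendering for the BO: escape the text, then turn newlines into <br />.
 * Because escaping happens before nl2br(), every "<" in the user's text becomes
 * "&lt;" and the only tags in the output are the <br /> elements added here.
 * The result can be printed with Twig |raw or Smarty nofilter without XSS risk.
 */
function renderCustomizationAsHtml(string $plainText): string
{
    $escaped = htmlspecialchars(
        $plainText,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );

    return nl2br($escaped); // default mode inserts "<br />"
}

/**
 * Caveat: strip_tags() with an allow-list is NOT a sanitizer.
 * It removes disallowed tags but leaves attributes on allowed tags untouched,
 * so an event-handler attribute survives. Use a real sanitizer
 * (HTMLPurifier or Symfony's HtmlSanitizer) if HTML must be kept.
 */
function naiveStripTags(string $html): string
{
    return strip_tags($html, '<br><b>');
}

// Constructed sample input: a multi-line customization that also contains
// markup the customer typed (or a malicious customer injected).
$customization = "Text: hello\nColor: red<script>doSomething()</script>";

echo renderCustomizationAsHtml($customization), PHP_EOL;

// Constructed sample showing the strip_tags() caveat: the <b> tag is allowed,
// and its onmouseover attribute is kept as-is by strip_tags().
$html = '<b onmouseover="doSomething()">bold</b><br><i>gone</i>';

echo naiveStripTags($html), PHP_EOL;
```

If the module really has to keep a subset of HTML, the second option in the reply applies: run the stored string through a sanitizer with an explicit allow-list (Symfony's HtmlSanitizerConfig with allowElement() plus HtmlSanitizer::sanitize(), or HTMLPurifier) before it reaches the template, and only then output it unescaped. The plain-text function above needs no such dependency, which is why it is the lower-risk choice for a BO summary.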