NishantVadgama Posted July 22, 2015

Hello,

I am developing a PrestaShop module, and I am facing so many problems with the PrestaShop validator all the time. This time, my module needs to call the payment hook in my template file, so I called it correctly and it works fine as well. But while validating, the PrestaShop validator gives the following error in the security tab:

Invalid escape modifiers count, must be escaped like: "{$data|escape:'htmlall':'UTF-8'}"

on the line where I have written the Smarty variable as

{$HOOK_PAYMENT}

To solve that error, I changed that line of code as follows:

{$HOOK_PAYMENT|escape:'htmlall':'UTF-8'}

With the above line of code it is not working fine; it is displaying a simple line of code as follows:

<div class="row">
<div class="col-xs-12">
<p class="payment_module">
<a class="bankwire" href="https://192.168.0.50/prestashop_1.6.0.13/module/bankwire/payment" title="Pay by bank wire"> Pay by bank wire <span>(order processing will be longer)</span> </a>
</p>
</div>
</div>
<div class="row">
<div class="col-xs-12">
<p class="payment_module">
<a class="cheque" href="https://192.168.0.50/prestashop_1.6.0.13/module/cheque/payment" title="Pay by check."> Pay by check <span>(order processing will be longer)</span> </a>
</p>
</div>
</div>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<p class="payment_module">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="charset" value="utf8" />
<input type="hidden" name="business" value="" />
<input type="hidden" name="currency_code" value="USD" />
<input type="hidden" name="custom" value="79;1" />
<input type="hidden" name="amount" value="13.5" />
<input type="hidden" name="first_name" value="Nishant" />
<input type="hidden" name="last_name" value="Vadgama" />
<input type="hidden" name="address1" value="2041 Martin Luther King Junior Avenue Southeast Southfield," />
<input type="hidden" name="city" value="Washington" />
<input type="hidden" name="state" value="WA" />
<input type="hidden" name="zip" value="20020" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="night_phone_b" value="202) 652-0536" />
<input type="hidden" name="address_override" value="1" />
<input type="hidden" name="item_name_1" value="Installment" />
<input type="hidden" name="amount_1" value="13.5" />
<input type="hidden" name="quantity_1" value="1" />
<input type="hidden" name="tax_cart" value="0" />
<input type="hidden" name="notify_url" value="https://192.168.0.50/prestashop_1.6.0.13/module/paypalusa/validation?pps=1" />
<input type="hidden" name="return" value="https://192.168.0.50/prestashop_1.6.0.13/order-confirmation?id_cart=79&key=0795569296641f8d784ca5affafe1484&id_module=90" />
<input type="hidden" name="cancel_return" value="http://192.168.0.50/prestashop_1.6.0.13/order" />
<input type="hidden" name="no_shipping" value="1" />
<input type="hidden" name="bn" value="PrestashopUS_Cart" />
<input id="paypal-standard-btn" type="image" name="submit" src="https://www.paypalobjects.com/en_US/i/bnr/horizontal_solution_PPeCheck.gif" alt="" style="vertical-align: middle; margin-right: 10px;" /> Pay with PayPal
</p>
</form>
<div class="row">
<div class="col-xs-12">
<p class="payment_module">
<a class="cash" href="https://192.168.0.50/prestashop_1.6.0.13/module/cashondelivery/validation" title="Pay with cash on delivery (COD)" rel="nofollow"> Pay with cash on delivery (COD) <span>(You pay for the merchandise upon delivery)</span> </a>
</p>
</div>
</div>
<link rel="shortcut icon" type="image/x-icon" href="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" />
<p class="payment_module" >
<form name="authorizeaim_form" id="authorizeaim_form" action="/prestashop_1.6.0.13/modules/authorizeaim/validation.php" method="post">
<span style="border: 1px solid #595A5E;display: block;padding: 0.6em;text-decoration: none;margin-left: 0.7em;">
<a id="click_authorizeaim" href="#" title="Pay with AuthorizeAIM" style="display: block;text-decoration: none; font-weight: bold;">
<img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/visa.gif" alt="Visa Logo" style="vertical-align: middle;" />
<img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/mastercard.gif" alt="Mastercard Logo" style="vertical-align: middle;" />
<img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/discover.gif" alt="Discover Logo" style="vertical-align: middle;" /><img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/ax.gif" alt="American Express Logo" style="vertical-align: middle;" /> Secured card payment
</a>
<div id="aut2"style="display:none">
<br /><br />
<div style="width: 136px; height: 145px; float: left; padding-top:40px; padding-right: 20px; border-right: 1px solid #DDD;">
<img src="/prestashop_1.6.0.13/modules/authorizeaim/img/logoa.gif" alt="secure payment" />
</div>
<input type="hidden" name="x_solution_ID" value="A1000006" />
<input type="hidden" name="x_invoice_num" value="79" />
<input type="hidden" name="x_currency_code" value="USD" />
<label style="margin-top: 4px; margin-left: 35px;display: block;width: 90px;float: left;">Full name</label>
<input type="text" name="name" id="fullname" size="30" maxlength="25S" /><img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br />
<label style="margin-top: 4px; margin-left: 35px; display: block;width: 90px;float: left;">Card Type</label>
<select id="cardType">
<option value="AmEx">American Express</option>
<option value="Visa">Visa</option>
<option value="MasterCard">MasterCard</option>
<option value="Discover">Discover</option>
</select>
<img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br />
<label style="margin-top: 4px; margin-left: 35px; display: block; width: 90px; float: left;">Card number</label>
<input type="text" name="x_card_num" id="cardnum" size="30" maxlength="16" autocomplete="Off" /><img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br />
<label style="margin-top: 4px; margin-left: 35px; display: block; width: 90px; float: left;">Expiration date</label>
<select id="x_exp_date_m" name="x_exp_date_m" style="width:60px;">
<option value="1">1</option> <option value="2">2</option> <option value="3">3</option> <option value="4">4</option> <option value="5">5</option> <option value="6">6</option>
<option value="7">7</option> <option value="8">8</option> <option value="9">9</option> <option value="10">10</option> <option value="11">11</option> <option value="12">12</option>
</select>/<select name="x_exp_date_y">
<option value="14">2014</option> <option value="15">2015</option> <option value="16">2016</option> <option value="17">2017</option> <option value="18">2018</option> <option value="19">2019</option>
<option value="20">2020</option> <option value="21">2021</option> <option value="22">2022</option> <option value="23">2023</option> <option value="24">2024</option> <option value="25">2025</option>
</select>
<img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br />
<label style="margin-top: 4px; margin-left: 35px; display: block; width: 90px; float: left;">[spam-filter]</label>
<input type="text" name="x_card_code" id="x_card_code" size="4" maxlength="4" />
<img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;"/>
<img src="/prestashop_1.6.0.13/modules/authorizeaim/img/help.png" id="[spam-filter]_help" title="the 3 last digits on the back of your credit card" alt="" /><br /><br />
<img src="/prestashop_1.6.0.13/modules/authorizeaim/img/[spam-filter].png" id="[spam-filter]_help_img" alt=""style="display: none;margin-left: 211px;" />
<input type="button" id="asubmit" value="Validate order" style="margin-left: 124px; padding-left: 25px; padding-right: 25px;" class="button" />
<br class="clear" />
</div>
</span>
</form>
</p><script type="text/javascript">
var mess_error = "Please check your credit card information (Credit card type, number and expiration date)";
var mess_error2 = "Please specify your Full Name";
$(document).ready(function() {
    $('#x_exp_date_m').children('option').each(function() {
        if ($(this).val() < 10) {
            $(this).val('0' + $(this).val());
            $(this).html($(this).val())
        }
    });
    $('#click_authorizeaim').click(function(e) {
        e.preventDefault();
        $('#click_authorizeaim').fadeOut("fast", function() {
            $("#aut2").show();
            $('#click_authorizeaim').fadeIn('fast');
        });
        $('#click_authorizeaim').unbind();
        $('#click_authorizeaim').click(function(e) {
            e.preventDefault();
        });
    });
    $('#[spam-filter]_help').click(function() {
        $("#[spam-filter]_help_img").show();
        $('#[spam-filter]_help').unbind();
    });
    $('#asubmit').click(function() {
        if ($('#fullname').val() == '') {
            alert(mess_error2);
        } else if (!validateCC($('#cardnum').val(), $('#cardType').val()) || $('#x_card_code').val() == '') {
            alert(mess_error);
        } else {
            $('#authorizeaim_form').submit();
            $('#asubmit').prop("disabled", true);
        }
        return false;
    });
});
</script>

Except that it works fine without the escape modifier. So can anybody help me to come out of this problem?

bellini13 Posted July 22, 2015

Leave it as {$HOOK_PAYMENT} and just add a comment that explains this is HTML content and escaping it is not necessary. Something like this...

{$HOOK_PAYMENT} {* HTML comment, no escape necessary *}

The validator will still complain, but when you submit the module they should ignore the error and approve it. You might need to explain why you are adding new hooks in your module, but that is a functional question, not a security concern.

NishantVadgama (Author) Posted July 22, 2015

Thank you for the reply. I hope they'll not reject my module over the validator's security complaint. I'll submit my module after adding a comment on such Smarty variables, as you explained. Thanks again for your valuable reply.

NemoPS Posted July 29, 2015

Honestly - can't they just take off these ridiculous validation rules.

bellini13 Posted July 29, 2015

I've fought with them over this for a long time, and they fail to see how pointless these escape rules are. Even when using escape, an end user can still submit malicious data to the server. They are trying to prevent cross-site scripting, and I get that, but it's way overboard.

NishantVadgama (Author) Posted July 30, 2015

SOOOOOOOOOOOOOOOOOOOOOOOOO RIDICULOUS - PRESTASHOP DEVELOPMENT nowadays.

I submitted my module on 17-07-2015 after validating it on the PrestaShop validator, and there was no bug (0 errors). As the PrestaShop team takes 7-10 days (for testing) to upload to the Addons marketplace, in between they updated that validator (on 20-07-2015), and my module suddenly has 5 security bugs and the PrestaShop team rejected my module. The same thing happened with another module also.

So is there any KNOWLEDGEABLE person in the PRESTASHOP team who can solve this kind of problem? Otherwise, either this framework will suffer a lot to become popular as well as useful, or developers will leave it.

bellini13 Posted July 30, 2015

What are the 5 security bugs?

NishantVadgama (Author) Posted August 3, 2015

Invalid escape modifiers count, could be escaped like: "{$data|escape:'htmlall':'UTF-8'}"

bellini13 Posted August 3, 2015

OK, so escape them or explain why they cannot be escaped?

NishantVadgama (Author) Posted August 4, 2015

MY POINT IS THAT YOUR PRESTASHOP VALIDATOR IS NOT ACCURATE. ON 17-07-2015 IT VALIDATED SUCCESSFULLY, AND ON 20-07-2015 THERE ARE 5 BUGS OF "ESCAPE MODIFIERS". SO WHY DID IT NOT DETECT THOSE 5 BUGS THE FIRST TIME (DATED 17-07-2015)?

Edited August 4, 2015 by NishantVadgama

bellini13 Posted August 4, 2015

> MY POINT IS THAT YOUR PRESTASHOP VALIDATOR IS NOT ACCURATE

The validator is not mine; I do not work for PrestaShop.

> SO WHY DID IT NOT DETECT THOSE 5 BUGS THE FIRST TIME (DATED 17-07-2015)?

The validator changes frequently, and it changed on 7/20. You can always click on the changelog link at the bottom of the validator page: https://validator.prestashop.com/changelog

NishantVadgama (Author) Posted August 5, 2015

> The validator changes frequently, and it changed on 7/20

I clearly know this. But the PrestaShop team should consider that date (or refer to a graph) before rejecting a module, considering that he/she submitted on xx-xx-xxxx and that day there was no bug, and after that the validator changed, so they should accept that. And I think they have a track of such module validations that we have performed.

bellini13 Posted August 5, 2015

Good luck with that. You'd be better off updating your module and resubmitting it.

vblanch Posted August 11, 2015

I have a similar problem. I want to show HTML code (an image with a link) in my module, but the validator keeps telling me to escape HTML. If I do, the button is not displayed (it displays the HTML code instead!).

The point is, some of my customers complained that PrestaShop Cloud is NOT accepting non-validated modules, even if sold in other markets outside PrestaShop.

Any ideas on how to solve this? Thanks!

*Edit: Just tried the "unescape" command in Smarty but the validator got me. This is getting ridiculous... so we can't render HTML in our modules?

Edited August 11, 2015 by vblanch

bellini13 Posted August 12, 2015

> I have a similar problem. I want to show HTML code (an image with a link) in my module, but the validator keeps telling me to escape HTML. If I do, the button is not displayed (it displays the HTML code instead!).
>
> The point is, some of my customers complained that PrestaShop Cloud is NOT accepting non-validated modules, even if sold in other markets outside PrestaShop.
>
> Any ideas on how to solve this? Thanks!
>
> *Edit: Just tried the "unescape" command in Smarty but the validator got me. This is getting ridiculous... so we can't render HTML in our modules?

I already addressed this in my first reply above...

vblanch Posted August 13, 2015

> I already addressed this in my first reply above...

Hi there bellini13, thanks for your answer. Yes, you addressed the issue. However, it's not the ideal solution, since I have customers using the validator over my software and complaining about the "errors" (yes, it reports the unescaped strings as errors, not as warnings). It's hard to explain the reason to people who aren't programmers.

Anyway, I will do the comment thing and explain. I guess I have no other option.

Cheers

bellini13 Posted August 13, 2015

Tell your customers to take PrestaShop's own modules and run them through the validator; they will all fail.

NishantVadgama (Author) Posted August 14, 2015

> Tell your customers to take PrestaShop's own modules and run them through the validator; they will all fail.

Yes, you are absolutely right. Not even the core part of PrestaShop is following such ridiculous validation rules, so how can they expect it from developers? They should think about the feasibility of this before applying such rules.

Matthieu Malttt Posted January 6, 2016

No news about this? Still getting the error on the validator. We need something...

bellini13 Posted January 6, 2016

> No news about this? Still getting the error on the validator. We need something...

What news update are you expecting?

Matthieu Malttt Posted January 8, 2016

Has someone found a trick, or did PrestaShop Validator and Addons buy a brain to let us work in sanity?

Matthieu Malttt Posted January 14, 2016

Trick found!

{html_entity_decode($var|escape:'htmlall':'UTF-8')}

TheMacros Posted February 13, 2017

> Trick found!
>
> {html_entity_decode($var|escape:'htmlall':'UTF-8')}

Have you submitted some modules with this?

TheMacros Posted February 13, 2017

> Trick found!
>
> {html_entity_decode($var|escape:'htmlall':'UTF-8')}

In some cases it's not working. For example, when we have a JS script in the $var variable.

Arnaud Drieux Posted March 9, 2017

Hum! I just tried this on PS 1.7. That doesn't work. So you need to use {$var nofilter}, but PrestaShop Validator says:

Removing variable escaping is highly discouraged because malicious code can be displayed and executed

Well...

bellini13 Posted March 10, 2017

In front office templates, the nofilter is required since all escaping is performed in the core now. You still need it for back office templates, however. So if it is working properly in your testing, and the only thing is a validator warning, ignore it and submit the module. It is their own rule.

http://build.prestashop.com/news/module-development-changes-in-17/#general-information

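Added example (not code from any poster in this thread or from PrestaShop): a stand-alone PHP script showing that the escape-then-decode expression posted above undoes its own escaping, how it can corrupt inline JavaScript, and what escaping each dynamic value before the markup is assembled looks like. It assumes Smarty's escape:'htmlall':'UTF-8' behaves like htmlentities() with ENT_QUOTES; the helper names and sample strings are constructed for illustration.

```php
<?php
// Added example, not code from the thread or from PrestaShop.
// Assumption: escape:'htmlall':'UTF-8' is modelled by htmlentities() with
// ENT_QUOTES. Helper names and sample strings are constructed.

function smarty_htmlall(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// The trick from the thread: escape, then decode straight away.
function escape_then_decode(string $s, int $decodeFlags): string
{
    return html_entity_decode(smarty_htmlall($s), $decodeFlags, 'UTF-8');
}

// Alternative: escape each dynamic value where it enters the markup, so the
// finished markup can be printed once without a second escape.
function payment_link(string $url, string $label): string
{
    return sprintf(
        '<p class="payment_module"><a href="%s">%s</a></p>',
        smarty_htmlall($url),
        smarty_htmlall($label)
    );
}

// Constructed input: module markup with an untrusted value concatenated in.
$untrusted = '<img src=x onerror="alert(1)">';
$hookHtml  = '<p class="payment_module">' . $untrusted . '</p>';

// 1. Escaping the whole hook output turns every tag into visible text,
//    which is the behaviour reported in the first post.
echo smarty_htmlall($hookHtml), PHP_EOL;

// 2. Escape-then-decode returns the input byte for byte, so the untrusted
//    tag is emitted as live markup.
var_dump(escape_then_decode($hookHtml, ENT_QUOTES | ENT_HTML401) === $hookHtml);

// 3. ENT_COMPAT was html_entity_decode()'s default before PHP 8.1. It leaves
//    &#039; encoded, so single-quoted strings in inline JavaScript break.
$js = "<script>var msg = 'Pay by check';</script>";
echo escape_then_decode($js, ENT_COMPAT | ENT_HTML401), PHP_EOL;

// 4. Per-value escaping keeps the module's own tags and renders the
//    untrusted value as inert text.
echo payment_link('/module/cheque/payment', $untrusted), PHP_EOL;
```

Markup assembled this way is the case where printing without a template-level escape ({$var nofilter} on 1.7, or the commented unescaped variable on 1.6) is defensible, because every dynamic value was already encoded before it reached the template.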