
Prestashop Validator headache


NishantVadgama

Hello, I am developing a PrestaShop module and I keep running into problems with the PrestaShop validator. This time my module needs to call the payment hook in my template file, so I have called it correctly and it works fine. But while validating, the PrestaShop validator gives the following error in the security tab.

Invalid escape modifiers count, must be escaped like: "{$data|escape:'htmlall':'UTF-8'}"
on the line where I have written the Smarty variable as {$HOOK_PAYMENT}

To solve that error I changed that line of code as follows:

{$HOOK_PAYMENT|escape:'htmlall':'UTF-8'}

With the above line of code it is not working fine; it is displaying a simple line of code, as follows:

 <div class="row"> <div class="col-xs-12"> <p class="payment_module"> <a class="bankwire" href="https://192.168.0.50/prestashop_1.6.0.13/module/bankwire/payment" title="Pay by bank wire"> Pay by bank wire <span>(order processing will be longer)</span> </a> </p> </div> </div> <div class="row"> <div class="col-xs-12"> <p class="payment_module"> <a class="cheque" href="https://192.168.0.50/prestashop_1.6.0.13/module/cheque/payment" title="Pay by check."> Pay by check <span>(order processing will be longer)</span> </a> </p> </div> </div> <form action="https://www.paypal.com/cgi-bin/webscr" method="post"> <p class="payment_module"> <input type="hidden" name="cmd" value="_cart" /> <input type="hidden" name="upload" value="1" /> <input type="hidden" name="charset" value="utf8" /> <input type="hidden" name="business" value="" /> <input type="hidden" name="currency_code" value="USD" /> <input type="hidden" name="custom" value="79;1" /> <input type="hidden" name="amount" value="13.5" /> <input type="hidden" name="first_name" value="Nishant" /> <input type="hidden" name="last_name" value="Vadgama" /> <input type="hidden" name="address1" value="2041 Martin Luther King Junior Avenue Southeast Southfield," /> <input type="hidden" name="city" value="Washington" /> <input type="hidden" name="state" value="WA" /> <input type="hidden" name="zip" value="20020" /> <input type="hidden" name="email" value="[email protected]" /> <input type="hidden" name="night_phone_b" value="202) 652-0536" /> <input type="hidden" name="address_override" value="1" /> <input type="hidden" name="item_name_1" value="Installment" /> <input type="hidden" name="amount_1" value="13.5" /> <input type="hidden" name="quantity_1" value="1" /> <input type="hidden" name="tax_cart" value="0" /> <input type="hidden" name="notify_url" value="https://192.168.0.50/prestashop_1.6.0.13/module/paypalusa/validation?pps=1" /> <input type="hidden" name="return" 
value="https://192.168.0.50/prestashop_1.6.0.13/order-confirmation?id_cart=79&key=0795569296641f8d784ca5affafe1484&id_module=90" /> <input type="hidden" name="cancel_return" value="http://192.168.0.50/prestashop_1.6.0.13/order" /> <input type="hidden" name="no_shipping" value="1" /> <input type="hidden" name="bn" value="PrestashopUS_Cart" /> <input id="paypal-standard-btn" type="image" name="submit" src="https://www.paypalobjects.com/en_US/i/bnr/horizontal_solution_PPeCheck.gif" alt="" style="vertical-align: middle; margin-right: 10px;" /> Pay with PayPal </p> </form> <div class="row"> <div class="col-xs-12"> <p class="payment_module"> <a class="cash" href="https://192.168.0.50/prestashop_1.6.0.13/module/cashondelivery/validation" title="Pay with cash on delivery (COD)" rel="nofollow"> Pay with cash on delivery (COD) <span>(You pay for the merchandise upon delivery)</span> </a> </p> </div> </div> <link rel="shortcut icon" type="image/x-icon" href="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" /> <p class="payment_module" > <form name="authorizeaim_form" id="authorizeaim_form" action="/prestashop_1.6.0.13/modules/authorizeaim/validation.php" method="post"> <span style="border: 1px solid #595A5E;display: block;padding: 0.6em;text-decoration: none;margin-left: 0.7em;"> <a id="click_authorizeaim" href="#" title="Pay with AuthorizeAIM" style="display: block;text-decoration: none; font-weight: bold;"> <img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/visa.gif" alt="Visa Logo" style="vertical-align: middle;" /> <img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/mastercard.gif" alt="Mastercard Logo" style="vertical-align: middle;" /> <img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/discover.gif" alt="Discover Logo" style="vertical-align: middle;" /><img src="/prestashop_1.6.0.13/modules/authorizeaim/cards/ax.gif" alt="American Express Logo" style="vertical-align: middle;" />  Secured card payment </a> <div id="aut2"style="display:none"> 
<br /><br /> <div style="width: 136px; height: 145px; float: left; padding-top:40px; padding-right: 20px; border-right: 1px solid #DDD;"> <img src="/prestashop_1.6.0.13/modules/authorizeaim/img/logoa.gif" alt="secure payment" /> </div> <input type="hidden" name="x_solution_ID" value="A1000006" /> <input type="hidden" name="x_invoice_num" value="79" /> <input type="hidden" name="x_currency_code" value="USD" /> <label style="margin-top: 4px; margin-left: 35px;display: block;width: 90px;float: left;">Full name</label> <input type="text" name="name" id="fullname" size="30" maxlength="25S" /><img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br /> <label style="margin-top: 4px; margin-left: 35px; display: block;width: 90px;float: left;">Card Type</label> <select id="cardType"> <option value="AmEx">American Express</option> <option value="Visa">Visa</option> <option value="MasterCard">MasterCard</option> <option value="Discover">Discover</option> </select> <img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br /> <label style="margin-top: 4px; margin-left: 35px; display: block; width: 90px; float: left;">Card number</label> <input type="text" name="x_card_num" id="cardnum" size="30" maxlength="16" autocomplete="Off" /><img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br /> <label style="margin-top: 4px; margin-left: 35px; display: block; width: 90px; float: left;">Expiration date</label> <select id="x_exp_date_m" name="x_exp_date_m" style="width:60px;"> <option value="1">1</option> <option value="2">2</option> <option value="3">3</option> <option value="4">4</option> <option value="5">5</option> <option value="6">6</option> <option value="7">7</option> <option value="8">8</option> <option value="9">9</option> <option value="10">10</option> <option value="11">11</option> <option 
value="12">12</option> </select>/<select name="x_exp_date_y"> <option value="14">2014</option> <option value="15">2015</option> <option value="16">2016</option> <option value="17">2017</option> <option value="18">2018</option> <option value="19">2019</option> <option value="20">2020</option> <option value="21">2021</option> <option value="22">2022</option> <option value="23">2023</option> <option value="24">2024</option> <option value="25">2025</option> </select> <img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;" /><br /><br /> <label style="margin-top: 4px; margin-left: 35px; display: block; width: 90px; float: left;">[spam-filter]</label> <input type="text" name="x_card_code" id="x_card_code" size="4" maxlength="4" /> <img src="/prestashop_1.6.0.13/modules/authorizeaim/img/secure.png" alt="" style="margin-left: 5px;"/> <img src="/prestashop_1.6.0.13/modules/authorizeaim/img/help.png" id="[spam-filter]_help" title="the 3 last digits on the back of your credit card" alt="" /><br /><br /> <img src="/prestashop_1.6.0.13/modules/authorizeaim/img/[spam-filter].png" id="[spam-filter]_help_img" alt=""style="display: none;margin-left: 211px;" /> <input type="button" id="asubmit" value="Validate order" style="margin-left: 124px; padding-left: 25px; padding-right: 25px;" class="button" /> <br class="clear" /> </div> </span> </form> </p><script type="text/javascript"> var mess_error = "Please check your credit card information (Credit card type, number and expiration date)"; var mess_error2 = "Please specify your Full Name"; $(document).ready(function() { $('#x_exp_date_m').children('option').each(function() { if ($(this).val() < 10) { $(this).val('0' + $(this).val()); $(this).html($(this).val()) } }); $('#click_authorizeaim').click(function(e) { e.preventDefault(); $('#click_authorizeaim').fadeOut("fast", function() { $("#aut2").show(); $('#click_authorizeaim').fadeIn('fast'); }); $('#click_authorizeaim').unbind(); 
$('#click_authorizeaim').click(function(e) { e.preventDefault(); }); }); $('#[spam-filter]_help').click(function() { $("#[spam-filter]_help_img").show(); $('#[spam-filter]_help').unbind(); }); $('#asubmit').click(function() { if ($('#fullname').val() == '') { alert(mess_error2); } else if (!validateCC($('#cardnum').val(), $('#cardType').val()) || $('#x_card_code').val() == '') { alert(mess_error); } else { $('#authorizeaim_form').submit(); $('#asubmit').prop("disabled", true); } return false; }); });</script>

It works fine without the escape modifier.

So can anybody help me get out of this problem?


leave it as {$HOOK_PAYMENT} and just add a comment that explains this is HTML content and escaping it is not necessary.

 

something like this...

{$HOOK_PAYMENT} {* HTML comment, no escape necessary *}

 

The validator will still complain, but when you submit the module they should ignore the error and approve it. You might need to explain why you are adding new hooks in your module, but that is a functional question, not a security concern.

  • Like 1


I've fought with them over this for a long time, and they fail to see how pointless these escape rules are. Even when using escape, an end user can still submit malicious data to the server. They are trying to prevent cross-site scripting, and I get that, but it's way overboard.

  • Like 1


SOOOOOOOOOOOOOOOOOOOOOOOOO RIDICULOUS - PRESTASHOP DEVELOPMENT nowadays

 

I submitted my module on 17-07-2015 after validating it on the PrestaShop validator, and there were no bugs (0 errors).

As the PrestaShop team takes 7-10 days (for testing) to upload to the Addons marketplace, in between they updated the validator (on 20-07-2015),

and my module suddenly had 5 security bugs and the PrestaShop team rejected my module.

The same thing happened with another module also.

So is there any KNOWLEDGEABLE person in the PRESTASHOP team who can solve this kind of problem?

Otherwise either this framework will suffer a lot in becoming popular as well as useful, or developers will leave it.


MY POINT IS THAT YOUR PRESTASHOP VALIDATOR IS NOT ACCURATE

 

The validator is not mine, I do not work for Prestashop

 

SO WHY DID IT NOT DETECT THOSE 5 BUGS THE FIRST TIME (DATED 17-07-2015)?

 

The validator changes frequently, and it changed on 7/20

 

You can always click on the changelog link at the bottom of the validator page

https://validator.prestashop.com/changelog

 

 


The validator changes frequently, and it changed on 7/20

I clearly know this, but the PrestaShop team should consider that date (or refer to a graph) before rejecting a module. Considering that he/she submitted on xx-xx-xxxx and on that day there were no bugs, and the validator changed after that, they should accept it. And I think they keep track of the module validations that we have performed.


I have a similar problem.

 

I want to show HTML code (an image with a link) in my module but the validator keeps telling me to escape HTML. If I do, the button is not displayed (displays the HTML code instead!).

 

The point is, some of my customers complained that PrestaShop Cloud is NOT accepting non-validated modules, even if sold in other markets outside PrestaShop.

 

Any ideas on how to solve this?

 

Thanks!

 

*Edit: Just tried "unescape" command in Smarty but the validator got me :( This is getting ridiculous... so we can't render HTML in our modules?

Edited by vblanch (see edit history)


I have a similar problem.

 

I want to show HTML code (an image with a link) in my module but the validator keeps telling me to escape HTML. If I do, the button is not displayed (displays the HTML code instead!).

 

The point is, some of my customers complained that PrestaShop Cloud is NOT accepting non-validated modules, even if sold in other markets outside PrestaShop.

 

Any ideas on how to solve this?

 

Thanks!

 

*Edit: Just tried "unescape" command in Smarty but the validator got me :( This is getting ridiculous... so we can't render HTML in our modules?

I already addressed this in my first reply above...


I already addressed this in my first reply above...

 

Hi there bellini13,

Thanks for your answer. Yes, you addressed the issue. However, it's not the ideal solution, since I have customers using the validator over my software and complaining about the "errors" (yes, it reports the unescaped strings as errors, not as warnings). It's hard to explain the reason to people who aren't programmers.

 

Anyway I will do the comment thing and explain. I guess I have no other option.

 

Cheers

  • Like 1


 

 

Tell your customers to take PrestaShop's own modules and run them through the validator; they will all fail.

Yes, you are absolutely right. Not even the core part of PrestaShop follows such ridiculous validation rules, so how can they expect it from developers? They should think about the feasibility of this before applying such rules.

  • Like 1


  • 4 months later...
  • 1 year later...
  • 4 weeks later...

Hum !
 

I just tried this on PS 1.7. That doesn't work.

So you need to use {$var nofilter}, but the PrestaShop Validator says:

 

 

Removing variable escaping is highly discouraged because malicious code can be displayed and executed

 

Well...


In front office templates, the nofilter is required since all escaping is performed in the core now. You still need it for back office templates, however.

 

So if it is working properly in your testing, and the only thing is a validator warning, ignore it and submit the module. It is their own rule.

http://build.prestashop.com/news/module-development-changes-in-17/#general-information
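
The advice earlier in the thread to leave `{$HOOK_PAYMENT}` unescaped and the `nofilter` advice for 1.7 both depend on the hook's HTML having been built from values that were already escaped. The PHP sketch below is an added example, not code from the thread or from PrestaShop; the function names, URL and label are constructed, and `htmlentities()` with `ENT_QUOTES` is assumed to stand in for Smarty's `escape:'htmlall':'UTF-8'`.

```php
<?php
// Added illustration, not PrestaShop or thread code; names are hypothetical.

// Stand-in for Smarty's escape:'htmlall':'UTF-8' modifier (assumption:
// htmlentities() with ENT_QUOTES behaves the same for this input).
function escape_htmlall(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Builds one payment option the way hook code should: each dynamic value
// is escaped once, at the point where it is placed into the markup.
function render_payment_option(string $url, string $label): string
{
    return sprintf(
        '<p class="payment_module"><a href="%s" title="%s">%s</a></p>',
        escape_htmlall($url),
        escape_htmlall($label),
        escape_htmlall($label)
    );
}

// Constructed sample values; the label contains markup that must not run.
$url   = 'https://shop.example/module/bankwire/payment?id_cart=79&step=3';
$label = 'Pay by bank wire <script>alert(1)</script>';

$fragment = render_payment_option($url, $label);

// Escaping the finished fragment (what the validator message asks for)
// turns the tags themselves into entities, so the page shows source text.
$escapedWhole = escape_htmlall($fragment);

echo "Fragment escaped as a whole:\n{$escapedWhole}\n\n";
echo "Fragment output unescaped:\n{$fragment}\n\n";

// Unescaped output is acceptable only because the values were escaped on
// the way in: structural tags survive, the label's markup does not.
var_dump(strpos($fragment, '<script>') === false);
var_dump(strpos($fragment, '<a href=') !== false);
var_dump(strpos($escapedWhole, '<') === false);
```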
