IMPORTANT: Apply security fixes to third-party themes

[rocky]

I've noticed that a lot of third-party themes are missing the security fixes that were added to PrestaShop v1.3.1. If you are using PrestaShop v1.3.1 or later and are using a third-party theme, make sure that your theme includes the security fixes. If necessary, change line 8 of errors.tpl in your theme from:

{$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'}

to:

{$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'|secureReferrer}

and line 274 of shopping-cart.tpl from:

{$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'}

to:

{$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'|secureReferrer}

If you are using a version of PrestaShop before v1.3.1, you'll need to apply the rest of the fixes here, otherwise you'll get an error that the secureReferrer function doesn't exist.

Message for Theme Creators

Theme creators should create two separate themes for PrestaShop v1.2.5 and PrestaShop v1.3, instead of just writing that their theme is "compatible with PrestaShop v1.3" without making any changes to the PrestaShop v1.2.5 theme. Although PrestaShop v1.2.5 themes do work in PrestaShop v1.3 without any modifications, they are missing the security fix. At the very least, theme creators should apply the security fix above to their theme, though ideally, they should recreate their theme using the default PrestaShop v1.3.1 theme to include all bug fixes made to the theme.

When posting your theme on the forums, please write which version of the default PrestaShop theme your theme was based on. For example, if your theme was based on the default PrestaShop v1.2.5 theme, you should write:

Designed for PrestaShop v1.2.5
Compatible with PrestaShop v1.2.5

Only if you've created a version of your theme that includes the security fix, add that it is compatible with v1.3.1:

Designed for PrestaShop v1.2.5
Compatible with PrestaShop v1.2.5 and v1.3.1

When you've created a theme based on the PrestaShop v1.3.1 theme, write the following on your post:

Designed for PrestaShop v1.3.1
Compatible with PrestaShop v1.3.1

Writing which version of PrestaShop the theme was designed for and which versions of PrestaShop it is compatible with will make it clear for theme users exactly what they are getting when they download the theme.

[glenns]

Thanks Rocky! Oddly my theme had the first one correct but not the second!

[GB]

Thank you for your advice!

[ysco]

Thanks Rocky,

My theme was indeed missing the security fixes, i added them right away.
Thanks for letting us know

ysco..

[makaraci]

thanks mate...........

[scottrill2]

Rocky,

I have a line # 274 that has this code:

« {l s='Continue shopping'}

It has the exact phrase you mention but on a different line and grouped with if statement.

Is that OK?

Thanks as always,

Scott

[rocky]

That's the right line. It looks like it already has |secureReferer, so it has the security fix.

[itbranson]

Hi Rocky,
Just a question. My theme is et-clean-blue 1.2. When i checked error.tpl in theme, i found the first one on the line 9:

[itbranson]

Worse, i couldn't find the second one on the line 272 in shopping-cart.tpl because the codes end at the line 205
There's no code further than the line 205.


Any hint? Something is wrong with it?

Thank you as always

very sorry for messing the thread. but my first post was trimmed.

[razaro]

Can you post link to your site or upload in zip file shopping-cart.tpl ?

Edit : change in line 203

{else}{$smarty.server.HTTP_REFERER}{/if}

to

{else}{$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'|secureReferrer}{/if}

[itbranson]

Hi,
thanks a lot for the reply. I've attached the shopping-cart.tpl
i download the theme from here: http://ezytrader.com/product.php?id_product=41

Your suggestions are highly appreciated
many thanks

p.s. rocky said the first one should be found at the line 8 of error.tpl, but in this theme, it's on the line 9. do you think it's Ok? it's also missing the word ''escape'' from the code snippet.

[razaro]

I updated previous post after i downloaded that theme so try that code.
And yes it is ok for error.tpl code is on line 9 :-)

[itbranson]

oh great! Many many thanks and hugs

[Timpet]

thanks alot

[wonderg]

HI im using black and white theme by 2link, and when i check with error.tpl, it seems there are lacking codes compared to yours.

{if isset($errors) && $errors}


{if $errors|@count > 1}{l s='There are'}{else}{l s='There is'}{/if} {$errors|@count} {if $errors|@count > 1}{l s='errors'}{else}{l s='error'}{/if} :

       {foreach from=$errors key=k item=error}
{$error}
       {/foreach}


<a href="{$smarty.server.HTTP_REFERER}" class="button_small" title="{l s='Back'}">« {l s='Back'}

{/if}

this is the code i have. is this ok? or i still have to change something?

[rocky]

Yes, you are missing code. The following line:

<a href="{$smarty.server.HTTP_REFERER}" class="button_small" title="{l s='Back'}">« {l s='Back'}

should be:

<a href="{$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'|secureReferrer}" class="button_small" title="{l s='Back'}">« {l s='Back'}

[shoulders]

Most people develop a theme using the default one, i would also add a list of files they altered so people/developers can quickly update the needed files.

[Digital Cipher]

Cheers for the info, just checked my sites, all ok luckily

[bellini13]

this post needs to be updated for 1.4, the line numbers do not line up. Especially for shopping cart.

[webindiainfotech]

thanks for ur advice

[x4hai83]

Thanks you. I will update this fixes to my theme.

[nglwthnati2de]

How can I apply these fixes to my theme? When I go to file manager it will only allow me to download. I can not open or edit on my site.

[satrops]

Thanks man

[pichDE73]

Thanks you.