Jump to content
thirty bees forum

Banküberweisung Zeilenumbruch

RabbitZzZ
 Share

Recommended Posts

Occam Newbie

Occam

Posted
Posted (edited)

Eigentlich sollte das beim Speichern aber nicht passieren.

EDIT: Habe es gerade nochmal in der Datenbank überprüft. Du hast recht. Obwohl das aus dem Quellcode nicht ersichtlich ist, werden alle HTML-Steuerzeichen aus dem Text entfernt, bevor er als Variable BANK_WIRE_DETAILS in der Datenbank abgespeichert wird. Fügt man manuell ein <br> in den Text ein, dann wird sogar alles, was danach kommt, beim Speichern abgeschnitten.

Das solltest du als Bug melden.

 
 
Edited by Occam
Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted (edited)

Es liegt an einer foreach-Schleife in der Funktion updateValue in der Datei /classes/Configuration.php. (Oder genauer gesagt, an der Aufsplittung einer Funktion in zwei, bei der bestimmte Informationen anscheinend verloren gehen.)

Wenn du nicht warten willst, bis der Bug behoben wird, dann kopiere einfach die gesamte Funktion aus der Version thirty bees 1.0.8 und ersetze damit die gleichnamige Funktion in thirty bees 1.1.0. Dann ist der Bug schon mal zumindest außer Kraft gesetzt und es funktioniert wieder.

Edited by Occam
Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted (edited)

Da hätte ich vieleicht auch als erstes nachgucken sollen! Und wo genau? Denn ich finde nur das hier: https://github.com/thirtybees/thirtybees/commit/8e89acf9061e88bc106658891c8bd5abb83eeb9c#diff-f44483a142f09ca47bd59224eb070bfb
Und damit hat sich eigentlich erst der Bug eingenistet.

Hast du mal einen Link für mich?

Edited by Occam
Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted

I checked this once more, and it seems that if you omit the else-branch in function function updateValue of Configuration.php completely, the corresponding change in bankwire.php, though explicit, seems  to be superfluous. 

    public static function updateValue($key, $values, $html = false, $idShopGroup = null, $idShop = null)
    {
        if (!is_array($values)) {
            $values = [$values];
        }

        // sanitize values
        foreach ($values as &$value) {
            if (! is_numeric($value)) {
                if ($html) {
                    // if html values are allowed, just purify html code
                    $value = Tools::purifyHTML($value);
                //} else {
                    // if html values are not allowed, strip tags
                   // $value = strip_tags(Tools::nl2br($value));
                }
            }
        }

I did not find out yet the reason why the boolean variable $html seems to be true by default.

Link to comment
Share on other sites
datakick Experienced

datakick

Posted
Posted

That's true. If we were to remove the else branch, then Configuration::updateValue($key, $value) call would not remove html tags from values stored into configuration table. 

And that would be a HUGE security bug.

In other words -- if programmer wants to store html code, he need to be very explicit about it. He must evaluate the context in which data are provided, and decide if it's safe to allow html code to enter the system or not. He needs to know where the data will go, and how it will impact rendered output of these pages.

Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted

Maybe, but I guess you missed the point:

2 hours ago, Occam said:

the boolean variable $html seems to be true by default.

Even with 

Configuration::updateValue('BANK_WIRE_DETAILS', Tools::getValue('BANK_WIRE_DETAILS'), false);

in bankwire.php the string will be stored formatted in tb_configuration. The parameter seems to be always $html = true when you call this function.

Link to comment
Share on other sites
datakick Experienced

datakick

Posted
Posted
12 minutes ago, Occam said:

Maybe, but I guess you missed the point:

Even with 


Configuration::updateValue('BANK_WIRE_DETAILS', Tools::getValue('BANK_WIRE_DETAILS'), false);

in bankwire.php the string will be stored formatted in tb_configuration. The parameter seems to be always $html = true when you call this function.

No, it's  not. I've just tested it. 

I tried to save this string: 

Hello <strong>there</strong>

With false, it's saved as  

Hello there

With true, it's saved correctly: 

Hello <strong>there</strong>

Note that you have to re-load the page, because this module (like most of them) shows last $POSTed value, instead of what was actually saved into db. That can be, of course, considered as another bug. This is probably why you thought it is always called with `true` parameter.

 

Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted
1 hour ago, datakick said:

Note that you have to re-load the page, because this module (like most of them) shows last $POSTed value, instead of what was actually saved into db.

Well, I always doublechecked: the database entry AND the reloaded module page.

Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted (edited)
14 hours ago, datakick said:

Then you have some override installed, or modified core code.

No, it is a fresh 1.1.0, upgraded to Bleeding Edge. The only modifications I made were your proposals.

Technically spoken: With reference to my tests in tb itself I would not dispute the validity of your test, but the reliability.

Edited by Occam
Link to comment
Share on other sites
Occam Newbie

Occam

Posted
Posted (edited)

Update ... and just for the record:

a) $html = false (default value) --> removes all visible html tags of a given textarea, incl. added <br> for a linefeed ( &#10; ). But it does not affect a hard carriage return ( &#13; &#10;). Every new line you start in a textarea field will be treated as a linebreak, no matter if you finish the previuous line with a RETURN (linebreak) or a SHIFT RETURN (linefeed).

b) $html = true --> keeps all visible html tags of a given textarea and changes every <br> to <br /> for compatibility reasons.

Cases a) and b) Linebreaks (&#13; &#10;) in a textarea will always be maintained in the database field (after the bug fix above). The current function updateValue() will not remove linebreaks in a textarea.

Case a) Each html tag will be removed before storing in the database.

Case b) All html tags incl. <br> will be kept in the database.

==> With the current modifications the bankwire details and address seem to work properly. Thank you, @datakick. I was just puzzled because the line breaks did not disappear when setting $html to default like before the bug fix.

Edited by Occam
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...