ReviewPost Bug Reports (Let us know about any post installation problems you are having with ReviewPost.)

Thread: 3.1 HTML Settings (FIXED)

#1  October 6th, 2005, 02:26 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
We just upgraded to 3.1 (using the current build as of today).
Two things that we noticed thus far:
The 'HTML' settings don't appear to be respected.
For example:
Allow HTML in Reviews?
is set to no in our admin interface but HTML still gets evaluated. It is back to how it was when I first reported the security issue with HTML. I can put in a sample JS and it gets evaluated.
I tried switching the setting to yes and then back to no to no avail. No matter what the setting, HTML gets evaluated.
Note that we are using the customer service templates, so I'm not sure if it is an error in just that template set or across the board.
Looking at Mark's prior posts, though, I suspect it may be across the board, since he mentions the field being set to the opposite of what is happening.
In the build we downloaded there wasn't a commentspal.tmpl file in the templates folder. Is that file no longer needed, or was it left out of the build? If left out, can you include it so we can update ours (we updated all templates to make sure that we got the latest changes)?
Thanks.

#2  October 6th, 2005, 03:29 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
This is what I show, and I don't think it is any different: convert_markups displays and nullifies HTML from displaying.
Code: [Content visible to verified customers only.]
You would need to post an example of what you're entering, as if I have HTML disabled all it does is print and not get executed, which is perfectly fine.

#3  October 6th, 2005, 03:32 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
Here is an example of what I mean; this is the same way Photopost handles it: http://www.reeftalk.com/reviews/show...p?product=1760
However, Photopost does not have an "allow HTML" switch, so the code actually executes.
If I turn on "allow HTML in reviews", then you will see an image, not just the code.

#4  October 6th, 2005, 03:51 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
I'm entering:
<script>alert(document.cookie)</script>
and it is getting executed. I also tried an image as well, and it did get included, so for some reason HTML in reviews is definitely getting executed.
We verified that the setting is indeed set to off in the admin display, and that all .php files and templates were updated.
I also checked the db and reviewhtml is set to no.
We are using the customer service templates so perhaps that might be where our tests are differing.
The setting worked as intended when we were running 3.01.
Thanks.

#5  October 6th, 2005, 04:09 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
Well, the HTML clearly DOES NOT get executed, only shown, in 3.1, as seen here, which I showed: http://www.reeftalk.com/reviews/show...p?product=1760
I do not get a popup window with cookie info; do you?
However, let's not even go there, as I don't like the fact that the script tag can even be shown, so I have some very simple code to suggest that allows no JavaScript to get shown at all. In pp-inc.php, replace your un_htmlspecialchars function with this:
Code: [Content visible to verified customers only.]

#6  October 6th, 2005, 04:18 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
Yes, on our install I get a popup display with the cookie info, so yes it is getting executed on our end.
For the change you suggested, will that take care of the images showing up as well? I wasn't clear on if that change was specific to stop the scripts or would solve the larger issue of html getting executed.
Also, will changing that affect both products and reviews? We are the only ones that post products so we want scripts to execute there but not in reviews only (allow html is set to on for products and off for reviews).
Thanks.
Last edited by WB; October 6th, 2005 at 04:35 PM.

#7  October 6th, 2005, 04:37 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
If you get code executed, then something is not right.
There is no code executed with the download of 3.1 that I see; I showed this on my install, which is running the current code.

#8  October 6th, 2005, 04:46 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
Yes, that's what we figured: that something isn't right, since the setting doesn't appear to be taking effect.
Reeftalk appears to be using the vB integration.
We are using the standard RP integration (with reviewpost.php). Do you have an RP integration to test on, in case that is impacting what we are seeing?

#9  October 6th, 2005, 05:14 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
That should have no impact on the setting, as here is the code I show in the download. The only vB3 difference is whether convert_returns is called.
Code: [Content visible to verified customers only.]
Using the latest files, if HTML is off then it does not execute, as I have shown, and there is nothing integration-related here to do with that.

#10  October 6th, 2005, 05:29 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
I just redownloaded the build to make sure and the mod dates are the same as the ones we are using.
I did a differential compare on the showproduct files; the only difference was ASC to DESC for the reviews query. Everything else is the same.
Did anything change from 3.0x to 3.1 in how the html characters were dealt with? Perhaps our box isn't 'liking' a function change? We had no issues with 3.0x on the same box.

#11  October 6th, 2005, 05:44 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
pp-inc.php? un_htmlspecialchars.
The changed files are listed with the upgrade.
The code does appear as noted on my site in both a vB and a regular ReviewPost install, so I know it works as intended.
The only proposed change which does not exist in the download is me saying that script tags should be nixed, and they will be.

#12  October 6th, 2005, 05:49 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
Never mind, you're right about a regular install.
Try this:
Code: [Content visible to verified customers only.]

#13  October 6th, 2005, 06:14 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
Thanks, that looks like it was what was needed.
On a quick test, the code is now not being evaluated.
Doesn't affect us, since we have HTML in products on, but is a similar change needed for those that have it off? Haven't tested that since we keep it on, but wanted to suggest it just in case the other portion for allowhtml for products needs a fix too.
Just need to know about commentspal.tmpl now and we are likely good to go.
Thanks!

#14  October 6th, 2005, 06:18 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
I don't show a commentspal in the build; it's reviewspal.

#15  October 6th, 2005, 06:19 PM
Member, Verified Customer (Join Date: Jan 2002; Posts: 265)
Thanks, I'll delete the prior one on our install then.

#16  October 7th, 2005, 03:50 AM
Member, Verified Customer (Join Date: Sep 2003; Posts: 111)
So which specific file do I add this code to?
if ( $Globals['reviewhtml'] == "yes" ) $reviewtextline = un_htmlspecialchars($reviewtextline);
else $reviewtextline = convert_markups($reviewtextline);
if ( VB3_ENHANCEDINT == "off" ) $reviewtextline = convert_returns($reviewtextline);
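An added example (not ReviewPost's own code, which sits behind the verified-customer paywall in posts #5, #9 and #12) that models the gate quoted above and the post #5 suggestion of an un_htmlspecialchars that never brings script tags back to life. The bodies of convert_markups and un_htmlspecialchars are assumptions about what pp-inc.php does, and the stored review text is constructed.

```php
<?php
// Stand-in for convert_markups (assumed): the reviewhtml=no path. HTML stays
// inert because the browser receives entities, not tags.
function convert_markups_stub(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the original un_htmlspecialchars (assumed): reverses the
// escaping, so a stored <script> tag is handed to the browser as live markup.
function un_htmlspecialchars_naive(string $text): string
{
    return htmlspecialchars_decode($text, ENT_QUOTES);
}

// Hardened variant in the spirit of post #5: HTML is allowed, but script
// blocks and inline event handlers are removed before output. Stripping is a
// blocklist; an allowlist sanitizer is the stronger choice for a real
// allow-HTML mode, but this is the shape of the change the thread proposes.
function un_htmlspecialchars_safe(string $text): string
{
    $html = htmlspecialchars_decode($text, ENT_QUOTES);
    // <script ...>...</script> blocks, then any stray opening/closing tag.
    $html = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
    $html = preg_replace('#</?script\b[^>]*>#i', '', $html);
    // onload="...", onerror='...', onclick=... style attributes.
    $html = preg_replace('#\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    return $html;
}

// The gate from showproduct.php as quoted in post #16, with the safe decoder.
function render_review(string $stored, string $reviewhtml): string
{
    if ($reviewhtml === 'yes') {
        return un_htmlspecialchars_safe($stored);
    }
    return convert_markups_stub($stored);
}

// Constructed input: the test body from post #4 plus an image, stored the way
// htmlspecialchars() would have written it into the reviews table.
$stored = htmlspecialchars(
    '<script>alert(document.cookie)</script><img src="x.gif" onerror="alert(1)">',
    ENT_QUOTES, 'UTF-8'
);

echo render_review($stored, 'no'), "\n";      // reviewhtml=no: entities only
echo un_htmlspecialchars_naive($stored), "\n"; // old yes path: script returns
echo render_review($stored, 'yes'), "\n";     // hardened yes path: <img> kept
```

Comparing the second and third lines of output shows why post #5 wanted the decoder changed rather than relying on the setting alone: with reviewhtml=yes the setting is doing its job, and only the decoder decides whether script survives.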

#17  October 7th, 2005, 09:05 AM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
That code is in showproduct.php and is in the current build.

#18  October 7th, 2005, 09:41 AM
Member, Verified Customer (Join Date: Sep 2003; Posts: 111)
OK, I will download the latest build now...

#19  October 7th, 2005, 11:45 AM
Member, Verified Customer (Join Date: Sep 2003; Posts: 111)
Uploading showproduct.php and pp-inc.php has created this error when I click the Admin link:
Fatal error: Cannot redeclare updateparents() (previously declared in /home/photogra/public_html/reviews/adm-inc.php:458) in /home/photogra/public_html/reviews/pp-inc.php on line 2040

#20  October 7th, 2005, 12:02 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002; Location: Abingdon, MD; Posts: 71,692)
There are multiple files at work here. Update all the normal PHP files; do not overwrite your config.

All times are GMT -5.