Warning, Warning, Will Robinson… Zen (Cart) and the Art of Website Maintenance.

Well, maybe you are too young to remember that cool robot and his warnings, but that phrase always comes to mind when I need to warn someone!

And a major cool title – just had to use it, even though it’s a better title for a book than this blog post!

For the first time, I have run into a major problem with a Zen Cart release. 1.3.9g contains some great code that addresses some possible security vulnerabilities, but it seems to indicate a lack of foresight on the part of that great Zen Cart team.

First off, if you are the kind of cart owner who doesn’t even have an FTP client, you probably aren’t upgrading now anyway. But since Fantastico and other control panel install scripts will make this release available shortly, everyone needs to understand one particular change to Zen Cart.

I’m not entirely sure of the details of the changes that caused the problem. There was an effort (that probably works really well) to prevent XSS injection. The upshot of it can be very problematic for some cart owners. Front and center for me is the fact that if you edit a define page, you will find that the HTML source code now prints on the page instead of being rendered. Oops. Since the most often edited page is the homepage (define_main_page.php), this is not pretty.

The fix for this, and for the banner manager, EZ-Page titles and HTML emails, is to create a file and upload it to your admin/extra_configures folder.

This is not a patch for a bug; it is the way to “white-list” those three things so that they work as they have been. I truly don’t know any more details, and the only information so far is in a bug report thread. If I have misstated any of the information, Zen Cart Team, my apologies, and let me know where I went wrong. If you add this file to your website, I recommend you subscribe to that thread so that you will be informed on this issue as it develops further.

The code is below, and though the file can be named anything, the suggested name is whitelist.php. I would follow that suggestion to stay in line with possible future code.

<?php
// Start from whatever the core has already whitelisted (or an empty list if nothing has).
$global_xss_whitelist = isset($global_xss_whitelist) ? $global_xss_whitelist : array();
// Fields that must keep their raw HTML: define pages, banner manager, EZ-Page titles, HTML emails.
$my_whitelist = array('file_contents', 'banners_html_text', 'pages_title', 'message_html');
// Add them to the global whitelist without dropping any entries that were already there.
$global_xss_whitelist = array_merge($my_whitelist, $global_xss_whitelist);
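To see why those four field names matter, here is an added illustration (my own code, not Zen Cart’s) of how a whitelist like the one above interacts with an input sanitizer. The sanitize_post function, the escaping rule it applies, and the sample form fields are assumptions made for this example; Zen Cart’s real sanitizer is more involved, but the effect on a define page is the same: with the key missing from the whitelist the HTML is escaped and shows up on the page as text, and with the key present it is stored as written.

```php
<?php
// Added example (not Zen Cart's own code): a simplified model of a request
// sanitizer that honours $global_xss_whitelist. The function name, the
// escaping rule and the field names below are assumptions for illustration.

// Build the whitelist exactly the way the whitelist.php file in the post does.
$global_xss_whitelist = isset($global_xss_whitelist) ? $global_xss_whitelist : array();
$my_whitelist = array('file_contents', 'banners_html_text', 'pages_title', 'message_html');
$global_xss_whitelist = array_merge($my_whitelist, $global_xss_whitelist);

/**
 * Escape every submitted value except the whitelisted keys (assumed behaviour).
 * Whitelisted keys are trusted to carry raw HTML and are stored untouched.
 */
function sanitize_post(array $post, array $whitelist)
{
    $clean = array();
    foreach ($post as $key => $value) {
        if (in_array($key, $whitelist, true)) {
            $clean[$key] = $value; // trusted HTML field: left as-is
        } else {
            $clean[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
    }
    return $clean;
}

// Constructed sample submission, like saving define_main_page.php from the admin
// together with an unrelated text field that should never carry markup.
$submitted = array(
    'file_contents' => '<h1>Welcome</h1><p>Our <b>spring</b> sale is on.</p>',
    'products_name' => 'Widget <script>notTrusted()</script>',
);

// Without the whitelist, the define page HTML is escaped and prints as source text.
$without = sanitize_post($submitted, array());
// With the whitelist, file_contents passes through while products_name is still escaped.
$with = sanitize_post($submitted, $global_xss_whitelist);

echo "Without whitelist:\n";
echo "  file_contents => " . $without['file_contents'] . "\n";
echo "With whitelist:\n";
echo "  file_contents => " . $with['file_contents'] . "\n";
echo "  products_name => " . $with['products_name'] . "\n";
```

Run it with php on the command line and compare the two file_contents lines. The practical point for a cart owner: a whitelisted field is one the sanitizer deliberately leaves alone, so only admin accounts you trust to write HTML should be able to edit define pages, banners, EZ-Page titles and HTML emails, and the list should stay as short as the four entries the post names.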

Author: Delia Wilson Lunsford, Founder & CEO, WizTech, Inc.