Help, Zen Cart 1.3.9 G Broke My Defined Pages!

By Melanie Prough on Thursday, October 7, 2010
Filed Under: Zen Cart News

So you upgraded to 1.3.9 G and everything seemed ok until you updated your main page or other defined pages content. Not to worry, the Zen Cart team has a fix for this. I will explain it in detail, so you can correctly whitelist and fix these and other functions that rely on HTML parsing in your Zen Cart. Note that all of your admin previews are also no longer parsing the HTML, so you see them as code in preview. This is not a mistake; it protects you against the possible execution of scripts in the defined area and XSS injection. I imagine that eventually the “preview” button will simply be removed and we will have just “save” like other areas.

First of all, Zen Cart 1.3.9 version G was released to fix XSS vulnerabilities and you MUST upgrade to G to be protected. That being said, I have some upgrade notes for you, starting with the all-important change log.

Changed Files (since release of v1.3.9f)

  • /admin/ezpages.php
  • /admin/options_name_manager.php
  • /admin/includes/auto_loaders/config.core.php
  • /admin/includes/functions/general.php
  • /admin/includes/functions/html_output.php
  • /admin/includes/init_includes/init_admin_auth.php
  • /admin/includes/init_includes/init_errors.php
  • /admin/includes/init_includes/init_sanitize.php (NEW file)
  • /admin/includes/init_includes/init_sessions.php
  • /admin/includes/modules/product/preview_info.php
  • /docs/ <VARIOUS FILES HERE>
  • /includes/.htaccess
  • /includes/filenames.php
  • /includes/version.php
  • /includes/classes/db/mysql/query_factory.php
  • /includes/classes/payment.php ***
  • /includes/classes/shopping_cart.php
  • /includes/init_includes/init_canonical.php
  • /includes/init_includes/init_sanitize.php
  • /includes/init_includes/init_sessions.php
  • /includes/modules/checkout_process.php
  • /includes/modules/pages/advanced_search/header_php.php
  • /includes/modules/pages/advanced_search_result/header_php.php
  • /includes/modules/pages/contact_us/header_php.php
  • /includes/modules/payment/paypal/tpl_ec_button.php ***
  • /includes/modules/payment/authorizenet.php
  • /includes/modules/payment/authorizenet_aim.php
  • /includes/modules/payment/authorizenet_echeck.php
  • /includes/modules/payment/linkpoint_api.php
  • /includes/modules/payment/paypal/paypal_curl.php
  • /includes/modules/payment/paypal/paypal_functions.php
  • /includes/modules/payment/paypaldp.php
  • /includes/modules/payment/paypalwpp.php
  • /includes/templates/template_default/sideboxes/tpl_featured.php
  • /includes/templates/template_default/sideboxes/tpl_specials.php
  • /includes/templates/template_default/sideboxes/tpl_whats_new.php
  • /ipn_main_handler.php
  • /zc_install/ … assume all of /zc_install/ has changed

Deleted Files (since release of v1.3.9a/b/c/d/e/f)

  • /admin/includes/languages/english/cache.php (deleted in 1.3.9g)
  • /admin/includes/functions/gzip_compression.php (deleted in 1.3.9f)
  • /includes/functions/gzip_compression.php (deleted in 1.3.9f)

New Files (since release of v1.3.9a/b/c/d/e/f)

  • /admin/alert_page.php
  • /admin/includes/init_includes/init_sanitize.php
  • /admin/includes/languages/english/alert_page.php

Moved Files (since release of v1.3.9a/b/c/d/e/f)

  • None

*** These changes were omitted from the changelog and reported by the Zen Cart team on 9/29/2010

As always, it is very important that you merge your customizations into the new versions of the changed files. In the F to G upgrade, note specifically that many payment modules were changed. The safest way to upgrade these is to record your settings for Authorize.net and PayPal, uninstall the modules, upload the files, then reinstall and reconfigure the modules. There is no database upgrade to complete, but it is always a best practice to do a full site backup (including your database) before proceeding to upgrade your Zen Cart.

Zen Cart 1.3.9G takes a VERY aggressive stand on security and you may have some issues with the .htaccess files and other new security features, such as:

  1. Your defined pages and other HTML parsing addon modules not converting your entries into HTML
  2. Your admin, if not renamed, will simply not work at all
  3. Your catalog configure file will attempt to set its permissions correctly to 444 (You should still set your admin one!)

The issue of admin-entered HTML no longer being rendered is one that will likely be resolved in the coming Zen Cart 1.3.9H; however, addons and such which need to use this function will continue to use the following fix, so treat it as a permanent solution.

How to Whitelist your Defined Pages

To fix your defined pages, for example, you will create a .php file such as this:

<?php
$global_xss_whitelist = isset($global_xss_whitelist) ? $global_xss_whitelist : array();
$my_whitelist  = array('file_contents');
$global_xss_whitelist = array_merge($my_whitelist, $global_xss_whitelist);

Note the “my_whitelist” array; this is also where you will add the whitelist fix if you are having issues with your banners, like this:

<?php
$global_xss_whitelist = isset($global_xss_whitelist) ? $global_xss_whitelist : array();
$my_whitelist  = array('file_contents', 'banners_html_text');
$global_xss_whitelist = array_merge($my_whitelist, $global_xss_whitelist);

Additionally, you can add the following for the short description module as well:

<?php
$global_xss_whitelist = isset($global_xss_whitelist) ? $global_xss_whitelist : array();
$my_whitelist = array('file_contents', 'banners_html_text', 'categories_description_sub');
$global_xss_whitelist = array_merge($my_whitelist, $global_xss_whitelist);

Other modules you come across which require whitelisting are handled in the same manner: add the name of the form field that carries the HTML to the “my_whitelist” array. Once complete, this file is named extra_white_list.php and uploaded to

/admin/includes/extra_configures/extra_white_list.php
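To make clear what the whitelist actually changes, here is an added illustration (example code written for this post, not Zen Cart's own init_sanitize.php, which differs in its details) of the idea behind the 1.3.9g admin sanitizer: every submitted field is HTML-escaped unless its name appears in $global_xss_whitelist. The function name sanitize_post_fields and the sample submission are constructed for the example.

```php
<?php
// Added example, not Zen Cart code: a simplified model of a whitelist-driven
// POST sanitizer. Assumption: the real init_sanitize.php escapes non-whitelisted
// fields in a similar "escape everything except listed keys" fashion.

function sanitize_post_fields(array $post, array $whitelist)
{
    $clean = array();
    foreach ($post as $key => $value) {
        if (in_array($key, $whitelist, true)) {
            // Whitelisted field: stored as entered, so admin-authored HTML
            // (defined pages, banners, category descriptions) still renders.
            $clean[$key] = $value;
        } else {
            // Every other field is escaped, so any markup in it is shown as
            // literal text rather than interpreted by the browser.
            $clean[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
    }
    return $clean;
}

// Build the whitelist exactly the way extra_white_list.php does.
$global_xss_whitelist = isset($global_xss_whitelist) ? $global_xss_whitelist : array();
$my_whitelist = array('file_contents', 'banners_html_text', 'categories_description_sub');
$global_xss_whitelist = array_merge($my_whitelist, $global_xss_whitelist);

// Constructed sample submission: a defined-page body plus an unrelated field.
$sample_post = array(
    'file_contents' => '<p>Welcome to our <strong>store</strong></p>',
    'products_name' => 'Widget <b>deluxe</b>',
);

$result = sanitize_post_fields($sample_post, $global_xss_whitelist);

// file_contents is whitelisted, so its tags survive; products_name is not,
// so its <b> tags come back as &lt;b&gt; and display as plain text.
echo $result['file_contents'], PHP_EOL;
echo $result['products_name'], PHP_EOL;
```

The practical consequence: a whitelisted field is trusted exactly as typed, so keep the list to the handful of fields that genuinely need raw HTML, and remember that whoever can edit those fields in admin can put any markup on your storefront. That is why the admin rename and the tightened file permissions in this release matter alongside the whitelist.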

To make things a bit easier for you, we have the file here. Just download it and rename it from .txt to .php.
