X-Cart v4.1.11 released

JWait · #11 09-04-2008, 09:07 AM

Quote:

Originally Posted by intel352

Funny how the email from Qualiteam minimized the size of this upgrade, yet it's still a pretty sizable changelog. Regardless, gj Qualiteam

Looking at the DIFF files, a lot of them do nothing but "update" the version number and date of the file.

tobychapman · #12 09-04-2008, 11:25 AM

I traced the little black squares problem to a php file that hadn't saved properly.

As to the HTML entities, the handling of   has changed since I last worked on a template. " €" is converted to " €" in a template. Why is   changed and not €? Is ths a security issue?

In fact are all instances of " " changed to " " before being saved in the database? Is this what is meant by variables? Or is it just some sections of the database?

Does variables refer to language variables? Unix servers have never been very friendly to accented characters and non english alphabets. What is now the best practice for saving accented characters in the database?

intel352 · #13 09-05-2008, 04:09 AM

Quote:

Originally Posted by JWait

Looking at the DIFF files, a lot of them do nothing but "update" the version number and date of the file.

lmfao, I've seen that happen in other updates as well. Quite annoying if you ask me, if you're having to manually patch files and keep running across DIFFs like that.

elmirage001 · #14 09-05-2008, 07:23 AM

Hi Jon or Anyone!

Edit--> Worked through the blank page and now live on 4.1.11 - Info on the link below

Any clues why during the upgrade after step 1 is all ok that in step 2 the page goes to a blank x-cart/admin/patch.php?mode=result page?

This has happened to 2 of us now. More details in the upgrading section http://forum.x-cart.com/showthread.php?t=42176

Thank you,

Paul

georgewf · #15 09-05-2008, 09:15 PM

Minor disaster doing this upgrade, but I am getting through it. Big problems with some include/func/*.php upgrades, and then some new security mechanism locked me out of my store because the SQL patch had not been applied. So I applied the patch through phpmyadmin.

Noted a discrepancy in

include/templater/plugins/modifier.escape.php ...already patched

In fact the gold version I downloaded for reference does not match the patch version.

include\templater\plugins\modifier.escape.php

case 'htmlall':
$string = func_unhtmlentities($string);

is not the same in the gold version. So should I take it out of the patched version or should Qualiteam add it to the gold version?

George

elmirage001 · #16 09-05-2008, 10:23 PM

Quote:

Originally Posted by georgewf

Minor disaster doing this upgrade, but I am getting through it. Big problems with some include/func/*.php upgrades, and then some new security mechanism locked me out of my store because the SQL patch had not been applied. So I applied the patch through phpmyadmin.

Noted a discrepancy in

include/templater/plugins/modifier.escape.php ...already patched

In fact the gold version I downloaded for reference does not match the patch version.

include\templater\plugins\modifier.escape.php

case 'htmlall':
$string = func_unhtmlentities($string);

is not the same in the gold version. So should I take it out of the patched version or should Qualiteam add it to the gold version?

George

Hi George,

My include/templater/plugins/modifier.escape.php from 4.1.10 was "could not patch" with the differences shown below

Code in 4.1.10 after both security patches <--edited

Quote:

case 'htmlall':
$string = func_unhtmlentities($string);
if (phpversion() >= '4.1.0')
return htmlentities($string, ENT_QUOTES, $char_set);
else
return htmlentities($string, ENT_QUOTES);

Code in 4.1.11

Quote:

case 'htmlall':
if (phpversion() >= '4.1.0')
return htmlentities($string, ENT_QUOTES, $char_set);
else
return htmlentities($string, ENT_QUOTES);

Hope this helps,

Paul

georgewf · #17 09-06-2008, 09:49 AM

I found the cause of the discrepancy - there was a security patch dated 7-31 which I applied

+++ include/templater/plugins/modifier.escape.php 2008-07-31 16:23:54.000000000 +0400
@@ -50,12 +50,14 @@

switch ($esc_type) {
case 'html':
+ $string = func_unhtmlentities($string);
if (phpversion() >= '4.1.0')
return htmlspecialchars($string, ENT_QUOTES, $char_set);
else
return htmlspecialchars($string, ENT_QUOTES);

case 'htmlall':
+ $string = func_unhtmlentities($string);
if (phpversion() >= '4.1.0')
return htmlentities($string, ENT_QUOTES, $char_set);
else

But the line after htmlall is not in the gold version distributive nor in the new patch. No idea if this is important or not. Could be nothing, or could be the cause of future subtle bugs impossible to track down.

EN4U · #18 09-06-2008, 09:53 AM

How important is this update? For instance, we use linkpoint, and linkpoint is pointed out in the docs. DOES this mean my current version is messed up with this processor?

Just trying to figure out if this truly needs to be done for that alone and other levels?

Thanks

elmirage001 · #19 09-06-2008, 10:05 AM

Quote:

Originally Posted by georgewf

I found the cause of the discrepancy - there was a security patch dated 7-31 which I applied

+++ include/templater/plugins/modifier.escape.php 2008-07-31 16:23:54.000000000 +0400
@@ -50,12 +50,14 @@

switch ($esc_type) {
case 'html':
+ $string = func_unhtmlentities($string);
if (phpversion() >= '4.1.0')
return htmlspecialchars($string, ENT_QUOTES, $char_set);
else
return htmlspecialchars($string, ENT_QUOTES);

case 'htmlall':
+ $string = func_unhtmlentities($string);
if (phpversion() >= '4.1.0')
return htmlentities($string, ENT_QUOTES, $char_set);
else

But the line after htmlall is not in the gold version distributive nor in the new patch. No idea if this is important or not. Could be nothing, or could be the cause of future subtle bugs impossible to track down.

You make an excellent point! Did QT mean to remove this line in 4.1.11 or did they forget to add it in from the second security patch???
Edited 9/8 --> Vyacheslav from Qualiteam was nice enough to reply that in 4.1.11 this line is not needed due to changes in other files.

Quote:

case 'htmlall':
$string = func_unhtmlentities($string);
if (phpversion() >= '4.1.0')
return htmlentities($string, ENT_QUOTES, $char_set);
else
return htmlentities($string, ENT_QUOTES);

georgewf · #20 09-07-2008, 03:59 PM

re: html entities

I have most of my database encoded using html entities like &eacute. These still display correctly and I can create descriptions using them, however I cannot edit these items without losing most of the codes.

Try some of these for yourself:

´ U+00B4
Æ U+00C6
æ U+00E6
À U+00C0
à U+00E0
&alefsym; U+2135
Α U+0391
α U+03B1
& U+0026

It seems like all the entities which are less than hex x00FF value cannot be edited in xcart.

Can Qualiteam please confirm if this is expected behaviour now? The message in the changelog about entities is very vague.

Thanks