security bulletin - 3.3.0 up to 4.0.11

DanUK · #21 01-27-2005, 06:35 AM

Well that seems to work on my 3.5.4 now.

Dan

funkydunk · #22 01-27-2005, 06:41 AM

Quote:

Originally Posted by sstillwell@aerostich.com

In the alert the condition is specified as "Using IE"

So is this an IE flaw that we are patching xcart for or per se does it also affect someone using Firefox?

i got it with firefox

DanUK · #23 01-27-2005, 09:20 AM

Hmmm, interesting.

If I now use the amended prepare.php (for 3.5.4) and then go to edit my categories and try to input some html in the description, it's stripping the html only leaving the plain text description when you click "submit". Reverts back to normal behaviour if I reinstate the old prepare.php. Anyone else find the same?

Thanks

Dan

Genexx · #24 02-01-2005, 05:35 PM

Quote:

Originally Posted by DanUK

If I now use the amended prepare.php (for 3.5.4) and then go to edit my categories and try to input some html in the description, it's stripping the html only leaving the plain text description when you click "submit". Reverts back to normal behaviour if I reinstate the old prepare.php. Anyone else find the same?
Dan

I get the same thing, and also if I edit any text that has HTML in it, such as the welcome text.

DanUK · #25 02-01-2005, 10:58 PM

OK, I got a fix from X-Cart:

Code:

Please download X-Cart 3.5.14 distributions and open the 'admin/category_modify.php' file. Then copy the lines

define('USE_TRUSTED_POST_VARIABLES',1);
$trusted_post_variables = array("category_lng_description","category_new_description","description");

from the new version of the file to yours.

So, use the new prepare.php but add the lines above (taken from the top of a 3.5.14 category_modify.php) to your exisiting category_modify.php ...seems to do the trick

Dan

ETInteractive.com · #26 02-02-2005, 04:04 AM

so it this a fix for the FIX?

if so, Xcart should be sending out another news bulletin email with this.

RRF???

DanUK · #27 02-02-2005, 04:53 AM

Well that would have been a fix if I hadn't discovered another similar bug in this file

When I submit changes on the templates, it's now stripping the html tags -half my admin menus ended up as plain text after trying to make an amendement! Another note to X-cart on its way.....

Dan

ETInteractive.com · #28 02-02-2005, 06:19 AM

keep us posted.

no one else is.

DanUK · #29 02-02-2005, 11:36 PM

OK, I've had a response saying they're going to re-issue the patch (at least for 3.5.4) asap.

Dan

ETInteractive.com · #30 02-03-2005, 12:15 PM

2005?