[-] FO : Fix html entities in order messages and threads

2012-12-27 12:21:03 +01:00
parent 83cceb1ac7
commit dbb8a9f2e0
6 changed files with 56 additions and 6 deletions
@@ -778,9 +778,9 @@
 				<a class="new_message" title="{l s='Mark this message as \'viewed\''}" href="{$smarty.server.REQUEST_URI}&token={$smarty.get.token}&messageReaded={$message['id_message']}"><img src="../img/admin/enabled.gif" alt="" /></a>
 			{/if}
 			{l s='At'} <i>{dateFormat date=$message['date_add']}
-			</i> {l s='from'} <b>{if ($message['elastname'])}{$message['efirstname']} {$message['elastname']}{else}{$message['cfirstname']} {$message['clastname']}{/if}</b>
+			</i> {l s='from'} <b>{if ($message['elastname']|escape:'htmlall':'UTF-8')}{$message['efirstname']|escape:'htmlall':'UTF-8'} {$message['elastname']|escape:'htmlall':'UTF-8'}{else}{$message['cfirstname']|escape:'htmlall':'UTF-8'} {$message['clastname']|escape:'htmlall':'UTF-8'}{/if}</b>
 			{if ($message['private'] == 1)}<span style="color:red; font-weight:bold;">{l s='Private:'}</span>{/if}
-			<p>{$message['message']|nl2br}</p>
+			<p>{$message['message']|escape:'htmlall':'UTF-8'|nl2br}</p>
 			</div>
 			<br />
 		{/foreach}
@@ -509,7 +509,7 @@ abstract class PaymentModuleCore extends Module
 						$customer_message = new CustomerMessage();
 						$customer_message->id_customer_thread = $customer_thread->id;
 						$customer_message->id_employee = 0;
-						$customer_message->message = htmlentities($update_message->message, ENT_COMPAT, 'UTF-8');
+						$customer_message->message = $update_message->message;
 						$customer_message->private = 0;

 						if (!$customer_message->add())
@@ -182,13 +182,13 @@ class ParentOrderControllerCore extends FrontController
 			else if ($oldMessage = Message::getMessageByCartId((int)($this->context->cart->id)))
 			{
 				$message = new Message((int)($oldMessage['id_message']));
-				$message->message = htmlentities($messageContent, ENT_COMPAT, 'UTF-8');
+				$message->message = $messageContent;
 				$message->update();
 			}
 			else
 			{
 				$message = new Message();
-				$message->message = htmlentities($messageContent, ENT_COMPAT, 'UTF-8');
+				$message->message = $messageContent;
 				$message->id_cart = (int)($this->context->cart->id);
 				$message->id_customer = (int)($this->context->cart->id_customer);
 				$message->add();
@@ -0,0 +1,48 @@
+<?php
+/*
+* 2007-2012 PrestaShop
+*
+* NOTICE OF LICENSE
+*
+* This source file is subject to the Open Software License (OSL 3.0)
+* that is bundled with this package in the file LICENSE.txt.
+* It is also available through the world-wide-web at this URL:
+* http://opensource.org/licenses/osl-3.0.php
+* If you did not receive a copy of the license and are unable to
+* obtain it through the world-wide-web, please send an email
+* to license@prestashop.com so we can send you a copy immediately.
+*
+* DISCLAIMER
+*
+* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
+* versions in the future. If you wish to customize PrestaShop for your
+* needs please refer to http://www.prestashop.com for more information.
+*
+*  @author PrestaShop SA <contact@prestashop.com>
+*  @copyright  2007-2012 PrestaShop SA
+*  @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+*  International Registered Trademark & Property of PrestaShop SA
+*/
+
+function updateordermessages()
+{
+	if ($messages = Db::getInstance()->executeS('SELECT id_message, message FROM '._DB_PREFIX_.'message'))
+	{
+        if(is_array($messages))
+            foreach($messages as $message)
+            {
+                $sql = 'UPDATE '._DB_PREFIX_.'message SET message = \''.pSQL(html_entity_decode($message['message'], ENT_COMPAT, 'UTF-8')).'\' WHERE id_message = '.(int)$message['id_message'];
+                Db::getInstance()->execute($sql);
+            }
+	}
+    
+	if ($messages = Db::getInstance()->executeS('SELECT id_customer_message, message FROM '._DB_PREFIX_.'customer_message'))
+	{
+        if(is_array($messages))
+            foreach($messages as $message)
+            {
+                $sql = 'UPDATE '._DB_PREFIX_.'customer_message SET message = \''.pSQL(html_entity_decode(str_replace('&amp;', '&', $message['message']), ENT_COMPAT, 'UTF-8')).'\' WHERE id_customer_message = '.(int)$message['id_customer_message'];
+                Db::getInstance()->execute($sql);
+            }
+	}    
+}
@@ -6,6 +6,8 @@ ALTER TABLE `PREFIX_address` CHANGE  `outstanding_allow_amount` `outstanding_all

 /* PHP:block_category_1521(); */;

+/* PHP:updateordermessages(); */;
+
 UPDATE `PREFIX_order_state` SET `delivery` = 0 WHERE `id_order_state` = 3;

 ALTER TABLE  `PREFIX_product_shop` ADD `id_product_redirected` int(10) unsigned NOT NULL default '0' AFTER `active` , ADD `available_for_order` tinyint(1) NOT NULL default '1' AFTER `id_product_redirected`;
@@ -102,7 +102,7 @@ function updateOrderLineDisplay(domCheckbox)
 function sendOrderMessage()
 {
 	paramString = "ajax=true";
-	$('#sendOrderMessage').find('input, textarea').each(function(){
+	$('#sendOrderMessage').find('input, textarea, select').each(function(){
 		paramString += '&' + $(this).attr('name') + '=' + encodeURIComponent($(this).val());
 	});