From dbb8a9f2e0160373dfaff15239094b95a7dd211b Mon Sep 17 00:00:00 2001
From: Gregory Roussac
Date: Thu, 27 Dec 2012 12:21:03 +0100
Subject: [PATCH] [-] FO : Fix html entities in order messages and threads
---
 .../controllers/orders/helpers/view/view.tpl | 4 +-
 classes/PaymentModule.php | 2 +-
 controllers/front/ParentOrderController.php | 4 +-
 .../upgrade/php/updateordermessages.php | 48 +++++++++++++++++++
 install-dev/upgrade/sql/1.5.3.0.sql | 2 +
 themes/default/js/history.js | 2 +-
 6 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 install-dev/upgrade/php/updateordermessages.php
diff --git a/admin-dev/themes/default/template/controllers/orders/helpers/view/view.tpl b/admin-dev/themes/default/template/controllers/orders/helpers/view/view.tpl
index 949367e56..d77b35781 100755
--- a/admin-dev/themes/default/template/controllers/orders/helpers/view/view.tpl
+++ b/admin-dev/themes/default/template/controllers/orders/helpers/view/view.tpl
@@ -778,9 +778,9 @@ {/if} {l s='At'} {dateFormat date=$message['date_add']}
- {l s='from'} {if ($message['elastname'])}{$message['efirstname']} {$message['elastname']}{else}{$message['cfirstname']} {$message['clastname']}{/if}
+ {l s='from'} {if ($message['elastname']|escape:'htmlall':'UTF-8')}{$message['efirstname']|escape:'htmlall':'UTF-8'} {$message['elastname']|escape:'htmlall':'UTF-8'}{else}{$message['cfirstname']|escape:'htmlall':'UTF-8'} {$message['clastname']|escape:'htmlall':'UTF-8'}{/if}
 {if ($message['private'] == 1)}{l s='Private:'}{/if}
-

{$message['message']|nl2br}

+

{$message['message']|escape:'htmlall':'UTF-8'|nl2br}


{/foreach}
diff --git a/classes/PaymentModule.php b/classes/PaymentModule.php
index 29c9a513a..756e7bdd9 100644
--- a/classes/PaymentModule.php
+++ b/classes/PaymentModule.php
@@ -509,7 +509,7 @@ abstract class PaymentModuleCore extends Module
 $customer_message = new CustomerMessage();
 $customer_message->id_customer_thread = $customer_thread->id;
 $customer_message->id_employee = 0;
- $customer_message->message = htmlentities($update_message->message, ENT_COMPAT, 'UTF-8');
+ $customer_message->message = $update_message->message;
 $customer_message->private = 0;
 if (!$customer_message->add())
diff --git a/controllers/front/ParentOrderController.php b/controllers/front/ParentOrderController.php
index 6de89a766..c4b5bb40c 100644
--- a/controllers/front/ParentOrderController.php
+++ b/controllers/front/ParentOrderController.php
@@ -182,13 +182,13 @@ class ParentOrderControllerCore extends FrontController
 else if ($oldMessage = Message::getMessageByCartId((int)($this->context->cart->id)))
 {
 $message = new Message((int)($oldMessage['id_message']));
- $message->message = htmlentities($messageContent, ENT_COMPAT, 'UTF-8');
+ $message->message = $messageContent;
 $message->update();
 }
 else
 {
 $message = new Message();
- $message->message = htmlentities($messageContent, ENT_COMPAT, 'UTF-8');
+ $message->message = $messageContent;
 $message->id_cart = (int)($this->context->cart->id);
 $message->id_customer = (int)($this->context->cart->id_customer);
 $message->add();
diff --git a/install-dev/upgrade/php/updateordermessages.php b/install-dev/upgrade/php/updateordermessages.php
new file mode 100644
index 000000000..8628ba750
--- /dev/null
+++ b/install-dev/upgrade/php/updateordermessages.php
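Review bot: The `escape:'htmlall':'UTF-8'` modifier inside the `{if ($message['elastname']|escape:'htmlall':'UTF-8')}` condition on the added `{l s='from'}` line has no effect on the test — escaping only matters where a value is printed, and the condition only checks whether the employee name is empty — so the condition should stay `{if $message['elastname']}` with the modifier kept on the printed values. Escaping before `nl2br` on the added `{$message['message']|escape:'htmlall':'UTF-8'|nl2br}` line is the right order, because the `<br />` tags nl2br inserts must survive unescaped; a template comment such as `{* escape before nl2br: the inserted <br /> must not be encoded *}` would keep someone from reversing the two. The page rendering has stripped the HTML markup around these lines, so the enclosing element cannot be checked here.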
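Review bot: With `htmlentities()` removed from the added `$customer_message->message = $update_message->message;` line, the customer's text is persisted as typed, so every view that prints `customer_message.message` must now escape on output; the admin view.tpl in this commit does, but the front-office templates that show these threads back to customers are not in the patch, and whether they already escape cannot be confirmed from it. The two added `$message->message = $messageContent;` lines in ParentOrderController.php make the same shift for the `message` table. Whether `CustomerMessage::add()` or `Message::add()` reject HTML through ObjectModel validation is not visible here, so a comment at the assignment such as `// stored unescaped on purpose: every template printing this must apply escape:'htmlall'` would record the contract the commit relies on. The enclosing method starts and ends outside the hunk.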
@@ -0,0 +1,48 @@
+
+* @copyright 2007-2012 PrestaShop SA
+* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
+* International Registered Trademark & Property of PrestaShop SA
+*/
+
+function updateordermessages()
+{
+ if ($messages = Db::getInstance()->executeS('SELECT id_message, message FROM '._DB_PREFIX_.'message'))
+ {
+ if(is_array($messages))
+ foreach($messages as $message)
+ {
+ $sql = 'UPDATE '._DB_PREFIX_.'message SET message = \''.pSQL(html_entity_decode($message['message'], ENT_COMPAT, 'UTF-8')).'\' WHERE id_message = '.(int)$message['id_message'];
+ Db::getInstance()->execute($sql);
+ }
+ }
+
+ if ($messages = Db::getInstance()->executeS('SELECT id_customer_message, message FROM '._DB_PREFIX_.'customer_message'))
+ {
+ if(is_array($messages))
+ foreach($messages as $message)
+ {
+ $sql = 'UPDATE '._DB_PREFIX_.'customer_message SET message = \''.pSQL(html_entity_decode(str_replace('&', '&', $message['message']), ENT_COMPAT, 'UTF-8')).'\' WHERE id_customer_message = '.(int)$message['id_customer_message'];
+ Db::getInstance()->execute($sql);
+ }
+ }
+}
\ No newline at end of file
diff --git a/install-dev/upgrade/sql/1.5.3.0.sql b/install-dev/upgrade/sql/1.5.3.0.sql
index 19cf3a44d..bfd68fd6a 100644
--- a/install-dev/upgrade/sql/1.5.3.0.sql
+++ b/install-dev/upgrade/sql/1.5.3.0.sql
@@ -6,6 +6,8 @@ ALTER TABLE `PREFIX_address` CHANGE `outstanding_allow_amount` `outstanding_all
 /* PHP:block_category_1521(); */;
+/* PHP:updateordermessages(); */;
+
 UPDATE `PREFIX_order_state` SET `delivery` = 0 WHERE `id_order_state` = 3;
 ALTER TABLE `PREFIX_product_shop` ADD `id_product_redirected` int(10) unsigned NOT NULL default '0' AFTER `active` , ADD `available_for_order` tinyint(1) NOT NULL default '1' AFTER `id_product_redirected`;
diff --git a/themes/default/js/history.js b/themes/default/js/history.js
index dcddcce7c..267352455 100644
--- a/themes/default/js/history.js
+++ b/themes/default/js/history.js
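Review bot: Both loops in `updateordermessages()` issue an UPDATE for every row even when `html_entity_decode()` leaves the text unchanged, which costs one statement per message on a large store for nothing; compute the decoded value first and skip identical rows, e.g. `$decoded = html_entity_decode($message['message'], ENT_COMPAT, 'UTF-8');` followed by `if ($decoded === $message['message']) continue;` before `$sql` is built. The step is also not safe to run twice, since text that legitimately contains an entity after the first pass is decoded again, and the return value of `Db::getInstance()->execute($sql)` is ignored, so a failed UPDATE leaves the upgrade silently half-applied; how this upgrade runner expects failures to be reported is not visible here. As shown, `str_replace('&', '&', …)` in the customer_message loop is a no-op; if the search string was an entity that the page rendering has decoded, a short comment naming it and why only this table needs it would make the intent recoverable. The two blocks differ only in table and key column, so one helper taking `$table` and `$id_column` would halve the code. `pSQL()` on the decoded text and the `(int)` cast on the id keep the rebuilt statements safe against the values being written back.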
@@ -102,7 +102,7 @@ function updateOrderLineDisplay(domCheckbox) function sendOrderMessage() { paramString = "ajax=true"; - $('#sendOrderMessage').find('input, textarea').each(function(){ + $('#sendOrderMessage').find('input, textarea, select').each(function(){ paramString += '&' + $(this).attr('name') + '=' + encodeURIComponent($(this).val()); });