
Checkout removes html tags in custom order fields

Janus Lock

On the checkout page we have some custom order fields, and in one of them we have an HTML br tag. This needs to be saved to the custom order field on checkout.

This has been working fine in DW 7, but now in DW 8 some more security has been added, so on checkout the < > tags are removed from the tag. The added security is of course good, but in this case it creates a problem for our customer :)

Any ideas on how we can get around this? Or manipulate the field during checkout but after the html injection check?


Replies

Nicolai Høeg Pedersen
This post has been marked as an answer

Both DW 7 and DW 8 replace HTML start and end tags when using base.request, so it is not a change in the injection check, but the order handler has changed to use base.request instead of going directly to the request.form object. This is because of a vulnerability.

So you cannot bypass it as it is now, unless you save [tag] and use a Notifications.eCommerce.Cart.AfterCustomFieldValueIsChanged subscriber to replace the [tag] with your markup.

The notification has an argument with the order object. Find the field value in order.OrderFieldValues and do the replace...


Also, I've made a change for 8.2.2 so base.request will only do this very strict parsing on querystring values and not on post values. Also, I've changed the order handler to not replace HTML open/close tags.

BR Nicolai

Votes for this answer: 1
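The placeholder workaround described in the accepted answer, written out as an added example (this is not code from the thread, nor Dynamicweb's own code). It keeps the security property the DW 8 change was made for: user input is never turned into markup directly; only a closed allow-list of placeholders (here just `[br]`) is expanded, and everything else the customer typed is HTML-encoded. Assumptions not confirmed by the post: the subscriber base class and attribute live in `Dynamicweb.Extensibility`, the notification argument type is called `AfterCustomFieldValueIsChangedArgs` and exposes the order as `.Order`, each entry of `order.OrderFieldValues` exposes `.OrderField.SystemName` and a writable `.Value`, and the field system name `DeliveryNote` is a constructed placeholder for your own field.

```csharp
// Added example, not code from the thread or from Dynamicweb's own codebase.
// Assumptions (not confirmed by the post): NotificationSubscriber/Subscribe/NotificationArgs
// live in Dynamicweb.Extensibility, the argument type is AfterCustomFieldValueIsChangedArgs
// with an .Order property, and OrderFieldValue exposes .OrderField.SystemName and .Value.
using System;
using System.Collections.Generic;
using System.Net;
using Dynamicweb.Extensibility;

namespace CustomerSite.Notifications
{
    [Subscribe(Dynamicweb.Notifications.eCommerce.Cart.AfterCustomFieldValueIsChanged)]
    public class ExpandLineBreakPlaceholders : NotificationSubscriber
    {
        // Only the one custom order field that legitimately needs a line break is touched.
        // "DeliveryNote" is a constructed system name; substitute your own field's name.
        private const string TargetFieldSystemName = "DeliveryNote";

        // Closed allow-list: the placeholder the checkout form saves, and the exact markup
        // it stands for. Nothing outside this table is ever turned into a tag, so text such
        // as "<script>" typed by a customer stays harmless encoded text.
        private static readonly IReadOnlyDictionary<string, string> Placeholders =
            new Dictionary<string, string>
            {
                { "[br]", "<br />" }
            };

        public override void OnNotify(string notification, NotificationArgs args)
        {
            var cartArgs = args as Dynamicweb.Notifications.eCommerce.Cart.AfterCustomFieldValueIsChangedArgs;
            if (cartArgs == null || cartArgs.Order == null)
                return;

            foreach (var fieldValue in cartArgs.Order.OrderFieldValues)
            {
                if (!string.Equals(fieldValue.OrderField.SystemName, TargetFieldSystemName,
                                   StringComparison.OrdinalIgnoreCase))
                    continue;

                fieldValue.Value = ExpandPlaceholders(fieldValue.Value as string);
            }
        }

        // Encode everything the customer typed first, then swap in markup only for the
        // known placeholders. Because encoding happens before the replace, the "< >" that
        // the DW 8 request filter stripped can only come from our own table, never from input.
        internal static string ExpandPlaceholders(string raw)
        {
            if (string.IsNullOrEmpty(raw))
                return raw;

            string encoded = WebUtility.HtmlEncode(raw);
            foreach (var pair in Placeholders)
            {
                // Encode the key too, so a placeholder containing special characters
                // still matches the encoded text.
                string encodedKey = WebUtility.HtmlEncode(pair.Key);
                encoded = encoded.Replace(encodedKey, pair.Value);
            }
            return encoded;
        }
    }
}
```

Design note: the encode-then-replace order is deliberate. If the field is later rendered through a template that already HTML-encodes output, drop the `HtmlEncode` call on the raw value but keep the allow-list; the point is that the stored value never contains angle brackets that originated from the request.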
Nicolai Høeg Pedersen

TFS# 10943 - is the bug fix.
