
bank transfer's bank name is HTML escaped?

Posted: Wed Oct 07, 2009 7:47 pm
by suhanto
I was unable to enter HTML codes in the bank names inside the bank transfer payment method. Every time I enter HTML code, it is displayed literally in the confirmation step of the checkout process. It looks like the HTML code is encoded, and never gets a chance to be displayed correctly, because it is never decoded.

For me, this is a PROBLEM.

So, then I looked for a workaround. I found this workaround, as easy as changing the source code a little bit.

I changed the code in ControllerPaymentBankTransfer (/catalog/controller/payment/bank_transfer.php), on line 12.

Original code:

nl2br($this->config->get('bank_transfer_bank_' . $this->language->getId()));

Modified code:

html_entity_decode($this->config->get('bank_transfer_bank_' . $this->language->getId()));

After this change, all HTML codes are decoded, so we can put some HTML tags, logo images, etc. for bank names.

Any security consideration on doing this? Feedback welcome!

Re: bank transfer's bank name is HTML escaped?

Posted: Wed Oct 07, 2009 7:57 pm
by suhanto
I just found out, if you're doing this, you also have to change one line of code in /catalog/controller/account/invoice.php on line 193.

Original code:

'comment'    => nl2br($result['comment'])

Modified code:

'comment'    => html_entity_decode($result['comment'])

Re: bank transfer's bank name is HTML escaped?

Posted: Sun Oct 10, 2010 9:11 pm
by HTMLCSSNoob
suhanto wrote: I just found out, if you're doing this, you also have to change one line of code in /catalog/controller/account/invoice.php on line 193.

Original code:

'comment'    => nl2br($result['comment'])

Modified code:

'comment'    => html_entity_decode($result['comment'])

I tried changing this code, but it's not working. In the e-mail invoice the html code literally still shows up.

Anyone know how to fix this?

Re: bank transfer's bank name is HTML escaped?

Posted: Sun Oct 10, 2010 9:48 pm
by HTMLCSSNoob
Never mind, I'm getting good at answering my own questions.... :D

Some of the line numbers and code have changed a little bit since OpenCart has been updated. The below works for version 1.4.9.1. Also, maybe this thread should be moved to general support instead of general discussions....

1. EDIT: /catalog/controller/payment/bank_transfer.php

Find on line 12

$this->data['bank'] = nl2br($this->config->get('bank_transfer_bank_' . $this->config->get('config_language_id')));

Replace with

$this->data['bank'] = html_entity_decode($this->config->get('bank_transfer_bank_' . $this->config->get('config_language_id')));

2. EDIT: /catalog/controller/account/invoice.php

Find on line 204

'comment'    => nl2br($result['comment'])

Replace with

'comment'    => html_entity_decode($result['comment'])

3. EDIT: catalog/model/checkout/order.php

Find on line 176

$template->data['comment'] = nl2br($order_query->row['comment']);

Replace with

$template->data['comment'] = html_entity_decode($order_query->row['comment']);

Find on line 179

$template->data['comment'] .= ('<br /><br />' . nl2br($comment));

Replace with

$template->data['comment'] .= ('<br /><br />' . html_entity_decode($comment));

Re: bank transfer's bank name is HTML escaped?

Posted: Mon Oct 11, 2010 4:36 pm
by jty
HTMLCSSNoob wrote: Never mind, I'm getting good at answering my own questions.... :D
:laugh: Yer, I do the same
It is faster to work it out myself than to wait for a kind soul to help.

Re: bank transfer's bank name is HTML escaped?

Posted: Mon Oct 11, 2010 5:42 pm
by jones
Wait for the developers' responses on this; maybe Daniel or Qphoria will be able to comment, I hope so.

Re: bank transfer's bank name is HTML escaped?

Posted: Tue Oct 19, 2010 4:12 pm
by HTMLCSSNoob
jones wrote: Wait for the developers' responses on this; maybe Daniel or Qphoria will be able to comment, I hope so.
Ummm, why would we need to wait for the developers' response to this? Is there something wrong with the changes I made above? Please let me know if it's not right or if it could be done better.

Re: bank transfer's bank name is HTML escaped?

Posted: Sun Jan 15, 2012 1:35 am
by anti91
1.5.1.1 for ?

Re: bank transfer's bank name is HTML escaped?

Posted: Mon Dec 09, 2013 2:02 pm
by sweezhong
I am using 1.5.6
1) For customer checkout
\catalog\controller\payment\bank_transfer.php
$this->data['bank'] = nl2br($this->config->get('bank_transfer_bank_' . $this->config->get('config_language_id')));
to
$this->data['bank'] = html_entity_decode($this->config->get('bank_transfer_bank_' . $this->config->get('config_language_id')));

2) For customers checking their order
\catalog\account\order.php
'comment' => nl2br($result['comment'])
to
'comment' => html_entity_decode($result['comment'])

3) For admin view order
\admin\controller\sale\order.php
Line 2200
'comment' => nl2br($result['comment']),
to
'comment' => html_entity_decode($result['comment']),

4) For e-mail
\catalog/model/checkout/order.php
Line 311
$template->data['comment'] = nl2br($comment);
to
$template->data['comment'] = html_entity_decode($comment);

If anything is missed or incorrect, please update.
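
On the security question raised in the first post, an added example (not part of the thread and not OpenCart code): the bank text is configured by the store admin, but the order comment is typed by the customer at checkout, so decoding it renders customer-supplied markup on the admin order page, the account page and in e-mails. The sketch below keeps customer text encoded and passes admin text through a tag and attribute allowlist; the helper names, the allowlist and the image-path rule are assumptions.

```php
<?php
// Added example, not OpenCart code. Helper names, the tag allowlist and the
// image-path rule are assumptions made for illustration.
const ALLOWED_TAGS  = ['b', 'strong', 'i', 'em', 'br', 'p', 'img'];
const ALLOWED_ATTRS = ['img' => ['src', 'alt', 'width', 'height']];

// Customer-supplied text (order comments): keep it entity-encoded.
function render_customer_text(string $stored): string {
    return nl2br($stored);
}

// Admin-configured text (bank details): decode, then keep only allowlisted markup.
function render_admin_html(string $stored): string {
    $html = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    $doc  = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);   // drops <script>, <iframe>, ...
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $ok = in_array($attr->nodeName, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($ok && $attr->nodeName === 'src') {
                // http(s) URLs or store-relative paths only
                $ok = preg_match('#^(?:https?://|/|image/)[^\s"\'<>]*\z#i', $attr->value) === 1;
            }
            if (!$ok) {
                $el->removeAttributeNode($attr);   // drops onerror=, style=, ...
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample values, entity-encoded the way the thread says they are stored.
$bank    = htmlspecialchars('<b>Example Bank</b><br><img src="image/data/bank.png" onerror="x()"><script>x()</script>');
$comment = htmlspecialchars("Please ring the bell\n<img src=x onerror=x()>");
echo render_admin_html($bank), "\n";       // bold text and logo survive; handler and script do not
echo render_customer_text($comment), "\n"; // markup stays inert text
```

Applied to the edits in this thread, only the bank_transfer_bank_ value would go through render_admin_html(); every 'comment' line would stay on nl2br().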