keat, posted September 22, 2022:
It's been noted that the bottom of an order confirmation contains gibberish (see image). Any ideas where to start looking?

keat, posted September 22, 2022 (edited):
I considered that it may have been the email template, but I switched my language to French and the same gibberish appears. I've never meddled with any of the foreign templates.

bsmither, posted September 22, 2022:
This is found in an email received by the customer? It looks like javascript that would be found in the PayPal plugin module.
If possible, look at the plain text component of the received email. (Granted, that might be a feature of the email program you use that simply isn't available.) If not, you should be able to look at the email's raw source. Does the rogue content also appear in the plain text component?

keat, posted September 23, 2022:
Looking at the message source, I found this in the bottom. There is reference to 'PP_Config' and also 'Mailscanner' which is a piece of software running on our mailserver.

<MailScannerS= cript29528 script id=3D"pp_config" type=3D"application/json">{"home":{"dom"= :".home_wrapper"},"category":{"dom":".category_wrapper"},"product":{"dom":"= .product_wrapper #main_content form .row .row:last-child"},"payment": {"dom= ":"#checkout_actions"},"cart": {"dom":"#checkout_actions"}}</MailScannerScr= ipt29528><MailScannerScript29528 script> var pp_config =3D JSON.parse(document.getElementById('pp_config').t= extContent) var pp_amount =3D 36.36;</MailScannerScript29528></body></html>

keat, posted September 23, 2022:
I disabled the PayPal Commerce plugin and now the gibberish has gone. Re-enabled it and the gibberish is back.

keat, posted September 23, 2022:
One of the phrases in the message headers sent me off on a tangent, and I came across a mailscanner config setting, which I've modified and seems to have resolved the error for now.

Do you want to allow <Script> tags in email messages? This is a bad idea
as these are used to exploit vulnerabilities in email applications and
web browsers.
Value: yes => Allow these tags to be in the message
       no => Ban messages containing these tags
       disarm => Allow these tags, but stop these tags from working
Note: Disarming can be defeated, it is not 100% safe!
This can also be the filename of a ruleset.

But reading the description, it sounds somewhat dangerous to allow this. So if it is the PayPal plugin which is causing this, would there be a fix rather than allowing this security setting?

bsmither, posted September 23, 2022:
In the PayPal Commerce plugin, there is a hook file named 'controller.index.php'. This hook code creates and registers a Smarty output filter. (An output filter can add, edit, and delete content from rendered sources, usually skin templates.)
I assume this output filter is required for displaying PayPal stuff on the PayPal skin template when checking out, but the Smarty output filter also seems to be applied to any and all rendered templates universally, including email templates (the HTML component only).
Then, the MailScanner utility catches the email, sees the <script> tag, and disarms it. The result is visible text.
CubeCart's email templates do not have the target of the javascript generated by this hook, so it's not necessary. But, as an output filter that is instantiated at 'controller.index', the action this hook provides will get applied to unintended content.
Resolving this will require the CubeCart programmers to come up with a solution: possibly testing for what will be using the output filter, or using different hooks.
As for MailScanner, according to the documentation posted above, it is unfortunate that there is no choice to 'remove' script tags and the inner content.

keat, posted September 26, 2022:
@Al Brookbanks Do we need to raise this on GitHub?

Al Brookbanks, posted November 15, 2022:
Thanks, I'm looking at this on GitHub. I know the reason. It's caused by the hooks/controller.index.php file binding the JS to the </html> tag. I need to figure out how to exclude the email.
Can you try this? https://github.com/cubecart/v6/commit/296fc41ee207c2f9e572ab802544658cad95f0c5
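
To check whether an order email still carries the plugin's script block, live or already disarmed by MailScanner, the raw message source can be scanned mechanically. This is an added example, not code from the thread or from CubeCart; the sample message is constructed from the fragment keat posted, and the addresses and boundary are placeholders.

```python
import re
from email import message_from_bytes, policy

# MailScanner's "disarm" action renames <script> to <MailScannerScriptNNNNN script>,
# as seen in the raw source quoted in the thread.
DISARMED = re.compile(
    r"<MailScannerScript(?P<n>\d+)\s+script\b(?P<attrs>[^>]*)>(?P<body>.*?)"
    r"</MailScannerScript(?P=n)>", re.S | re.I)
LIVE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script\s*>", re.S | re.I)

def find_scripts(raw_message: bytes):
    """Return (kind, attrs, body) for each script element in the HTML part(s)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes quoted-printable/base64 encoding
        for kind, pattern in (("disarmed", DISARMED), ("live", LIVE)):
            for m in pattern.finditer(html):
                found.append((kind, m["attrs"].strip(), m["body"].strip()))
    return found

# Constructed sample: an order email shortened from the fragment in the thread.
SAMPLE = b"""\
From: shop@example.test
Subject: Order confirmation
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Thank you for your order.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Thank you for your order.</p><MailScannerS=
cript29528 script id=3D"pp_config" type=3D"application/json">{"home":{"dom"=
:".home_wrapper"}}</MailScannerScr=
ipt29528><MailScannerScript29528 script>
var pp_amount =3D 36.36;</MailScannerScript29528></body></html>
--b1--
"""

if __name__ == "__main__":
    for kind, attrs, body in find_scripts(SAMPLE):
        print(kind, repr(attrs), body[:60])
```

An empty result for a test order email sent after the fix means the output filter is no longer touching the email's HTML part.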