Jump to content

gibberish on bottom of order confirmation


Recommended Posts

This is found in an email received by the customer?

It looks like javascript that would be found in the PayPal plugin module.

If possible, look at the plain text component of the received email. (Granted, that might be a feature of the email program you use that simply isn't available.)

If not, you should be able to look at the email's raw source.

Does the rogue content also appear in the plain text component?


Link to comment
Share on other sites

Looking at the nessage source, I found this in the bottom.

There is reference to 'PP_Config' and also 'Mailscanner' which is a piece of software running on our mailserver.


cript29528 script id=3D"pp_config" type=3D"application/json">{"home":{"dom"=
.product_wrapper #main_content form .row .row:last-child"},"payment": {"dom=
":"#checkout_actions"},"cart": {"dom":"#checkout_actions"}}</MailScannerScr=
ipt29528><MailScannerScript29528 script>
        var pp_config =3D JSON.parse(document.getElementById('pp_config').t=
        var pp_amount =3D 36.36;</MailScannerScript29528></body></html>
Link to comment
Share on other sites

One of the phrases in the message headers sent me off on a tangent, and I came across a mailscanner config setting, which i've modifed and seems to have resolved the error for now.

Do you want to allow <Script> tags in email messages? This is a bad idea
 as these are used to exploit vulnerabilities in email applications and
 web browsers.
 Value: yes     => Allow these tags to be in the message
        no      => Ban messages containing these tags
        disarm  => Allow these tags, but stop these tags from working
                   Note: Disarming can be defeated, it is not 100% safe!
 This can also be the filename of a ruleset.


But reading the description, it sounds somewhat dangerous to allow this.

So if it is the PayPal plugin which is causing this, would there be a fix rather than allowing this security setting.

Link to comment
Share on other sites

In the PayPal Commerce plugin, there is a hook file named 'controller.index.php'. This hook code creates and registers a Smarty output filter. (An output filter can add, edit, and delete content from rendered sources, usually skin templates.)

I assume this output filter is required for displaying PayPal stuff on the PayPal skin template when checking out, but the Smarty output filter also seems to be applied to any and all rendered templates universally, including email templates (the HTML component only).

Then, the MailScanner utility catches the email, sees the <script> tag, and disarms it. The result is visible text.

CubeCart's email templates do not have the target of the javascript generated by this hook, so it's not necessary. But, as an output filter that is instantiated at 'controller.index', the action this hook provides will get applied to unintended content.

Resolving this will require the CubeCart programmers to come up with a solution: possibly testing for what will be using the output filter, or using different hooks.

As for MailScanner, according to the documentation posted above, it is unfortunate that there is no choice to 'remove' script tags and the inner content.

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...