gibberish on bottom of order confirmation

[keat]

It's been noted that the bottom of an order confirmation contains gibberish (see image)

 

Any ideas where to start looking ?

[keat]

I considered that it may have been the email template, but I switched my language to French and the same gibberish appears.

I've never meddled with any of the foriegn templates.

 

Edited September 22, 2022 by keat

[bsmither]

This is found in an email received by the customer?

It looks like javascript that would be found in the PayPal plugin module.

If possible, look at the plain text component of the received email. (Granted, that might be a feature of the email program you use that simply isn't available.)

If not, you should be able to look at the email's raw source.

Does the rogue content also appear in the plain text component?

 

[keat]

Looking at the nessage source, I found this in the bottom.

There is reference to 'PP_Config' and also 'Mailscanner' which is a piece of software running on our mailserver.

 

<MailScannerS=
cript29528 script id=3D"pp_config" type=3D"application/json">{"home":{"dom"=
:".home_wrapper"},"category":{"dom":".category_wrapper"},"product":{"dom":"=
.product_wrapper #main_content form .row .row:last-child"},"payment": {"dom=
":"#checkout_actions"},"cart": {"dom":"#checkout_actions"}}</MailScannerScr=
ipt29528><MailScannerScript29528 script>
        var pp_config =3D JSON.parse(document.getElementById('pp_config').t=
extContent)
        var pp_amount =3D 36.36;</MailScannerScript29528></body></html>

[keat]

I disabled the PayPal Commerce plugin and now the gibberish has gone.

Re-enabled it and the gibberish is back.

[keat]

One of the phrases in the message headers sent me off on a tangent, and I came across a mailscanner config setting, which i've modifed and seems to have resolved the error for now.

Do you want to allow <Script> tags in email messages? This is a bad idea
 as these are used to exploit vulnerabilities in email applications and
 web browsers.
 Value: yes     => Allow these tags to be in the message
        no      => Ban messages containing these tags
        disarm  => Allow these tags, but stop these tags from working
                   Note: Disarming can be defeated, it is not 100% safe!
 This can also be the filename of a ruleset.

 

But reading the description, it sounds somewhat dangerous to allow this.

So if it is the PayPal plugin which is causing this, would there be a fix rather than allowing this security setting.

[bsmither]

In the PayPal Commerce plugin, there is a hook file named 'controller.index.php'. This hook code creates and registers a Smarty output filter. (An output filter can add, edit, and delete content from rendered sources, usually skin templates.)

I assume this output filter is required for displaying PayPal stuff on the PayPal skin template when checking out, but the Smarty output filter also seems to be applied to any and all rendered templates universally, including email templates (the HTML component only).

Then, the MailScanner utility catches the email, sees the <script> tag, and disarms it. The result is visible text.

CubeCart's email templates do not have the target of the javascript generated by this hook, so it's not necessary. But, as an output filter that is instantiated at 'controller.index', the action this hook provides will get applied to unintended content.

Resolving this will require the CubeCart programmers to come up with a solution: possibly testing for what will be using the output filter, or using different hooks.

As for MailScanner, according to the documentation posted above, it is unfortunate that there is no choice to 'remove' script tags and the inner content.

[keat]

@Al BrookbanksDo we need to raise this on GitHub ??

[Al Brookbanks]

Thanks I'm looking at this on GitHub.

I know the reason. It's caused by the hooks/controller.index.php file binding the JS to the </html> tag. 

I need to figure out how to exclude the email.

Can you try this? https://github.com/cubecart/v6/commit/296fc41ee207c2f9e572ab802544658cad95f0c5