
Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php


osC_Sec_2.5[r1] updated

What's New?

- IMPORTANT: osC_Sec is now split into two files (thanks to a suggestion by Grakkam) osc.php which contains the settings, and the rest is in osc_sec.php. So from now onward updating will mean simply overwriting the osc_sec.php file which contains the actual code.

- removed the SSL code from osC_Sec as it is no longer needed and as someone else pointed out, there is already an addon that deals with SSL issues.

- updated the way osC_Sec determines SSL (thanks to germ)

 

Download full fileset from: http://www.oscommerce.com/community/contributions,7834


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Great contribution. Already using it on a few sites. My problem is with Ajax Attribute Manager. When I use osC_Sec with Ajax Attribute Manager, the remove attribute button does not remove the attribute from the product. Is there anything I can do to allow Ajax Attribute Manager to work with osC_Sec?


Can you paste in the settings you are using in osc_sec thanks.



I am using the latest version and the settings are as follows. I have played with different setting combinations but no luck so far:

 

$nonGETPOSTReqs = 0; # 1 = Prevent security bypass attacks via forged requests, 0 = let it as it is

$chkPostLocation = 0; # 1 = check to see if cookies and referer are set before accepting post vars, 0; don't (especially if using Paypal)

$forceHTTPS = 0; # 1 = redirects everything to https, 0 = don't

$testExpiredCookie = 1; # 1 = checks to see if the browser understands what to do with an expired cookie, 0 = don't check

$arbitrarysession_block = 0; # 1 = prevents arbitrary session injections, 0 = leave it as it is


I have had one other user complain of the same thing with the ajax addon but theirs was solved by disabling $arbitrarysession_block.

 

Since you have that disabled that really only leaves you with commenting out a couple of sections of osC_Sec which update variables and values.

 

So I am just going to take an educated guess here. Find the following section around line 274:

 

       $getvariables = $_GET;
       $getvariables = array_keys( $getvariables );
       if( $getvariables !== array() ) {
           $count = 0;
           while( $count < count( $getvariables ) ) {
                  $_GET[$getvariables[$count]] = scrubster( $_GET[$getvariables[$count]] );
           $count++;
           }
       }

 

Replace with the following:

 

       $getvariables = $_GET;
       $getvariables = array_keys( $getvariables );
       if( $getvariables !== array() ) {
           $count = 0;
           while( $count < count( $getvariables ) ) {
           #       $_GET[$getvariables[$count]] = scrubster( $_GET[$getvariables[$count]] );
           $count++;
           }
       }

 

That is the main piece that actually updates the GET array. There is one more piece in the code that does so, but try that first and let me know if that corrects the problem.



I really appreciate your help. This has fixed my problem. Thank you.


The problem seems offhand to be a combination of possible conflicts with the way the attributes manager uses urlencode and how osC_Sec uses urldecode, and perhaps even addslashes. My problem is I cannot replicate the error you are getting here in order to properly fix this in osC_Sec if that is even possible. I will keep working on it.



osC_Sec_2.5[r2] Updated

What's New?

- Shifted the timezone settings into the settings area. These determine the accuracy of the timestamp when an exploit attempt is detected. This will mean that you will have to update the settings file osc.php as well as the content file osc_sec.php (hopefully last time)

- Made the cleanup of the $_GET variables optional again due to conflicts with some addons. A setting has been added to osc.php called $GETcleanup. It is by default set to activated so no changes needed for most users.

- Removed surplus settings from osc.php which were no longer used

 

Download from: http://www.oscommerce.com/community/contributions,7834

 

fenerbahce: this should make it easier for you in the future to update osC_Sec as you can just set $GETcleanup to 0 in the osc.php file without having to reapply that change above every time you update osC_Sec.



I made a comment about it below

http://forums.oscommerce.com/topic/375408-231-bug/

 

2.3.1 is patched against this, so it's a bogus exploit, or one that has not been tested on a fresh install of osCommerce 2.3.1.

 

And yes osC_Sec will block/ban this as will any addon that looks for the combination of '.php/login'



Hi!

 

I just installed OSC_SEC 2.5r2 on my nearly ready German shop. :thumbsup:

 

May you please change the $GETcleanup filter, because it filters German umlauts, like ö Ö ä Ä Ü ü if set to $GETcleanup = 1

 

This is the same if the umlauts are html coded, e.g. &uuml; = ü

 

Thank you in advance.

 

 

Regards


Best regards

 

Popsel


Are the umlauts just on the vowels or are there more. What is the full set?



Hi!

 

In Germany we have a ß character, too.

So all the special characters we need here are:

ö Ö ä Ä ü Ü ß and the &euro; = € sign.

 

 

It would be a good idea to add a way to add more special characters (some table or similar).

Other countries will need other special characters, too.

 

Regards

 

popsel


Best regards

 

Popsel


Try this out for now.

 

Scroll to about line 720 in osc_sec.php and find the function below:

 

  /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
  foreach( $nodes as $key=>$value ) {
               if ( is_array( $value ) ) {
 		      scrubster( $value );
               } else {
                     $nodes[ $key ] = preg_replace("/[^ a-zA-Z0-9@%:{}\/_.-]/i", "", urldecode( $value ) );
               }
         }
    } else {
         $nodes = preg_replace("/[^ a-zA-Z0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
   }
   return $nodes;
 }

 

Replace with this:

 

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               if ( is_array( $value ) ) {
                     // keep the cleaned sub-array instead of discarding it
                     $nodes[ $key ] = scrubster( $value );
               } else {
                     // clean this element only; $nodes itself is still an array here
                     $nodes[ $key ] = preg_replace("/[^ a-zA-Z0-9?äöüÄÖÜ€ß=@%:{}\/_.-]/i", "", urldecode( $value ) );
               }
         }
    } else {
         $nodes = preg_replace("/[^ a-zA-Z0-9?äöüÄÖÜ€ß=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
    }
    return $nodes;
 }

 

See if that works for you.



Hi!

 

This works for input to forms like Order Editor V5.09, which is already a big success.

It is not working if the special chars are HTML coded, e.g. &uuml; is still filtered.

 

Thank you for very fast reply.

 

Regards

 

Popsel


Best regards

 

Popsel


I've installed OSC SEC on a customer site, but I cannot figure out how to test it.

 

I'm using OSC 2.2 RC2.

 

Could someone suggest some url strings that would get me banned?

 

Note: I have the admin directory Apache password protected, so I'm talking about testing the catalog, not the admin.

 

Thanks,

 

Geoff


I've installed OSC SEC on a customer site, but I cannot figure out how to test it.

 

...

 

Thanks,

 

Geoff

 

I did discover that OSC SEC gave an error message in Admin that it couldn't write to the htaccess file. I changed the permissions and the error message went away, but nothing was actually written to the .htaccess.

 

Is it correct that OSC SEC won't write anything to the .htaccess until it actually has an ip to ban?

 

Anyway, I haven't as yet figured out what url string I could use to cause my ip to be banned or to generate an email.


Try something like:

http://www.yourdomain.com/catalog/admin/categories.php/login.php?cookies=1



I guess what I will need to test this is a scenario or addon that tries to put &uuml; into a GET request. Keep in mind that &uuml; and other html coded umlauts are not filtered in form variables (POST requests). At the moment I am hesitant to allow the '&' and ';' as whitelisted characters by themselves because they, well at least the ';' is a regularly used character in attempts to inject into the database.

 

If you can give me a scenario that I can test and simulate here I might be able to come up with a better method of allowing the German characters through the GET whitelist.



Hi!

 

I noticed the missing umlaut characters when the Discount Coupon Codes V3.34 addon shows error messages.

After translating the text constants to German the html coded umlauts are truncated,

e.g. input string is: &uuml;

this is cut down to: uuml (missing the first and last character).

The & and ; characters are filtered, so the browser shows uuml instead of ü

 

The message string is provided this way:

 

These are the German translations in catalog\includes\languages\german.php:

//kgt - discount coupons
define('ENTRY_DISCOUNT_COUPON_ERROR', 'Der eingegebene Gutscheincode ist ung&uuml;ltig.');
define('ENTRY_DISCOUNT_COUPON_AVAILABLE_ERROR', 'Der eingegebene Gutscheincode ist nicht mehr g&uuml;ltig.');
define('ENTRY_DISCOUNT_COUPON_USE_ERROR', 'Unsere Aufzeichnungen zeigen, dass Sie diesen Gutschein-Code bereits %s Mal benutzt haben.  Sie d&uuml;rfen diesen Code nicht mehr als %s Mal verwenden.');
define('ENTRY_DISCOUNT_COUPON_MIN_PRICE_ERROR', 'Der Mindestbestellwert f&uuml;r diesen Gutschein betr&auml;gt %s und wurde noch nicht erreicht');
define('ENTRY_DISCOUNT_COUPON_MIN_QUANTITY_ERROR', 'Die minimale Anzahl der Produkte zur Benutzung dieses Gutscheines ist %s');
define('ENTRY_DISCOUNT_COUPON_EXCLUSION_ERROR', 'Einige oder alle der Produkte im Warenkorb sind von der Verrechnung mit diesem Gutschein ausgeschlossen.' );
define('ENTRY_DISCOUNT_COUPON', 'Gutschein-Code:');
define('ENTRY_DISCOUNT_COUPON_SHIPPING_CALC_ERROR', 'Die Ihnen berechneten Versandkosten wurden ge&auml;ndert.');
//end kgt - discount coupons
?>

 

If conditions are met, e.g. entering a wrong coupon code in the frontend (checkout_payment.php), text constants are sent from

catalog\includes\classes\discount_coupon.php in the function get_coupon()

example: look how the constant ENTRY_DISCOUNT_COUPON_ERROR is sent here:

   function get_coupon( $code, $delivery ) {
     global $customer_id; //needed for customer_exclusions
     $check_code_query = tep_db_query( $sql = "SELECT dc.*
                                               FROM " . TABLE_DISCOUNT_COUPONS . " dc
                                               WHERE coupons_id = '".tep_db_input( $code )."'
                                                 AND ( coupons_date_start <= CURDATE() OR coupons_date_start IS NULL )
                                                 AND ( coupons_date_end >= CURDATE() OR coupons_date_end IS NULL )" );
     if( tep_db_num_rows( $check_code_query ) != 1 ) { //if no rows are returned, then they haven't entered a valid code
       $this->message( ENTRY_DISCOUNT_COUPON_ERROR ); //display the error message
     } else {
       //customer_exclusions
       $check_user_query = tep_db_query( $sql = 'SELECT dc2u.customers_id

 

So the output should be

Der eingegebene Gutscheincode ist ungültig

but it is:

Der eingegebene Gutscheincode ist unguumlltig.

 

So IMHO the filter should block the single problematic chars, like & ; but bypass umlaut strings like &uuml; if they are exactly written as a reference pattern.

 

 

Regards

 

Popsel


Best regards

 

Popsel


Ok thanks for that. That gives me something to work with.



Hi!

 

I just noticed another problem with filtering:

In Germany we use comma as separator between Euro and cents. So the system is set according to it.

I set up a discount coupon to be used with a minimal order value of 10 EURO.

Now, with $GETcleanup = 0, after adding an amount of 9 EURO to the cart and entering the coupon code I get an

error message

(translated to English) ... minimal order is 10,00 € ...

This is like it should be.

After setting $GETcleanup = 1; there is a funny message with the same conditions I get:

(translated to English) ... minimal order is 1000 ... (the comma and the € sign is missing)

This can be really confusing to a customer, isn't it?

 

Regards

 

Popsel


Best regards

 

Popsel


Try this out and let me know if it works for you.

 

Replace the code I gave you above with this:

 

 /**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               // clean every element (nested arrays included) and keep the result
               $nodes[ $key ] = scrubster( $value );
         }
    } else {
         // swap the listed characters for token-prefixed placeholders
         $nodes = getCleaner( $nodes, TRUE );
         $nodes = preg_replace("/[^ a-zA-Z0-9?,ßäöüÄÖÜ€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
         // swap the placeholders back after filtering
         $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
 }

 /**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
 function getCleaner( $string, $conv = 1 ) {
    // token that prefixes every placeholder
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
              $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    $tolist = explode( ",", "ä,ö,ü,Ä,Ö,Ü,ß,€" );
    $fromlist = explode( ",", "ae,oe,ue,Ae,Oe,Ue,szlig,euro" );
    // "<" rather than "<=": the last valid index is count( $tolist ) - 1
    for ( $wr = 0; $wr < count( $tolist ); $wr++ ) {
       if ( $conv > 0 ) {
           $string = str_replace( $tolist[$wr], $x . $fromlist[$wr], $string );
       } else {
           $string = str_replace( $x . $fromlist[$wr], $tolist[$wr], $string );
       }
    }
    return $string;
 }



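One way to implement the filter discussed in the posts above, where exact named entities such as &uuml; pass through while a bare & or ; is still stripped. This is an added example, not osC_Sec code and not written by anyone in this thread; it assumes PHP 7+, a UTF-8 source file, and the hypothetical names scrub_get_value, placeholder_map, ALLOWED_ENTITIES and ALLOWED_LITERALS, and the sample input is constructed.

```php
<?php
// Added example; not osC_Sec code. All names below are hypothetical.

// Named entities that may pass as a whole. A bare '&' or ';' is still removed.
const ALLOWED_ENTITIES = ['auml', 'ouml', 'uuml', 'Auml', 'Ouml', 'Uuml', 'szlig', 'euro'];
// Literal characters allowed on top of the ASCII allowlist (UTF-8 source assumed).
const ALLOWED_LITERALS = ['ä', 'ö', 'ü', 'Ä', 'Ö', 'Ü', 'ß', '€'];

/** Map "<token>e<i>x" / "<token>l<i>x" placeholders to the text they stand for. */
function placeholder_map(string $token): array
{
    $map = [];
    foreach (ALLOWED_ENTITIES as $i => $name) {
        $map[$token . 'e' . $i . 'x'] = '&' . $name . ';';
    }
    foreach (ALLOWED_LITERALS as $i => $char) {
        $map[$token . 'l' . $i . 'x'] = $char;
    }
    return $map;
}

/** Clean one GET value, or every leaf of a nested array of values. */
function scrub_get_value($value, string $token)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = scrub_get_value($item, $token); // keep the cleaned result
        }
        return $value;
    }
    $value = (string) $value;
    $map = placeholder_map($token);

    // The token is random per request, so a client cannot know it; remove it
    // anyway so that input can never contain a ready-made placeholder.
    $value = str_replace($token, '', $value);
    // 1. Protect exact matches only: "&uuml;" is swapped, "&uuml" or "uuml;" is not.
    $value = str_replace(array_values($map), array_keys($map), $value);
    // 2. ASCII allowlist (the thread's set plus ','); placeholders are [0-9a-z] and survive.
    $value = preg_replace('/[^ a-zA-Z0-9?,=@%:{}\/_.-]/', '', $value);
    // 3. Put the protected text back.
    return str_replace(array_keys($map), array_values($map), $value);
}

// Constructed sample input standing in for $_GET.
$token = bin2hex(random_bytes(16)); // generate once per request
$sample = [
    'error_message' => 'Der eingegebene Gutscheincode ist ung&uuml;ltig.',
    'min_order'     => 'Mindestbestellwert 10,00 &euro;',
    'stray'         => 'a;b&c &uuml &amp;uuml; <b>',
    'nested'        => ['für', ['x;y', 'Größe']],
];
foreach (scrub_get_value($sample, $token) as $key => $clean) {
    echo $key, ' => ', json_encode($clean, JSON_UNESCAPED_UNICODE), PHP_EOL;
}
```

The filter only narrows what reaches the application; values still go through tep_db_input() before they reach SQL, as in the get_coupon() excerpt earlier in the thread.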

Hi!

 

Thanks for your engagement.

 

After a quick check I get this display in the frontend with Firefox:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.

 

checking the generated html code with Firebug shows amp inside the umlaut strings ?!

<td class="headerError">Der Mindestbestellwert f&amp;uuml;r diesen Gutschein betr&amp;auml;gt 10,00 und wurde noch nicht erreicht.</td>

 

hmm.. but the comma inside the 10,00 is now visible :rolleyes:

 

Here is a realtime html editor, suitable to show how the strings are displayed from browser:

http://htmledit.squarefree.com/

To simulate it you may copy this original output string into the window to see the result:

 

<td class="headerError">Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.</td>


Best regards

 

Popsel


 

To simulate it you may copy this original output string into the window to see the result:

 

<td class="headerError">Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.</td>

 

Sorry, the way I did copy was wrong. It should be:

 

Der Mindestbestellwert f&uuml;r diesen Gutschein betr&auml;gt 10,00 und wurde noch nicht erreicht.


Best regards

 

Popsel
