X-Cart:Using Active Content

From X-Cart 4 Classic
Revision as of 15:10, 26 January 2010 by Admin (talk | contribs)
Jump to: navigation, search
X-CartPro

A provider can use active content (that is unfiltered HTML and Javascript in product descriptions and extra field values and validation Javascript in Product Options).

When the 'Allow this provider to use active content on product pages' option on the provider profile page in the admin section is enabled, this provider becomes trusted and can use active content without any validation.

When this option is disabled, the provider is 'untrusted'. When such a provider imports or updates data, the following data from this provider will be filtered to exclude the possibility of an XSS attack:

  • product descriptions (including international descriptions);
  • extra fields values.
  • Product Configurator data
  • manufacturers data
  • special offer promo texts

When an untrusted provider imports data, all the HTML tags are excluded.

A validation Javascript field for Product Options is not displayed to untrusted providers.

In case the data have already been entered or modified by the admin, and the option 'Allow this provider to use active content on product pages' is disabled (the provider becomes untrusted), data/values of the fields defined above will be filtered before being displayed in the customer area.

Validations Javascript code for Product Options will be ignored.

Important! Enabling/disabling the 'Allow this provider to use active content on product pages' option does not change the data in the products of the providers. Only the provider profile is changed.