X-Cart:Using Active Content

From X-Cart 4 Classic
Revision as of 17:47, 8 October 2012 by Dohtur (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

In X-Cart PLATINUM and PRO editions, providers can be allowed to use active content. Active content is unfiltered HTML and Javascript in product descriptions and extra field values and validation Javascript in Product Options.

When the 'Allow this provider to use active content on product pages' option on the provider profile page in the admin section is enabled, this provider becomes trusted and can use active content without any validation.

When this option is disabled, the provider is 'untrusted'. When such a provider imports or updates data, the following data from this provider will be filtered to exclude the possibility of an XSS attack:

  • product descriptions (including international descriptions);
  • extra fields values.
  • Product Configurator data
  • manufacturers data
  • special offer promo texts

When an untrusted provider imports data, all the HTML tags are excluded.

A validation Javascript field for Product Options is not displayed to untrusted providers.

In case the data have already been entered or modified by the admin, and the option 'Allow this provider to use active content on product pages' is disabled (the provider becomes untrusted), data/values of the fields defined above will be filtered before being displayed in the customer area.

Validations Javascript code for Product Options will be ignored.

Important! Enabling/disabling the 'Allow this provider to use active content on product pages' option does not change the data in the products of the providers. Only the provider profile is changed.