Static blocks not working – Magento 1.9.2.2

The problem

After updating Magento to version 1.9.2.2, or installing security patch SUPEE-6788 on an older version, lots of people are noticing that their static block shortcodes are no longer working. On my homepage, for example, I’m including a CMS Static Block as follows:

{{block type="cms/block" block_id="slide_home"}}

After the upgrade, this block was no longer displaying. In fact, this shortcode caused a PHP error to show up in my log files:

Notice: Undefined variable: block  in /app/code/core/Mage/Core/Model/Email/Template/Filter.php on line 187

Furthermore, it soon became clear that the error is not limited to shortcodes for CMS Static Blocks: all my custom blocks, including those in 3rd party extensions, failed to display.

The cause

Upon investigating the issue, I quickly found out that this is not a bug, but a security feature added in security patch SUPEE-6788. The technical details of the patch clearly state that blocks have to be added to a white list if they are to be displayed:

Magento now includes a white list of allowed blocks or directives. If a module or extension uses variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}} in CMS pages or emails, and the directives are not on this list, you will need to add them with your database installation script. Extensions or custom code that handles content (like blog extensions) might be affected. – See more at: http://magento.com/security/patches/supee-6788-technical-details

Checking the above PHP error, it becomes clear that it’s caused by the requested block type (in my case cms/block) not being added to the white list. The responsible code in Filter.php looks as follows:

if (isset($blockParameters['type'])) {
    if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
        $type = $blockParameters['type'];
        $block = $layout->createBlock($type, null, $blockParameters);
    }
} elseif (isset($blockParameters['id'])) {
    $block = $layout->createBlock('cms/block');
    if ($block) {
        $block->setBlockId($blockParameters['id']);
    }
}

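Simply put, this little piece of PHP checks whether your block type is on the white list, which is stored in the MySQL table permission_block. If the type is not allowed, $block is never assigned, so the later use of $block triggers the "Undefined variable: block" notice shown above.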

The solution

Clearly, all that remains is adding the block type you wish to display to Magento’s white list. Luckily, this is very easy and can be done through the Magento backend interface. Simply navigate to

System => Permissions => Blocks

and add the block type you wish to display. For a visual of my situation, see the screenshots below.

Navigate to System => Permissions => Blocks
Click on Add new Block, fill in the block type and set Allowed to Yes

Which block type should I add to the white list?

Some people find it hard to work out which block type to add to the white list. If you added the block with a shortcode, simply add the block type from that shortcode. In this shortcode

{{block type="cms/block" block_id="slide_home"}}

the type to add would be ‘cms/block’. If you can’t figure out which block type to use, you can temporarily edit the Magento core to find out the type of the block. Open the file

/app/code/core/Mage/Core/Model/Email/Template/Filter.php

in your favorite editor and navigate to line 175. There you can update the code

if (isset($blockParameters['type'])) {
    if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
        $type = $blockParameters['type'];
        $block = $layout->createBlock($type, null, $blockParameters);
    }
} elseif (isset($blockParameters['id'])) {
    $block = $layout->createBlock('cms/block');
    if ($block) {
        $block->setBlockId($blockParameters['id']);
    }
}

to print the block type if it’s not whitelisted.

if (isset($blockParameters['type'])) {
    if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
        $type = $blockParameters['type'];
        $block = $layout->createBlock($type, null, $blockParameters);
    } else {
        var_dump($blockParameters['type']);
        die;
    }
} elseif (isset($blockParameters['id'])) {
    $block = $layout->createBlock('cms/block');
    if ($block) {
        $block->setBlockId($blockParameters['id']);
    }
}

Please note that this breaks your site, and should only be used temporarily to find out the type of the missing block. A more subtle solution would be to send an email with the missing block type.

if (isset($blockParameters['type'])) {
    if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
        $type = $blockParameters['type'];
        $block = $layout->createBlock($type, null, $blockParameters);
    } else {
        mail('email@domain.com', 'Disallowed block for ' . Mage::getBaseUrl(), $blockParameters['type'] . "\n" . print_r($_SERVER, true));
    }
} elseif (isset($blockParameters['id'])) {
    $block = $layout->createBlock('cms/block');
    if ($block) {
        $block->setBlockId($blockParameters['id']);
    }
}
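
An alternative that leaves the core files untouched and avoids mailing the contents of $_SERVER (which includes request headers and cookies), added here as an example and not code from the original post or from Magento: the script below extracts the type of every {{block}} directive from CMS content and reports the types missing from a given white list. The function names, the sample content and the $allowed list are constructed for illustration; in practice the content would come from your CMS pages, static blocks and email templates, and the list from System => Permissions => Blocks.

```php
<?php
// Added example. Function names and all sample data below are constructed.

/**
 * Return the distinct block types used by {{block ...}} directives in $content.
 * Handles type="x", type='x' and unquoted type=x.
 */
function extractBlockTypes($content)
{
    $types = array();
    // Find every {{block ...}} directive; other directives ({{config}}, ...) are skipped.
    preg_match_all('/\{\{block\s+(.*?)\}\}/si', $content, $directives);
    foreach ($directives[1] as $params) {
        // "type" must start the parameter list or follow whitespace,
        // so parameters such as block_type= are not mistaken for it.
        if (preg_match('/(?:^|\s)type\s*=\s*["\']?([^\s"\']+)/i', $params, $m)) {
            $types[] = $m[1];
        }
    }
    return array_values(array_unique($types));
}

/**
 * Map each content identifier to the block types it uses that are not in
 * $allowedTypes. Exact string comparison is an assumption of this example.
 */
function findDisallowedTypes(array $contentById, array $allowedTypes)
{
    $report = array();
    foreach ($contentById as $id => $content) {
        $missing = array_diff(extractBlockTypes($content), $allowedTypes);
        if ($missing) {
            $report[$id] = array_values($missing);
        }
    }
    return $report;
}

// Constructed white list and constructed CMS content.
$allowed = array('cms/block');
$content = array(
    'home'   => '<div>{{block type="cms/block" block_id="slide_home"}}</div>'
              . '{{block type="catalog/product_list" template="catalog/product/list.phtml"}}',
    'footer' => "{{block type='bannerslider/default' bannerslider_id=5}}"
              . ' {{config path="web/unsecure/base_url"}}',
);
foreach (findDisallowedTypes($content, $allowed) as $id => $types) {
    echo $id . ': ' . implode(', ', $types) . PHP_EOL;
}
```

Each reported type is a candidate for the white list; review what the block renders before setting it to allowed.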

34 thoughts on “Static blocks not working – Magento 1.9.2.2”

  1. Hi,

    Superb post! I was struggling to get a few modules functional after upgrading Magento to version 1.9.2.2. I found this post, followed the steps, and the problem is solved :).

    Many Many Thanks!
    Hemant

    1. Thank you so much, I was wondering why it didn’t work after the upgrade. You saved lots of hours of my time finding a solution..

      Cheers

  2. Hi,
    Thanks for your post. I use the Magestore Banner Extension
    which uses block type="bannerslider/default"
    After whitelisting, my banners are still not visible.

    Any idea why?
    Thanks and regards,
    Martijn

    1. I managed to apply the whitelisting successfully for another banner extension which does NOT use variables.
      Hence I noticed that the Magestore Bannerslider Extension uses variables to identify the individual banners, for example {{block type="bannerslider/default" name="bannerslider.bannerslider" template="bannerslider/bannerslider.phtml" bannerslider_id=5}}

      How to whitelist the individual bannersliders, i.e. bannerslider_id=5 or bannerslider_id=1 ?

      1. Hi Martijn,

        Which version of Bannerslider are you using? When I try to use the latest version in Magento 1.9.2.2 I get an SQL error. Apparently I’m not the only one, so you should check your log if you have the same problem. Just visit the extension page, go to Q&A tab and click on the question ‘Problem after updating to 1.9.2’. I guess you’ll have to wait till they fix their extension.

  3. Thanks for this, spent hours trying to figure out why the catalog page wouldn’t display any products. This helped me find the issue, much appreciated.

  4. Hi,
    Great post. Thanks so much! That did the trick and my featured slider works again with SUPEE-6788.

  5. I was pulling my hair out… great post, thanks very much! I wonder from a security perspective though – if someone had access to your cms to add a rogue block, wouldn’t they also have access to your cms to whitelist that block? I guess it may provide a patch for those with actively compromised sites, and maybe it’s a deterrent by requiring one additional step to pull this type of hack off.

  6. This helped me a lot! I was struggling to investigate what happened to some of my blocks after security patch SUPEE-6788. 😀

    Thanks!

  7. Thanks for this, you saved my bacon!

    I’m writing this to boost the SEO a bit for people with the same problem I encountered in regards to Magento products on the home page breaking after installing SUPEE-6788.

    I simply went to: system->permissions->blocks

    and then added a new block called catalog/product_list

    I hope this helps somebody else.

  8. Huge thanks! Trying to stay ahead of the security updates and this totally wrecked our site.

  9. I was wondering what happened to Magento, tried a different installation, you saved my time
    Thank you very much

  10. Dude,

    Thanks for your hard work, seriously HATS OFF TO YOU.
    Myself, Chetan Verma from India.

    Regards
    Chetan Verma

  11. Hi,

    Awesome post, I was struggling from last two and finally get a working solution.

    Thanks a lot

  12. CMS static blocks are now cached. The problem arises from how the cache key info is generated. It falls back to the
