Problem saving "new order" template with the variable %account_url #7217

Closed
hezide opened this issue Oct 27, 2016 · 8 comments

hezide commented Oct 27, 2016

Preconditions

  1. Magento 2.1.2

Steps to reproduce

  1. load "new order" template
  2. save

Expected result

  1. email template saved

Actual result

  1. 404 error: Page not found.

This error occurs only if the link to view order details is like this: <a href="%account_url".
The full code for this link is:

<a href="%account_url">by logging in</a>.' account_url=$this.getUrl($store,'customer/account/',[_nosid:1]) |raw}}</p>

And if I delete it, everything works fine.
Just to mention that this automatically loads from the original template.

Is there a fix for that or another way to include this link?

Thanks.

olysenko commented Nov 2, 2016

Hi, thank you for your report.
Closed as duplicate. Duplicate: #5101 & PR: #5116
We have a separate internal issue for ver. 2.1 - MAGETWO-57026

@olysenko olysenko closed this as completed Nov 2, 2016
@olysenko olysenko removed their assignment Nov 2, 2016

olysenko commented Nov 7, 2016

@hezide With the comma fix applied, I can save a new template based on your steps to reproduce.

Please provide the full template content which you cannot save.

hezide commented Nov 7, 2016

<p>{{template config_path="design/email/header_template"}}</p>
<table style="float: right; text-align: right; direction: rtl;">
<tbody>
<tr class="email-intro">
<td>
<p class="greeting">{{trans "%customer_name," customer_name=$order.getCustomerName()}}</p>
<p>{{trans "תודה על הזמנתך ב%store_name." store_name=$store.getFrontendName()}}<br /> {{trans 'ניתן לבדוק את סטטוס ההזמנה <a href="%account_url">כאן</a>.' account_url=$this.getUrl($store,'customer/account/',[_nosid:1]) |raw}}</p>
<p>{{trans 'על כל שאלה ניתן לפנות אלינו בדואר האלקטרוני: <a href="mailto:%store_email">%store_email</a>' store_email=$store_email |raw}}{{depend store_phone}} {{trans 'or call us at <a href="tel:%store_phone">%store_phone</a>' store_phone=$store_phone |raw}}{{/depend}}. {{depend store_hours}} {{trans 'Our hours are <span class="no-link">%store_hours</span>.' store_hours=$store_hours |raw}} {{/depend}}</p>
</td>
</tr>
<tr class="email-summary">
<td>
<h1>{{trans 'מספר הזמנה: <span class="no-link">#%increment_id</span>' increment_id=$order.increment_id |raw}}</h1>
<p>{{trans 'Placed on <span class="no-link">%created_at</span>' created_at=$order.getCreatedAtFormatted(2) |raw}}</p>
</td>
</tr>
<tr class="email-information">
<td style="text-align: right; direction: rtl;">{{depend order.getEmailCustomerNote()}}
<table class="message-info">
<tbody>
<tr>
<td>{{var order.getEmailCustomerNote()|escape|nl2br}}</td>
</tr>
</tbody>
</table>
{{/depend}}{{depend order.getIsNotVirtual()}}{{/depend}}{{depend order.getIsNotVirtual()}}{{/depend}}
<table class="order-details">
<tbody>
<tr>
<td class="address-details">
<h3>{{trans "פרטי תשלום"}}</h3>
<p>{{var formattedBillingAddress|raw}}</p>
</td>
<td class="address-details">
<h3>{{trans "פרטי משלוח"}}</h3>
<p>{{var formattedShippingAddress|raw}}</p>
</td>
</tr>
<tr>
<td class="method-info">
<h3>{{trans "שיטת תשלום"}}</h3>
{{var payment_html|raw}}</td>
<td class="method-info">
<h3>{{trans "שיטת משלוח"}}</h3>
<p>{{var order.getShippingDescription()}}</p>
{{if shipping_msg}}
<p>{{var shipping_msg}}</p>
{{/if}}</td>
</tr>
</tbody>
</table>
{{layout handle="sales_email_order_items" order=$order area="frontend"}}</td>
</tr>
</tbody>
</table>

@hezide hezide closed this as completed Jan 8, 2017
@jonathanribas

@hezide this issue still exists in 2.1.4, have you managed to find a way to correct it?

hezide commented Feb 17, 2017

Looks like it's fixed.
I have done another fix in my site, so I'm not sure if the system upgrade fixed the issue or the other thing (the other one was a security rule in the server that blocked some stuff).

@jonathanribas

@hezide had same problem on a Nexcess server:

ModSecurity: Access denied with code 403 (phase 2). String match "on" at TX:sql_injection_score_blocking. [file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "87"]

hezide commented Feb 18, 2017

Yes, I am in Nexcess too, they fixed it...

@kevincal

This is ModSecurity on the web server denying the request because a pattern match is making it seem that there is an SQL injection hack being attempted. You can contact Nexcess to have them review the ModSecurity rules with you.
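
A small triage script for denial lines like the one quoted in this thread, as an added example that is not part of the thread or of the Magento or ModSecurity code: it parses the message and separates blocks raised on a transaction (TX) variable from blocks raised directly on request data. The second and third sample lines and the verdict labels are constructed for illustration; that other log entries for the same request name the rule that inspected the template body is an assumption.

```python
import re

# Shape of a ModSecurity 2.x "Access denied" message, as in the line quoted in the thread.
DENIAL_RE = re.compile(
    r'ModSecurity: Access denied with code (?P<code>\d{3}) \(phase (?P<phase>\d)\)\. '
    r'(?P<operator>.+?) "(?P<operand>.*?)" at (?P<variable>\S+?)\.(?:\s|$)'
)
# Trailing metadata fields such as [file "..."] [line "87"].
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denial(line):
    """Return the fields of one denial message, or None for any other line."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    entry = dict(META_RE.findall(line))
    entry.update(m.groupdict())
    # Collection is the part before the colon: TX, ARGS, REQUEST_HEADERS, ...
    entry["collection"] = entry["variable"].split(":", 1)[0].upper()
    return entry

def triage(line):
    """Classify a denial by what was inspected when the request was blocked."""
    entry = parse_denial(line)
    if entry is None:
        return "not-a-denial"
    if entry["collection"] == "TX":
        # TX holds per-transaction variables set by rules, not request content,
        # so this entry alone does not show which input was flagged (assumption:
        # other entries for the same request do).
        return "score-gate"
    return "direct-match"

SAMPLE_LOG = [
    # Quoted in the thread.
    'ModSecurity: Access denied with code 403 (phase 2). String match "on" at TX:sql_injection_score_blocking. [file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "87"]',
    # Constructed: a denial raised directly on a request argument.
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [file "/etc/example/rules.conf"] [line "10"]',
    # Constructed: a non-blocking warning, which is not a denial.
    'ModSecurity: Warning. Pattern match "select" at ARGS:q. [file "/etc/example/rules.conf"] [line "10"]',
]

def summarize(lines):
    """Pair each line's verdict with the rule file that issued it (None if not a denial)."""
    return [(triage(l), (parse_denial(l) or {}).get("file")) for l in lines]

if __name__ == "__main__":
    for verdict, rule_file in summarize(SAMPLE_LOG):
        print(verdict, rule_file)
```
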
