OXID eShop bugtrack - Issues

0007878: company and add info is missing

Tue, 14 Apr 2026 13:34:27 +0200

Hello,

oxcompany and oxaddinfo is missing in the creation of the addresslines for the amazon payload.
htdocs/vendor/oxid-esales/amazon-pay-module/src/Core/Payload.php

The values should be set in addressLine1 or addressLine2 depending wich values are set.
If company is set it should probably be set in addressLine1 and the address in addresLine2.
If NO company ist set the address should be set in addressLine1.

Would be nice if you could look into that.

Greeting and happy new year.

0007920: In the sub-shop, the fallback credit card is displayed even though it is not active

Tue, 14 Apr 2026 12:41:50 +0200

In the sub-shop, the fallback credit card is displayed even though the payment methods (PayPal credit or debit card and PayPal credit or debit card fallback) are not active.
However, this only happens if ‘Vaulting: No’ is also set.

/var/configuration/shops/1/modules/osc_paypal.yaml
oscPayPalSandboxVaultingEligibility:
type: bool
value: false

0007922: getMasterZoomPictureUrl is used in our product gallery but doesnt support webp setting

Fri, 10 Apr 2026 16:49:00 +0200

getMasterZoomPictureUrl not even going to getPicUrl which is adding the ".webp" ending.. it goest to getPictureUrl from Config, so looks like we have a problem there with that current gallery in apex.

0007921: Extending module templates is not simple where it should be

Fri, 10 Apr 2026 16:40:38 +0200

Extending module templates is not simple where it should be

0007870: Amazon Pay Button wird nicht geladen

Fri, 10 Apr 2026 10:45:40 +0200

Wir haben in unserem OXID Shop das Module oxid-esales/amazon-pay-module von der Version 2.1.6 auf die 2.1.8 aktualisiert.
Nach dem Testen ist uns aufgefallen, dass der amazon pay Button nicht mehr angezeigt wird.

In der Datei vendor/oxid-esales/amazon-pay-module/views/blocks/page/checkout/basket_btn_next_bottom.tpl wurde die Schreibweise von Twig zum Einbinden der Templates genutzt statt die normale Smarty Schreibweise.

0007896: Mini-Warenkorb-Popup auf der Bestellübersichtsseite mit zwei Amazon-Pay-Buttons

Fri, 10 Apr 2026 10:44:56 +0200

Das Problem ist nachstellbar mit

- OXID eShop Community Edition Version 7.3.0
- Apex Theme Version 2.1.0 mit Theme Einstellung “Popup öffnen” wenn ein Produkt in den Warenkorb gelegt wird
- Amazon Pay Modul Version 3.1.7

0007902: The Amazon Pay module uses the wrong block to display the Amazon Pay button

Fri, 10 Apr 2026 10:44:26 +0200

The Amazon Pay module uses the “checkout_order_btn_confirm_bottom” block to display the Amazon Pay button in the order.html.twig template, whereas the PayPal module extends the correct block, “checkout_order_next_step_side.”

The correct place for the Amazon button would also be the block
{% block checkout_order_next_step_side %}
as in the PayPal module, and not as currently
{% block checkout_order_btn_confirm_bottom %}

0007913: Google Trusted Stores missing

Wed, 08 Apr 2026 11:05:58 +0200

The Google Trusted Shops settings are still available in the admin area for the APEX theme. However, the corresponding section is missing from the theme file compared to the old Smarty templates.

If you have settings in theme, you should be able to use them.

0007918: Misleading error message when Authorization header is stripped by Apache

Wed, 08 Apr 2026 08:40:24 +0200

Misleading error message when Authorization header is stripped by Apache

When Apache strips the Authorization header before it reaches PHP (a common default configuration), all #[Logged] endpoints return:

"You need to be logged to access this field"
This is the same error message regardless of whether:

No token was sent
An invalid token was sent
A valid token was sent but the header was stripped by the webserver

The module should differentiate between:

No Authorization header present use current anonymous fallback is acceptable
Authorization header present but token invalid use specific error, e.g. "Invalid or expired token"
Authorization header absent despite being expected use ideally a hint that the header may be stripped by the webserver
At minimum, when a Bearer token is provided but cannot be parsed (because the header was silently dropped), the error should differ from the anonymous-user case.

Suggested Improvements
Documentation: Add the .htaccess RewriteRule to the installation docs as a required step for Apache environments. This is a well-known Apache/PHP issue but not obvious for OXID module developers debugging "You need to be logged" errors.

Error differentiation: In RequestReader::getAuthToken(), if no Authorization header is found, check for REDIRECT_HTTP_AUTHORIZATION and HTTP_AUTHORIZATION server variables as fallback. If none are present, consider setting a flag that distinguishes "no auth attempted" from "auth attempted but failed".

Environment
OXID eShop 7.4.x
graphql-base 12.0.1
Apache with mod_rewrite (Docker SDK setup)
PHP-FPM

0007619: content is deleted if emojis are used in the text

Tue, 07 Apr 2026 15:35:04 +0200

All content is deleted if emojis are used in the text in the WYSIWYG editor and the content is saved.

0007917: Tracking Carrier (Country) and Tracking Carrier (Provider) is not saved if you select Global

Thu, 02 Apr 2026 14:43:25 +0200

Current version of the PayPal module (2.8.1 and 3.7.1)
The country selection / courier selection still does not work as intended.

Background information from the customer: We, or one of our suppliers, ship within Germany using UPS. UPS is still not selectable from the list (when the country is set to Germany):
If I select ‘Worldwide’ as the country, I can choose UPS, but when I save, the shop reverts to Germany and UPS disappears again.

0007915: Call to a member function getId() on null beim Aufruf von hasProductVariantInBasket auf der Detailseite

Thu, 02 Apr 2026 14:42:43 +0200

Der hasProductVariantInBasket-Aufruf in https://github.com/OXID-eSales/paypal-module/blob/b-6.3.x/views/blocks/page/details/inc/productmain.tpl#L8 führt zu einer "OXID Logger.ERROR: Call to a member function getId() on null" Exception, wenn eine ausverkaufte Variante im Warenkorb liegt. Grund ist der Einsatz von getArtStockInBasket(), welche wiederum in https://github.com/OXID-eSales/oxideshop_ce/blob/b-6.5.x/source/Application/Model/Basket.php#L2823 nur Artikel verarbeiten kann, die gekauft werden können.

0007914: Pay upon invoice does not work after updating to 2.8.1

Thu, 02 Apr 2026 14:42:21 +0200

After updating to 2.8.1 pay upon invoice no longer works. I always get redirected to "?cl=payment&payerror=2".

I found out that the problem is in https://github.com/OXID-eSales/paypal-module/blob/v2.8.1/src/Model/Order.php#L487 . This line will abort "_executePayment" when using PUI. But the PUI payment is done via PaymentGateway in OXID's core order model in "_executePayment", which is called in the lines below.

For fixing this, I patched the source code and replaced
if (PayPalDefinitions::isPayPalPayment($sessionPaymentId)) {
with
if (PayPalDefinitions::isPayPalPayment($sessionPaymentId) && $sessionPaymentId != 'oscpaypal_pui') {

With this patch I am now able to order and pay with PUI again.

0007907: Discount calculation differs unexpectedly

Wed, 01 Apr 2026 09:06:25 +0200

If you enter 0 in the field, the discount is deducted directly from the item and you will not see a discount. If you enter 1 here, the discount is no longer deducted directly from the item, but is also listed as such in the summary.
This also means that a discount applies at item level for quantities of 0 or more, whereas the discount applies at shopping cart level for quantities of 1.

An example:
1€ discount for quantities of 0 or more
2 items for 5€ in the shopping cart = 2€ discount
1€ discount for quantities of 1 or more
2 items for 5€ in the shopping cart = 1€ discount

0007178: empty Dropdown in CategoryList if Rootcategory has only hidden Subcats

Fri, 27 Mar 2026 14:55:20 +0100

Navi generates an empty Dropdown if Rootcategory has only hidden Subcats. Not great in Desktop, but fatal in mobile. In mobile klicking this Category do nothing.

0007119: WYSIWYG Editor + Mediathek - error on creating relative links

Tue, 24 Mar 2026 07:43:46 +0100

If you try to create a relative link, always a absolute link is saved.

Example:
Input: /kontakt (with/without / doeas not matter)
Result:http:///kontakt

0006607: low product stock warning should be based on product's oxremindamount instead of global sStockWarningLimit

Fri, 20 Mar 2026 21:09:18 +0100

right now product's stock status is calculated based on setting "sStockWarningLimit", which can be configured in general settings -> config -> stock.
But stock status is actually very product specific, e.g.:
10 Bugatti Veyrons would be considered as high stock status, since you sell maybe 1 per month
But 10 gallons of fuel would be kind of "no stock at all", cause you sell about 1000 units per day.

In my opinion, this high / low stock threshold should be also configurable for every product.
Thats why i suggest to use oxarticle__oxremindamount for calculating low / high stock status and sStockWarningLimit just as fallback if there is no oxremindamount configured for this product.

tomorrow i will make a pull request with my suggested adjustments for oxarticle::_assignStock()

0007751: Adding license keys via the command line: only the last key is kept

Thu, 19 Mar 2026 16:27:26 +0100

If a license key is added using the command line, only the last added key remains in the shop:
oe-console oe:license:add KEY

The reason is probably that the variable is always empty because it is only set if in admin login mode, which is not possible in command line mode:
$activeSerial = $this->getConfig()->getConfigParam('sSerialNr') ?? '';

0007911: Function 'getRenderer' does not exist or is not accessible!

Thu, 19 Mar 2026 14:27:01 +0100

Innerhalb von OxidSolutionCatalysts\PayPal\Core\Email->sendPuiInfo() wird getRenderer() in https://github.com/OXID-eSales/paypal-module/blob/b-6.3.x/src/Core/Email.php#L55 aufgerufen, welche nicht existiert. Die Methode gibts zwar in der Parent-Email Klasse, allerdings ist sie dort als private markiert und steht dem Modul damit nicht zur Verfügung.

Die Email-Klasse vom Paypal Modul braucht seine eigene getRenderer() Methode oder der Aufruf wird komplett durch die zugrundeliegende Logik ersetzt.

0007910: Incorrect / missing ?? fallback for $_POST parameters

Thu, 19 Mar 2026 14:26:11 +0100

The files OrderController.php and ProxyController.php contain code that manually sets $_POST parameters before calling execute().

Error 1: Missing ?? fallback in checkAgbTop
// BUGGY
$_POST[“ord_agb”] = (int)filter_var($_POST[“checkAgbTop”], FILTER_VALIDATE_BOOLEAN);
// CORRECT
$_POST[“ord_agb”] = (int)filter_var($_POST[“checkAgbTop”] ?? false, FILTER_VALIDATE_BOOLEAN);

Error 2: Bug in oxserviceproductsagreement
The bug (oxserviceproductsagreement reads from oxdownloadableproductsagreement) causes the following:
- the consent for the service products checkbox always adopts the value of the downloadable products checkbox, regardless of what the customer has clicked
- validateTermsAndConditions() consequently checks incorrect values

// BUGGY — incorrectly reads “oxdownloadableproductsagreement” instead of “oxserviceproductsagreement”
$_POST[“oxserviceproductsagreement”] = (int)filter_var($_POST[“oxdownloadableproductsagreement”], FILTER_VALIDATE_BOOLEAN);
// CORRECT
$_POST[“oxserviceproductsagreement”] = (int)filter_var($_POST[“oxserviceproductsagreement”] ?? false, FILTER_VALIDATE_BOOLEAN);

Also Fallback for
$_POST['oxdownloadableproductsagreement'] = (int)filter_var($_POST['oxdownloadableproductsagreement'], FILTER_VALIDATE_BOOLEAN);

0007912: OSC Paypal Modul - Fix webhook URL resolution for mall sub-shops during onboarding

Thu, 19 Mar 2026 14:22:19 +0100

In OXID Enterprise mall setups, the onboarding flow registered the
webhook with the mall admin URL because the endpoint was always built
from the current shop URL.

Resolve the webhook base URL from the requested shop context first by
using the shop-specific mall SSL/non-SSL URL and fall back to the
current shop URL when no mall URL is available. This keeps the legacy
behavior for Community Edition while ensuring Enterprise sub-shops use
their own storefront URL.

See in Paypal Package: \OxidSolutionCatalysts\PayPal\Core\Config::getWebhookControllerUrl

0007889: The OXID migration script does not run through to the modules on a fresh OXID system.

Tue, 17 Mar 2026 07:59:43 +0100

The OXID migration script is hard-coded and processes three areas: shop migrations, project migrations, and module migrations.

The migration files are located here:

Shop: source/migration/data/

Project: source/migration/project_data/

Module: moduleRoot/migration/data/

Since the project directory (source/migration/project_data/) is empty, the `migrations` command performs the shop migrations. The following error occurs with the project migrations:

[ERROR] The version "latest" couldn't be reached, there are no registered migrations.

The script then terminates and ignores the module migrations.

This can be remedied by creating dummy migrations using the `migration:generate` command.

Afterward, all three areas are processed.

0007877: Unified namespace generator package requires `composer/composer` while `composer-runtime-api` is enough

Mon, 16 Mar 2026 10:58:01 +0100

Hey guys,

you are requiring `composer/composer` in `oxid-esales/oxideshop-unified-namespace-generator`.
Since the mentioned package is a plugin, its enough to require a specific runtime API and move the `composer/composer` dependency to `require-dev` to have proper auto-completion during development.

It is bad practice to require `composer/composer` to enforce upstream projects having that dependency.
I only know about the `oxid-esales/oxideshop-unified-namespace-generator` package but it seems that the metapackage is also requiring `composer/composer` which is (again) bad practice.
https://github.com/OXID-eSales/oxideshop_metapackage_ce/blob/v7.4.0/composer.json

Please consider not requiring `composer/composer` as it is not required by any of the OXID packages.

0007881: ContentFactory bypasses module chain by using concrete Community namespace instead of Unified Namespace

Mon, 16 Mar 2026 10:50:19 +0100

The ContentFactory class in OxidEsales\EshopCommunity\Internal\Transition\Adapter\TemplateLogic uses the concrete Community Edition class directly instead of the Unified Namespace.

This causes the module chain to be completely bypassed when using {% include_content %} in Twig templates.

Modules that extend OxidEsales\Eshop\Application\Model\Content are not loaded when content is rendered via the Twig function.

**Affected file:**

vendor/oxid-esales/oxideshop-ce/source/Internal/Transition/Adapter/TemplateLogic/ContentFactory.php

**Current (incorrect) code:**

use OxidEsales\EshopCommunity\Application\Model\Content;

class ContentFactory
{
    public function getContent(string $key, string $value): ?Content
    {
        $content = oxNew(Content::class);
        // ...
    }
}

**Expected (correct) code:**

use OxidEsales\Eshop\Application\Model\Content;

class ContentFactory
{
    public function getContent(string $key, string $value): ?Content
    {
        $content = oxNew(Content::class);
        // ...
    }
}

0007898: /index.php?cl=oscpaypalwebhook get HTTP Code 500

Fri, 13 Mar 2026 14:25:21 +0100

/index.php?cl=oscpaypalwebhook get allways a http code 500:

173.0.81.140 - - [23/Feb/2026:09:52:50 +0100] "POST /index.php?cl=oscpaypalwebhook HTTP/1.1" 500 8324 "-" "PayPal/AUHR-1.0-1" "abc.de"
173.0.81.140 - - [23/Feb/2026:09:53:39 +0100] "POST /index.php?cl=oscpaypalwebhook HTTP/1.1" 500 8324 "-" "PayPal/AUHR-1.0-1" "abc.de"
173.0.81.65 - - [23/Feb/2026:09:54:27 +0100] "POST /index.php?cl=oscpaypalwebhook HTTP/1.1" 500 10106 "-" "PayPal/AUHR-1.0-1" "abc.de"
173.0.81.65 - - [23/Feb/2026:09:54:40 +0100] "POST /index.php?cl=oscpaypalwebhook HTTP/1.1" 500 10106 "-" "PayPal/AUHR-1.0-1" "abc.de"

Image is from Tideways.

D3 / MG