Static or Custom Blocks are not Working – Magento 1.9.2.2

You must be here because of your static block or custom block shortcodes are not working. It must happen after updating either any Magento version to version 1.9.2.2 or installing patch SUPEE-6788. A lot of Magento website owners are facing this problem, and we have also seen this most common question asked in Magento StackExchange and Magento community.

So here for an example on the homepage, I include CMS Static Block as follows:

{{block type="cms/block" block_id="blog"}}

After upgrading this, blog block was no longer displaying on the home page. Moreover, this shortcode also shows a PHP error in my log files:

Notice: Undefined variable: block  in /app/code/core/Mage/Core/Model/Email/Template/Filter.php on line 187

I checked if it’s only for this block or all my custom blocks and I realized all static blocks are not working and not displaying in the front end.

So, I did Googled and gone through various answers and investigated this issue. This is not a bug but a new security patch SUPEE-6788. And it was already mentioned in technical details that blocks which you want to display should be added to the whitelist.

Magento now includes a white list of allowed blocks or directives. If a module or extension uses variables like {{config path=”web/unsecure/base_url”}} and {{block type=rss/order_new}} in CMS pages or emails, and the directives are not on this list, you will need to add them with your database installation script. Extensions or custom code that handles content (like blog extensions) might be affected. – See more at: http://magento.com/security/patches/supee-6788-technical-details#sthash.oywSvFeq.dpuf

After reading this, it clears my mind that this PHP error is coming because I have not added this block to a whitelist.

The responsible code in Filter.php will be like this:

if (isset($blockParameters['type'])) {
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);
}
} elseif (isset($blockParameters['id'])) {
$block = $layout->createBlock('cms/block');
if ($block) {
$block->setBlockId($blockParameters['id']);
}
}

Just this PHP checks if your block type is added to the white list, which is stored in the MySQL table permission_block.

Now to resolve this go to System => Permissions => Blocks

And Click on Add new Block, fill in the block type and set Allowed to Yes

If you are facing difficulty in finding out which block id to add, simply add the block type which you have added the block with a shortcode. In this shortcode

{{block type="cms/block" block_id="blog"}}

Select “Is Allowed” as “Yes”

Now, your static block is whitelisted in Magento and can be used to display on the frontend.

For 3^rd party extension or custom blocks, insert your custom block name in “Block Name” field. E.g., for brand logo sliders, add brandlogo/brandlogo

Select “Is Allowed” as “Yes”

Now, your custom module block is whitelisted in Magento and can be used to display on the frontend.

The type to add would be ‘cms/block.’ If you are not able to figure out which block type to use, you can temporarily edit the Magento core to find out the type of the block. Open the file

/app/code/core/Mage/Core/Model/Email/Template/Filter.php

Navigate to line 175, and here you can update this code

if (isset($blockParameters['type'])) {
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);
}
} elseif (isset($blockParameters['id'])) {
$block = $layout->createBlock('cms/block');
if ($block) {
$block->setBlockId($blockParameters['id']);
}
}

to print the block type if it’s not whitelisted.

if (isset($blockParameters['type'])) {
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);
} else {
var_dump($blockParameters['type']);
die;
}
} elseif (isset($blockParameters['id'])) {
$block = $layout->createBlock('cms/block');
if ($block) {
$block->setBlockId($blockParameters['id']);
}
}
Make sure that this breaks your site. Therefore it should be temporarily used to figure out missing block type. Ideally, you should send a mail including missing block type.

if (isset($blockParameters['type'])) {
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);
} else {
mail('email@domain.com', 'Disallowed block for ' . Mage::getBaseUrl(), $blockParameters['type'] . "\n" . print_r($_SERVER, true));
}
} elseif (isset($blockParameters['id'])) {
$block = $layout->createBlock('cms/block');
if ($block) {
$block->setBlockId($blockParameters['id']);
}
}

If you have any questions or need to help in Magento development, then feel free to contact us!