Welcome to Geeklog, Anonymous Wednesday, December 11 2024 @ 01:44 am EST

Geeklog Forums

autotags in static pages with execute PHP enabled


Status: offline

briel

Forum User
Newbie
Registered: 04/01/07
Posts: 3
determined
I noticed that autotags are not processed in static pages when the option "execute PHP" is enabled. Possibly this is by design. However, I didn't see the risk of incorrect translation of text within a PHP block as a big concern in my case (considering the bracketed autotag format, and since I'm aware of the issue), so I made the following hack to my /plugins/staticpages/functions.inc.

If you implement this hack, be aware that strings in your PHP code that resemble autotags could be translated prior to the execution the PHP block, and hence this could cause problems, including security risks, so if you make this change, be sure that you don't put PHP code in static pages that includes autotag-like strings Smile.

CB

Text Formatted Code

function SP_render_content ($sp_content, $sp_php)
{
    global $_SP_CONF, $LANG_STATIC;

    $retval = '';

    if ($_SP_CONF['allow_php'] == 1) {
        // Check for type (ie html or php)
        if ($sp_php == 1) {
            $sp_content = PLG_replacetags ($sp_content);   // This line was added
            $retval .= eval ($sp_content);
        } else if ($sp_php == 2) {
            $sp_content = PLG_replacetags ($sp_content);  // This line was added
            ob_start ();
            eval ($sp_content);
            $retval .= ob_get_contents ();
            ob_end_clean ();
        } else {
            $retval .= PLG_replacetags ($sp_content);
        }
    } else {
        if ($sp_php != 0) {
            COM_errorLog ("PHP in static pages is disabled. Can not display page '$page'.", 1);
            $retval .= $LANG_STATIC['deny_msg'];
        } else {
            $retval .= PLG_replacetags ($sp_content);
        }
    }

    return $retval;
}
 
 Quote

Status: offline

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818

Status: offline

briel

Forum User
Newbie
Registered: 04/01/07
Posts: 3
It wouldn't surprise me if this issue was left as is in GL (as seems to be implied by Dirk's comments). For me, the convenience of being able to use autotags normally, outweighed any worry about my PHP code being translated incorrectly by the autotags handler, since I'm the only one writing PHP code in my case. Possibly a middle-ground option could be a checkbox that is available when PHP is enabled in static pages w/ the appropriate warning,. Something like "Process autotags (Warning: your PHP could be translated!)". But, as Dirk points out, the autotags translation function can be called directly in PHP.
 Quote

Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
Why not replace autotags after running the PHP? Any tags you want to process in PHP you would call PLG_replaceTags directly. And if your output contains tags, they are replaced at the end.
Text Formatted Code

function SP_render_content ($sp_content, $sp_php)
{
    global $_SP_CONF, $LANG_STATIC;

    $retval = $sp_content;

    if ($_SP_CONF['allow_php'] == 1) {
        // Check for type (ie html or php)
        if ($sp_php == 1) {
            $retval = eval ($sp_content);
        } else if ($sp_php == 2) {
            ob_start ();
            eval ($sp_content);
            $retval = ob_get_contents ();
            ob_end_clean ();
        }
    } else {
        if ($sp_php != 0) {
            COM_errorLog ("PHP in static pages is disabled. Can not display page '$page'.", 1); // $page is not defined
            $retval = $LANG_STATIC['deny_msg'];
        }
    }
    $retval = PLG_replacetags ($retval);   // This line was moved

    return $retval;
}
 
[/p][/QUOTE]
 Quote

Status: offline

briel

Forum User
Newbie
Registered: 04/01/07
Posts: 3
That's a really good point Smile Seems obvious. And if processing autotags after evaluating PHP does not raise other issues, it would seem that it could be added to released code.
 Quote

All times are EST. The time is now 01:44 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content