Welcome to Geeklog, Anonymous Wednesday, December 11 2024 @ 01:44 am EST
Geeklog Forums
autotags in static pages with execute PHP enabled
I noticed that autotags are not processed in static pages when the option "execute PHP" is enabled. Possibly this is by design. However, I didn't see the risk of incorrect translation of text within a PHP block as a big concern in my case (considering the bracketed autotag format, and since I'm aware of the issue), so I made the following hack to my /plugins/staticpages/functions.inc.
If you implement this hack, be aware that strings in your PHP code that resemble autotags could be translated prior to the execution the PHP block, and hence this could cause problems, including security risks, so if you make this change, be sure that you don't put PHP code in static pages that includes autotag-like strings .
CB
function SP_render_content ($sp_content, $sp_php)
{
global $_SP_CONF, $LANG_STATIC;
$retval = '';
if ($_SP_CONF['allow_php'] == 1) {
// Check for type (ie html or php)
if ($sp_php == 1) {
$sp_content = PLG_replacetags ($sp_content); // This line was added
$retval .= eval ($sp_content);
} else if ($sp_php == 2) {
$sp_content = PLG_replacetags ($sp_content); // This line was added
ob_start ();
eval ($sp_content);
$retval .= ob_get_contents ();
ob_end_clean ();
} else {
$retval .= PLG_replacetags ($sp_content);
}
} else {
if ($sp_php != 0) {
COM_errorLog ("PHP in static pages is disabled. Can not display page '$page'.", 1);
$retval .= $LANG_STATIC['deny_msg'];
} else {
$retval .= PLG_replacetags ($sp_content);
}
}
return $retval;
}
If you implement this hack, be aware that strings in your PHP code that resemble autotags could be translated prior to the execution the PHP block, and hence this could cause problems, including security risks, so if you make this change, be sure that you don't put PHP code in static pages that includes autotag-like strings .
CB
Text Formatted Code
function SP_render_content ($sp_content, $sp_php)
{
global $_SP_CONF, $LANG_STATIC;
$retval = '';
if ($_SP_CONF['allow_php'] == 1) {
// Check for type (ie html or php)
if ($sp_php == 1) {
$sp_content = PLG_replacetags ($sp_content); // This line was added
$retval .= eval ($sp_content);
} else if ($sp_php == 2) {
$sp_content = PLG_replacetags ($sp_content); // This line was added
ob_start ();
eval ($sp_content);
$retval .= ob_get_contents ();
ob_end_clean ();
} else {
$retval .= PLG_replacetags ($sp_content);
}
} else {
if ($sp_php != 0) {
COM_errorLog ("PHP in static pages is disabled. Can not display page '$page'.", 1);
$retval .= $LANG_STATIC['deny_msg'];
} else {
$retval .= PLG_replacetags ($sp_content);
}
}
return $retval;
}
12
13
Quote
Status: offline
LWC
Forum User
Full Member
Registered: 02/19/04
Posts: 818
Status: offline
briel
Forum User
Newbie
Registered: 04/01/07
Posts: 3
It wouldn't surprise me if this issue was left as is in GL (as seems to be implied by Dirk's comments). For me, the convenience of being able to use autotags normally, outweighed any worry about my PHP code being translated incorrectly by the autotags handler, since I'm the only one writing PHP code in my case. Possibly a middle-ground option could be a checkbox that is available when PHP is enabled in static pages w/ the appropriate warning,. Something like "Process autotags (Warning: your PHP could be translated!)". But, as Dirk points out, the autotags translation function can be called directly in PHP.
14
11
Quote
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Why not replace autotags after running the PHP? Any tags you want to process in PHP you would call PLG_replaceTags directly. And if your output contains tags, they are replaced at the end.
function SP_render_content ($sp_content, $sp_php)
{
global $_SP_CONF, $LANG_STATIC;
$retval = $sp_content;
if ($_SP_CONF['allow_php'] == 1) {
// Check for type (ie html or php)
if ($sp_php == 1) {
$retval = eval ($sp_content);
} else if ($sp_php == 2) {
ob_start ();
eval ($sp_content);
$retval = ob_get_contents ();
ob_end_clean ();
}
} else {
if ($sp_php != 0) {
COM_errorLog ("PHP in static pages is disabled. Can not display page '$page'.", 1); // $page is not defined
$retval = $LANG_STATIC['deny_msg'];
}
}
$retval = PLG_replacetags ($retval); // This line was moved
return $retval;
}
[/p][/QUOTE]
Text Formatted Code
function SP_render_content ($sp_content, $sp_php)
{
global $_SP_CONF, $LANG_STATIC;
$retval = $sp_content;
if ($_SP_CONF['allow_php'] == 1) {
// Check for type (ie html or php)
if ($sp_php == 1) {
$retval = eval ($sp_content);
} else if ($sp_php == 2) {
ob_start ();
eval ($sp_content);
$retval = ob_get_contents ();
ob_end_clean ();
}
} else {
if ($sp_php != 0) {
COM_errorLog ("PHP in static pages is disabled. Can not display page '$page'.", 1); // $page is not defined
$retval = $LANG_STATIC['deny_msg'];
}
}
$retval = PLG_replacetags ($retval); // This line was moved
return $retval;
}
14
8
Quote
All times are EST. The time is now 01:44 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content