Turn off Template processing for editing template

Development and Programming

Phoebe
58 posts
17 years ago

I have a module that allows the user to modify a snippet of a template to format a list in the way they want.

The snippet might look like this:

<tr>
<td>{entry_id}</td>
<td><a href="http://{path=todo/more}{weblog}/{url_title}">{title}</a>
</td> 
<td>{owner}</td>
<td>{priority}</td>
<td>{importance}</td>
<td>{finish}</td>
</tr>

The problem is that when the snippet is displayed to the user, the path= bit is parsed, so it appears as:

<tr>
<td>{entry_id}</td>
<td><a href="http://phb.savemybacon.com/index.php/todo/more}{weblog}/{url_title}">{title}</a>
</td> 
<td>{owner}</td>
<td>{priority}</td>
<td>{importance}</td>
<td>{finish}</td>
</tr>

Is there any way I can stop this behaviour?

Jamie Poitra
409 posts
17 years ago

You allow users to modify a snippet of a template?!!

Sorry, my security-hole sensor just went into overdrive. I would strongly recommend finding a different way of allowing people to format a list. Allowing people to edit a portion of a template is opening up your site to users putting very harmful things into a page.

Templates are supposed to parse EE tags. To turn that off you can set the template to be a static one but then you aren’t going to get any EE tags to work in that template.

All of that said, you could revert the rendered path= bit back to its EE tag form after the fact, which is probably what I would do here.

I still really think you can do what you are trying in a much better way, unless you just really trust the users not to do something silly or bad.

Have you looked at dynamic CSS swapping combined with some variable list ordering via JavaScript? A library like jQuery could allow much of this without many of the security issues inherent in the method you are allowing.

Jamie

Phoebe
58 posts
17 years ago

I actually have it working at the moment by the simple expedient of changing the delimiters from {} to [[]] and then switching back at the last minute. However, you are right about the security aspect and I maybe need to think again. I want to offer not just options for formatting the list, but selecting as well. Might be worth looking at the YUI library, which can do MySQL calls in JavaScript I think.

Thanks for your suggestions.
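The delimiter swap described in the post above, together with Jamie's point about user-edited snippets, as an added example that is not code from the thread or from ExpressionEngine: the snippet is round-tripped through a toy stand-in for the template engine, and only placeholders on an allowlist are swapped back. The toy engine, the allowlist, the example.invalid URL and the function names are all assumptions made here.

```python
import re

# Toy stand-in for the behaviour seen in the thread: the engine expands {path=...}
# into a URL and leaves the other tags alone. Constructed, not ExpressionEngine code.
def toy_engine(template, base="example.invalid/index.php/"):
    return re.sub(r"\{path=([^{}]*)\}", lambda m: base + m.group(1), template)

# Placeholders a user snippet may contain (constructed allowlist, names taken from
# the snippet in the thread) plus a plain path= tag with a restricted value.
ALLOWED_TAGS = {"entry_id", "weblog", "url_title", "title",
                "owner", "priority", "importance", "finish"}
PATH_RE = re.compile(r"^path=[A-Za-z0-9_/-]+$")
TAG_RE = re.compile(r"\{([^{}]*)\}")
PROTECTED_RE = re.compile(r"\[\[([^\[\]]*)\]\]")

def is_allowed(tag):
    return tag in ALLOWED_TAGS or PATH_RE.match(tag) is not None

def unexpected_tags(snippet):
    """Tags in the user's snippet that are not on the allowlist; reject the snippet if any."""
    return [t for t in TAG_RE.findall(snippet) if not is_allowed(t)]

def protect(snippet):
    """Swap {tag} to [[tag]] so the engine passes the snippet through untouched.
    Assumes the snippet contains no literal [[ ]] of its own."""
    return TAG_RE.sub(lambda m: "[[" + m.group(1) + "]]", snippet)

def restore(protected):
    """Swap [[tag]] back to {tag} at the last minute, but only for allow-listed tags;
    anything else stays inert so it is never handed to the engine as a live tag."""
    def repl(m):
        t = m.group(1)
        return "{" + t + "}" if is_allowed(t) else m.group(0)
    return PROTECTED_RE.sub(repl, protected)

def show_for_editing(snippet):
    """What the edit form displays: the snippet after a trip through the engine."""
    return restore(toy_engine(protect(snippet)))

# Constructed sample, one line of the snippet from the thread.
SNIPPET = '<td><a href="http://{path=todo/more}{weblog}/{url_title}">{title}</a></td>'

if __name__ == "__main__":
    print(toy_engine(SNIPPET))         # the path= bit gets expanded, as in the post
    print(show_for_editing(SNIPPET))   # identical to SNIPPET
    print(unexpected_tags("{title}{not_allowed}"))
```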

Jamie Poitra
409 posts
17 years ago

Your solution makes sense. I should have thought of it, as we do something very similar within EE from time to time.

jQuery does MySQL as well and is much lighter than YUI if you do go that route eventually. Though YUI is hard to beat for sheer features.

Jamie
