Call Php Function From Inside Page Content

I have a page which gets edited quite regularly, but I would like to be able to call a php function from inside this page.



Example:

I have a page ‘Contact’.

I have a PHP function called hide_email() which rewrites an e-mail address so that it is harder for spammers to crawl.

I would like to be able to edit the Contact page and use the function inside the editor. Something like:

```php
<?=hide_email('my@e-mailaddress.com')?>
```

What I have now is:
My_Changes addon enabled.
/app/addons/my_changes/func.php with:
```php
<?php
if (!defined('BOOTSTRAP')) { die('Access denied'); }
function fn_my_changes_hide_email($email)
{

}
?>
```

I know it's possible to create a template file and set that template file as dispatch for the correct page and use {$email|fn_my_changes_hide_email}, but it would be quite annoying to have to edit the template each time I want to make a small change to the page, so being able to use the editor would be much more convenient.
Is it possible to use php or smarty variables/functions from within the editor somehow?

Nobody?

Descriptions and other html editor-type content is used as data, not page source. To use as source would be highly insecure. Writing the same in js would be a better solution.

As an alternative, you can create a new function which will find e-mails in the text (e.g. with regular expressions) and apply the fn_my_changes_hide_email function to the matches.


I don't get why using PHP in the editor would be insecure; I don't see a difference between doing:

```php
<?php
$bla = 'text';
echo $bla;
?>
```

versus

Seeing as PHP gets executed server-side, the only thing a visitor would be able to see in the above example is the output 'text', whereas with the JavaScript example the entire script would be visible in the source code.

Perhaps I'm missing something, but I can't think of a way this would make things insecure (apart from writing insecure php code itself).


I'm guessing you mean a JavaScript function? In that case I'm thinking about just using AJAX to process the e-mail address with my existing function and getting the result back from the AJAX request.


I mean the following:

```php
<?php
function fn_render_page_description($text)
{
    // Collect the addresses found in the text. The regex is an illustrative
    // assumption; any e-mail pattern that fits your data will do.
    preg_match_all('/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/', $text, $matches);
    $emails = array_unique($matches[0]);

    // Replace each address with its obfuscated form.
    foreach ($emails as $e) {
        $text = str_replace($e, fn_my_changes_hide_email($e), $text);
    }

    return $text;
}
?>
```

then the description output in the template file should be

{$page.description|fn_render_page_description nofilter}
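The hook described above, worked through as an added example that is not code from this thread or from the platform: it assumes an illustrative body for fn_my_changes_hide_email() (the original post left it empty) that encodes each character as an HTML numeric entity, uses a placeholder e-mail regex, and also shows that a PHP tag typed into the editor stays inert text, which is the "content is data, not page source" point made earlier.

```php
<?php
// Added example, not code from this thread or from the platform. Assumed:
// fn_my_changes_hide_email() is the OP's helper with an illustrative body,
// fn_render_page_description() is the post-processing hook from the reply.

// Illustrative obfuscation: encode every byte as an HTML numeric entity.
// A browser renders the original address; a crawler scanning the raw
// source for an "@" does not find one. Addresses are ASCII, so byte-wise
// encoding is enough here.
function fn_my_changes_hide_email($email)
{
    $out = '';
    foreach (str_split($email) as $ch) {
        $out .= '&#' . ord($ch) . ';';
    }
    return $out;
}

// Rewrite only the addresses found in the stored description; everything
// else passes through untouched. The regex is a simple assumption.
function fn_render_page_description($text)
{
    $pattern = '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/';
    return preg_replace_callback($pattern, function ($m) {
        return fn_my_changes_hide_email($m[0]);
    }, $text);
}

// Constructed sample content, as an admin might save it in the editor.
// The PHP tag in the second paragraph is stored and emitted as literal
// text: content from the editor is data, so nothing in it is executed.
$description = "<p>Mail us: <a href=\"mailto:my@e-mailaddress.com\">"
    . "my@e-mailaddress.com</a></p>\n"
    . "<p><?=hide_email('my@e-mailaddress.com')?></p>";

$rendered = fn_render_page_description($description);

// All three addresses are now entity-encoded and no literal "@" remains;
// the PHP tag is still plain text around its encoded argument.
echo $rendered, PHP_EOL;
```

`nofilter` in the template switches off Smarty's output escaping for that value, which is what lets the entities reach the browser intact; it also means the hook's return value is emitted as raw HTML, so the hook should add nothing to the admin-entered content beyond those entities.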


Ah ok, that way I can just copy the default view.tpl and only add the function to the page.description, I see.
That seems like a more elegant solution than my idea indeed, thanks for the help.

> I don't get why using PHP in the editor would be insecure; I don't see a difference between doing:

Because the php is executed on the server and the JS is executed in the browser. Injecting malicious code into the DB via an html page is the risk.

Yes, that would be an issue with an editor in the frontend, but seeing as page content is edited in the backend, this would imply that the person entering malicious code would already have access to the backend, right? When that is the case, they could just use the file editor to directly edit source files... so again, I don't see where this would be an issue.
Please give an example of how this could be exploited.

Don't get me wrong, I'm genuinely trying to learn about exploits here :)

Most exploits are not injected because the site manager wanted to inject an exploit. Note that a 'description' field is not only entered into the form (and could be intercepted when submitted), but is retrieved from the DB and code from any other area could manipulate it. The purpose is to minimize risk. Not allowing PHP callbacks in areas after the PHP code has been executed is common practice and shouldn't be circumvented.

There are three architectural areas of most software products. These are:

  1. Data layer (database)
  2. Business Layer (php or other "logic")
  3. Presentation Layer (html)

General rule is to not mix and match and to preserve the waterfall above as 1, 2, 3 as closely as possible.