Jump to content

security for including php file with str_replace

Recommended Posts

Hey there,

so Im working on this module wich adds css grid drag and drop functionality to a pagetableextended like field and I wonder if the following working approach would cause security issues? 

I save the positions and dimensions of the pagetable items in one text field (named style) on the page in css syntax (its also easy to save css for different responsive sizes this way using my js code).

Now I created a file for my css called style.php:

namespace ProcessWire; 
//in admin page var needs to be set
if($isAdmin = $this->page->rootParent->id == 2) {
$page = $this->pages->get((int) wire('input')->get('id'));

<style id='pgrid-style'>
 <?php echo $page->style ?>

This is how I include that file in my module for the backend:

$this->addHookAfter('Page::render', function($event) {
            $page = $event->object;
            $value = $event->return; // Return Content
            $p = $this->pages->get((int) wire('input')->get('id'));
//          // include style if page has style field
         if ($page->process == 'ProcessPageEdit' && count($p->pgrid_style_desktop)) {
            $dir = dirname(__FILE__);   
            $contents = ob_get_contents();

            $event->return = str_replace("</head>", "\n\t{$contents}</head>", $value); // Return All Changes

On frontend in head of main template:

<!--  module css-->
  <?php include($config->paths->site ."modules/PageTableExtendedGrid/css/style.php");?>


Share this post

Link to post
Share on other sites


for better readability and more stability in edge cases, I would use the $config->paths->get("NameOfMyModule") syntax to get the exact matching path to your modules root directory. This is working even if someone, for example, dropped in the module from zip from github and the directory name became something different like "NameOfMyModule-master". I only would use this in front- and back end.

$includeFilename = $config->paths->get("NameOfMyModule") . 'css/style.php';


  • Like 2

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...