Luke Posted November 14, 2005: There is a problem with that new exec tag feature for header/footer that Matt added in. The way it's set up, the new exec tags are executed BEFORE the element tags are replaced with HTML (element tag example: "<% BOARD HEADER %>"). Because of this, it is impossible to "get inside" template bits like the global board header. For example, let's say you wanted to add this "<~ MY ADD ~>" inside your global header and have the exec replace it with an advertisement, using a banner rotating function. Since the exec happens before the <% %> tags are replaced, you can't do this. To fix this, all you have to do is add the exec code (around 5 lines) after the code where the <% %> tags are processed. I've done it on my forums, and it works great :)
Matt (Management) Posted November 14, 2005: I deliberately didn't add it there so you couldn't use it in the actual skins. Maybe in IPB 3.0 I'll add it in the skins and add a warning when importing a skin that the template set contains exec tags.
Luke Posted November 15, 2005: Hmmmm.... Does that mean the header and footer aren't exported with the skin (when you export)? :blink:
Guest Posted November 15, 2005: The wrapper is exported, but it's far easier to check the wrapper for unwanted execs than it is to check every single template bit. :)
Luke Posted November 15, 2005: True, but either way you still have the same vulnerability. Plus the fact that in order for a PHP script to be executed on the server from an exec, it would have to be included with the skin externally. Skins come in an XML package, so it really isn't that big of a risk. I think you would be pretty suspicious if it came with a PHP file. But if you wanted to keep exec out of template bits but keep the ability to manipulate them, you could alert the user when the skin cache is built, or even reject template bits with exec tags at that time.
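The processing-order point the thread turns on, and the import-time check Luke suggests at the end, as an added example that is not IPB's code and not code posted by anyone in the thread. It models the two tag kinds on the forms quoted above ("<% BOARD HEADER %>" for element tags, "<~ MY ADD ~>" for exec tags); the regexes, the handler table, the template bits and the function names are all assumptions made for this illustration. Exec names here are looked up in a fixed table of server-side handlers rather than evaluated as code, so the example shows why the ordering matters (an exec tag inside a template bit is only reached when elements are expanded first) and how a skin import could flag or reject template bits that carry exec tags.

```python
import re

# Constructed tag syntax modelled on the thread: element tags look like
# "<% BOARD HEADER %>" and exec tags like "<~ MY ADD ~>". The real IPB
# implementation is not reproduced here; all names below are assumptions.
ELEMENT_TAG = re.compile(r"<%\s*([A-Z_ ]+?)\s*%>")
EXEC_TAG = re.compile(r"<~\s*([A-Z_ ]+?)\s*~>")

# Registered exec handlers: an exec tag can only select code that already
# exists on the server; an unregistered name renders to nothing.
EXEC_HANDLERS = {
    "MY ADD": lambda: '<div class="ad">[rotating banner placeholder]</div>',
}

# Constructed template bits, as a skin would supply them.
TEMPLATE_BITS = {
    "BOARD HEADER": '<div id="header">Board header <~ MY ADD ~></div>',
}

# Constructed wrapper (the header/footer skin).
WRAPPER = "<html><body><% BOARD HEADER %><p>content</p></body></html>"


def replace_exec_tags(text):
    """Replace each exec tag with the output of its registered handler."""
    def handler(match):
        fn = EXEC_HANDLERS.get(match.group(1).strip())
        return fn() if fn else ""
    return EXEC_TAG.sub(handler, text)


def replace_element_tags(text, bits=TEMPLATE_BITS):
    """Replace each element tag with the named template bit (or nothing)."""
    return ELEMENT_TAG.sub(lambda m: bits.get(m.group(1).strip(), ""), text)


def render_exec_first(wrapper, bits=TEMPLATE_BITS):
    """Order described in the thread: exec tags run on the wrapper first,
    then element tags are expanded. An exec tag inside a template bit is
    never executed and survives as literal text."""
    return replace_element_tags(replace_exec_tags(wrapper), bits)


def render_elements_first(wrapper, bits=TEMPLATE_BITS):
    """Order Luke proposed: elements first, then exec. Exec tags inside
    any template bit now run, which is why the import check below matters."""
    return replace_exec_tags(replace_element_tags(wrapper, bits))


def find_exec_tags_in_bits(bits):
    """Import-time check: map each template bit that carries an exec tag to
    the exec names it uses, so a skin import can warn on or reject it."""
    found = {}
    for name, body in bits.items():
        tags = [m.group(1).strip() for m in EXEC_TAG.finditer(body)]
        if tags:
            found[name] = tags
    return found


if __name__ == "__main__":
    print(render_exec_first(WRAPPER))
    print(render_elements_first(WRAPPER))
    print(find_exec_tags_in_bits(TEMPLATE_BITS))
```

Running the block shows the exec tag left as literal text in the first rendering and expanded in the second; the last line lists which imported bits would need review under either ordering.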