
Problem with header/footer feature, suggestion


Guest Luke


Posted

There is a problem with that new exec tag feature for header/footer that Matt added in. The way it's set up, the new exec tags are executed BEFORE the element tags are replaced with HTML (element tag example: "<% BOARD HEADER %>"). Because of this, it is impossible to "get inside" template bits like the global board header. For example, let's say you wanted to add this "<~ MY ADD ~>" inside your global header and have the exec replace it with an advertisement, using a banner rotating function. Since the exec happens before the <% %> tags are replaced, you can't do this. To fix this, all you have to do is add the exec code (around 5 lines) after the code where <%%>'s are processed. I've done it on my forums, and it works great :)

  • Management
Posted

I deliberately didn't add it there so you couldn't use it in the actual skins.

Maybe in IPB 3.0 I'll add it in the skins and add a warning when importing a skin that the template set contains exec tags.

Posted

The wrapper is exported, but it's far easier to check the wrapper for unwanted exec's than it is to check every single template bit. :)

Posted

True, but either way you still have the same vulnerability. Plus the fact that in order for a PHP script to be executed on the server from an exec, it would have to be included with the skin externally. Skins come in an XML package, so it really isn't that big of a risk. I think you would be pretty suspicious if it came with a PHP file. But if you wanted to keep exec out of template bits but keep the ability to manipulate them, you could alert the user when the skin cache is built, or even reject template bits with exec tags at that time.
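
An added illustration of the processing order discussed in this thread and of the cache-build check suggested in the last post; it is not code from IPB or from any poster. The exec tag syntax `<!--exec:name-->`, the function names and the sample skin are assumptions made for the example; only the `<% BOARD HEADER %>` element tag form comes from the thread.

```python
import re

# ASSUMPTION: placeholder exec tag syntax; the thread does not show IPB's real one.
EXEC_TAG = re.compile(r"<!--\s*exec:(\w+)\s*-->")
# Element tag form quoted in the thread, e.g. "<% BOARD HEADER %>".
ELEMENT_TAG = re.compile(r"<%\s*([A-Z ]+?)\s*%>")

def expand_elements(html, bits):
    """Replace <% NAME %> element tags with the matching template-bit HTML."""
    return ELEMENT_TAG.sub(lambda m: bits.get(m.group(1), m.group(0)), html)

def run_execs(html, handlers):
    """Replace exec tags with the output of an admin-registered handler."""
    def call(m):
        fn = handlers.get(m.group(1))
        return fn() if fn else ""  # unknown handler names produce nothing
    return EXEC_TAG.sub(call, html)

def render(wrapper, bits, handlers, exec_first=True):
    """exec_first=True is the order described in the thread: exec pass, then
    element expansion, so exec tags inside template bits are never executed."""
    if exec_first:
        return expand_elements(run_execs(wrapper, handlers), bits)
    return run_execs(expand_elements(wrapper, bits), handlers)

def audit_skin(bits):
    """Cache-build check: names of template bits that carry exec tags."""
    return sorted(name for name, html in bits.items() if EXEC_TAG.search(html))

def build_cache(bits, reject=True):
    """Reject (or, with reject=False, only report) bits containing exec tags."""
    flagged = audit_skin(bits)
    if flagged and reject:
        raise ValueError("exec tags in template bits: " + ", ".join(flagged))
    return dict(bits), flagged

# Constructed sample skin: one wrapper and one template bit, both with an exec tag.
WRAPPER = "<body><% BOARD HEADER %><!--exec:banner--></body>"
BITS = {"BOARD HEADER": "<div id='hdr'><!--exec:banner--></div>"}
HANDLERS = {"banner": lambda: "[AD]"}

if __name__ == "__main__":
    print(render(WRAPPER, BITS, HANDLERS))                    # tag in the bit stays inert
    print(render(WRAPPER, BITS, HANDLERS, exec_first=False))  # tag in the bit executes
    print(build_cache(BITS, reject=False)[1])                 # bits an importer would flag
```

With the exec pass first, only the wrapper needs reviewing for exec tags; with the reversed order, `audit_skin` marks every template bit that would have to be reviewed or rejected.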

Archived

This topic is now archived and is closed to further replies.
