MyBB Hacks

Full Version: Template Conditionals
This is essentially a more restrictive version of my PHP in Templates plugin.  The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin.  Both plugins are very similar though.  The differences between this and the other plugin are:
  • Admins cannot enter PHP code using <?php ?> tags
  • Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
  • file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
  • There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
    Example (prints 123654321):

    HTML Code
    123<?=substr("987654321", 3)?>

  • There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array.  Examples:
    (just prints some text)

    HTML Code
    <setvar uselesstext>"some text"</setvar>
    {$tplvars['uselesstext']}

    (prints out the username of the user with UID of 2)

    HTML Code
    <setvar user2>get_user(2)</setvar>
    <func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>


v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:
  • no assignment/modification operators (=, +=, |=, ++ etc) allowed
  • no statements such as include, exit, eval etc are allowed
  • no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
  • backtick (`) operator not allowed
  • heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
  • double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
  • array and object typecasting not allowed
  • no variable functions or method calls allowed
  • single line comments (//, #) not allowed
  • only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions
Finally, we have the solution for using conditional in template and Admin Security plugin.
Thank you very much, Yumi
Very nice addition Zinga. Thank You!
Thanks.

I've decided to make some minor adjustments for v1.1 update:
- semicolon now allowed, although not much point; maybe will allow lambda functions in the future perhaps
- changed <print>...</print> tag to, probably, more proper <?=...?> syntax; may include this tag in the next version of PHP in Templates
Updated to v1.2: fixed an exploit allowing arbitrary function calls through array/string indices or complex variables.
Updated to v1.3:
- improved safety checks a bit
- add new <setvar> tag for setting variables - see first post for info
- added a bunch of MyBB functions to the allowed list of functions
Update to v1.4:
- allow use of array operator =>
- add two new functions (available in conditionals, cannot be used with the <function ..> tag), phptpl_eval_expr and phptpl_eval_text:

phptpl_eval_expr
This function works similar to PHP's eval(), except it always returns the result.  The function checks that the string you pass it is a safe expression, then evaluates the result.
Example (displays "2"):

Code:
<?=phptpl_eval_expr('1+1')?>


phptpl_eval_text
This evaluates a text string like template text, supporting conditional constructs etc.
Example:

Code:
<?=phptpl_eval_text('Welcome {$GLOBALS[\'mybb\']->user[\'username\']}!  <'.'if $GLOBALS[\'mybb\']->usergroup[\'cancp\'] then>You are an administrator.</'.'if>')?>

Note that the <if> ... </if> tags are broken up to prevent them being parsed as tags to be used in the actual template.

Note about scope
Both of the above functions are PHP functions, so they will have function scope and won't carry over the scope you're calling them from.  Essentially, this means you will probably need to globalise all variables to use them.
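To make the "safe expression" rules from the first post and the scope note above concrete, here is an added example (my own illustration, not code from the plugin or its author). It rebuilds a token-level filter from the listed rules with PHP's token_get_all, then wraps it in an eval helper so the function-scope point can be seen directly. The function names (is_safe_expression, tpl_eval_expr, scope_demo), the allowlist standing in for inc/plugins/phptpl_allowed_funcs.txt and the sample expressions are all assumptions; the handful of extra token types marked "assumed" are not in the post's list.

```php
<?php
// Added example, not the plugin's own code: a token-level "safe expression" filter
// rebuilt from the rules in the first post, plus an eval wrapper illustrating the
// "Note about scope" from the v1.4 post. Function names, the allowlist and the
// sample expressions are assumptions made for this example. Needs PHP 7.1+.
declare(strict_types=1);

// Stand-in for inc/plugins/phptpl_allowed_funcs.txt (contents assumed).
const SAFE_FUNCS = ['substr', 'strlen', 'strtolower', 'htmlspecialchars', 'count', 'in_array', 'get_user'];

// Token types that may never appear, resolved by name so undefined ones are skipped.
function forbidden_token_ids(): array
{
    $names = [
        // assignment / modification operators (a bare '=' is a string token, handled below)
        'T_PLUS_EQUAL', 'T_MINUS_EQUAL', 'T_MUL_EQUAL', 'T_DIV_EQUAL', 'T_CONCAT_EQUAL', 'T_MOD_EQUAL',
        'T_AND_EQUAL', 'T_OR_EQUAL', 'T_XOR_EQUAL', 'T_SL_EQUAL', 'T_SR_EQUAL', 'T_POW_EQUAL',
        'T_COALESCE_EQUAL', 'T_INC', 'T_DEC',
        // statements rather than expressions
        'T_INCLUDE', 'T_INCLUDE_ONCE', 'T_REQUIRE', 'T_REQUIRE_ONCE', 'T_EXIT', 'T_EVAL',
        // heredoc, "{" in interpolated strings, array/object casts
        'T_START_HEREDOC', 'T_CURLY_OPEN', 'T_DOLLAR_OPEN_CURLY_BRACES', 'T_ARRAY_CAST', 'T_OBJECT_CAST',
        // assumed additions the post does not spell out: closures, object creation,
        // static calls and namespaced names, each another route to calling code
        'T_FUNCTION', 'T_FN', 'T_NEW', 'T_DOUBLE_COLON', 'T_NS_SEPARATOR',
        'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE',
    ];
    return array_map('constant', array_filter($names, 'defined'));
}

function is_safe_expression(string $expr, array $allowed = SAFE_FUNCS): bool
{
    $forbidden = forbidden_token_ids();
    $tokens = token_get_all('<?php ' . $expr);
    array_shift($tokens);                 // drop the T_OPEN_TAG we prepended
    $prev = $prev2 = null;                // last two significant tokens
    foreach ($tokens as $tok) {
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [null, $tok];
        if ($id === T_WHITESPACE) continue;
        if ($id === null) {               // one-character tokens arrive as plain strings
            // assignment, shell backtick, variable variable ($$x, an assumption)
            if ($text === '=' || $text === '`' || $text === '$') return false;
            if ($text === '(') {          // the only acceptable call shape is  allowlisted_name(
                [$pid, $ptext] = is_array($prev) ? [$prev[0], $prev[1]] : [null, $prev];
                $p2id = is_array($prev2) ? $prev2[0] : null;
                if ($pid === T_STRING) {  // unknown function, or a method call $obj->name(
                    if (!in_array(strtolower($ptext), $allowed, true) || $p2id === T_OBJECT_OPERATOR) return false;
                } elseif (in_array($pid, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER], true)
                       || in_array($ptext, [']', ')', '}', '"'], true)) {
                    return false;         // $f(), $a['k'](), 'name'(), (...)() and similar
                }
            }
        } else {
            if (in_array($id, $forbidden, true)) return false;
            if ($id === T_COMMENT && ($text[0] === '#' || substr($text, 0, 2) === '//')) return false;
            $dq = $id === T_ENCAPSED_AND_WHITESPACE || ($id === T_CONSTANT_ENCAPSED_STRING && $text[0] === '"');
            if ($dq && strpos($text, '{') !== false) return false;   // "{" inside a double-quoted string
            if ($id === T_STRING && stripos($text, 'PHP_') === 0) return false;  // PHP_OS, PHP_LIBDIR, ...
        }
        $prev2 = $prev;
        $prev = $tok;
    }
    return true;
}

// Counterpart of the post's phptpl_eval_expr (name and behaviour assumed).
function tpl_eval_expr(string $expr)
{
    if (!is_safe_expression($expr)) throw new InvalidArgumentException('rejected: ' . $expr);
    return eval('return ' . $expr . ';');
}

// The scope caveat: eval runs inside tpl_eval_expr, so the caller's locals are
// invisible while $GLOBALS (and anything globalised) stays reachable.
function scope_demo(): array
{
    $GLOBALS['tplvars'] = ['greeting' => 'hello'];
    $local = 'caller-only';
    return [
        'via_globals'  => tpl_eval_expr('$GLOBALS[\'tplvars\'][\'greeting\']'),  // "hello"
        'caller_local' => tpl_eval_expr('isset($local)'),                       // false
    ];
}

// Constructed sample expressions with the verdict the rules above should give.
$samples = [
    'substr("987654321", 3)' => true,  "\$tplvars['uselesstext']" => true,
    '$x = 1' => false,                 'include "x.php"' => false,
    '`date`' => false,                 'file_get_contents("x")' => false,
    '$f("x")' => false,                '$a["k"]("x")' => false,   // the v1.2 fix
    '"a{$b}"' => false,                'PHP_OS' => false,         '1 + 1 // comment' => false,
];
foreach ($samples as $expr => $expected) {
    $got = is_safe_expression($expr);
    printf("%-26s %s%s\n", $expr, $got ? 'safe' : 'rejected', $got === $expected ? '' : '  <-- unexpected');
}
print_r(scope_demo());
```

The design point worth noticing is the rule for `(`: instead of listing bad callers, it only accepts a bare allowlisted name in front of a call and rejects anything value-like (a variable, string, number, or a closing `]`, `)`, `}`), which is exactly the class of "call through an index or complex variable" that the v1.2 post describes fixing. A token filter like this is not a parser, so any real deployment should treat the allowlist, not the token rules, as the security boundary, and keep functions with side effects off it.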

I like the way you added "array operator" Yumi. Great upgrade.
Updated to v1.5:
- fix bug with this plugin not working if HTML Comments is disabled
Thanks to RateU for pointing out that <setvar> will always set, even if wrapped in a conditional.