Template Conditionals
Author Message
This is essentially a more restrictive version of my PHP in Templates plugin.  The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin.  Both plugins are very similar though.  The differences between this and the other plugin are:
  • Admins cannot enter PHP code using <?php ?> tags
  • Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
  • file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
  • There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
    Example (prints 123654321):

    HTML Code
    123<?=substr("987654321", 3)?>

  • There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array.  Examples:
    (just prints some text)

    HTML Code
    <setvar uselesstext>"some text"</setvar>
    {$tplvars['uselesstext']}

    (prints out the username of the user with UID of 2)

    HTML Code
    <setvar user2>get_user(2)</setvar>
    <func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>


v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:
  • no assignment/modification operators (=, +=, |=, ++ etc) allowed
  • no statements such as include, exit, eval etc are allowed
  • no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
  • backtick (`) operator not allowed
  • heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
  • double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
  • array and object typecasting not allowed
  • no variable functions or method calls allowed
  • single line comments (//, #) not allowed
  • only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions
(This post was last modified: 06-26-2023 10:42 PM by ZiNgA BuRgA.)
Find all posts by this user
Quote this message in a reply
Download: tplcond-1.9.7z (6.35 KB)
Plugin Version: 1.9
Last Updated: 06-26-2023, 10:42 PM

Downloads: 5,372
MyBB Compatibility: 1.2.x, 1.4.x, 1.6.x, 1.8.x
Plugin License: GPLv3
Uploader: ZiNgA BuRgA
RateU Offline
Administrator
*******
Posts: 2,350
Joined: Mar 2010
Post: #2
RE: Template Conditionals
Finally, we have the solution for using conditional in template and Admin Security plugin.
Thank you very much, Yumi Smile

09-18-2010 06:11 AM
Find all posts by this user Quote this message in a reply
Imran Offline
Member
***
Posts: 204
Joined: Apr 2010
Post: #3
RE: Template Conditionals
Very nice addition Zinga. Thank You ! Smile

[Image: logo.png]

[Image: twitter.png]
09-18-2010 04:53 PM
Visit this user's website Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #4
RE: Template Conditionals
Thanks.

I've decided to make some minor adjustments for v1.1 update:
- semicolon now allowed, although not much point; maybe will allow lambda functions in the future perhaps
- changed <print>...</print> tag to, probably, more proper <?=...?> syntax; may include this tag in the next version of PHP in Templates

My Blog
09-19-2010 12:50 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #5
RE: Template Conditionals
Update to v1.2, fix an exploit allowing arbitrary function calls through array/string indicies or complex variables.

My Blog
09-22-2010 03:54 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #6
RE: Template Conditionals
Updated to v1.3:
- improved safety checks a bit
- add new <setvar> tag for setting variables - see first post for info
- added a bunch of MyBB functions to the allowed list of functions

My Blog
11-03-2010 08:18 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #7
RE: Template Conditionals
Update to v1.4:
- allow use of array operator =>
- add two new functions (available in conditionals, cannot be used with the <function ..> tag), phptpl_eval_expr and phptpl_eval_text:

phptpl_eval_expr
This function works similar to PHP's eval(), except it always returns the result.  The function checks that the string you pass it is a safe expression, then evaluates the result.
Example (displays "2"):

Code:
<?=phptpl_eval_expr('1+1')?>


phptpl_eval_text
This evaluates a text string like template text, supporting conditional constructs etc.
Example:

Code:
<?=phptpl_eval_text('Welcome {$GLOBALS[\'mybb\']->user[\'username\']}!  <'.'if $GLOBALS[\'mybb\']->usergroup[\'cancp\'] then>You are an administrator.</'.'if>')?>

Note that the <if> ... </if> tags are broken up to prevent them being parsed as tags to be used in the actual template.

Note about scope
Both of the above functions are, PHP functions, so they will have function scope and won't carry over the scope you're calling them from.  Essentially, this means you will probably need to globalise all variables to use them.


My Blog
(This post was last modified: 12-16-2010 10:53 AM by ZiNgA BuRgA.)
12-16-2010 10:51 AM
Find all posts by this user Quote this message in a reply
Imran Offline
Member
***
Posts: 204
Joined: Apr 2010
Post: #8
RE: Template Conditionals
I like the way you added "array operator" Yumi. Great upgrade. Smile

[Image: logo.png]

[Image: twitter.png]
12-17-2010 07:01 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #9
RE: Template Conditionals
Updated to v1.5:
- fix bug with this plugin not working if HTML Comments is disabled

My Blog
02-15-2011 09:28 AM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #10
RE: Template Conditionals
Thanks to RateU for pointing out that <setvar> will always set, even if wrapped in a conditional.

My Blog
03-11-2011 08:53 AM
Find all posts by this user Quote this message in a reply


Forum Jump: