Template Conditionals

ZiNgA BuRgA · (This post was last modified: 06-26-2023 10:42 PM by ZiNgA BuRgA.)

This is essentially a more restrictive version of my PHP in Templates plugin. The restrictions aim to make this a "safe" plugin to use, that is, doesn't allow arbitrary PHP execution, but still gives the benefits of template conditionals.

You may notice that this still uses the "phptpl" name, and thus, is incompatible with the PHP in Templates plugin. Both plugins are very similar though. The differences between this and the other plugin are:

Admins cannot enter PHP code using <?php ?> tags
Conditionals in <if> and <elseif> tags are checked to ensure that they are "safe" (see below)
file_get_contents function has been removed from the allowable <func ...>...</func> shortcuts
There's a new <?=...?> tag to print out the result of a "safe" PHP expression; although this is a tag, only PHP expressions may exist inside (do not terminate expressions with a semicolon), so you cannot nest other tags inside this
Example (prints 123654321):
HTML Code
123<?=substr("987654321", 3)?>
There's also a new <setvar name>...</setvar> tag which can set variables; for safety reasons, these are actually stored in a $tplvars array. Examples:
(just prints some text)
HTML Code
<setvar uselesstext>"some text"</setvar> {$tplvars['uselesstext']}
(prints out the username of the user with UID of 2)
HTML Code
<setvar user2>get_user(2)</setvar> <func htmlspecialchars_uni>{$tplvars['user2']['username']}</func>

v1.0-1.3 of this plugin is based off v1.7 of PHP in Templates.
As of v1.8, PHP 5.3 or later is required.
This plugin can be used with the Admin Security plugin.

"Safe expressions"
This plugin implements "safe expression" checking; essentially, this does impose a bit of a performance hit, but, on the other hand, tries to ensure no "bad PHP" gets executed.
For more information on what I consider to be a "safe expression", see my blog post here.
For the purposes of this plugin, all valid PHP expressions are allowed, as long as they don't infringe on any of the following conditions:

no assignment/modification operators (=, +=, |=, ++ etc) allowed
no statements such as include, exit, eval etc are allowed
no special constants such as PHP_OS, PHP_LIBDIR etc are allowed
backtick (`) operator not allowed
heredoc type strings not allowed (takes too much effort to handle) - use double quoted strings instead
double quoted strings may not contain the "{" character (takes too much effort to handle) - use string concatenation instead
array and object typecasting not allowed
no variable functions or method calls allowed
single line comments (//, #) not allowed
only some functions are allowed - see inc/plugins/phptpl_allowed_funcs.txt for a list of allowed functions

***RateU*** · 09-18-2010 06:11 AM

Finally, we have the solution for using conditional in template and Admin Security plugin.
Thank you very much, Yumi Smile

Imran · 09-18-2010 04:53 PM

Very nice addition Zinga. Thank You ! Smile

***ZiNgA BuRgA*** · 09-19-2010 12:50 PM

Thanks.

I've decided to make some minor adjustments for v1.1 update:
- semicolon now allowed, although not much point; maybe will allow lambda functions in the future perhaps
- changed <print>...</print> tag to, probably, more proper <?=...?> syntax; may include this tag in the next version of PHP in Templates

***ZiNgA BuRgA*** · 09-22-2010 03:54 PM

Update to v1.2, fix an exploit allowing arbitrary function calls through array/string indicies or complex variables.

***ZiNgA BuRgA*** · 11-03-2010 08:18 PM

Updated to v1.3:
- improved safety checks a bit
- add new <setvar> tag for setting variables - see first post for info
- added a bunch of MyBB functions to the allowed list of functions

***ZiNgA BuRgA*** · 12-16-2010 10:51 AM

Update to v1.4:
- allow use of array operator =>
- add two new functions (available in conditionals, cannot be used with the <function ..> tag), phptpl_eval_expr and phptpl_eval_text:

phptpl_eval_expr
This function works similar to PHP's eval(), except it always returns the result. The function checks that the string you pass it is a safe expression, then evaluates the result.
Example (displays "2"):

Code:

<?=phptpl_eval_expr('1+1')?>

phptpl_eval_text
This evaluates a text string like template text, supporting conditional constructs etc.
Example:

Code:

<?=phptpl_eval_text('Welcome {$GLOBALS[\'mybb\']->user[\'username\']}!  <'.'if $GLOBALS[\'mybb\']->usergroup[\'cancp\'] then>You are an administrator.</'.'if>')?>

Note that the <if> ... </if> tags are broken up to prevent them being parsed as tags to be used in the actual template.

Note about scope
Both of the above functions are, PHP functions, so they will have function scope and won't carry over the scope you're calling them from. Essentially, this means you will probably need to globalise all variables to use them.

Imran · 12-17-2010 07:01 AM

I like the way you added "array operator" Yumi. Great upgrade. Smile

***ZiNgA BuRgA*** · 02-15-2011 09:28 AM

Updated to v1.5:
- fix bug with this plugin not working if HTML Comments is disabled

***ZiNgA BuRgA*** · 03-11-2011 08:53 AM

Thanks to RateU for pointing out that <setvar> will always set, even if wrapped in a conditional.

Template Conditionals
Author	Message