February 26th, 2014 at 5:39 PM
I rewrote the class, and it's literally only 26 lines of code. The new class does not require you to define a specified template when setting variables. I think it's unnecessary, personally. For instance, the variables that would be set on the user profile page would only be set when the user was viewing the profile, so it's not an issue of scope or of performance.
I'm now working on implementing the beginnings of it into Filecave. Of course I'll probably expand it out a good bit as well, but this will be a start. One of the reasons I'm going for this system over some more obvious template solutions is for security concerns. For example, in PHP, you could do something like this in a text string:
Quote:
$number = 4;
echo "some number in code = $number";
It so turns out that what you will see in your browser is "some number in code = 4" when you go to the script in your browser. $number actually gets replaced with the actual value of $number. This is the concept that MyBB utilizes in its template engine, but I've purposefully avoided going that route for a very specific reason. For example, this is also possible.
Quote:
echo "DB password: {$conf['dbpassword']}";
And voila, your database password has been leaked. Using PHP variables in strings that could potentially be altered by either the user or a plugin is, for that reason, dangerous. MyBB attempts to filter out insecure code before saving a template, which seems to solve their problem. Unfortunately, I don't have time to write complex security scanners, so it's much easier just to filter out anything that looks like PHP at all, rather than just validating certain code and denying other code based on a complex set of conditions.
This system may be replaced later, depending on how it works out, but I'd like to see how it works. It definitely has the potential to be much more secure because you can only include tags that are explicitly set in code (and thus you cannot include the database password, or anything else that isn't intended for templates).
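The two approaches described in the post, side by side, as an added example that is not the author's 26-line class or any Filecave code. `renderByEval` stands in for the "template is a PHP double-quoted string" model (every variable in scope, including `$conf`, is reachable from the template text); `TagTemplate` is a minimal version of the explicit-tag model, where only values registered with `set()` can ever appear and the template text is never executed. The `$conf` array, the `$hostile` template, and the names `renderByEval`, `TagTemplate`, `set` and `render` are all constructed for this example. The HTML escaping in `render()` is an addition the post does not mention, included because a value such as a profile field is itself user-controlled.

```php
<?php
declare(strict_types=1);

// Constructed config for the demo; a real app would load this elsewhere.
$conf = ['dbpassword' => 's3cret-db-pass'];

// Approach 1: the stored template is turned into a PHP double-quoted string
// and evaluated, as in the post's examples. Anything in the caller's scope
// (here the $conf parameter) is reachable from the template text.
function renderByEval(string $template, array $vars, array $conf): string
{
    extract($vars);                              // e.g. $username becomes a local
    $src = str_replace('"', '\"', $template);    // keep the string literal intact
    return (string) eval('return "' . $src . '";');
}

// Approach 2: explicit tags. Only values registered with set() are
// substituted; the template is plain text that is searched, never run.
final class TagTemplate
{
    /** @var array<string,string> */
    private array $tags = [];

    public function set(string $name, string $value): void
    {
        // Restrict tag names so nothing resembling PHP syntax can become a tag.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("invalid tag name: $name");
        }
        $this->tags[$name] = $value;
    }

    public function render(string $template): string
    {
        return preg_replace_callback(
            '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
            function (array $m): string {
                if (!array_key_exists($m[1], $this->tags)) {
                    return '';                   // unknown tag: dropped, not evaluated
                }
                // Escape on output so a user-controlled value (a profile
                // field, say) cannot inject markup into the page.
                return htmlspecialchars($this->tags[$m[1]], ENT_QUOTES, 'UTF-8');
            },
            $template
        );
    }
}

// A template a plugin author, or anyone with template-edit rights, might save.
$hostile = 'Hello $username! DB password: {$conf[\'dbpassword\']}';

// Eval model: the template pulls $conf['dbpassword'] straight into the output.
echo renderByEval($hostile, ['username' => 'alice'], $conf), PHP_EOL;

// Tag model: {$conf['dbpassword']} is not a valid tag, so it is left as
// literal text; {dbpassword} was never set, so it is removed; {username}
// is substituted and escaped.
$t = new TagTemplate();
$t->set('username', '<b>alice</b>');
echo $t->render('Hello {username}! DB password: {$conf[\'dbpassword\']} {dbpassword}'), PHP_EOL;
```

Run with `php example.php`. The first line printed contains the constructed database password; the second contains the escaped username and the `{$conf[...]}` text verbatim, which is the property the post is after: the only way a value reaches a template is through an explicit `set()` call in code, so a template edit alone cannot reach anything that was not deliberately exposed.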