javiertoledos
Forum Replies Created
That’s the thing: I don’t think that the user should be able to write PHP code directly, in terms of security. Despite adding a lot of flexibility, someone who gains access to the backend would be able to write arbitrary code to escalate privileges. The idea is to limit the user to using exclusively shortcodes (no more PHP) in the repeater templates to implement a kind of sandboxing. Anyways, it’s just a suggestion; you always sacrifice something when improving security.
I know I’m discouraging storing or letting the user write custom PHP code, but, if you’re going to execute the PHP code in the repeater templates and they cannot be written to files, you may be able to execute the repeater template code from the database by doing an

    eval( '?> ' . $repeater_template );

The eval function can run arbitrary (and malicious) code, but it’s what the plugin is doing already by including custom repeater templates from files. Maybe something like this:

    $repeater_template_file = alm_get_current_repeater( $repeater, $type );
    /* If the file doesn't exist, that means the ALM template folder
     * is not writable, so use the database instead */
    if ( ! file_exists( $repeater_template_file ) ) :
        $repeater_template = alm_get_current_repeater_from_db( $repeater, $type );
        eval( '?> ' . $repeater_template );
    else :
        include( $repeater_template_file );
    endif;

I think I was a little bit angry when I first reviewed the plugin; it’s just that the die() calls really get on my nerves, sorry for that.
I think, if the plugin cannot write to the file or the plugin folder (as is our case with the Pantheon environment, or environments where you version the code), it should use the database as a fallback. I imagine you store the templates as files to improve load speed. Another option could be using memcache or redis if they’re available.
Having the option to select a template file from the server would be great.
When I mentioned shorttags, I meant short codes, like Contact Form 7 for example. Anyways, my only concerns were the die() calls that break the admin if the ALM templates folder is not writable (sorry, forgot to read the FAQ) and the fact that you let the users write PHP code. In terms of security, it would be better if the users were sandboxed somehow, like using shortcodes [title], [permalink], [time format="F d, Y"], or using a templating language {{{ $post->title }}}. I know this would represent less flexibility.
After all, I think it’s a good plugin with only those drawbacks, and your plugin deserves a better review than the one I originally gave.
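A sandboxed alternative to eval() along the lines of the shortcode suggestion in the replies above, added here as an example and not code from the plugin or the poster: it expands only a fixed whitelist of tags ([title], [permalink], [time format="..."]) and never hands the stored template to eval() or include(). It assumes a hypothetical function name alm_sandbox_render and a plain object standing in for WP_Post.

```php
<?php
// Sandboxed repeater template renderer (added example, not plugin code).
// A user who can edit templates can only use the whitelisted tags below,
// so template editing no longer means arbitrary PHP execution.
// $post is a constructed stdClass standing in for a WP_Post object.

function alm_sandbox_render(string $template, object $post): string {
    // Each allowed tag maps to a closure; $attrs holds parsed attributes.
    $tags = [
        'title'     => fn(array $attrs) => $post->post_title,
        'permalink' => fn(array $attrs) => $post->permalink,
        'time'      => fn(array $attrs) => date($attrs['format'] ?? 'Y-m-d',
                                               strtotime($post->post_date)),
    ];

    // Match [tag] or [tag attr="value" ...]; attribute values cannot contain
    // a double quote, so a template author cannot break out of the tag.
    $pattern = '/\[(\w+)((?:\s+\w+="[^"]*")*)\s*\]/';

    return preg_replace_callback($pattern, function (array $m) use ($tags) {
        $name = strtolower($m[1]);
        if (!isset($tags[$name])) {
            return $m[0];                 // unknown tag: left as literal text
        }
        $attrs = [];
        preg_match_all('/(\w+)="([^"]*)"/', $m[2], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $attrs[$p[1]] = $p[2];
        }
        // Tag output is HTML-escaped; the template text itself is only
        // ever copied through, never evaluated as PHP.
        return htmlspecialchars($tags[$name]($attrs), ENT_QUOTES, 'UTF-8');
    }, $template);
}

// Constructed sample data.
$post = (object) [
    'post_title' => 'Hello <World>',
    'permalink'  => 'https://example.com/hello-world/',
    'post_date'  => '2014-03-02 10:15:00',
];
// The trailing <?php ... ?> shows that PHP in a template stays inert text.
$template = '<li><a href="[permalink]">[title]</a> - [time format="F d, Y"]'
          . ' <?php echo 1; ?></li>';

echo alm_sandbox_render($template, $post), PHP_EOL;
```

Rendering the sample prints the list item with the title escaped as `Hello &lt;World&gt;`, the date as `March 02, 2014`, and the `<?php echo 1; ?>` fragment copied through as literal text rather than executed.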