Drupal Custom Templating Security Issues - security

I'm mainly a WordPress guy and am trying to learn the ropes of Drupal 7. My question relates to templating best practices and security concerns. I am working with extremely complex designs (yeah designers right!?) so my markup needs to be clean and just right, which I have found Drupal makes extremely difficult with its large hierarchy of template files and functions. Basically, the workflow I have found that works for me is to override the output of specific content types that need really specialized markup at the node level.
So for instance: node--custom-content-type.tpl.php
Like I said, I am a WordPress guy and am used to being able to run a database query, grab the exact field values that I want and use them however I want. I have been using kpr() or printing out the $variables array, studying what it contains, and grabbing values directly like so:
$link = $variables['field_link'][0]['url'];
$link_title = $variables['field_link'][0]['title'];
$target = $variables['field_link'][0]['attributes']['target'];
$text = $variables['field_main_text'][0]['safe_value'];
And then echoing out and using the variables in the markup exactly as I'd like:
<article class="getstarted-wrapper">
<a id="tocollege" target="<?php print_r($target); ?>" title="<?php print_r($link_title); ?>" href="<?php print_r($link); ?>"><img src="/sites/all/themes/amped/images/visiticon.png" /></a>
<a id="mapcollege" target="_blank" title="View Location In Google Maps" href="<?php echo $maplink; ?>"><img src="/sites/all/themes/amped/images/mapicon.png" /></a>
<div class="getstarted-top" style="background:<?php print_r($bg); ?>;">
<figure>
<img title="<?php print_r($auth_title); ?>" alt="<?php print_r($auth_alt); ?>" src="<?php print_r($auth_img); ?>" />
</figure>
</div><!--getstarted-top-->
<div class="getstarted-bottom">
<p><?php print_r($text); ?></p>
<a target="<?php print_r($target); ?>" title="<?php print_r($link_title); ?>" href="<?php print_r($link); ?>">Get Started</a>
<span>This will take you to <?php print_r($college_name); ?></span>
</div><!--getstarted-bottom-->
</article><!--getstarted-wrapper-->
I am wondering how this process matches up against best practices, what I am doing wrong, what I am doing right, and more importantly what my security risks are and how I can avoid them?

Every time you output a plain text string (i.e. anything that is not deliberately markup) into an HTML page, you need to escape it.
In plain PHP templates that is typically done with the htmlspecialchars() function. Drupal offers check_plain() as a short-cut, although not a very short one. You can define your own shorter cut to reduce the pain:
function h($s) {
echo htmlspecialchars($s, ENT_QUOTES, 'utf-8');
}
<a id="tocollege" target="<?php h($target); ?>" title="<?php h($link_title); ?>" href="<?php h($link); ?>">...
(I'm not sure what the use of print_r was for—this is traditionally used for producing readable structured-object output for debugging, but that format of output isn't generally what you want in a production web page, and in your example it was only being used for strings, where it makes no difference anyway.)

The correct approach with Drupal is to sanitize user input on output. Since Drupal has multiple modes of output (not just HTML) it's improper to sanitize on input, so when outputting HTML you can use Drupal's check_plain() function as bobince suggests. check_plain is one of several filter functions available for use, see https://drupal.org/node/28984 for more.
If you are overriding the output and accessing theme variables, it is correct that the best practice is to run check_plain (or other filter functions) yourself. If it's node properties, you can also use the 'safe' properties described at the link above.
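One way to apply both answers to the template from the question, as an added example that is not code from either answer: esc() and safe_href() are plain-PHP stand-ins for Drupal's check_plain() and check_url() so the file runs outside Drupal, and the $variables array is constructed for the demo. It goes one step beyond the answers by treating href and target as their own contexts rather than plain text.

```php
<?php
// Added example (not from the question or answers): escape the field values from
// node--custom-content-type.tpl.php according to where each lands in the markup.
// esc() and safe_href() stand in for Drupal's check_plain() and check_url() so the
// file runs outside Drupal; the $variables array at the bottom is constructed.

function esc($s) {
    // Text and quoted-attribute contexts: ENT_QUOTES also neutralises a " that would end the attribute.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function safe_href($url) {
    // href is a URL context: escaping alone leaves a javascript: or data: URL clickable,
    // so only http(s) and site-relative paths (not protocol-relative //host) are kept.
    $url = trim((string) $url);
    return preg_match('#^(https?://|/(?!/))#i', $url) ? esc($url) : '#';
}

function safe_target($target) {
    // Whitelist the target instead of echoing whatever the link field holds.
    return in_array($target, array('_blank', '_self'), true) ? $target : '_self';
}

function render_getstarted(array $variables) {
    $link       = $variables['field_link'][0]['url'];
    $link_title = $variables['field_link'][0]['title'];
    $target     = $variables['field_link'][0]['attributes']['target'];
    // safe_value has already been through the field's text format filter, so it is
    // deliberately markup and is printed as-is; escaping it again would show raw tags.
    $text       = $variables['field_main_text'][0]['safe_value'];

    return '<article class="getstarted-wrapper">' . "\n"
        . '<p>' . $text . '</p>' . "\n"
        . '<a target="' . safe_target($target) . '" title="' . esc($link_title)
        . '" href="' . safe_href($link) . '">Get Started</a>' . "\n"
        . '</article>' . "\n";
}

// Constructed node values: a title that carries markup and a link with a script scheme.
$variables = array(
    'field_link' => array(array(
        'url'        => 'javascript:alert(0)',
        'title'      => 'Visit "Amped" <b>today</b>',
        'attributes' => array('target' => '_blank'),
    )),
    'field_main_text' => array(array('safe_value' => '<p>Start your application.</p>')),
);
echo render_getstarted($variables);
```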

Related

Is it possible to create a modularized reusable component in Umbraco 9?

I'm looking to create a reusable, modularized component in Umbraco 9. I've never worked with any Umbraco before. The example I'll use is a text widget/component that has an image on the left and text on the right, with the ability to set whether you want to swap this to be image right, text left.
I come from the Sitecore world where creating a component like this would mean creating a definition with the fields in the back office, creating an MVC controller and an action, and pointing that back office definition at the controller/action combo. Then, anywhere I've deemed a component hot spot, I can click an "add component" and it'd display the available components I've created (Text + Image Block, in our example).
Our team has been researching how to do something like this in Umbraco. We've been using element types. I've got it working where I can create a list of element types, but we couldn't figure out how to add a controller/action/view to this process to really control what gets displayed.
We've looked into the Grid Type Editor. That requires some Angular work that wasn't exactly playing nice; for some reason it was seeing our image fields as null even though they had an image.
We also tried messing with the Block List editor, and are currently investigating macros.
We've been spinning our wheels and I'm hoping to get some assistance on how to do something like this in Umbraco. Perhaps I'm searching/using the wrong terminology?
Most of our components are super simple, and rather than create a reusable component, we can just use the grid editor. In our example above, we could create a 50/50 grid row and put an image in the left column and the text in the right. This would work, but we'd like to have a little more of a reusable package. Furthermore, a few of the components will require some controller functionality to be able to hit an API and massage some data before passing it to the presentation layer.
We will keep investigating, but ultimately I'm hoping someone can clear up if we're going down the wrong path, or just missing some crucial point here.
Sure! Two ways come to mind for me. One would be to make a simple doctype like the screenshot below and let the layout decide how to stack them.
This sample uses bootstrap which of course you don't have to use, and in my case I have them in a nested content element so I basically just loop through them and alternate putting flex-row-reverse on the row.
@{
    var i = 0;
    foreach (var contentBlock in Model.ContentBlocks)
    {
        <div class="d-flex flex-wrap align-items-center @(i % 2 != 0 ? "flex-row-reverse" : null)">
            <div class="block-left col-sm-7">
                <h5>@contentBlock.SectionHeading</h5>
                @* Html.Raw prints the rich-text field without HTML encoding, so it must only hold editor-produced HTML *@
                @Html.Raw(contentBlock.SectionDescription.ToString())
            </div>
            @if (contentBlock.HasValue("sectionImage") && contentBlock.SectionImage != null)
            {
                <div class="block1-right col-sm-5 ml-auto">
                    <figure class="hover">
                        <img id="@contentBlock.SectionImage.Name.Trim().Replace(" ", "-")" src="@contentBlock.SectionImage.Url">
                    </figure>
                </div>
            }
        </div>
        i++;
    }
}
The other way (as you asked for) is to give the content editor the choice with a toggle: add a toggle to the doctype,
and instead of this line
<div class="d-flex flex-wrap align-items-center @(i % 2 != 0 ? "flex-row-reverse" : null)">
you could use this line
<div class="d-flex flex-wrap align-items-center @(contentBlock.SectionAlignment == true ? "flex-row-reverse" : null)">
Or even something like this, where you just assign your own class and write the CSS separately:
<div class="d-flex flex-wrap align-items-center @(contentBlock.SectionAlignment == true ? "block-right" : "block-left")">
Hope that helps get you going in the right direction. I'm sure you'll have to adapt this for your situation and this code is not tested.
Happy to help if you have any issues.

How to prevent xss in magento

I have been trying for the last 5-8 hours and am not getting a solution for preventing XSS in Magento.
I have already installed all the latest patches in my Magento.
I am using this script in the catalog search input box:
"><img src=x onerror=prompt(1);>
and I am getting this output:
xss result
I have also tried some validation like htmlEscape and strip_tags, but none of them are working for me.
Can someone please help me ?
I made many themes in Magento 1.9 and tested many XSS scripts, but the script is not triggered:
1. <script>alert('hello')</script>, even
2. in the URL www.yourwebsite.com?query=<script>alert('hello')</script>, or
3. <img src=x onerror="alert('Pop-up window XSS infected');" in the search box, but every string is escaped by default by Magento itself.
This can happen if you made your own custom search and didn't follow the Magento standard for passing data to controllers and back to the frontend.
You can use value="<?php echo $this->htmlEscape(input_values_here) ?>"
Example (credit: Magento XSS Prevention):
<li class="wide">
<label for="street_1" class="required"><em>*</em><?php echo $this->__('Street Address') ?></label>
<div class="input-box">
<input type="text" name="street[]" value="<?php echo $this->htmlEscape($this->getAddress()->getStreet(1)) ?>" title="<?php echo $this->__('Street Address') ?>" id="street_1" class="input-text required-entry" />
</div>
</li>
Just for knowledge:
You can learn more about XSS from XSS Tutorial.
You can also check whether there is any message from Magento in your admin panel, or any patches.
Perform these basic tests on your application:
Interact with your custom form/search box. Insert strings that contain HTML and JavaScript match characters into all application inputs, such as forms, URL parameters, hidden fields(!), or cookie values.
If your form doesn't correctly escape this string, you will see an alert and will know that something went wrong.
Wherever your custom form handles user-supplied URLs, enter javascript:alert(0) or data:text/html,alert(0).
Create a test user profile with data similar to the test strings above. Use that profile to interact with your application. This can help identify stored XSS bugs.
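As an added example (not Magento's code or the answer's), a stand-alone PHP check that renders a custom search box with and without escaping and runs the probe string from the question through both; htmlspecialchars() is used in place of Magento's $this->htmlEscape(), and the DOM walk is the assumed way to decide whether a probe turned into markup.

```php
<?php
// Added example, not from Magento or the answer: a custom search template rendered
// with and without escaping, checked against the probe string from the question.
// htmlspecialchars() stands in for Magento's $this->htmlEscape() (assumption).

// A custom search block that echoes the query straight into the value attribute.
function render_search_unescaped($q) {
    return '<input type="text" name="q" value="' . $q . '" />';
}

// The same template with the escaping the answer recommends.
function render_search_escaped($q) {
    return '<input type="text" name="q" value="' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . '" />';
}

// Parses the rendered fragment and reports whether an element the template never
// emits appeared, or whether any element carries an on* handler attribute.
// (libxml may wrap stray text in <p>, so that tag is tolerated.)
function probe_created_markup($html) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->tagName, array('html', 'head', 'body', 'p', 'input'), true)) {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// The probe from the question: it closes the value attribute, then the tag, then adds its own element.
$probe = '"><img src=x onerror=prompt(1);>';

foreach (array('unescaped' => 'render_search_unescaped', 'escaped' => 'render_search_escaped') as $label => $fn) {
    $html = $fn($probe);
    printf("%-9s %s  %s\n", $label, probe_created_markup($html) ? 'FAIL (probe became markup)' : 'ok', $html);
}
```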

drop down menu from database in zendframework 2 layout

layout.phtml code:
<ul class="dropdown-menu">
<li><a tabindex="-1" href="<?php echo $this->url('project') ?>">Java</a></li>
<li><a tabindex="-1" href="<?php echo $this->url('project') ?>">android</a></li>
<li><a tabindex="-1" href="<?php echo $this->url('project') ?>">Dot Net</a></li>
<li><a tabindex="-1" href="<?php echo $this->url('project') ?>">Zend Framework</a></li>
</ul>
but I want to convert this into a loop.
Module.php code:
use Zend\Mvc\ModuleRouteListener;
use Zend\Mvc\MvcEvent;

class Module
{
    public function onBootstrap(MvcEvent $e) {
        $eventManager = $e->getApplication()->getEventManager();
        $moduleRouteListener = new ModuleRouteListener();
        $moduleRouteListener->attach($eventManager);
        // this is for the session
        $this->initSession(array(
            'remember_me_seconds' => 180,
            'use_cookies' => true,
            'cookie_httponly' => true,
        ));
        // this code is not working (to get the values from the db for the menu list)
        $service = $this->getServiceLocator()->get('UserService');
        $result = $service->getmenulist();
        $this->layout()->myVariable = $result;
    }
    // other code
}
This is my current menu in the layout, but I want to build the drop-down list from the database. I don't know how to pass the value to the layout from Module.php. Can anyone help me solve this issue? Is there any other way to do it? In Module.php, I am trying to get the list of menu names and pass it to the layout.
Your code for retrieving the UserService doesn't belong in the onBootstrap method, as it will be executed every time your app is run, regardless of whether or not you actually access that module. This code may belong in a custom view helper, as @Sam suggested, which could be used to inject your menu into the layout.
If you're planning on additional functionality around the menu, for example toggling items based on an ACL, then your approach might involve a custom Navigation container and/or a Listener to fetch and populate your menu.
Unfortunately, your question is more of a design issue and likely just an absence of a full understanding of some basic ZF2 concepts than an actual problem with a particular piece of code. As such, you're not going to get too many responses from the community. You probably just need to review the ZF2 docs and tutorials and come back when you're having a specific problem with implementing those concepts.
ZF2 Navigation
ZF2 View Helpers
ZF2 Module Class Best Practices

Restrict page access with member login

I need to make a completely normal restricted area of my website accessible only to registered, logged-in members. The restricted pages will be pulling data from a MySQL database using PHP.
I have been searching for a way to do this, finding many useless results. Most of what I've found is either insecure, outdated or just deals with one very specific area of the process. It is incredibly frustrating spending hours studying a method of doing this, only to find out that they've used some insecure method and it's completely useless. So I'm hoping to get the opinions of the experienced stackoverflow community to point me in the right direction.
So my question is this:
Knowing that hundreds of thousands of websites have exactly the same "register, log in, grant access to pages A, B and C, log out" combination of events, is there a universally accepted way of setting this up (and if not, why not)? Is this: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL a "good" way of achieving this (assuming I figure out how to get it to work)?
The pages/database will not hold anything like credit card numbers or other sensitive information, so I don't think I'll have thousands of hackers constantly attacking the site, but I obviously want to maintain a reasonable level of security. I've been careful to avoid the potential of SQL injection attacks on the database side of things.
Many thanks,
Paul
Try this.
login.php
<form action="check.php" method="post">
<table border="0" cellpadding="0" cellspacing="0" style="margin-left:auto; margin-right:auto;">
<tr><td>Nickname:</td><td><input type="text" id="usernaame" name="usernaame"></td></tr>
<tr><td>Password:</td><td><input type="password" id="passworrd" name="passworrd"></td></tr>
<tr><td colspan="2"><input type="submit" value="Login" class="button"></td></tr></table>
</form>
<br><button>Register</button>
check.php
<?php
session_start();
$user = htmlspecialchars(addslashes($_POST['usernaame']));
//you can also edit password encryption
$password = htmlspecialchars(addslashes(md5(sha1($_POST['passworrd']))));
//put here your query
$query = mysqli_query();
if(mysqli_num_rows($query)=="1"){
$_SESSION['logged'] = $user;
}
else{echo 'Data is incorrect';}
?>
index.php (where protected content is)
<?php
session_start();
if(!isset($_SESSION['logged'])){echo 'Please login';}
else{
//your private content here
}
?>
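An added example, not the answer's code: the check.php and index.php logic with password_hash()/password_verify() in place of md5(sha1()), a prepared statement in place of addslashes(), and a regenerated session id on login. It assumes an in-memory SQLite database (via PDO) holding one constructed member row so the file runs on its own.

```php
<?php
// Added example, not the answer's code: check.php/index.php logic with a salted password
// hash, a bound-parameter query and a fresh session id on login. The in-memory SQLite
// database and the single member row are constructed so the file runs stand-alone.

function open_demo_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, nickname TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO members (nickname, password_hash) VALUES (?, ?)');
    // password_hash() picks the algorithm and a per-user random salt; the plain password is never stored.
    $ins->execute(array('paul', password_hash('correct horse battery staple', PASSWORD_DEFAULT)));
    return $db;
}

// Returns the member id, or null when the nickname/password pair is wrong.
function authenticate(PDO $db, $nickname, $password) {
    // Bound parameter: the nickname never becomes part of the SQL text, so no escaping is needed.
    $sel = $db->prepare('SELECT id, password_hash FROM members WHERE nickname = ?');
    $sel->execute(array($nickname));
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        // Unknown nickname: still verify against a dummy hash so the response time
        // matches the known-user path and does not reveal which nicknames exist.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

// check.php: store the member id server-side only after a successful check.
function login(PDO $db, array $post) {
    $id = authenticate($db, $post['usernaame'] ?? '', $post['passworrd'] ?? '');
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true); // drop any session id the browser had before login (fixation defence)
    $_SESSION['member_id'] = $id;
    return true;
}

// index.php: gate on the server-side session; nothing submitted by the client is trusted.
function is_logged_in() {
    return isset($_SESSION['member_id']);
}

$db = open_demo_db();
var_dump(authenticate($db, 'paul', 'wrong password'), authenticate($db, "paul' OR '1'='1", 'x'));
var_dump(authenticate($db, 'paul', 'correct horse battery staple'));
```

login() is meant to run inside a request after session_start(); the demo at the bottom only exercises authenticate() so it works from the command line.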

How to include the query string in Expression Engine pagination links?

I am working on an Expression Engine site and am trying to fix a bug with pagination. A user performs a search which displays paginated results. The search terms are in a query string, so all I need to do is include the query string in the pagination links. However, I don't know how to configure this in Expression Engine. This is all I have to work with:
{paginate}
<div class="results-pager">
Page {current_page} of {total_pages} pages {pagination_links}
</div>
{/paginate}
Can I pass some sort of option to {pagination_links} to include the query string in the links it generates? Or do I need to write this code myself?
I found a way to do it. If you enable PHP code in your templates, you can manually recreate the pagination_links functionality and include the query string in the generated links.
Replace this:
{pagination_links}
With this:
{if total_pages > 1}
<div class="pagination">
{pagination_links}
{first_page}‹ First{/first_page}
{previous_page}‹ Prev{/previous_page}
{page}
{if current_page}
<strong>{pagination_page_number}</strong>
{if:else}
{pagination_page_number}
{/if}
{/page}
{next_page}Next ›{/next_page}
{last_page}Last ›{/last_page}
{/pagination_links}
</div>
{/if}
You might take a look at this free add-on:
http://devot-ee.com/add-ons/better-pagination
Not sure it's the exact fit for what you're doing though, it might allow you to do what you want without turning PHP on.
