
Textpattern CMS support forum


#16 2012-06-09 15:52:55

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Create images page with captions

zero wrote:

Aaarrrggghhhh! So how do I fix that, Jukka?

I’ve updated my previous post (I suppose I’m one of those who never finish their posts). There are just some practical issues with the thing: trusting and using information provided by the client, and all that.

The biggest issue, which is the remote injection, can be cured by running everything coming from the client, including HTTP headers such as the referrer (the back link), through htmlspecialchars() or the appropriate sanitizer for the situation.

As for the previous page (referer) and landing page (the cookie’s request URI), I would try to find some other way of getting those values. By using the current image ID as the starting point, for example, and then using that information to calculate the appropriate page locations, or something like that. Using information from the client directly isn’t a good idea. You can use it for comparisons and for fetching stuff, but placing it directly into your page template is not a very good idea.

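One way to apply what Jukka describes, as an added PHP example that is not from this thread or from Textpattern itself: the referer or cookie value is used only for comparison against a server-side expectation, the actual link target is computed from the current image, and whatever path is chosen still goes through htmlspecialchars() before it reaches the template. The function names, the host name, the `/photos/...` URL layout and the sample inputs are all assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Decide where the "back to thumbs" link should point. The client value
 * ($_SERVER['HTTP_REFERER'] or the cookie's request URI) is only compared
 * against what we expect; it is never copied into the page as-is.
 *
 * $candidate    untrusted value from the client (may be absent)
 * $siteHost     our own host name; anything pointing elsewhere is ignored
 * $fallbackPath location computed server-side, e.g. from the current image ID
 */
function chooseBackPath(?string $candidate, string $siteHost, string $fallbackPath): string
{
    if ($candidate === null || $candidate === '') {
        return $fallbackPath;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallbackPath;
    }
    // A relative value such as "/photos/landscapes" carries no host; an
    // absolute one must point at our own site.
    if (isset($parts['host']) && strcasecmp($parts['host'], $siteHost) !== 0) {
        return $fallbackPath;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallbackPath;
    }
    // Accept only paths that look like one of this site's thumbs pages (assumed layout).
    $path = $parts['path'] ?? '/';
    if (!preg_match('#^/photos/[a-z0-9_-]+/?$#i', $path)) {
        return $fallbackPath;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

/** Render the link; the chosen path is escaped before it is placed in the template. */
function renderBackLink(string $path): string
{
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">Back to thumbs</a>';
}

// Constructed inputs standing in for the referer / cookie value.
$fallback = '/photos/landscapes';  // would be derived from the current image's category
echo renderBackLink(chooseBackPath('https://example.com/photos/landscapes?page=2', 'example.com', $fallback)), "\n";
echo renderBackLink(chooseBackPath('https://other.example/anything', 'example.com', $fallback)), "\n";
echo renderBackLink(chooseBackPath('/photos/landscapes?page=2"x', 'example.com', $fallback)), "\n";
```

The second call falls back to the computed path because the host is not ours, and the third shows the double quote arriving in the output as `&quot;` rather than breaking out of the attribute.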

#17 2012-06-09 16:13:38

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,376
Website GitHub Mastodon Twitter

Re: Create images page with captions

I’m not sure as to why one should use php there. Wouldn’t <a href="#" onclick="history.go(-1);return false;">Back</a> do the same thing? (Except on browsers that have disabled js… I know: )


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#18 2012-06-09 17:06:08

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,475
Website

Re: Create images page with captions

Yiannis, your javascript just goes back to the last page, it doesn’t take me out of the gallery back to the thumbs page. That’s the trickiest bit, I think.

Jukka, thanks for the explanations. I’m sure I don’t fully understand yet, but I’ve reverted to using smd_lately (as in this ) to replace the photos page “thumbspage variable/cookie/back” combination and deleted the cookie from thumbs pages. Is there still a problem with adi_gps grabbing the variables from my thumbs page? Should I be escaping anything in there to prevent somebody passing some php along?


Dozy P My attempt at music


#19 2012-06-09 17:27:41

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Create images page with captions

zero wrote:

Jukka, thanks for the explanations. I’m sure I don’t fully understand yet, but I’ve reverted to using smd_lately (as in this ) to replace the photos page “thumbspage variable/cookie/back” combination and deleted the cookie from thumbs pages. Is there still a problem with adi_gps grabbing the variables from my thumbs page? Should I be escaping anything in there to prevent somebody passing some php along?

Probably not, if the plugins do escaping correctly. Can’t comment on whether they do. I’m not familiar with smd_lately, so I can not say how well it works, or if it’s suitable. Most likely it is a good choice and secure.

But keep in mind not to use the IP to link any “private” or “sensitive” content to anyone. IPs are not permanent, unique or trustworthy. There is a chance that one can read somebody else’s history.

Last edited by Gocom (2012-06-09 17:29:21)


#20 2012-06-09 19:33:21

etc
Developer
Registered: 2010-11-11
Posts: 5,674
Website GitHub

Re: Create images page with captions

$_SESSION is probably a better option than $_COOKIE, but, as Jukka suggests, you’d rather find some client-independent solution. I personally know someone who disables cookies, referrers and javascript while surfing :-)


#21 2012-06-10 19:28:47

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,475
Website

Re: Create images page with captions

I’ve updated the TXP Tip so the cookies are gone and smd_lately is used to leave the gallery and return to the originating thumbs page.

I’ve actually found an alternative method to smd_lately: I copied the URL-only title into the keywords field and used article_custom with the keywords filter (keywords='<txp:variable name="cat" />') and a form to link the site, section and url_title together. But this only works for me because my “cat” variables are the same as the url_title of the thumbs page. This will not be practical for most users, I should think, but smd_lately has the benefit of being a dev’s plugin, and therefore most probably secure and kept up-to-date, so, like Jukka says, I think it’s most likely a good choice.

A moral I’ve learned: a little knowledge is dangerous so wherever possible use a txp plugin or txp native tags!


Dozy P My attempt at music

