
Textpattern CMS support forum


#1 2012-12-06 23:29:13

piyashrija
Member
Registered: 2012-05-17
Posts: 30

<txp:variable /> not parsed inside <txp:article_custom /> help

I have code as below:

<txp:php>
if($_GET['date']){
$art = $_GET['date'];
$test = '<txp:skp_act_date orderby="posted" date="'.$art.'"/>'; // this is a small plugin I developed to return all the active article IDs.
$GLOBALS['thisarticle']['test'] = $test;
}
</txp:php>

<txp:variable name="selected_date" value='<txp:php>echo $GLOBALS["thisarticle"]["test"];</txp:php>'/>

<txp:variable name='selected_date'/>// return id as 22,171,16,23

Problem: it will not return any article even though there is an ID stored in txp:variable.

<txp:article_custom  time="any" ID='<txp:variable name="selected_date"/>'/>

Any solution much appreciated.

Thanks

Offline

#2 2012-12-07 09:17:26

milosevic
Member
From: Madrid, Spain
Registered: 2005-09-19
Posts: 390

Re: <txp:variable /> not parsed inside <txp:article_custom /> help

I will try the adi_gps plugin to extract variables from the URL

Last edited by milosevic (2012-12-07 09:18:04)


<txp:rocks/>

Offline

#3 2012-12-07 10:33:16

etc
Developer
Registered: 2010-11-11
Posts: 5,397
Website GitHub

Re: <txp:variable /> not parsed inside <txp:article_custom /> help

If you use it inside some article, try to put form="article_listing" (or any form other than default) in <txp:article_custom />.

Offline

#4 2012-12-07 12:02:06

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: <txp:variable /> not parsed inside <txp:article_custom /> help

Slight warning, but the code you are using is extremely dangerous. Anyone could use the ‘date’ GET parameter to inject any markup to the page template and as such run any server-side code on the server. The ‘date’ parameter is directly passed to the template markup without any validation or escaping.

The actual cause why the code doesn’t work is because the global variable of yours contains a string of markup instead of a list of IDs. The markup is never parsed, and as such will be seen as a plain string in your article_custom tag’s attribute. Textpattern has an ancient legacy feature where the page template is passed by two parser calls which causes the code to seem like it works when used directly inside a page template or a form.

A few things you need to consider:

  • If you ever have a user-defined value that needs to be passed to a template, run it through txpspecialchars() first. Otherwise you have accidentally created a remote-code execution vulnerability.
  • Any Textpattern markup needs to be parsed using parse(). Otherwise it’s treated as plain text.
  • Normally mixing PHP and Textpattern markup like that isn’t the wisest idea. Both are different beasts. Inside PHP usually only PHP should be applied and inside markup driven templates smaller, enclosed PHP blocks.
  • Normally it’s best to avoid modifying core variables if possible. Any undocumented variable is subject to change and modifying them can cause issues along the line. Instead of adding something to $thisarticle, consider using variables when working inside templates. Inside PHP, use your own, prefixed global variables where needed.
  • If you need to retrieve HTTP values in PHP, see the Textpattern HTTP functions, such as gps(), ps(), psa() and gpsa(). They do all internal configuration handling for you too.

If you just want to select a specific date with article_custom, the tag has an option for that through the month attribute.

<txp:article_custom month="2012-05-12" />

The above shows posts from 12th of last May. You could use that attribute to feed custom values to it from the ‘date’ parameter you have:

<!--
	Populate 'selected_date' variable with 'date' HTTP GET parameter
	after it's been sanitized with txpspecialchars()
-->

<txp:variable name="selected_date"><txp:php>
	echo txpspecialchars(gps("date"));
</txp:php></txp:variable>

<!--
	Feed 'selected_date' variable to article custom.
-->

<txp:article_custom month='<txp:variable name="selected_date" />' />

If you want to keep using what you have now, the same practice would apply. Flip the stuff over, deploy the internal functions and sanitize values. Like so:

<txp:variable name="selected_date"><txp:skp_act_date orderby="posted" date='<txp:php>
	echo txpspecialchars(gps("date"));
</txp:php>' /></txp:variable>

<txp:article_custom  time="any" id='<txp:variable name="selected_date"/>' />

Last edited by Gocom (2012-12-07 12:09:13)

Offline
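An added example, not part of any post above and not Textpattern's own code: it compares the raw concatenation from post #1 with the escaping recommended in post #4, plus a strict format check on the 'date' value, by counting how many tags end up in the resulting markup. The `skp_valid_date()` and `skp_tag_*` helper names are hypothetical, the sample inputs are constructed, and `htmlspecialchars()` stands in for `txpspecialchars()` so the script runs outside Textpattern.

```php
<?php
// Added example: plain PHP, runs without Textpattern.
// skp_valid_date() and the skp_tag_* helpers are hypothetical names.

// Accept only YYYY, YYYY-MM or YYYY-MM-DD that is a real calendar date.
function skp_valid_date(string $raw): string
{
    if (!preg_match('/\A(\d{4})(?:-(\d{2})(?:-(\d{2}))?)?\z/', $raw, $m)) {
        return '';
    }
    $month = isset($m[2]) ? (int) $m[2] : 1;
    $day   = isset($m[3]) ? (int) $m[3] : 1;
    return checkdate($month, $day, (int) $m[1]) ? $raw : '';
}

// Post #1 pattern: raw value concatenated into the tag.
function skp_tag_raw(string $date): string
{
    return '<txp:skp_act_date orderby="posted" date="' . $date . '"/>';
}

// Post #4 pattern: value escaped first. htmlspecialchars() stands in for
// txpspecialchars() here so the script runs outside Textpattern.
function skp_tag_escaped(string $date): string
{
    return skp_tag_raw(htmlspecialchars($date, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample inputs; the second closes the attribute early and
// appends a placeholder tag, the third is well-formed but not a real date.
$samples = ['2012-05-12', '2012"/><txp:example x="', '2012-02-31'];

foreach ($samples as $raw) {
    // Each count is the number of Textpattern tags in the built markup.
    printf(
        "%-26s raw=%d escaped=%d validated=%d date='%s'\n",
        $raw,
        substr_count(skp_tag_raw($raw), '<txp:'),
        substr_count(skp_tag_escaped($raw), '<txp:'),
        substr_count(skp_tag_raw(skp_valid_date($raw)), '<txp:'),
        skp_valid_date($raw)
    );
}
```

A tag count above one in the raw column means the request value changed the structure of the template rather than just the attribute's content; the escaped and validated columns stay at one for every input.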

#5 2012-12-09 22:21:16

piyashrija
Member
Registered: 2012-05-17
Posts: 30

Re: <txp:variable /> not parsed inside <txp:article_custom /> help

Hi Svahn,

Thanks for the brief explanation.
I am aware of the security issue with the code… I was just testing the output ID workflow.
I am also aware of the month attribute but that’s not what I want.
The thing I was confused about is why the output ID from the plugin doesn’t work with article custom.

This is the best answer and you have cleared so many things off my mind.

Cheers

Offline
