Textpattern CMS support forum


#11 2019-08-14 14:07:30

etc
Developer
Registered: 2010-11-11
Posts: 3,296
Website

Re: txp PHP does not output

For the record, <txp:php /> has been disabled on the second pass because is_article_body context is not preserved after the first pass. It means that authors’ privileges are not checked any more, so even low-level users were potentially able to execute php via an easy second pass <txp:php /> injection.

Another point: if your code requires more complex calculations, you can register “safe” php functions for use in <txp:evaluate /> via advanced prefs. For date calculations, please look here.

Offline

#12 2019-08-14 14:54:27

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,760
Website

Re: txp PHP does not output

etc wrote #319052:

For the record, <txp:php /> has been disabled on the second pass because is_article_body context is not preserved after the first pass.

Yes. I think it’s the right thing to do anyway. I’m glad you found it when tweaking the parser.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#13 2019-08-14 15:05:31

etc
Developer
Registered: 2010-11-11
Posts: 3,296
Website

Re: txp PHP does not output

That was the easiest thing to do; I have not found a way to tell article content from form output after the first pass :-/

Offline

#14 2019-08-15 03:13:03

Kjeld
Member
From: Tokyo, Japan
Registered: 2005-02-05
Posts: 253
Website

Re: txp PHP does not output

Thank you for all the assistance and input.

Good to know that <txp:php /> being disabled on the second pass has made txp safer. And the new <txp:evaluate /> is awesome!


JapaneseStreets.com – Japanese street fashion (mostly txp)
Old Photos of Japan – Japan between 1860 and 1940 (100% txp)
MeijiShowa – Stock photos of Japan between 1860 and 1940 (100% txp)

Offline

#15 2019-10-09 16:55:44

towndock
Member
From: Oriental, NC USA
Registered: 2007-04-06
Posts: 278
Website

Re: txp PHP does not output

etc wrote #319052:

Another point: if your code requires more complex calculations, you can register “safe” php functions for use in <txp:evaluate /> via advanced prefs.

Could you explain how to register php functions in advanced prefs? (I can’t find this in the docs)

I do indeed have a site with complex calculations. I’m unable to determine a way that doesn’t involve a second pass to display some of our content.

Last edited by towndock (2019-10-09 16:56:08)

Offline

#16 2019-10-09 18:26:03

etc
Developer
Registered: 2010-11-11
Posts: 3,296
Website

Re: txp PHP does not output

towndock wrote #319604:

Could you explain how to register php functions in advanced prefs? (I can’t find this in the docs)

I do indeed have a site with complex calculations. I’m unable to determine a way that doesn’t involve a second pass to display some of our content.

Sure, though this will only help with simple one-line calculations. Go to the Preferences/Admin pane, switch Advanced options on and save. You will then gain access to the Advanced options pane, where you will find the “PHP functions enabled in txp:evaluate” pref. Its help is rather terse, so don’t hesitate to post your calculations here if needed.

Offline

#17 2019-10-10 21:14:02

etc
Developer
Registered: 2010-11-11
Posts: 3,296
Website

Re: txp PHP does not output

Now <txp:php /> should work (almost) as before in dev branch, testers welcome. Article context is preserved on second+ passes, so users without php rights should not be able to bypass this restriction any more.

An extra bonus is that (mistyped) things like

<txp:article_custom id="1,2,3" break=",">
    <txp:variable name="id" value="<txp:article_id />" />
    <txp:variable name="id" />
</txp:article_custom>

now work as expected, outputting 1,2,3. You can try it in 4.7- to see the difference.

Offline
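
A simplified model of the three behaviours discussed in this thread, added here as an illustration and not Textpattern's parser code: a second pass that has lost the article context, the interim fix that refuses code tags on the second pass, and the dev-branch approach of carrying the context into later passes. The `[code]` and `[body]` tags, the `Chunk` type and the policy names are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical tag standing in for a code-executing tag; not Textpattern syntax.
CODE_TAG = re.compile(r"\[code\](.*?)\[/code\]", re.S)

@dataclass(frozen=True)
class Chunk:
    text: str
    author_may_run_code: bool  # True for site templates, per-author for article text

def first_pass(template, article):
    """Pass 1: inline the article at [body]; code tags are left for pass 2."""
    before, _, after = template.text.partition("[body]")
    return [Chunk(before, template.author_may_run_code), article,
            Chunk(after, template.author_may_run_code)]

def second_pass(chunks, policy):
    """Pass 2: decide per code tag whether it runs. Returns (output, executed)."""
    executed = []

    def handle(match, allowed):
        if allowed:
            executed.append(match.group(1))
            return f"<ran:{match.group(1)}>"
        return ""  # a refused tag produces no output

    if policy == "naive":
        # Context dropped: pass 1 output is one flat string, nothing is checked.
        flat = "".join(c.text for c in chunks)
        return CODE_TAG.sub(lambda m: handle(m, True), flat), executed
    out = []
    for c in chunks:
        # "disable_on_second_pass" refuses every tag; "preserve_context"
        # applies the privilege that travelled with each chunk.
        allowed = policy == "preserve_context" and c.author_may_run_code
        out.append(CODE_TAG.sub(lambda m, a=allowed: handle(m, a), c.text))
    return "".join(out), executed

def render(policy, template, article):
    return second_pass(first_pass(template, article), policy)

# Constructed sample input: a trusted template and an article whose author
# has no right to run code.
TEMPLATE = Chunk("<h1>[code]site_title[/code]</h1>[body]", True)
ARTICLE = Chunk("Hello [code]author_supplied[/code]", False)
```

Rendering the sample with each policy shows the trade-off: the blanket refusal also silences the template's own tag, while carrying the context forward keeps it working and still refuses the author's.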

#18 2019-10-14 16:37:47

towndock
Member
From: Oriental, NC USA
Registered: 2007-04-06
Posts: 278
Website

Re: txp PHP does not output

etc wrote #319641:

Now <txp:php /> should work (almost) as before in dev branch, testers welcome. Article context is preserved on second+ passes, so users without php rights should not be able to bypass this restriction any more.

Now testing the 4.80 dev branch – all working fine with content that requires that second pass. Thank you much. Will be testing this version further.

Offline

#19 2019-10-14 19:51:02

etc
Developer
Registered: 2010-11-11
Posts: 3,296
Website

Re: txp PHP does not output

towndock wrote #319710:

Now testing the 4.80 dev branch – all working fine with content that requires that second pass.

Nice to know it, thanks for testing. Sorry for the trouble it could have caused, but we patch all potential security holes asap, sometimes brutally.

Offline
