I’m new to Crystal (and never really used ruby) so apologies for the ignorance here! I've looked at the ecr docs but can't seem to find an answer there.
I’m looking at using Embedded Crystal for dynamic templates in Kemal. Can I confirm - can templates only render variables that are available in the scope of the call, or can one make method/function calls from within the template itself? I.E. is there any possibility/risk of being able to execute “malicious” crystal code from within a template (in this case malicious refers to I/O or file access etc)?
To take an example from the Kemal docs:
get "/:name" do |env|
name = env.params.url["name"]
render "src/views/hello.ecr"
end
In the view hello.ecr - is name the only item that will be available in the template, or could one call File.delete("./foo")from within the template for example?
A template is compiled into Crystal code, you can write any kind of code in there, like File.delete("./foo"), for example if you write <% File.delete("./foo") %> inside of your template.
If your worry is that name will contain code and that will somehow get executed, then don't worry, that's not going to happen. Dynamic runtime code execution in Crystal is not possible, so there's no way someone will inject malicious code into your templates.
Related
In the root template page.10 is already taken. If I put page.10 into my extension template, I override it. How can I make sure (just putting a large number is not "making sure") that I don't override anything? The root template is very complicated and includes many other templates, so I cannot really tell which numbers are already taken. I just want to use the extension template to append some content.
The safest solution would be not adding anything automatically. Instead you could provide your rendering instruction via lib.* or tt_content.list.* in case it is a registered plugin:
lib.yourContent = USER_INT
lib.yourContent { ... }
Then you only need to document how to add something to the page output, e.g.:
page.11 < lib.yourContent
I know it has been a while since you've asked this question.
You're saying "just putting a large number is not making sure" because you have no idea what content is using which number on the page object.
If you want to be 99,9% sure that a number has not been used, why don't you use the current timestamp as a number on this cObject? That's how the TYPO3 Errorhandler also refers to pages, using the timestamp they wrote it.
The simpliest answer if you can make sure which Page object index is already used for something is you cannot.
It might be set somewhere deeper in extensions, in any condition that meets any expression is defined there.
None of standard built in tools in TYPO3 can predict that and check all combinations of conditions to tell you if such number is set somewhere in some case.
But.
If you are an admin of that page, then the best approach is just to know your template.
Analyse the typoscript and know what numbers in Page object are used for something. Make a tidy consistent template, clean it up, check using Template tools -> Typoscript object browser. You have to know what's going on on your site, the elements in indexes of main Page object are the main and basis things which are shown public.
(Or just guess any random big number and try to search it in whole typoscript using Template tools -> Template Analyzer -> View complete TS listing. Let's be honest, probability that you shoot a big number which is already used is rather low)
I am trying to create global functions in Lucee. I have followed the directions here and have it "Kind of" working. Inside of Application.cfc I placed the following code:
public void function onRequest() {
URL.IsInternalUser = function() { return (SESSION.user.ID ?: 0); };
}
This seems to work fine in some cases but if we need to access this function in a subdirectory that contains an Application.cfc that does not have the function re-defined it will error out saying the function doesn't exist.
The ultimate goal I am trying to achive is to have a cfc file that contains several user defined functions and then have them accessible throughout the entire application without redefining things over and over again.
Is there a better way to accomplish what we want? I ask this because on the page I referenced earlier in the comments section there is a quote:
I concur. Wouldn't surprise me to see it somewhere else in the future.
What I like about Railo's method is that it is completely sandboxed.
Host A's tags & functions libraries never cross/conflict with Host B's
libraries unless they're put into the global server folders. It's the
same way for the virtual file system too and pretty much everything
else (datasources, etc).
It specifically mentions Railo having a way to create UDF but I can not find any documentaion on this anywhere. Since we are using Lucee which is a fork of Railo I figure it must have what Railo has for creating UDF. Hoping someone that reads this can help me out and point me in the right direction.
Railo/Lucee support custom functions. You can declare them in /WEB-INF/{railo|lucee}/library/function/ of the site. Save the function in a .cfm file and name the file the same as the function. The server needs a restart after creating new functions. Here is Railo's blog post about it.
Adobe ColdFusion doesn't support this AFAIK. So you have to store your functions in the SERVER scope here.
Trying to figure out the best way to accomplish this. I have inhereted a Django project that is pretty well done.
There are a number of pre coded modules that a user can include in a page's (a page and a module are models in this app) left well in the admin (ie: side links, ads, constant contact).
A new requirement involves inserting a module of internal links in the same well. These links are not associated with a page in the same way the other modules, they are a seperate many to many join - ie one link can be reused in a set across all the pages.
the template pseudo code is:
if page has modules:
loop through modules:
write the pre coded content of module
Since the links need to be in the same well as the modules, I have created a "link placeholder module" with a slug of link-placeholder.
The new pseudo code is:
if page has modules:
loop through modules:
if module.slug is "link-placeholder":
loop through page.links and output each
else:
write pre-coded module
My question is where is the best place to write this output for the links? As I see it, my options are:
Build the out put in the template (easy, but kind of gets messy - code is nice and neat now)
Build a function in the page model that is called when the "link placeholder is encountered) page.get_internal_link_ouutput. Essentially this would query, build and print internal link module output.
Do the same thing with a custom template tag.
I am leaning towards 2 or 3, but it doesn't seem like the right place to do it. I guess I sometimes get a little confused about the best place to put code in django apps, though I do really like the framework.
Thanks in advance for any advice.
I'd recommend using a custom template tag.
Writing the code directly into the template is not the right place for that much logic, and I don't believe a model should have template-specific methods added to it. Better to have template-specific logic live in template-specific classes and functions (e.g. template tags).
in the template.phtml file there is a line of code which refers to the content, using
getChildHtml('content') ?>
which echos out the content and the containing divs, i wish to access this raw code so i can insert
some custom data but for the life of me cannot find where it is?! i have found the Mage_Page_Block_Html class in the core but cannot see any html that it is throwing out!
Thanks in advance
In the Admin, if you go to System>Config>Advanced>Developer and select your Store View from the Scope Selector (top-left), you can turn on Template and Block hints. That will tell you exactly which PHP Block is generating the code and therefore $this relates to.
Generally, all the basic layout templates are backed by Mage_Core_Block_Template, and all blocks inherit from Mage_Core_Block_Abstract.
Cheers,
Jonathan
As always, I recommend understanding what the entire layout system is doing to understand what's going on.
As to your specific question, $this always refers to the template's Block class. (Every phtml template has a Block class in Magento). Which class this is will depend on what's in your layout XML files. You can always output the class at runtime with something like this
var_dump(get_class($this));
The getChildHtml method is defined on the base abstract block class
app/code/core/Mage/Core/Block/Abstract.php
This method is used by ALL blocks, so be sure you take this into account with your code.
as a side note.. if you ever wondering where a $this is point to you can also use
echo get_class($this)
helped me out quiet a few times
I have gone through the (painful) process of writing a custom template tag for use in Django. It is registered as an inclusion_tag so that it renders a template. However, this tag breaks as soon as I try to change something.
I've tried changing the number of parameters and correspondingly changing the parameters when it's called. It's clear the new tag code isn't being loaded, because an error is thrown stating that there is a mismatch in the number of parameters, and it's evident that it's attempting to call the old function.
The same problem occurs if I try to change the name of the template being rendered and correspondingly change the name of the template on disk. It continues to try to call the old template. I've tried clearing old .pyc files with no luck.
Overall, the system is acting as though it's caching the template tags, likely due to the register command. I have dug through endless threads trying to find out if this is so, but all could find it James Bennett stating here that register doesn't do anything. Please help!
I have gone through the (painful) process of writing a custom template tag for use in Django
I agree that the process for writing the template tag in django is more elaborate than it needs to be.
But let me point you towards some of the third party apps, that when installed, a template tag is just another python function (or class).
http://github.com/alex/django-templatetag-sugar
http://github.com/codysoyland/django-template-repl
Firstly, I can't imagine what's complicated about inclusion tags. Writing a completely custom tag from scratch, yes: that's complicated. But inclusion tags are simply three lines of code and a template - what's complicated about that?
Secondly, all Python code in your Django project is loaded once by the server [*], and remains until it is restarted. The dev server usually detects changes and restarts itself to reload the code, but this doesn't always work. You should get into the habit of checking the console to see that it does restart, and doing it manually if necessary. Note that this has nothing whatsoever to do with caching.
[*] strictly speaking, once per process, but the dev server is single-process anyway.
In case anybody else encounters this: the exact caching mechanism is unclear, but restarting the django dev server fixes the problem.