Jeff,

I developed a templating system which is safe for untrusted users.
Actually that was one of the main goals. The sources, somewhat messy,
are at:

http://rmadilo.com/m2/servers/rmadilo/modules/tcl/twt/packages/view/

The templates are 'compiled' into a Tcl script. 
The template compiler is a C program using flex/bison.

Here is a simple example of a template:

<table border="1">
[foreach num $MoveCards /]
<tr>
 [set k 0]
 [set Cards $CardList($num) /]
 [foreach Card $Cards /]
  <th>$Card<br />
  [if {$num == $MoveCount} /]
   [if {$k > 0} /]
 Move: 1<input type="radio" name="move" value="$k [expr ($k - 1) /]">
   [/if/]
   [if {$k > 2} /]
  3<input type="radio" name="move" value="$k [expr ($k - 3) /]">
   [/if/]
  [/if/]
 </th>
 [incr k /]
 [/foreach/]
</tr>
[/foreach/]
</table>

This is taken from a start.tmpl under:
http://rmadilo.com/m2/servers/rmadilo/pages/optimistic/

The live version, to see the resulting HTML, is here:
http://rmadilo.com/optimistic/

If there is a syntax error in the script, you get a compile-time error;
it is pretty easy to track down the error by trying to compile it on the
command line. The compiler aborts at the error.

The compiler itself has only a limited number of commands, each with a
form similar to a Tcl command:

[command args ] ... ?[/command]?

Anything not in [ ] is turned into text. Parsing is not yet 100% perfect
and sometimes messes up if there is some combination of " and {.

Any variables found in the text, outside of [ ], are also handled. The
compiled script, although ugly, is just a series of commands which
eventually boil down to a series of [append]s, but they are also easy to
debug if some problem shows up.

The safety comes from only supporting a limited set of safe commands and
variable forms. For instance, you can't have an array variable like
$a([rm -rf /]). Also, the for and while loops are not available because
they execute code.

The main extension mechanism is the [resource] tag. Before a template is
run, you can add resources, giving them a name. If the resource is in the
template, it is executed, possibly passing through arguments. For
instance, you could give the template the ability to open a particular
file. It would be nice to have another tag which could do something to
the contents of the tag (the stuff between [tag] [/tag]), but I haven't
given this any thought yet.

This is hardly a perfect system, but the main goal of establishing a safe
execution environment seems to be met.

The way I use this is to have a .tcl file set up all the data and then
use ::view::return to find and handle the similarly named .tmpl file.
However, the data could be set up from some other source, in a filter or
registered proc, or the template itself could be anywhere, like a
database or outside of pageroot, or passed in via a form.

tom jackson

On Monday 24 September 2007 12:54, Jeff Rogers wrote:
> Thanks for sharing this with the community.  It's been somewhat
> depressing to see every php system include a simple templating system
> but nothing really solid under AOLserver.  (I know OpenACS has a
> templating system but I didn't look at it long enough to grok all the
> complexity therein, not to mention that it is tightly tied to OpenACS.)
>
> One thought I had while looking at it is that it isn't really suitable
> for letting untrusted users upload arbitrary master pages for
> layout/styling/etc, as the users could then run scripts in the pages.
> I thought to myself, wouldn't a controlled environment for ADPs be nice?
>   So I started looking at what it would take to add in a safe adp
> execution mode, and I was happy to find that although it's not
> documented, it already exists!
>
> So a suggestion: it would be a nice enhancement to allow for untrusted
> master pages that are run in safe mode.  I'm not entirely sure what
> behavior makes the most sense (i.e., what can and can not be in safe
> mode) but the implementation should be pretty simple :)
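
The allow-list approach described in the message above (a limited set of commands and a limited set of variable forms), as an added Tcl sketch that is not part of the original post or of the twt sources. The proc name checkTemplate, the tag list (the commands seen in the example template plus resource) and the accepted index forms are assumptions, and it uses regular expressions where the real compiler uses a flex/bison grammar.

```tcl
# Added example, not from the twt sources. The tag allow-list and the accepted
# index forms are assumptions modelled on the template in the message.
set allowedTags {foreach set if incr expr resource}

# Return a list of problems found in template source; empty means accepted.
proc checkTemplate {src} {
    global allowedTags
    set problems {}

    # Array references: the index may only be a plain word or a simple
    # $variable, so an index holding a bracketed command is refused.
    foreach {ref index} [regexp -all -inline {\$\w+\(([^)]*)\)} $src] {
        if {![regexp {^\$?\w+$} $index]} {
            lappend problems "variable form not allowed: $ref"
        }
    }

    # Drop array references so a refused index is not read again as a tag.
    regsub -all {\$\w+\([^)]*\)} $src {} rest

    # Only opening tags are checked; closing tags start with a slash and
    # do not match the pattern below.
    foreach {tag name} [regexp -all -inline {\[(\w+)} $rest] {
        if {[lsearch -exact $allowedTags $name] < 0} {
            lappend problems "command not allowed: $name"
        }
    }
    return $problems
}

# Constructed inputs: one line in the style of the message's template and one
# hostile line. Both are brace-quoted, so nothing in them is evaluated.
set good {[foreach Card $CardList($num) /]<th>$Card</th>[/foreach/]}
set bad  {[while 1 /]$a([rm -rf /])[/while/]}

puts "good: [llength [checkTemplate $good]] problem(s)"
foreach p [checkTemplate $bad] { puts "bad:  $p" }
```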

