I’m writing a basic CMS for one of my sites and have run into an issue where some pages need to dynamically serve PHP and JS, whereas others are plain HTML. I want there to be a setting which will allow this for the pages that need it and will load ACE editor instead of a different WYSIWYG editor. I want to reject any inputs that contain code on non-code-enabled pages. How do I ensure that all JS and PHP included from the database will not execute?
You don’t really want to do this. Beyond the security concerns if you do things wrong, it becomes an absolute maintenance nightmare – there’s no good way to put CMS pages into version control. Testing and migrating code between development environments and live sites becomes brittle, at best. In one of my other posts, I detailed the problems that come along with running a Drupal site & you’re starting down a similar road.
With that said, if you insist on following through with this plan, the way to go is to use a proper template engine (I’ve been using h2o lately) and leave the worry of escaping content to it. The other thing I’d do would be to separate the PHP and the displayable part of the code by putting them in completely separate fields. This not only gives you cleaner code (remember, mixing display and logic is bad) but also lets you treat what you display as ‘dumb’ text and only allow it access, via the templates, to the output of your PHP.
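The approach the answer describes, as an added example that is not part of the original post and does not use h2o: stored page text is always escaped before output, so `<script>` and `<?php` reach the browser only as visible characters; the display field of a code-enabled page is a dumb template whose placeholders are filled from the output of per-page logic that lives in versioned code rather than in the database; and a coarse save-time check refuses bodies that look like markup on non-code pages. The `pageLogic()` switch, the `{{ name }}` placeholder syntax, the `code_enabled` column and the sample rows are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Escape stored page text so a browser renders it as literal characters.
// This is the actual security control: escaped "<script>" and "<?php" are
// just text, whatever an editor managed to save.
function escapeText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical per-page logic kept in version-controlled code, keyed by slug.
// It returns plain values; the display template only ever sees these.
function pageLogic(string $slug): array
{
    switch ($slug) {
        case 'dashboard':
            return ['user' => 'alice', 'items' => 3];
        default:
            return [];
    }
}

// Minimal {{ name }} substitution standing in for a template engine's
// auto-escaping. Every substituted value is escaped; unknown names render empty.
function renderTemplate(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $m) use ($vars): string {
            return escapeText((string) ($vars[$m[1]] ?? ''));
        },
        $template
    );
}

// Coarse save-time gate for pages that are not code-enabled: reject bodies that
// contain a PHP open tag, an HTML tag, an on*= handler or a javascript: URL.
// This is a convenience for editors, not the control that prevents execution.
function looksLikeCode(string $body): bool
{
    $pattern = '/<\?|<\s*\/?\s*[a-z][a-z0-9-]*[\s>\/]|\bon[a-z]+\s*=|javascript:/i';
    return (bool) preg_match($pattern, $body);
}

// Validation step the CMS would run before the INSERT/UPDATE.
function validateSave(array $page): bool
{
    return (bool) $page['code_enabled'] || !looksLikeCode($page['body']);
}

// Rendering step: the body is either a dumb template fed only by pageLogic()
// output, or plain text that is escaped wholesale.
function renderPage(array $page): string
{
    if ($page['code_enabled']) {
        return renderTemplate($page['body'], pageLogic($page['slug']));
    }
    return escapeText($page['body']);
}

// Constructed sample rows standing in for the pages table.
$rows = [
    ['slug' => 'about', 'code_enabled' => 0,
     'body' => 'Hi <b>there</b> <script>alert(1)</script> <?php echo shell_exec("id"); ?>'],
    ['slug' => 'dashboard', 'code_enabled' => 1,
     'body' => '<p>{{ user }} has {{ items }} items</p>'],
];

foreach ($rows as $row) {
    $saved = validateSave($row) ? 'accepted' : 'rejected (code on a non-code page)';
    echo "{$row['slug']}: save {$saved}\n";
    // Render regardless, to show that even a body that slipped past the gate
    // comes out as inert text on a non-code page.
    echo "{$row['slug']}: " . renderPage($row) . "\n";
}
```

Running this prints the about page as `Hi &lt;b&gt;there&lt;/b&gt; &lt;script&gt;...` (shown to the user as the literal tag text) and the dashboard page as `<p>alice has 3 items</p>`. The `looksLikeCode()` blacklist will both miss and over-match things; it is there so editors get an error at save time, while `escapeText()` and the escaping inside `renderTemplate()` are what actually keep database content from ever being interpreted as JS or PHP.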