Codeigniter + Dwoo
#1

[eluser]danielbertini[/eluser]
Hello all, I am developing a system where customers can add their own pages. CodeIgniter's template parser is very simple, so I decided to use Dwoo. Everything is installed, configured and running, but the .tpl files allow customers to run PHP code, and this cannot happen in my project.

Has anyone experienced this, and does anyone have any idea why?

In controller:
Code:
$this->load->library('Dwootemplate');
$this->dwootemplate->assign('itshowlate', 'test');
$this->dwootemplate->display($this->session->userdata('store_store_id').'/tpl/index.tpl', $data);

In view (.tpl):
Code:
<?php echo "daniel"; ?>   // this is actually allowed
<br />var: {itshowlate}

result:
daniel
var: test

Regards,
Daniel.
#2

[eluser]bretticus[/eluser]
Are you calling this right? I have never used this, but I was curious, and looking at the method you are calling, it shows this code:

Code:
/**
 * Display or return the compiled template.
 * Since we assign the results to the standard CI output module
 * you can also use the helper from CI in your templates!!
 *
 * @param string $sTemplate
 * @param boolean $return
 * @return mixed
 */
public function display($sTemplate, $return = FALSE) {
    // Start benchmark
    $CI = get_instance();
    $CI->benchmark->mark('dwoo_parse_start');

    // Check if file exists. Log first: show_error() terminates the
    // request, so anything placed after it never runs.
    if ( !file_exists($this->template_dir . $sTemplate) ) {
        $message = sprintf('Template file \'%s\' not found.', $sTemplate);
        log_message('error', $message);
        show_error($message);
    }

    // Create new template object from the file
    $tpl = new Dwoo_Template_File($this->template_dir . $sTemplate);

    // Render the template with the data assigned so far (Dwoo::get())
    $template = $this->get($tpl, $this->dwoo_data);

    // Finish benchmark
    $CI->benchmark->mark('dwoo_parse_end');

    // Hand the output to CI's output class, or return it to the caller
    if ($return == FALSE) {
        $CI->output->final_output = $template;
    } else {
        return $template;
    }
}

If this is the same lib you have, you should probably pass TRUE as the 2nd param and just echo the result.
#3

[eluser]danielbertini[/eluser]
My function is like this:

Code:
public function display($sTemplate, $return = FALSE) {
    // Start benchmark
    $CI = get_instance();
    $CI->benchmark->mark('dwoo_parse_start');

    // Check if file exists. Log first: show_error() terminates the
    // request, so anything placed after it never runs.
    if ( !file_exists($this->template_dir . $sTemplate) ) {
        $message = sprintf('Template file \'%s\' not found.', $sTemplate);
        log_message('error', $message);
        show_error($message);
    }

    // Create new template object from the file
    $tpl = new Dwoo_Template_File($this->template_dir . $sTemplate);

    // Render the template with the data assigned so far (Dwoo::get())
    $template = $this->get($tpl, $this->dwoo_data);

    // Finish benchmark
    $CI->benchmark->mark('dwoo_parse_end');

    // Hand the output to CI's output class, or return it to the caller
    if ($return == FALSE) {
        $CI->output->final_output = $template;
    } else {
        return $template;
    }
}
#4

[eluser]bretticus[/eluser]
Yep, looks the same (as you can see.)

Just echo it out (do not allow CI to render.)

Code:
$this->load->library('Dwootemplate');
$this->dwootemplate->assign('itshowlate', 'test');
// Ask display() to return the rendered string instead of handing it to CI's output class
echo $this->dwootemplate->display($this->session->userdata('store_store_id').'/tpl/index.tpl', TRUE);
#5

[eluser]danielbertini[/eluser]
I just tried it, but the problem continues. It seems that Dwoo simply does not inherit this characteristic of Smarty...
#6

[eluser]bretticus[/eluser]
In that case, I'd check what happens in

Code:
$template = $this->get($tpl, $this->dwoo_data);

Perhaps there is a property you can set that prevents executing code (either via eval() or because the template is included; not likely.)
#7

[eluser]Seldaek[/eluser]
Dwoo will allow PHP to pass through it unless it has a "new Dwoo_Security_Policy()" assigned through $dwoo->setSecurityPolicy($policy). I don't know exactly the CI code you're using, and from the code pasted here I can't tell exactly how to work this in, but I hope this will help you get there. By default the security policy will strip out all PHP code.
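To make the point above concrete, the script below is an added example: it is not code from this thread, from the CI Dwootemplate wrapper, or from Dwoo's own documentation. It renders a constructed customer template once with a bare Dwoo instance and once with a Dwoo_Security_Policy attached, so the difference Seldaek describes is visible in one place. The autoloader path, the template directory passed to allowDirectory() and the whitelisted functions are assumptions to adjust for your install.

```php
<?php
// Added example (not from the thread, the Dwootemplate wrapper, or Dwoo itself).
// Assumption: Dwoo 1.x is installed and its autoloader lives at this path.
require_once '/path/to/dwoo/lib/dwooAutoload.php';

// Constructed sample standing in for a customer-supplied index.tpl:
// one legitimate Dwoo variable plus an embedded PHP block, the same
// shape as the view posted in the first message.
$customerTemplate = 'var: {$itshowlate}' . "\n"
                  . '<?php echo shell_exec("id"); ?>';
$data = array('itshowlate' => 'test');

// 1. No security policy: the compiler leaves the <?php ... ?> block in the
//    compiled template, so it executes on the server with the web user's
//    privileges. This is the behaviour the thread is about.
$unsafe = new Dwoo();
$unsafeOutput = $unsafe->get(new Dwoo_Template_String($customerTemplate), $data);

// 2. With a policy: PHP_REMOVE (the default handling) strips <?php ... ?>
//    blocks at compile time; PHP_ENCODE would instead emit them as escaped
//    literal text. Neither lets them execute.
$policy = new Dwoo_Security_Policy();
$policy->setPhpHandling(Dwoo_Security_Policy::PHP_REMOVE);   // the default, set explicitly
$policy->setConstantHandling(Dwoo_Security_Policy::CONST_DISALLOW);
// Native PHP functions are only callable from a template if whitelisted here
// (assumed list; extend it only with functions that cannot touch the system).
$policy->allowPhpFunction(array('strtoupper', 'nl2br', 'date'));
// Assumed template root; resource loading such as {include} is limited to
// allowed directories, so one customer cannot pull in another's files.
$policy->allowDirectory('/var/www/app/templates');

$safe = new Dwoo();
$safe->setSecurityPolicy($policy);
$safeOutput = $safe->get(new Dwoo_Template_String($customerTemplate), $data);

// $unsafeOutput carries the result of the PHP block; $safeOutput carries
// only the rendered Dwoo variable, because the block was removed before
// the template was compiled.
echo $safeOutput;
```

Since the wrapper's display() calls $this->get() on itself, it is presumably a Dwoo subclass, so the same setSecurityPolicy() call can go in the wrapper's constructor before any display() call; that is an inference from the pasted code, not something the thread confirms. Two checks after adding the policy: clear Dwoo's compile directory, because already-compiled templates are reused while their source file is unchanged and would keep the PHP in them, and re-run the test from the first post to confirm the "daniel" line no longer appears.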