Location: PHPKode > projects > SithTemplate > SithTemplate-1.1/docs/html/08_security_8php-example.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<title>SithTemplate: 08_security.php</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<link href="doxygen.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<!-- Generated by Doxygen 1.7.2 -->
<div class="navigation" id="top">
  <div class="tabs">
    <ul class="tablist">
      <li><a href="index.html"><span>Main&#160;Page</span></a></li>
      <li><a href="pages.html"><span>Related&#160;Pages</span></a></li>
      <li><a href="annotated.html"><span>Classes</span></a></li>
      <li><a href="files.html"><span>Files</span></a></li>
      <li><a href="examples.html"><span>Examples</span></a></li>
    </ul>
  </div>
</div>
<div class="header">
  <div class="headertitle">
<h1>08_security.php</h1>  </div>
</div>
<div class="contents">
<p>An example showing various security-related settings in SithTemplate.</p>
<div class="fragment"><pre class="fragment">&lt;?php
require_once <span class="stringliteral">&#39;SithTemplate.php&#39;</span>;

$environ = <span class="keyword">new</span> <a name="_a0"></a><a class="code" href="class_template_environ.html" title="Template environment - library&amp;#39;s end-user API.">TemplateEnviron</a>;

<span class="comment">// All security settings are set using environment&#39;s setting array.</span>
<span class="comment">// Some of them may be enforced at runtime, and some at compile time,</span>
<span class="comment">// see TemplateEnviron::$settings documentation for reference.</span>

<span class="comment">// The most common is variable autoescaping, which applies &quot;escape&quot; filter</span>
<span class="comment">// to all stand-alone variables (i.e. {{ vars }}), unless they are marked</span>
<span class="comment">// with &quot;safe&quot; pseudofilter.</span>
<span class="comment">// Autoescaping is turned on with &quot;autoEscape&quot; boolean setting.</span>
$environ-&gt;settings[<span class="stringliteral">&#39;autoEscape&#39;</span>] = <span class="keyword">true</span>;
$environ-&gt;<a name="a1"></a><a class="code" href="class_template_environ.html#a564c04dff7b3d6d026ae07adf64dc8b2" title="Render the template directly.">render</a>(<span class="stringliteral">&#39;string://{{ var }}&#39;</span>, array(<span class="stringliteral">&#39;var&#39;</span> =&gt; <span class="stringliteral">&#39;&lt;b&gt;&#39;</span>));      <span class="comment">// will return &quot;&amp;lt;b&amp;gt;&quot;</span>
$environ-&gt;render(<span class="stringliteral">&#39;string://{{ var|safe }}&#39;</span>, array(<span class="stringliteral">&#39;var&#39;</span> =&gt; <span class="stringliteral">&#39;&lt;b&gt;&#39;</span>)); <span class="comment">// will return &quot;&lt;b&gt;&quot;</span>

<span class="comment">// Next, there are I/O restriction settings. They allow you to enforce specific I/O driver,</span>
<span class="comment">// e.g. when you load template using your own db:// driver, and you don&#39;t want loaded template</span>
<span class="comment">// to use any other I/O driver, like file:// or string://.</span>
<span class="comment">// Note that this is a bit primitive, and may be replaced sometime in the future.</span>
<span class="comment">// I/O restrictions are turned on by &quot;restrictIncludeIO&quot; and &quot;restrictExtendIO&quot; boolean settings.</span>
$environ-&gt;settings[<span class="stringliteral">&#39;restrictIncludeIO&#39;</span>] = <span class="keyword">true</span>;
$environ-&gt;render(<span class="stringliteral">&#39;string://{% include &quot;string://test&quot; %}&#39;</span>, array());    <span class="comment">// will return &quot;test&quot;</span>
$environ-&gt;render(<span class="stringliteral">&#39;string://{% include &quot;file://test.html&quot; %}&#39;</span>, array()); <span class="comment">// will raise TemplateError</span>

<span class="comment">// Next, there are {{ internal }} access restrictions (again, a bit primitive and boolean only).</span>
<span class="comment">// Since {{ internal }} allows template to access global constants and superglobal arrays</span>
<span class="comment">// (like $_SERVER or $_ENV), it may introduce security risk in sandboxed environment</span>
<span class="comment">// (e.g. when templates are loaded from DB, and users can edit them).</span>
<span class="comment">// {{ internal }} restrictions can be set by turning off &quot;allowInternalRequest&quot;</span>
<span class="comment">// and/or &quot;allowInternalConstants&quot; boolean settings.</span>
<span class="comment">// Since this is boolean-only and a bit inconsistent, it may get replaced.</span>
$environ-&gt;render(<span class="stringliteral">&#39;string://{{ internal.request.ENV.PATH.0 }}&#39;</span>, array()); <span class="comment">// will return $_ENV[&#39;PATH&#39;][0]</span>
$environ-&gt;settings[<span class="stringliteral">&#39;allowInternalRequest&#39;</span>] = <span class="keyword">false</span>;
$environ-&gt;render(<span class="stringliteral">&#39;string://{{ internal.request.ENV.PATH.0 }}&#39;</span>, array()); <span class="comment">// will raise TemplateError</span>

<span class="comment">// Finally, there are security lists, that allows you to handpick plugins, tags, filters and</span>
<span class="comment">// plain PHP functions that templates are allowed to use. Lists are the most complex of security</span>
<span class="comment">// settings, as they support multiple modes of evaluation (allow all, deny; allow, deny; deny, allow; deny all, allow),</span>
<span class="comment">// and wildcards (TemplateEnviron::SECURITY_MATCH_EVERYTHING).</span>
<span class="comment">// Evaluation mode is controlled by &quot;securityEvalMode&quot; enumerative setting, and lists themselves</span>
<span class="comment">// are stored in several array settings: &quot;allowedPlugins&quot;, &quot;allowedTags&quot;, &quot;allowedFilters&quot;, &quot;allowedFunctions&quot;</span>
<span class="comment">// and their &quot;disallowed*&quot; counterparts.</span>
$environ-&gt;settings[<span class="stringliteral">&#39;securityEvalMode&#39;</span>] = <a name="a2"></a><a class="code" href="class_template_environ.html#ae3f379fc7bd67ba77f1ad1ad998db3eb" title="One of security modes - first disallow all, then check &amp;#39;allowed&amp;#39; list.">TemplateEnviron::SECURITY_DENY_ALL</a>; <span class="comment">// most restrictive setting</span>
$environ-&gt;settings[<span class="stringliteral">&#39;allowedTags&#39;</span>]      = array(<span class="stringliteral">&#39;block&#39;</span>); <span class="comment">// you don&#39;t have to specify ending tags</span>
$environ-&gt;render(<span class="stringliteral">&#39;string://{% block foo %}foo{% endblock %}&#39;</span>, array()); <span class="comment">// will return &quot;foo&quot;</span>
$environ-&gt;render(<span class="stringliteral">&#39;string://{% comment %}foo{% endcomment %}&#39;</span>, array()); <span class="comment">// will raise TemplateError</span>
</pre></div> </div>
</div>
<hr class="footer"/><address class="footer"><small>Generated on Fri Jan 14 2011 20:08:36 for SithTemplate by&#160;
<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.2 </small></address>
</body>
</html>
Web-based Email Marketing Software for sending email newsletters
Return current item: SithTemplate