Module guidelines

Bianka Martinovic edited this page Sep 2, 2014 · 9 revisions

THIS IS WORK IN PROGRESS! YOU ARE INVITED TO MAKE SUGGESTIONS FOR THESE GUIDELINES!

File headers / Copyright headers

Any PHP file MUST have a copyright header. Other files - like CSS, templates, READMEs and so on - MAY have a copyright header.

See https://github.com/webbird/LEPTON_2_BlackCat/wiki/Copyright-headers for more information about copyright headers.

Securing the CMS

Include class.secure.php

Any PHP file MUST include class.secure.php. This protects the file from being called directly (requested by its URL instead of through the CMS) and limits which files are allowed to include config.php directly.

If a file needs to be allowed to include config.php directly, register it on installation with the sec_register_file() method of the Addons Helper class. But use this option carefully: every registered file is one more script that can be called directly.

Code:

if (defined('CAT_PATH')) {
    // Normal case: the CMS is already bootstrapped, so use its path constant
    include(CAT_PATH.'/framework/class.secure.php');
} else {
    // CAT_PATH is not set, i.e. config.php has not been loaded (typically a direct call).
    // Walk up the directory tree (at most 10 levels) until the framework directory is found,
    // so that the security check still runs.
    $root  = "../";
    $level = 1;
    while (($level < 10) && (!file_exists($root.'/framework/class.secure.php'))) {
        $root .= "../";
        $level += 1;
    }
    if (file_exists($root.'/framework/class.secure.php')) {
        include($root.'/framework/class.secure.php');
    } else {
        // Never continue without the guard: abort with a fatal error
        trigger_error(sprintf("[ <b>%s</b> ] Can't include class.secure.php!", $_SERVER['SCRIPT_NAME']), E_USER_ERROR);
    }
}

If you need to be compatible with Website Baker, use this code:

if (defined('WB_PATH')) {
    // WB_PATH is defined by Website Baker as well as by LEPTON and BlackCat (for compatibility);
    // the inner checks pick the framework that is actually running.
    // Note that nothing is included if only WB_PATH is set.
    if (defined('CAT_PATH')) include(CAT_PATH.'/framework/class.secure.php');
    elseif (defined('LEPTON_PATH')) include(LEPTON_PATH.'/framework/class.secure.php');
}
else {
    // No CMS constant at all (typically a direct call): search upwards for the framework directory
    $root  = "../";
    $level = 1;
    while (($level < 10) && (!file_exists($root.'/framework/class.secure.php'))) {
        $root .= "../";
        $level += 1;
    }
    if (file_exists($root.'/framework/class.secure.php')) {
        include($root.'/framework/class.secure.php');
    } else {
        // Never continue without the guard: abort with a fatal error
        trigger_error(sprintf("[ <b>%s</b> ] Can't include class.secure.php!", $_SERVER['SCRIPT_NAME']), E_USER_ERROR);
    }
}

Use Validate helper to sanitize form input

To improve security, modules MAY use the Validate helper class to sanitize/validate user input. If you decide not to use this class, you must implement your own form data validation. Using unvalidated form data is NEVER allowed!

See the CAT_Helper_Validate API reference for a list of available methods.
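As an added example (not code from this wiki or from the BlackCat/LEPTON code base), the following hand-rolled validation for a module form handler shows what "your own form data validation" has to cover when CAT_Helper_Validate is not used: a handler that trusts $_POST as-is, beside a hardened one that validates every field against an explicit expectation, escapes on output and keeps data out of the SQL text. The table name mod_guestbook, the field names and the in-memory SQLite PDO handle are assumptions for illustration only; the CMS's own database layer is not used here.

```php
<?php
// Added example, not part of the wiki or the CMS code base.
// Table, columns and the PDO handle are assumptions for illustration.

// --- Vulnerable: raw $_POST straight into SQL and HTML ---
function save_entry_unsafe(PDO $db, array $post): void
{
    // Untrusted data concatenated into SQL: SQL injection
    $db->exec("UPDATE mod_guestbook SET title='{$post['title']}' WHERE id={$post['id']}");
    // Untrusted data echoed back unescaped: XSS
    echo "<p>Saved " . $post['title'] . "</p>";
}

// --- Hardened: every field is checked against an explicit expectation ---
function validate_entry(array $post): array
{
    $errors = [];
    $clean  = [];

    // id: must be a positive integer, anything else is rejected
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['id'] = 'id must be a positive integer';
    } else {
        $clean['id'] = $id;
    }

    // title: required, bounded length, no control characters
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 100 || preg_match('/[\x00-\x1F\x7F]/', $title)) {
        $errors['title'] = 'title must be 1-100 printable characters';
    } else {
        $clean['title'] = $title;
    }

    // status: whitelist of known values only
    $status = $post['status'] ?? '';
    if (!in_array($status, ['draft', 'published'], true)) {
        $errors['status'] = 'unknown status';
    } else {
        $clean['status'] = $status;
    }

    // email: optional, but if present it must be well-formed
    if (isset($post['email']) && $post['email'] !== '') {
        $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            $errors['email'] = 'invalid e-mail address';
        } else {
            $clean['email'] = $email;
        }
    }

    return ['clean' => $clean, 'errors' => $errors];
}

function save_entry_safe(PDO $db, array $post): bool
{
    $result = validate_entry($post);
    if ($result['errors']) {
        foreach ($result['errors'] as $field => $msg) {
            // Escape on output, even for our own messages
            echo '<p>' . htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . '</p>';
        }
        return false;
    }
    $c = $result['clean'];
    // Prepared statement: data is bound as parameters and never becomes part of the SQL text
    $stmt = $db->prepare('UPDATE mod_guestbook SET title = :title, status = :status WHERE id = :id');
    $stmt->execute([':title' => $c['title'], ':status' => $c['status'], ':id' => $c['id']]);
    // A title like "<script>..." passes validation (it is printable text) but is neutralised here
    echo '<p>Saved ' . htmlspecialchars($c['title'], ENT_QUOTES, 'UTF-8') . '</p>';
    return true;
}

// Constructed sample: what a hostile POST could look like
$hostile = ['id' => '1 OR 1=1', 'title' => '<script>alert(1)</script>', 'status' => 'published'];

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE mod_guestbook (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$db->exec("INSERT INTO mod_guestbook VALUES (1, 'hello', 'draft')");

var_dump(save_entry_safe($db, $hostile));   // false: the id is rejected before any SQL runs
var_dump(save_entry_safe($db, ['id' => '1', 'title' => 'hello again', 'status' => 'published']));   // true
```

Validation and output escaping are separate steps: validate_entry() decides whether a value is acceptable at all, while htmlspecialchars() and the prepared statement make an accepted value harmless in the context it is used in. Dropping either half leaves the module exposed.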
