Added constant support to context #131

Closed

@dkraczkowski

Hi, I was searching for a way to not have to pass config data to my templates every time (basehref example). Hope constant support can help someone.

@bobthecow
Owner

This introduces a lot of things you might not have anticipated...

{{ _POST }}, {{ _SERVER }}, {{ _SESSION }}, {{ _COOKIE }} and other superglobals probably shouldn't be exposed as globals in your templating language.

Exposing magic constants (__DIR__, __METHOD__, etc) would be unexpected and strange, but most likely not a vulnerability. I haven't looked at all of 'em, but there are a bajillion more predefined constants... or at least thousands.

Even worse: in many apps and environments, authentication data for third-party APIs and services is set as environment variables, so exposing {{ _ENV }} would be particularly disastrous.

A better approach than blindly allowing all constants would be to pass in explicitly whitelisted values which you wish to make available. You could register a "helper" full of them while instantiating your Mustache instance if you want to have them available to all templates:

```php
<?php
$m = new Mustache_Engine;
$m->addHelper('config', array(
    'domain'    => 'example.com',
    'base_href' => 'http://example.com/',
    'site_name' => MY_SITE_NAME_CONSTANT,
    // ...
));

$m->render('<a href="{{ config.base_href }}">{{ config.site_name }}</a>');
```

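
Added example (not part of the original thread and not Mustache.php code): a stand-alone comparison of the lookup order the patch proposes with a helper array built from an explicit allowlist of constants. The function names `lookupWithPatch` and `buildConfigHelper`, the three `define()`d constants and the sample context are all constructed for illustration.

```php
<?php
// Constructed application constants (assumptions for this example).
define('SITE_NAME', 'Example Site');
define('BASE_HREF', 'http://example.com/');
define('PAYMENT_API_SECRET', 'constructed-secret-value');

// Hypothetical stand-in for the patched lookup: constants are tried first,
// then the view context.
function lookupWithPatch($id, array $context)
{
    if (defined($id)) {
        return constant($id);
    }
    return array_key_exists($id, $context) ? $context[$id] : '';
}

// Build a helper array from an explicit map of template key => constant name.
// Undefined or non-scalar constants are rejected instead of silently skipped.
function buildConfigHelper(array $allowlist)
{
    $helper = array();
    foreach ($allowlist as $key => $constantName) {
        if (!defined($constantName)) {
            throw new InvalidArgumentException("Undefined constant: $constantName");
        }
        $value = constant($constantName);
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("Non-scalar constant: $constantName");
        }
        $helper[$key] = $value;
    }
    return $helper;
}

// The view deliberately supplies its own PHP_OS value to show shadowing.
$context = array('title' => 'Home', 'PHP_OS' => 'value from the view');

// With constants tried first, every defined name resolves, wanted or not,
// and the view's PHP_OS entry is never reached.
foreach (array('title', 'SITE_NAME', 'PAYMENT_API_SECRET', 'PHP_OS') as $tag) {
    printf("%-20s => %s\n", $tag, var_export(lookupWithPatch($tag, $context), true));
}

// With the allowlist, only the two chosen constants reach the templates.
$config = buildConfigHelper(array('site_name' => 'SITE_NAME', 'base_href' => 'BASE_HREF'));
var_dump($config);
// The array would then be registered as in the comment above:
// $m->addHelper('config', $config);
```
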
@dkraczkowski

Yep, you're right, I haven't thought about it.

@dkraczkowski dkraczkowski deleted the branch
Commits on Jan 14, 2013
  1. @dkraczkowski
Showing with 3 additions and 0 deletions.
  1. +3 −0  src/Mustache/Context.php
3  src/Mustache/Context.php
@@ -132,6 +132,9 @@ public function findDot($id)
*/
private function findVariableInStack($id, array $stack)
{
+ if (defined($id)) {
+ return constant($id);
+ }
for ($i = count($stack) - 1; $i >= 0; $i--) {
if (is_object($stack[$i]) && !$stack[$i] instanceof Closure) {
if (method_exists($stack[$i], $id)) {
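
Review bot: the `defined($id)` check at the top of `findVariableInStack()` runs before the stack loop, so any tag name that matches a defined constant returns that constant and a context value with the same name is never reached. Nothing in the added lines limits which constants qualify, so every constant defined in the process becomes readable from a template. Suggest dropping the check and supplying the chosen values through the context or a helper; if constant lookup is kept, do it only after the stack search fails and only for names on an explicit allowlist.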