Plugin administration can't be accessed under XH 1.7 #7

Closed
cmb69 opened this Issue Mar 16, 2017 · 3 comments

Contributor

cmb69 commented Mar 16, 2017

I've just noticed that the plugin administration of TinyMCE 4 (and also TinyMCE 3, BTW) can't be accessed anymore under recent CMSimple_XH 1.7. That's been caused by cmsimple-xh/cmsimple-xh#22. initvar() in combination with checking for the value to be truthy isn't sufficient, because $tinymce==='' (before this change in CMSimple_XH, the initvar() has been a no-op, by the way).

I suggest using XH_wantsPluginAdministration() for the check.

Owner

manu37 commented Apr 6, 2017

Now is there a new way to sanitize SERVER variables like $admin & $action or do I have to do it by hand like in the old days?

Owner

manu37 commented Apr 6, 2017

> the initvar() has been a no-op, by the way

It's all Greek to me, but initvar() is still alive, isn't it?

Contributor

cmb69 commented Apr 6, 2017

> Now is there a new way to sanitize SERVER variables like $admin & $action or do I have to do it by hand like in the old days?

No, there is no new way. However, I don't think that it is necessary to sanitize $admin and $action. Just compare them to a white-list, and do the default action for everything else. See, for instance, how it's done in Pagemanager.

If you need to sanitize other variables consider using the filter extension (I suppose that it is generally available). The API is, however, terrible, IMHO.

> It's all Greek to me, but initvar() is still alive, isn't it?

Yes, initvar() still exists, unfortunately, but killing it would be too much of a backward compatibility break, but deprecating it might be appropriate. What I meant above is that initvar('pluginname') has been unnecessary in earlier CMSimple(_XH) versions, because $pluginname has already been initialized before, but calling initvar() on an already initialized variable does nothing.
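
The empty-string pitfall from the issue description and the allow-list dispatch suggested in the comment above, as an added example that is not part of the thread and not code from the plugin, Pagemanager or CMSimple_XH. It assumes PHP 7 and that the administration URL carries the plugin name as a valueless query parameter; the function names, handler names and allow-list entries are hypothetical.

```php
<?php
// Added example: not code from the plugin, Pagemanager or CMSimple_XH.
// Function names, handler names and allow-list entries are assumptions.

// Truthiness check: false for "?tinymce" because the value is ''.
function wantsAdminTruthy(array $query, string $plugin): bool
{
    return !empty($query[$plugin]);
}

// Presence check: the parameter only has to exist; its value is ignored.
function wantsAdminPresent(array $query, string $plugin): bool
{
    return array_key_exists($plugin, $query);
}

// Map untrusted admin/action values to a fixed handler name. Anything not
// on the allow-list gets the default, so the raw value is never used directly.
function resolveHandler(array $query): string
{
    $allowed = [ // assumed screens; a real plugin lists its own
        'plugin_main'   => ['plugin_text' => 'showEditorSettings'],
        'plugin_config' => ['plugin_edit' => 'showConfig', 'plugin_save' => 'saveConfig'],
    ];
    // Reject non-string input such as admin[]=x before using it as a key.
    $admin  = is_string($query['admin'] ?? null) ? $query['admin'] : '';
    $action = is_string($query['action'] ?? null) ? $query['action'] : '';
    return $allowed[$admin][$action] ?? 'showDefault';
}

// Constructed sample requests (already parsed query strings).
$samples = [
    '?tinymce&admin=plugin_config&action=plugin_edit'
        => ['tinymce' => '', 'admin' => 'plugin_config', 'action' => 'plugin_edit'],
    '?tinymce&admin=no_such_screen&action=plugin_edit'
        => ['tinymce' => '', 'admin' => 'no_such_screen', 'action' => 'plugin_edit'],
    '?tinymce&admin[]=x'
        => ['tinymce' => '', 'admin' => ['x']],
    '?Welcome'
        => ['Welcome' => ''],
];
foreach ($samples as $url => $query) {
    printf("%-50s truthy=%s present=%s handler=%s\n", $url,
        var_export(wantsAdminTruthy($query, 'tinymce'), true),
        var_export(wantsAdminPresent($query, 'tinymce'), true),
        resolveHandler($query));
}
```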

manu37 added a commit that referenced this issue Apr 7, 2017

issues
#7 Plugin administration can't be accessed under XH 1.7 &
#10 Unnecessary by-ref assignments
resolved

Signed-off-by: manu <marinello@pixolution.ch>

@manu37 manu37 closed this Apr 7, 2017
