Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve elements to allow file and inline bindings #14490

Open
wants to merge 5 commits into
base: 3.x
from

Conversation

Projects
None yet
4 participants
@mvoevodskiy
Copy link

commented Mar 16, 2019

What does it do?

Added bindings @code, @inline, @file bindings with elements: snippets, chunk. This available for templates and plugins, but it's not callable as "$modx->getChunk() " / "$modx->runSnippet()".
Also, this bindings available in resource content or templates body and other parsible places.

Why is it needed?

This ability do simplier site development because you can not create chunks and snippets in database in all cases.

Also, fixed bug with static elements: now correctly check static file modofication time and if it's more than cache file, cache file will be rewrited.

Small fix PHP notice in modmediasource.class.php.

How works @FILE binding

@FILE binding creates temporary static element (chunk, snippet, template). Then static element works as usual.
You can use 2 system settings:

  • static_elements_default_mediasource for choose media source. If not selected, MODX wiil be use default media source ("Filesystem" or other)
  • static_elements_basepath for specify elements directory from media source root.

If you leave blank both settongs, specify full path for @FILE binding from site root.
If you fill static_elements_basepath setting, path for @FILE binding should be relative from path in setting.

How works @INLINE for chunks

You can use MODX tags in inline chunks with both: [[ ... ]] or {{ ... }}
{{ ... }} need to support MODX tags in inline chunk when it specified at other chunk or template.

Examples

Files

chunks/example.tpl:

[[++site_name]]
<h2>Hello, [[+modx.user.username]]!</h2>
link to home page: [[~1]]
<p>[[+param1]]</p>
<p>[[+param100]]</p>

snippets/example.php:

<?php
return $modx->user->username . ' Param: ' . $snParam;

PHP

chunks:

$chunk = '@INLINE {{++site_name}} <i>[[++emailsender]]</i> ';
echo $modx->getChunk($chunk));

$chunkName = '@FILE chunks/example.tpl';
echo $modx->getChunk($chunkName, array('param1' => 'value1 :)', 'param100' => 'cache success!!!'));

snippets:

$snippet = '@FILE snippets/example.php';
// echo $modx->runSnippet($snippet, array('snParam' => 'testValue and Cache!!'));

HTML

chunks:

[[$@INLINE {{++site_name}} <i>[[++emailsender]]</i>]]
[[$@FILE chunks/example.tpl ? &param1=`value 1 :)` &param100=`cache success!!!`]]

snippets:

[[@FILE snippets/example.php]]

Related issue(s)/PR(s)

#14201

Thanks to @bezumkin

Thanks to @bezumkin and his pdoTools. A part of logic for creating dynamic elements taken from pdoTools::_loadElement().

@mvoevodskiy mvoevodskiy requested review from Mark-H and opengeek as code owners Mar 16, 2019

@Mark-H

This comment has been minimized.

Copy link
Collaborator

commented Mar 16, 2019

I'll need to look at this more closely later, but it looks like this would allow syntax like [[!@CODE: runArbitraryPHP(); ]].

In 3.x, the @EVAL binding was removed because it could be used in TVs to run arbitrary code. This proposal seemingly would allow any access to anything editable in MODX to result in arbitrary code execution, making it a potential very disastrous vulnerability.

@mvoevodskiy

This comment has been minimized.

Copy link
Author

commented Mar 16, 2019

I'll need to look at this more closely later, but it looks like this would allow syntax like [[!@CODE: runArbitraryPHP(); ]].

In 3.x, the @EVAL binding was removed because it could be used in TVs to run arbitrary code. This proposal seemingly would allow any access to anything editable in MODX to result in arbitrary code execution, making it a potential very disastrous vulnerability.

Disabled this. @CODE and @INLINE only for chunks and templates.

@mvoevodskiy mvoevodskiy changed the title Issue 14201 Improve elements to allow file and inline bindings Mar 16, 2019

@mvoevodskiy

This comment has been minimized.

Copy link
Author

commented Mar 16, 2019

Updated description.

@JoshuaLuckers
Copy link
Collaborator

left a comment

There is a typo (temlplates) in this path: core/elements/temlplates/.gitignore

@mvoevodskiy

This comment has been minimized.

Copy link
Author

commented Mar 17, 2019

There is a typo (temlplates) in this path: core/elements/temlplates/.gitignore

Done.

@Jako Jako added this to the v3.0.0-alpha milestone Apr 1, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.