TalkPHP
Home Forums Articles Glossary Awards Register Rules Members Search Today's Posts Mark Forums Read
 
 
 
Account Login
Latest Articles
» The basic usage of PHPTAL, a XML/XHTML template library for PHP
by awuehr on 11-10-2008 in Tips & Tricks
» Vulnerable methods and the areas they are commonly trusted in.
by Village Idiot on 11-04-2008 in Classes & Objects
» Simple way to protect a form from bot
by codefreek on 10-23-2008 in Basic
» The Basics On: How Session Stealing Works
by wiifanatic on 09-12-2008 in Security & Permissions
» How to keep your forms from double posting data
by drewbee on 07-03-2008 in Tips & Tricks
IRC Channel
IRC Speech Bubble Join the friendly bunch on IRC...
(#TalkPHP on Freenode)

...Also available via a web interface.

See this thread for information on the TalkPHP Free Hugs Initiative™. Subject to availability.
Associates
Associates
CSS Tutorials
TalkPHP > Developer Forums > General » Templating
Reply
 
LinkBack Thread Tools Search this Thread Display Modes
Old 07-26-2008, 09:36 AM   #1 (permalink)
Jmz
The Acquainted
 
Join Date: Oct 2007
Location: Newcastle, UK
Posts: 113
Thanks: 3
Jmz is on a distinguished road
Default Templating
I run a site where users can create a 'profile' for themselves. Basically it's a mini site that they can update themselves.

I would like to allow the users to be able to edit the design of their own site themselves. Basically they will create a template for their website. I want to be able to do this without giving them the chance to do anything bad (so for example, access to the PHP is a no no).

What's the best way to do this?
__________________
Free CSS Tutorials
Send a message via MSN to Jmz
Jmz is offline   		Reply With Quote
Old 07-26-2008, 11:09 AM   #2 (permalink)
The Contributor
 
abiko's Avatar
 
Join Date: Feb 2008
Location: Croatia
Posts: 90
Thanks: 4
abiko is on a distinguished road
Default
Let the just edit the CSS of the page.
You make a structure and they can easily edit certain classes or IDs.. That is if you have a fixed layout, but if you want them to make their own page, order the things as they want them..
Use one of the templating engines and give them the variables what they can use.
__________________
Back from sysadmins to the programmers.
Send a message via ICQ to abiko Send a message via MSN to abiko
abiko is offline   		Reply With Quote
Old 07-26-2008, 04:20 PM   #3 (permalink)
The Contributor
 
ryanmr's Avatar
 
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 44
Thanks: 3
ryanmr is on a distinguished road
Default
Make sure you either strip out or stop CSS like this:
HTML Code:
 .h1 {
  background-image: url( javascript: XSS() );
 }
That's a pretty big XSS vector. If you don't only allow edits to css but also to xhtml/html, I suggest using HTML Purifier - Filter your HTML the standards-compliant way!, since that will be very likely to stop major XSS vectors.
ryanmr is offline   		Reply With Quote
Reply

« Previous Thread | Next Thread »


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT. The time now is 06:30 PM.

 
     
Contact Us - TalkPHP - PHP Community - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Inactive Reminders By Icora Web Design