Extension talk:Secured PHP

From MediaWiki.org


Default Values for Parameters

While trying to use this extension to include a script, I discovered that it does not allow the use of default values in its parameter syntax...

While with templates, you can use the following in the template wikitext:

{{{param_name|default_value}}}

this extension didn't support it. Therefore, I replaced the following function:

function renderSecuredPHP( &$parser, $param1 = '', $param2 = '' ) {
    // Look up the page in the PHP namespace named by the first parameter.
    $title = Title::makeTitleSafe( NS_PHP, $param1 );
    if ( !$title ) return false;
    $revision = Revision::newFromTitle( $title );
    if ( !$revision ) return false;
    $wikitext = $revision->getText();
    // Substitute the supplied "a=1&b=2" parameters for {{{a|}}} and {{{a}}}.
    if ( $param2 ) {
        $params = explode( '&', $param2 );
        foreach ( $params as $param ) {
            $param = explode( '=', $param );
            $wikitext = str_replace( '{{{' . $param[0] . '|}}}', $param[1], $wikitext );
            $wikitext = str_replace( '{{{' . $param[0] . '}}}', $param[1], $wikitext );
        }
    }
    // Any remaining {{{name|}}} placeholder is blanked; no default value is supported.
    $wikitext = preg_replace( '/{{{[^}]+\|}}}/', '', $wikitext );
    ob_start();
    $callback = eval( $wikitext );
    $output = ob_get_contents();
    ob_end_clean();
    return array( $output, 'noparse' => true, 'isHTML' => true );
}

with

function renderSecuredPHP( &$parser, $param1 = '', $param2 = '' ) {
    $title = Title::makeTitleSafe( NS_PHP, $param1 );
    if ( !$title ) return false;
    $revision = Revision::newFromTitle( $title );
    if ( !$revision ) return false;
    $wikitext = $revision->getText();
    if ( $param2 ) {
        $params = explode( '&', $param2 );
        foreach ( $params as $param ) {
            // Split on the first '=' only, so values may contain '='; skip pairs without one.
            $param = explode( '=', $param, 2 );
            if ( count( $param ) !== 2 ) continue;
            // Escape '\' and '$' so preg_replace() inserts the value literally
            // instead of reading "$1" or "\1" inside it as a backreference.
            $value = strtr( $param[1], array( '\\' => '\\\\', '$' => '\\$' ) );
            // A supplied value overrides the default: {{{name|default}}} and {{{name}}}.
            $wikitext = preg_replace( '/{{{' . preg_quote( $param[0], '/' ) . '\|[^}]*}}}/', $value, $wikitext );
            $wikitext = preg_replace( '/{{{' . preg_quote( $param[0], '/' ) . '}}}/', $value, $wikitext );
        }
    }
    // Remaining placeholders: keep the default where one is given, otherwise blank them.
    $wikitext = preg_replace( '/{{{[^}]+\|([^}]*)}}}/', '\\1', $wikitext );
    $wikitext = preg_replace( '/{{{[^}]+}}}/', '', $wikitext );
    ob_start();
    $callback = eval( $wikitext );
    $output = ob_get_contents();
    ob_end_clean();
    return array( $output, 'noparse' => true, 'isHTML' => true );
}

While I only changed the middle few lines, the function is indented erratically in the original article and so I have copied the whole function. By replacing the code as mentioned above, you can use the standard default value syntax for templates.

An example:

PHP:Greeting:

Hello {{{name|MediaWiki}}} user! Welcome to {{{website|http://www.example.com}}}. Testing {{{teststr|1, 2, 3}}}.

Any other page:

A greeting: {{#php: Greeting|name=Example &teststr=3, 2, 1}}

Result:

Hello Example user! Welcome to http://www.example.com. Testing 3, 2, 1.

I hope this proves useful for others as it did for me. While I cannot see any immediate security flaws, if anyone sees any, please post them here and post the corrected code below.

Finally, while I didn't edit the code on the page itself so that the code's original author can maintain control, as this only adds functionality, it probably makes sense for this to be merged into the main code.

If the author (or whoever is taking responsibility for the extension page) wishes so, feel free to merge this into the main code.

--TechKid 18:30, 16 May 2009 (UTC)
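The default-value substitution described in the post above, written as a stand-alone added example (this is not the extension's code and not TechKid's patch; the function names parsePhpParams and substitutePhpParams, and the sample strings, are this example's own). It parses the "a=1&b=2" parameter string and resolves {{{name}}} and {{{name|default}}} placeholders with a single regular expression and preg_replace_callback, so a supplied value is inserted literally even when it contains "$1" or "\1", which preg_replace() would otherwise expand as a backreference. Two caveats worth keeping in mind with the patch above: splitting each pair on the first '=' only lets values contain '=', and in the extension the substituted text is what eval() receives, so every supplied value becomes part of PHP source; this example only makes the substitution step predictable and does not change that trust model.

```php
<?php
// Added example: template-style default values for #php parameters.
// Not part of the Secured PHP extension; names and sample data are constructed.

/**
 * Parse "a=1&b=2" into an associative array.
 * Splits on the first '=' only so values may contain '='; a pair with no '='
 * is skipped rather than producing an undefined index.
 */
function parsePhpParams($paramString) {
    $params = array();
    if ($paramString === '') {
        return $params;
    }
    foreach (explode('&', $paramString) as $pair) {
        $parts = explode('=', $pair, 2);
        if (count($parts) !== 2) {
            continue;
        }
        $params[trim($parts[0])] = $parts[1];
    }
    return $params;
}

/**
 * Replace every {{{name}}} and {{{name|default}}} in $text.
 * Precedence: supplied value, then the default, then the empty string.
 * Values are returned from the callback as-is, so no backreference expansion
 * happens on them. Placeholder names may not contain '|' or '}'.
 */
function substitutePhpParams($text, array $params) {
    return preg_replace_callback(
        '/\{\{\{([^|}]+)(?:\|([^}]*))?\}\}\}/',
        function ($m) use ($params) {
            $name = trim($m[1]);
            if (array_key_exists($name, $params)) {
                return $params[$name];
            }
            // Group 2 is absent from $m when the placeholder has no default.
            return isset($m[2]) ? $m[2] : '';
        },
        $text
    );
}

// Constructed sample mirroring the PHP:Greeting page from the post.
$greeting = 'Hello {{{name|MediaWiki}}} user! Welcome to {{{website|http://www.example.com}}}. Testing {{{teststr|1, 2, 3}}}.';
echo substitutePhpParams($greeting, parsePhpParams('name=Example&teststr=3, 2, 1')), "\n";

// A value that preg_replace() would mangle as a backreference is kept literally.
echo substitutePhpParams('Price: {{{amount|0}}}', parsePhpParams('amount=$1 and \\1')), "\n";

// A pair without '=' is ignored and the default is used.
echo substitutePhpParams('Site: {{{website|http://www.example.com}}}', parsePhpParams('website')), "\n";
```

Run it with `php example.php`; the first line prints the same greeting the post shows as its result, the second shows the literal "$1 and \1", and the third falls back to the default because "website" carried no value.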