safe_data
Prev     Next

Name

safe_data — allow interpolation of database values in search for Interchange tags

VALUE

0 | 1

DEFAULT

0

DESCRIPTION

By default, Interchange does not allow data returned from the databases to be interpolated (all the [s are converted to an HTML entity [ and displayed literally). Setting this pragma eliminates the restriction and passes [s through for interpolation.

If you want to have tags in your database and display them in Interchange pages (to say, display [page] links for internal hyperlinks in your product descriptions), you need to enable this pragma. Some things to consider, though:

It might be better to use the safe_data attribute available to certain tags, or perhaps the [pragma] for a whole page or [tag pragma safe_data][/tag] for a small block of ITL code on a page, instead of setting a catalog-wide safe_data pragma.

In any case, it is strongly recommended that you surround the area in a [restrict] tag to only allow specific set of tags to appear "in-band" (which should be relatively safe), such as [page] or [area]. Expect security compromises if you allow [calc], [perl] or any other extremely powerful tags.

Be certain that you absolutely know where the data from your databases will be used. Consider the following:

  • Will it always be possible to interpolate?

  • What about e-mailed plain-text receipts? Will literal "[page ]" tags show up in product descriptions on the receipt?

  • Would the desired output of <a href="..."> be any better than a simple plain text?

  • What if you access your database from applications other than Interchange? You'd then have to decide what to do with such tags; perhaps you could simply strip them, but will the missing output cause trouble?

To sum up, safe_data is disabled by default for a reason, and you should be very careful if you decide to enable it.

EXAMPLES

Example: Enabling safe_data catalog-wide

Add the following to catalog.cfg:

Pragma safe_data

Example: Enabling safe_data block-wide

We'll restrict the available tags to [area] and [page], and enclose the critical section in [tag pragma ...]:

[tag pragma safe_data]1[/tag]
  ...critical section...
  [restrict area page]
  ...critical section...
  [/restrict]
  ...critical section...
[tag pragma safe_data]0[/tag]

Example: Enabling safe_data page-wide

Add the following anywhere on an Interchange page:

NOTES

Watch out for parse order with tag pragma or restrict when used with lists that retrieve data from the database (such as [PREFIX-*], [loop], or the flypage). Loops parse before regular tags like [tag], and are thus not affected by them (so you must include the whole loop code in the "critical section").

AVAILABILITY

safe_data is available in Interchange versions:

4.6.0-5.9.0 (git-head)

SOURCE

Interchange 5.9.0 (1/1 contexts shown):

Source: lib/Vend/Interpolate.pm
Line 1746 (context shows lines 1736-1750 in ed():1745) 

if ($opt->{no_return}) {
  $Vend::Session->{mv_perl_result} = $result;
  $result = join "", @Vend::Document::Out;
  @Vend::Document::Out = ();
}
#::logDebug("tag_perl succeeded result=$result\nEND");
return $result;
}

sub ed {
return $_[0] if ! $_[0] or $Safe_data or $::Pragma->{safe_data};
$_[0] =~ s/\[/&#91;/g;
return $_[0];
}

AUTHORS

Interchange Development Group

SEE ALSO

DocBook! Interchange!

Prev     Next
pre_page  Home  set_httponly