Forum OpenACS Development: Templates & Security

Posted by Malte Sussdorff on
I've realized an itch that I can easily scratch myself, but that will be tremendously more difficult for someone without SSH access to my machine:

How do I change templates? I'm asking this in the light of Site-Wide, ETP and Survey (0.3d). Is it possible using a "template" package, and if yes, what security measures should we have to take?

Let me sketch my vision here:

The Templating package will allow you to edit all templates the various packages offer using a web frontend. In a first step, all packages would have to tell the templating package what template directory they have. We might define special types of templates for easy access to quick manipulations affecting the whole site (default-master, article-index...).

The templating package goes through the directory and scans in all template.tcl files, looking for variables that will be set in the context of the ADP. A structured view is presented to the user (all installed packages with templates), that allows the user to view, add and edit the current templates.

In the editing mode, the whole .adp file will be shown in a textarea and above or below you will see all variables available to you.

In the add mode, you will first have to select an existing template to start from and then edit your ADP. Why? Well, how are you going to get the .tcl file otherwise?

Which brings me to the second part of the topic: Security. As you can do pretty nasty stuff with templates, a scanner has to be installed that prevents the template designer from including malicious code. I'd follow the idea of TIP 14 (https://openacs.org/forums/message-view?message_id=120544), but as Don said it might take a while. Maybe a check by the add/edit page would be enough?

I think we should in the medium run generate an RFC about this, also incorporating the idea of having templates depending on the package instance. I know Timo has worked on a templating system for Shar****, it would be good to talk about the design ideas behind it as well.

Jeff, do you see this duplicating your work on theming (https://openacs.org/forums/message-view?message_id=134257)?

Posted by Jeff Davis on
I don't think it directly duplicates theming. Most of the work for theming will be cleaning up existing markup so that it is less presumptuous about layout (make it all semantic with suitable css classes), improving documentation, and breaking some things out into includable templates.

In fact what you are talking about is quite complementary to theming, although I think you will need to be quite thoughtful about how you support different subsites using the same templates (and it would be nice to think about how to export those templates to others as well).

Posted by Dave Bauer on
Malte,

I have been thinking about this for a while. What I think is the best idea is to define an alternative adp location for each package instance. Either through a package instance parameter, or just a parallel directory tree, possibly under openacs-4/templates which mirrors the site-map.

Doing this requires a small change to ad_return_template which sets what template file to use. And of course, make sure all the tcl files that return a page explicitly call ad_return_template.

In addition, programmers should set the -properties section in the tcl file to document what variables are available to use in the adp file. Then they can easily be offered on the edit page.

For security, disallowing tcl code in adps, and adding additional adp tags to make it easier to add functions to pages should be helpful.

Of course, if more packages used the content repository, we could use the template assignment features of the content repository to figure out which template to use to display a page. The old CMS package actually parses the CR templates, and implements its own additional tags to make it easier for template editors.

I look forward to getting this working.
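
The check discussed in this thread (a scan by the add/edit page, and disallowing Tcl code in ADPs), sketched as an added example that is not code from any of the posts or from OpenACS. The proc name `adp_find_embedded_tcl` is hypothetical, the sample template is constructed, and the code assumes embedded Tcl reaches an ADP as `<% ... %>`, `<%= ... %>` or a `<script ... runat=server>` block.

```tcl
# Added example, not OpenACS code; adp_find_embedded_tcl is a hypothetical name.
# Returns a sorted list of {line reason} pairs for the submitted ADP text.
# An empty list means no embedded Tcl was found.
proc adp_find_embedded_tcl {adp_text} {
    set findings [list]

    # Pattern 1: any "<%" is reported, terminated or not, so the result does
    #   not depend on how the ADP parser treats malformed input.
    # Pattern 2: <script ... runat=server>, in any case, quoted or unquoted,
    #   and possibly split across several lines.
    set patterns [list \
        {<%} \
            "inline Tcl block (<% or <%=)" \
        {<script\M[^>]*\mrunat\s*=\s*["']?server} \
            "server-side <script runat=server> block"]

    foreach {re reason} $patterns {
        foreach match [regexp -all -inline -indices -nocase -- $re $adp_text] {
            set start [lindex $match 0]
            # Line number = newlines before the match, plus one.
            set prefix [string range $adp_text 0 [expr {$start - 1}]]
            set line [expr {[regexp -all -- {\n} $prefix] + 1}]
            lappend findings [list $line $reason]
        }
    }
    return [lsort -integer -index 0 $findings]
}

# Constructed sample template: two plain template lines, one inline Tcl
# expression, and a mixed-case script tag that spans two lines.
set sample {<master>
<h1>@title@</h1>
<%= [ns_info pageroot] %>
<SCRIPT language=tcl
  RUNAT="server">set x 1</script>
<p>@body@</p>}

foreach finding [adp_find_embedded_tcl $sample] {
    puts "line [lindex $finding 0]: [lindex $finding 1]"
}
```

An add/edit page would refuse to save the template when the returned list is non-empty. The check only sees the text submitted through that page, so templates already on disk are outside its reach.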