Author Topic: PHP in WYSIWYG....  (Read 1176 times)
StefanRSA

« on: November 19, 2008, 09:23:46 AM »

Does anybody know how to activate the use of php in any WYSIWYG editor?
Logged

How can the sky be the limit? There is much more behind the sky!!!
thorn

« Reply #1 on: November 19, 2008, 09:59:06 AM »

Hello,

there is a thread about that in the German subforum
http://www.websitebaker2.org/forum/index.php/topic,11688.msg71336.html#msg71336
with a proof-of-concept implementation.
But keep in mind that there are high security issues (e.g. XSS, Code-Injection for modules which allow user-interaction (e.g. commenting)).

One has to add this to /modules/fckeditor/wb_config/wb_fckconfig.js
Code:
FCKConfig.ProtectedSource.Add( /<\?[\s\S]*?\?>/g ) ;    // PHP style server side code
and to replace in /framework/frontend_functions.php this
Code:
// highlights searchresults
if (isset($_GET['searchresult']) AND is_numeric($_GET['searchresult']) AND !isset($_GET['nohighlight'])) {
  if (isset($_GET['sstring']) AND !empty($_GET['sstring']) ){
    $arr_string = explode(" ", $_GET['sstring']);
    if($_GET['searchresult'] == 2) {
      // exact match
      $arr_string[0] = strtr($arr_string[0], "_"," ");
    }
    ob_start(); //start output buffer
    require(WB_PATH.'/modules/'.$module.'/view.php');
    $foo = ob_get_contents();    // put outputbuffer in $foo
    ob_end_clean();             // clear outputbuffer
    echo search_highlight($foo, $arr_string);
  }
} else {
  require(WB_PATH.'/modules/'.$module.'/view.php');
}
with this
Code:
// use eval on allowed modules
$eval_allowed_modules = array('wysiwyg');
ob_start(); // fetch original content
require(WB_PATH.'/modules/'.$module.'/view.php');
$content = ob_get_contents();
ob_end_clean();
if(in_array($module, $eval_allowed_modules)) {
  if(preg_match('#<\?php#',$content)) {
    ob_start(); // fetch 'evaluated' content
    eval('?>'.$content);
    $content = ob_get_contents();
    ob_end_clean();
  }
}
// highlights searchresults
if(isset($_GET['searchresult']) && is_numeric($_GET['searchresult']) && !isset($_GET['nohighlight']) && isset($_GET['sstring']) && !empty($_GET['sstring'])) {
  $arr_string = explode(" ", $_GET['sstring']);
  if($_GET['searchresult']==2) { // exact match
    $arr_string[0] = strtr($arr_string[0], "_"," ");
  }
  echo search_highlight($content, $arr_string);
} else {
  echo $content;
}

eval() is called in the variable-scope of page_content(). So, it's pretty easy to overwrite some of page_content's variables.

thorn.
Logged
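
The scope problem thorn describes at the end of this post, shown as an added example that is not part of the original post and is not WebsiteBaker code. `render_shared()` mirrors the eval step of the proof-of-concept; `render_isolated()`, `eval_isolated()` and the sample content are hypothetical names and constructed data.

```php
<?php
// Added example, not WebsiteBaker code. render_shared() mirrors the eval
// step of the proof-of-concept; render_isolated() and eval_isolated() are
// hypothetical names for a variant that evaluates in its own function scope.

// Constructed sample of what a WYSIWYG section could contain.
$sample = '<p>Hello</p><?php $module = "overwritten"; echo "<p>from PHP</p>"; ?>';

// eval() shares the local scope of the function that calls it, so the
// snippet can read and overwrite $module, $content and any other local.
function render_shared($module, $content) {
    if (preg_match('#<\?php#', $content)) {
        ob_start();
        eval('?>' . $content);
        $content = ob_get_clean();
    }
    return array('module' => $module, 'content' => $content);
}

// The only local visible to the snippet here is $__code. This limits
// clobbering of the caller's variables and nothing else: the snippet can
// still reach $GLOBALS and runs with the full rights of the PHP process.
function eval_isolated($__code) {
    ob_start();
    try {
        eval('?>' . $__code);
    } catch (Throwable $e) {   // PHP 7+: a syntax error raises ParseError
        ob_end_clean();
        return '';             // drop partial output of broken content
    }
    return ob_get_clean();
}

function render_isolated($module, $content) {
    if (preg_match('#<\?php#', $content)) {
        $content = eval_isolated($content);
    }
    return array('module' => $module, 'content' => $content);
}

// Compare what each variant leaves in the caller's $module.
foreach (array('render_shared', 'render_isolated') as $fn) {
    $out = $fn('wysiwyg', $sample);
    echo $fn, ': module=', $out['module'], ' content=', $out['content'], "\n";
}
```

Scope isolation only protects the local variables of page_content(); anyone who can save content in an eval-enabled module can still run arbitrary PHP, so the XSS and code-injection concerns named in the post remain.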

StefanRSA

« Reply #2 on: November 19, 2008, 10:14:00 AM »

Thanks Thorn...

In short... If I make the changes, will I be able to add variables on the editor?
I tried to follow the German thread of this subject but my translator is not clear enough...
« Last Edit: November 19, 2008, 10:19:47 AM by StefanRSA » Logged

How can the sky be the limit? There is much more behind the sky!!!
crnogorac081
« Reply #3 on: November 26, 2008, 03:44:07 AM »

I have a small problem. The file I have in the WB install dir in /framework is frontend.functions.php, not frontend_functions.php, and when I open it the code which starts with // highlights searchresults is different...
How much code do I have to change?

Code:

//function to highlight search results
if (!function_exists('search_highlight')) {
function search_highlight($foo='', $arr_string=array()) {
    require_once(WB_PATH.'/framework/functions.php');
    static $string_ul_umlauts=array();
    if($string_ul_umlauts == array())
        require(WB_PATH.'/search/search_convert.php');
    $foo = entities_to_umlauts($foo, 'UTF-8');
    array_walk($arr_string, create_function('&$v,$k','$v = preg_quote($v, \'/\');'));
    $search_string = implode("|", $arr_string);
    $string = strtr($search_string, $string_ul_umlauts);
    // special-feature: '|' means word-boundary (\b). Searching for 'the|' will find 'the', but not 'thema'.
    $string = strtr($string, array('\\|'=>'\b'));
    // the highlighting
    // match $string, but not inside <style>...</style>, <script>...</script>, <!--...--> or HTML-Tags
    // split $string into pieces - "cut away" styles, scripts, comments, HTML-tags and eMail-addresses
    // for HTML-Tags use <(?:[^<]|<.*>)*> which will match strings like <input ... value="<b>value</b>" >
    $matches = preg_split("/(<style.*<\/style>|<script.*<\/script>|<!--.*-->|<(?:[^<]|<.*>)*>|\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,8}\b)/iUs",$foo,-1,(PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY));
    if(is_array($matches) && $matches != array()) {
        $foo = "";
        foreach($matches as $match) {
            if($match{0}!="<" && !preg_match('/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,8}$/i', $match)) {
                $match = strtr($match, array('&lt;'=>'<', '&gt;'=>'>', '&amp;'=>'&', '&quot;'=>'"', '&#39;'=>'\'', '&nbsp;'=>"\xC2\xA0"));
                $match = preg_replace('/('.$string.')/iS', '_span class=_highlight__$1_/span_',$match);
                $match = strtr($match, array('<'=>'&lt;', '>'=>'&gt;', '&'=>'&amp;', '"'=>'&quot;', '\''=>'&#39;', "\xC2\xA0"=>'&nbsp;'));
                $match = str_replace(array('_span class=_highlight__', '_/span_'), array('<span class="highlight">', '</span>'), $match);
            }
            $foo .= $match;
        }
    }
   
    if(DEFAULT_CHARSET != 'utf-8') {
        $foo = umlauts_to_entities($foo, 'UTF-8');
    }
    return $foo;
}
}

// Old menu call invokes new menu function
Logged

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
thorn

« Reply #4 on: November 26, 2008, 10:26:30 AM »

Hello,

there is another block later on.
Look for
Code:
// highlights searchresults

thorn.
Logged

crnogorac081
« Reply #5 on: November 26, 2008, 02:55:56 PM »

So I need to put new code between:

//function to highlight search results

and

// special-feature: '|' means word-boundary (\b). Searching for 'the|' will find 'the', but not 'thema'.


in the old code, right?
Logged

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
thorn

« Reply #6 on: November 26, 2008, 03:48:55 PM »

Hello,

no. Look for

Code:
// highlights searchresults

inside function page_content()

Code:
if (!function_exists('page_content')) {
    function page_content($block = 1) {

thorn.
Logged

crnogorac081
« Reply #7 on: November 26, 2008, 08:15:50 PM »

I still don't get it. thorn, can you please post (or attach) the frontend_functions.php file with the changed code?
Logged

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
thorn

« Reply #8 on: November 26, 2008, 10:32:24 PM »

Hello,

I would suggest waiting some more days (hm, one or two three weeks).
There will be an Admin-Tool (and some necessary core-replacement files) to maintain Frontend-Filters very easily.

thorn.
« Last Edit: December 08, 2008, 12:52:12 AM by thorn » Logged

crnogorac081
« Reply #9 on: November 27, 2008, 12:42:44 AM »

Wow, great!!!! I look forward to...
Logged

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions