Testing: Template Editor Plugin
Well, I don't know if there's something like that already done, but here's a first testing release of a rudimentary template editor plugin I am planning to finish.
It's not yet a really nice one, more a quick and dirty thingy, but loading and saving (including creating a backup) works so far, though you should not really use it without creating a backup of your template folder. Resizable textarea and quicklinks work too. If you have good ideas about which quicklinks I should implement, just let me know.
(German) articles w/ download @ my blog: http://www.arnekolja.de/130/ & http://www.arnekolja.de/131/
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: Testing: Template Editor Plugin
Hi!
Wow. That is awesome work, and was requested many times before.
I have only just checked out your code, and in its basic forms it seems well!
There are some things I'd like to suggest:
1a. Please use proper indentation of the code. Use 4 spaces, no tabs. Only if you follow those rules can we add the plugin to Spartacus, and I will be able to work with the code easily. *g*
1b. Please try to stick to PEAR code guidelines, generally. Usually you only use brackets around function methods; not PHP tokens like "echo" or "print", which are considered general statements. Of course this is purely cosmetic, but it makes s9y plugins look more in sync if all of them look somewhat alike.
1c. You still use many native English outputs; if possible, please abstract them into constants.
2. For security reasons, you should consider using the serendipity_setFormToken() and serendipity_checkFormToken() functions to first set a session token which will later be checked, so that nobody can trick you into clicking a link that performs an action like saving a remote file with evil content on your webserver. Have a look in the s9y code to see how exactly those two functions are used.
3. Also for security reasons, you should make VERY VERY sure that you only read and write files that are within the $serendipity['serendipityPath'] directory. Thus, you should clear all "../" and other evil characters from the $_POST['filename'] variable before you use fopen/fwrite commands on it. Or else, people would be able to operate on all files that the webserver can write to. Have a look at the serendipity_uploadSecure() function to see how to sanitize those variables. Also when you output filenames, make sure you use htmlentities() around it to prevent XSS.
4. You should create a configuration value that defines the HTTP path to your plugin's directory. Currently you use:
```php
<script src="'. $serendipity['serendipityHTTPPath'] .'/plugins/serendipity_event_templateeditor/js/tinytype.js" type="text/javascript"></script>
```
5. Try to avoid using $PHP_SELF. It can be exploited for XSS; either use htmlspecialchars($_SERVER['PHP_SELF']), or (even better) build the module by specifying the path to serendipity_admin.php with the URL variables you need.
6. You should definitely use htmlspecialchars($theData) to prohibit XSS within your textarea! If people write "</textarea>" inside their templates, they could put any HTML they want into your admin interface.
All in all, these are things that should be easily fixable, and I am looking very much forward to the development of this plugin. Awesome work!
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
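Added example (not code from the plugin or from s9y) of how points 2, 3 and 6 above could be implemented in PHP: the file name from $_POST is resolved and confined to the templates directory under $serendipity['serendipityPath'], the save action is gated on the form token, and both echoed file names and the textarea contents are escaped. Assumed: serendipityPath ends with a slash, serendipity_setFormToken() returns a hidden input field and serendipity_checkFormToken() returns a boolean (check the s9y source for the exact signatures); the templateeditor_* function names are made up for this sketch.

```php
<?php
// Added example (not the plugin's or s9y's own code) covering Garvin's points 2, 3 and 6.
// Assumed: $serendipity['serendipityPath'] is the blog root with a trailing slash;
// serendipity_setFormToken() returns a hidden <input>, serendipity_checkFormToken() returns bool.
// Point 3: map a user-supplied name onto the template directory and refuse anything
// that resolves outside it ("../", absolute paths, symlinks, NUL bytes).
function templateeditor_safe_path(string $templateDir, string $filename): ?string
{
    $baseReal = realpath($templateDir);
    // Only a bare, non-empty file name without directory parts or NUL bytes is accepted.
    if ($baseReal === false || $filename === '' || strpos($filename, "\0") !== false
        || $filename !== basename($filename)) {
        return null;
    }
    // realpath() resolves symlinks and is false for missing files, so only existing templates qualify.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $filename);
    if ($target === false || strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Point 2 (session token check) and point 3 applied to the save action; returns an HTML-safe message.
function templateeditor_save(array $serendipity, array $post): string
{
    if (!serendipity_checkFormToken()) {
        return 'Invalid form token, nothing saved.';
    }
    $filename = (string)($post['filename'] ?? '');
    $path = templateeditor_safe_path($serendipity['serendipityPath'] . 'templates/', $filename);
    if ($path === null) {
        // Escape the echoed name so a hostile value cannot inject markup into the admin page.
        return 'Refusing to touch ' . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8');
    }
    if (!copy($path, $path . '.bak')) {
        return 'Not saving file, because backup failed.';
    }
    file_put_contents($path, (string)($post['content'] ?? ''));
    return 'Saved ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
}

// Point 6: escape the template source before it goes into the textarea, so a
// "</textarea>" inside a template cannot close the element and inject HTML.
function templateeditor_form(string $theData): string
{
    return '<form method="post">' . serendipity_setFormToken()
         . '<textarea name="content">' . htmlspecialchars($theData, ENT_QUOTES, 'UTF-8')
         . '</textarea></form>';
}
```

Because the check uses realpath() on the joined path, a name like ".." or "." resolves to the parent or the base itself and fails the prefix test, while a symlink pointing out of the templates directory is rejected the same way.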
Thanks for that great reply, Garvin.
Like I mentioned above, it's only a testing release and I didn't spend much time on this yet. Actually I just typed a bit of code via ssh + Midnight Commander while I watched TV with my girl, but since this has great potential, I'll do that cleanup and try to follow your wishes and guidelines. BTW, reading your posting tells me about one great thing: the wellness of s9y's code base. It's really good you set up those requirements for properly coded plugins, because it avoids the state I see with much other PHP software I don't want to mention now.
Well... after clearing this out: tell me your wishes regarding the plugin's functionality. What would you like this plugin to be able to do?
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Hi!
Great news. I'm looking forward to the new version. Let us know!
> Well... after clearing this out: tell me your wishes regarding the plugin's functionality. What would you like this plugin to be able to do?
Maybe this is also for other people. What I would love to see is this "quick snippet" functionality you already showed. Maybe some W3C/CSS links as well... I'm not really sure, maybe template coders like Carl or d_cee have some wishes.
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
Hi
This seems like a great idea.
I've downloaded your plugin and installed it on my test server. I'll take a good look later and post any suggestions I might have.
In the meantime I got this message when I tried to use the plugin to edit the index.tpl file
```text
Creating backup...
Warning: copy(index.tpl): failed to open stream: No such file or directory in /var/www/vhosts/mydomain.com/subdomains/test/httpdocs/plugins/serendipity_event_templateeditor/serendipity_event_templateeditor.php on line 90
failed!
Not saving file, because backup failed, sorry!
```
cheers
Dave
Hi Dave,
Great that you tested it. I fixed this earlier and updated the testing archive multiple times today, so you're very welcome to check out the newest one:
http://www.arnekolja.de/131/
I now also have a changelog at my article and will update the whole article tomorrow or so, including an English version. The editor itself is quite usable now, I think.
@garvin: I'll do my best to follow your guidelines; well, I already changed a bit from what you told me. My todo (documented within the PHP file) reflects your wishes on my way to "officially" releasing this plugin too. So... one quick question: as soon as it achieves the quality standards, would you like to put it into s9y's release package too? It's not just about being "promoted" or something like that for me, but more a thing of thinking that there are many users who have been waiting for this for such a long time now... maybe the community would like to have this as part of the release base.
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Like Judebert said.
# Garvin Hicking (s9y Developer)
- Regular
- Posts: 1331
- Joined: Sun Dec 04, 2005 5:43 pm
- Location: Andalucia, Spain
I second (or is it third) that.
This ability is exactly what Serendipity needs to really take off, but it also means that we might have to re-structure our stylesheets to put all color values at the top so that users aren't unnecessarily confused with structural styles that they may never need to change.
I guess the next logical step after this would be to allow on-the-fly image changes which would allow users to replace a header/background/footer image. This might be taking things too far, but I can bet it will be asked for.
Hi akb
Garvin and Carl had a thread about a colour-wheel in the theme configurator here, if it's of any help: http://www.s9y.org/forums/viewtopic.php?t=5514
Dave
Yeah, this JavaScript color picker seems nice, but I cannot find any credits or license for it.
BTW: the span thing (and div, and anchor) is now available (not in the testing release yet). I simply used the s9y/serendipity_editor.js to implement it; it has everything we need for this. I also gave the usual serendipity button class to my buttons, so it looks a bit more "official" now, he he.
Well... before releasing the plugin officially, I might need to rewrite the code base again, because... well, you know, you start coding something and then you notice that you need to implement the base in another way to give you the possibilities you want to have for enhancing it. I really need a bit more streamlined code within the editor; I think it's really best to rewrite its base.
After all, I think it might take 1 or 2 weeks to release it ready for Spartacus, because I don't have the time I had at the weekend now. But I think it will be good.
- Regular
- Posts: 1331
- Joined: Sun Dec 04, 2005 5:43 pm
- Location: Andalucia, Spain
Garvin and I haven't continued our discussion about the colorwheel thing yet, but I might send my preview template to him (and you) if you would like to see it implemented.
I think adding a colorwheel directly into Serendipity (your plugin) might be better than in the template config because it keeps things in places where users might expect to see them. As for the credits, I think the JavaScript file actually has those in it, but I'll chase them down if it's needed.
So if anyone wants to see how I've implemented the colorpicker into a template, please pm me with your email address and I'll send it out today or tomorrow.