Hi!
Wow. That is awesome work, and was requested many times before.
I have only just checked out your code, and in its basic forms it seems well!
There are some things I'd like to suggest:
1a. Please use proper indentation of the code. Use 4 spaces, no tabs. Only if you follow those rules can we add the plugin to Spartacus, and I will be able to work with the code easily. *g*
1b. Please try to stick to PEAR code guidelines, generally. Usually you only use brackets around function methods; not PHP tokens like "echo" or "print", which are considered general statements. Of course this is purely cosmetic, but it makes s9y plugins look more in sync if all of them look somewhat alike.
1c. You still use many native English outputs; if possible, please abstract them into constants.
2. For security reasons, you should consider using the serendipity_setFormToken() and serendipity_checkFormToken() functions to first set a session token which will later be checked, so that nobody can trick you into clicking a link that performs an action like saving a remote file with evil content on your webserver. Have a look in the s9y code to see how exactly those two functions are used.
3. Also for security reasons, you should make VERY VERY sure that you only read and write files that are within the $serendipity['serendipityPath'] directory. Thus, you should clear all "../" and other evil characters from the $_POST['filename'] variable before you use fopen/fwrite commands on it. Or else, people would be able to operate on all files that the webserver can write to. Have a look at the serendipity_uploadSecure() function to see how to sanitize those variables. Also when you output filenames, make sure you use htmlentities() around them to prevent XSS.
4. You should create a configuration value that defines the HTTP path to your plugin's directory. Currently you use:
<script src="'. $serendipity['serendipityHTTPPath'] .'/plugins/serendipity_event_templateeditor/js/tinytype.js" type="text/javascript"></script>
but it can be that people install the plugin in a mod_Rewrite environment or within a plugins/more_plugins/serendipity... directory structure, and then the fetch would fail. Have a look at a plugin like the FCKEditor one, which defines a path from where to load JS files.
5. Try to avoid using $PHP_SELF. It can be exploited for XSS; either use htmlspecialchars($_SERVER['PHP_SELF']), or (even better) build the module by specifying the path to serendipity_admin.php with the URL variables you need.
6. You should definitely use htmlspecialchars($theData) to prohibit XSS within your textarea! If people write "</textarea>" inside their templates, they could put any HTML they want into your admin interface.
All in all, these are things that should be easily fixable, and I am looking very much forward to the development of this plugin. Awesome work!
Best regards,
Garvin
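As an added example (not part of Garvin's post, and not Serendipity's or the plugin's own code), the stand-alone PHP script below shows one way to apply points 3 and 6: confine a user-supplied filename to $serendipity['serendipityPath'] before any fopen/fwrite, and escape both the filename and the template body before echoing them into the admin page. The helper names templateeditor_safe_path() and templateeditor_escape(), the temporary directory standing in for serendipityPath, and the probe filenames are all assumptions made for this example; in the real plugin the form-token check and serendipity_uploadSecure() would be used as the post describes.

```php
<?php
// Added example, not the plugin's or Serendipity's own code.
// Assumption: $serendipity['serendipityPath'] is the blog root. Here a
// constructed temporary directory stands in for it so the script runs alone.

/**
 * Map a requested (relative) filename onto a path that is guaranteed to lie
 * below $basePath, or return null if the request must be refused.
 * Hypothetical helper; the real plugin would lean on serendipity_uploadSecure().
 */
function templateeditor_safe_path(string $basePath, string $requested): ?string
{
    $base = realpath($basePath);
    // NUL bytes can truncate the path at the C level, so refuse them outright.
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Split into segments; any "..", "." or empty segment (absolute path,
    // double slash) is either a traversal attempt or a sloppy path: refuse.
    $segments = explode('/', str_replace('\\', '/', $requested));
    foreach ($segments as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..') {
            return null;
        }
        // Conservative allow-list per segment instead of stripping "evil" chars.
        if (!preg_match('/^[A-Za-z0-9_.-]+$/', $seg)) {
            return null;
        }
    }
    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);
    // The directory that will hold the file must exist and resolve below $base;
    // realpath() also catches symlinks that point outside the blog root.
    $dir = realpath(dirname($candidate));
    if ($dir === false || ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0)) {
        return null;
    }
    return $candidate;
}

/** Escape anything that is echoed into HTML (filenames, template contents). */
function templateeditor_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// --- constructed demo environment ------------------------------------------
$serendipity = array();
$serendipity['serendipityPath'] = sys_get_temp_dir() . '/s9y_demo_' . getmypid();
mkdir($serendipity['serendipityPath'] . '/templates/default', 0700, true);

// In the real plugin: serendipity_checkFormToken() would run here, before
// any write, so a forged link cannot trigger the save (point 2 of the post).

// Constructed sample values of $_POST['filename']: one legitimate, three bad.
$probes = array(
    'templates/default/index.tpl',
    '../../outside.txt',
    '/templates/default/index.tpl',
    "templates/default/x\0.tpl",
);
foreach ($probes as $p) {
    $safe = templateeditor_safe_path($serendipity['serendipityPath'], $p);
    printf("%-32s => %s\n",
        templateeditor_escape(addcslashes($p, "\0")),
        $safe === null ? 'REJECTED' : 'OK: ' . $safe);
}

// Point 6: a template body containing a closing tag must not break out of
// the textarea; escaping turns "</textarea>" into inert text.
$theData = "</textarea><b>injected markup</b>";
echo '<textarea name="template_data">' . templateeditor_escape($theData) . "</textarea>\n";

// Tidy up the constructed directory.
rmdir($serendipity['serendipityPath'] . '/templates/default');
rmdir($serendipity['serendipityPath'] . '/templates');
rmdir($serendipity['serendipityPath']);
```

Running the script prints one line per probe (only the first is accepted, resolved under the temporary blog root) followed by the escaped textarea. The design choice is an allow-list per path segment plus a realpath() check on the containing directory, rather than deleting "../" from the string, because stripping can be bypassed by sequences that reassemble into traversal after removal.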