Location template and input validation
  • I changed the New Custodian theme to link the geolocation of an article to a list of other articles about the same location. 

    This is the link: 
    {{ if $gimme->article->has_map }} 
    {{ list_article_locations }}{{ if $gimme->location->enabled }}{{ if $gimme->current_list->at_beginning }}Location(s): {{ /if }}<a href="{{ uripath options="publication" }}?{{urlparameters options="template location.tpl" }}&location={{ $gimme->location->name }}&latitude={{ $gimme->location->latitude }}&longitude={{ $gimme->location->longitude }}">{{ $gimme->location->name }}</a>{{ if $gimme->current_list->at_end }}{{ else }}, {{ /if }}{{ /if }}{{ /list_article_locations }}
    {{ /if }}

    And this is the template location.tpl: 
    {{ assign var="latitude" value=$gimme->url->get_parameter('latitude') }}
    {{ assign var="longitude" value=$gimme->url->get_parameter('longitude') }}

    <h1>Location: {{ $gimme->url->get_parameter('location') }}</h1>

    {{ list_articles length="10" ignore_issue="true" ignore_section="true" order="bypublishdate desc" location="$latitude $longitude, $latitude $longitude" constraints="type is news" }}

    <section class="art-item clearfix">
    <header>
    <h3><a href="{{ uri options="article" }}">{{ $gimme->article->name }}</a></h3>
    <p><span class="right">{{ include file="_tpl/article-icons.tpl" }}</span>Published on <time datetime="{{$gimme->article->publish_date|date_format:"%Y-%m-%dT%H:%MZ"}}">{{ $gimme->article->publish_date|camp_date_format:"%M %d, %Y" }}</time> by {{ list_article_authors }}{{ if $gimme->author->user->defined }}<a href="{{ $view->url(['username' => $gimme->author->user->uname], 'user') }}">{{ /if }}{{ $gimme->author->name }}{{ if $gimme->author->user->defined }}</a>{{ /if }} ({{ $gimme->author->type|lower }}){{ if !$gimme->current_list->at_end }}, {{ /if }}{{ /list_article_authors }}</p>
    </header>
    {{ include file="_tpl/img/img_250x167.tpl" where="section" }}
    <p>{{ include file="_tpl/_edit-article.tpl" }}{{ $gimme->article->deck }}</p>
    </section><!-- /.art-item -->
                
    {{ if $gimme->current_list->at_end }}            

    {{* PAGINATION *}}
    {{ $pages=ceil($gimme->current_list->count/10) }}
    {{ $curpage=intval($gimme->url->get_parameter($gimme->current_list_id())) }}
    {{ if $pages gt 1 }}
    <ul class="pagination">
    {{ if $gimme->current_list->has_previous_elements }}<li class="prev"><a href="{{ uripath options="section" }}?{{ urlparameters options="previous_items" }}">Previous</a></li>{{ /if }}
    {{ for $i=0 to $pages - 1 }}
    {{ $curlistid=$i*10 }}
    {{ $gimme->url->set_parameter($gimme->current_list_id(),$curlistid) }}
    {{ if $curlistid != $curpage }}
    <li><a href="{{ uripath options="section" }}?{{ urlparameters }}">{{ $i+1 }}</a></li>
    {{ else }}
    <li class="selected"><a href="{{ uripath options="section" }}?{{ urlparameters }}">{{ $i+1 }}</a></li>
    {{ $remi=$i+1 }}
    {{ /if }}
    {{ /for }}
    {{ if $gimme->current_list->has_next_elements }}<li class="next"><a href="{{ uripath options="template topics.tpl" }}?{{ urlparameters options="next_items" }}">Next</a></li>{{ /if }}
    </ul>
    {{ $gimme->url->set_parameter($gimme->current_list_id(),$curpage) }}
    {{ /if }}

    {{ /if }} 
    {{ /list_articles }}  

    It works, but I am worried that this might be vulnerable to SQL injections or cross-site scripting. Are there any input validations I should do or any other optimizations of this code? Or is there a better way to do it? 
    Post edited by Sebastian Olsson (2) at 2013-06-05 13:37:20
  • Hi,
    this is a nice, straightforward way of doing this; for a little bit more security on URL parameters, use Smarty modifiers, like this:

    {{ $gimme->url->get_parameter('location')|default:''|escape }}
    --
    Ljuba Rankovic
    Senior Front End Developer, Sourcefabric
    ljuba.rankovic@sourcefabric.org

    http://www.sourcefabric.org
    http://www.twitter.com/Sourcefabric
  • Thank you! I will use that on all three variables.
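    Putting the two points of the thread together (HTML-escaping the free-text parameter, and treating the coordinates as numbers before they reach list_articles), here is a hardened head of location.tpl. This is an added illustration, not code from the original post or from Newscoop; it assumes, as the template's own ceil()/intval() calls suggest, that PHP functions such as is_numeric() and floatval() are callable from Newscoop templates, and the fallback text is mine.

    ```smarty
    {{* Read the three URL parameters once, with an empty default so a
        missing parameter never yields null *}}
    {{ assign var="location"  value=$gimme->url->get_parameter('location')|default:'' }}
    {{ assign var="latitude"  value=$gimme->url->get_parameter('latitude')|default:'' }}
    {{ assign var="longitude" value=$gimme->url->get_parameter('longitude')|default:'' }}

    {{* The coordinates are only ever meaningful as numbers, so reject
        anything that is not numeric before it is handed to list_articles.
        is_numeric() / floatval() are PHP functions (assumed callable here,
        like the ceil()/intval() calls in the original template). *}}
    {{ if is_numeric($latitude) and is_numeric($longitude) }}
      {{ $latitude=floatval($latitude) }}
      {{ $longitude=floatval($longitude) }}

      {{* The location name is free text from the URL: HTML-escape it on output *}}
      <h1>Location: {{ $location|escape }}</h1>

      {{ list_articles length="10" ignore_issue="true" ignore_section="true" order="bypublishdate desc" location="$latitude $longitude, $latitude $longitude" constraints="type is news" }}
      {{* article markup and pagination from the original location.tpl go here *}}
      {{ /list_articles }}
    {{ else }}
      {{* Still escape the name: a bad coordinate does not make the name safe *}}
      <h1>Location: {{ $location|escape }}</h1>
      <p>No valid coordinates were supplied for this location.</p>
    {{ /if }}
    ```

    The first template's link builder could apply the same idea with `{{ $gimme->location->name|escape:'url' }}` inside the query string, so a stored location name containing `&` or `#` does not break the generated URL.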