Let users edit their Laravel 5.6 blade view files [closed] - laravel

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
What are the risks of letting users edit their laravel blade views in order for them to edit the theme they are using?
Each user will have a folder created for them in the views folder containing their template made of blade.php files. There they can edit the html and access the $php_variables to display. Or is there a better way?
Thanks

First of all, there is the risk that your user creates vulnerabilities unintentionally. For example, if he does not escape an output correctly, another user could inject a malicious script (XSS) and then exploit your application. For Laravel, this could happen by using {!! !!} instead of {{ }}.
Then there is the risk that your user wants to exploit your application himself by adding malicious code. Since Blade templates are PHP files, he could do anything. And don't forget that he could execute JavaScript too.
Without knowing any more, it is hard to find a better solution. Depending on what your application is supposed to do, you should adapt the security.
For max security, I would filter the submitted content and delete all JavaScript and PHP, except for {{}}. For {{}}, check that the variables inside are allowed (create a list of allowed variables). Also make sure that he cannot execute any other code inside the {{}}.
Block any external (and maybe even internal) link calls, since an attacker could load malicious script from another server/source. This goes for <img>, <link> etc... And no, it is not enough to simply block some file extensions.
Please read the blade doc and make sure any other way for code execution is blocked, i.e.
@php
//
@endphp
If you want to create such a filter, check out this link, maybe it will help you to start. Please do a lot of research in order to be sure that your application is secure. And don't forget to secure the rest of your application too ;-)
Also check out the OWASP PHP Security Cheat Sheet
EDIT: Of course there are several other ways to handle this. You could review each template yourself (if there are limited users), you could let the user choose between multiple templates (no edit), you could block all PHP and JavaScript and use "shortcodes" which you then replace with your controlled PHP code (basically your own template engine), etc.
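
The filter described in the answer above (only {{ $variable }} for listed variables, nothing else that can run code or load remote content), as an added PHP example that is not part of the original answer. ALLOWED_VARS, validateUserTemplate() and the sample templates are assumptions made for illustration; the function rejects a template outright instead of trying to strip the offending parts.

```php
<?php
// Added example: conservative validator for user-edited theme templates.
// ALLOWED_VARS and validateUserTemplate() are hypothetical names.
const ALLOWED_VARS = ['title', 'username', 'content'];
function validateUserTemplate(string $src): array
{
    $errors = [];
    // 1. Each {{ ... }} must hold exactly one allowlisted variable:
    //    no function calls, property access, operators or Blade comments.
    $rest = preg_replace_callback('/\{\{(.*?)\}\}/s', function ($m) use (&$errors) {
        if (!preg_match('/^\s*\$([A-Za-z_]\w*)\s*$/', $m[1], $v)
            || !in_array($v[1], ALLOWED_VARS, true)) {
            $errors[] = 'disallowed expression: {{' . $m[1] . '}}';
        }
        return '';
    }, $src);
    // 2. With the valid echoes removed, none of these may remain.
    $banned = [
        'raw PHP tag'             => '/<\?/',
        'unescaped echo'          => '/\{!!|!!\}/',
        'stray Blade braces'      => '/\{\{|\}\}/',
        'Blade directive'         => '/@\w+/', // also rejects literal e-mail addresses
        'active element'          => '/<\s*(script|iframe|object|embed|link|style|base|meta|form|svg)\b/i',
        'event-handler attribute' => '/\bon\w+\s*=/i',
        'inline style'            => '/\bstyle\s*=/i', // CSS url() can fetch remote content
    ];
    foreach ($banned as $label => $pattern) {
        if (preg_match($pattern, $rest)) {
            $errors[] = $label;
        }
    }
    // 3. URL attributes may only name a local relative path: no scheme,
    //    no protocol-relative //host, no entities, no query string.
    preg_match_all('/\b(?:src|srcset|href|action|poster)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', $rest, $urls);
    foreach ($urls[1] as $raw) {
        if (!preg_match('~^/?[\w.-]+(?:/[\w.-]+)*$~', trim($raw, "\"' \t\r\n"))) {
            $errors[] = 'non-local URL: ' . $raw;
        }
    }
    return $errors;
}
// Constructed sample templates.
$samples = [
    'ok'       => '<h1>{{ $title }}</h1><img src="/themes/u1/logo.png"><p>{{ $content }}</p>',
    'rejected' => '<p>{!! $content !!}</p>@php echo 1; @endphp<img src="//cdn.example/x.js">{{ strtoupper($title) }}',
];
foreach ($samples as $name => $tpl) {
    echo $name, ': ', implode('; ', validateUserTemplate($tpl)) ?: 'accepted', PHP_EOL;
}
```

Run the check when the template is saved and again before it is compiled, and store accepted templates outside any directory from which the web server executes PHP directly.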

Related

Why should I use strapi cms with React? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 2 years ago.
I want to start a project but I am unable to select a technology. I basically work in JavaScript. So, develop a project with JavaScript both in front end and back end will be good for me. But I need a suggestion regarding a headless cms called Strapi. Why should I use it with React? What is the advantage and disadvantage of using strapi with react. Because Strapi is still fixing many bugs they had with their alpha version. So, I need a suggestion for this case.
You are not required to use React in your client application while creating a project with Strapi. The whole concept is that Strapi is front-end agnostic, which means that you can use it with your preferred framework or library.
The administration panel which is provided with your project is built with React, however it is completely different than your client application.
You already said, Strapi is a Headless CMS, which is defined as:
A headless CMS is a back-end only content management system (CMS)
built from the ground up as a content repository that makes content
accessible via a RESTful API for display on any device.
source
This explains why it is NOT A MUST to use a React library, as @scoupette pointed out. It does not work with React itself, it just sends you data as a response when you query something or gain access to somewhere.
Strapi is meant to stay as a backend. Be responsible for all hard work like authentication, content type management and flexibility. When you create a content type in Strapi, you are not limited by creating only Posts or Pages, as it would be on a Wordpress default CMS configuration.
When you start developing in Strapi, it is generally enough to control the backend and the whole system you have created only by sending and receiving some JSON data to and from the server listening on the default :1337 port. I do it with Postman. Whenever you decide to build a frontend, you start "rendering" the JSON responses you get from Strapi. They might be displayed on your web app using React, Gatsby, Angular, Next.js and many more. You can find their "Blog" demos with those frontend frameworks on the website.
Now let's have a look at the second part of the question:
What is the advantage and disadvantage of using strapi with react
Let's reassemble the question: Pros and Cons of using React with a Headless CMS. To know that you have to compare it with other opportunities we have, but that might get us out of the topic. Instead you might like to refer more experienced users of the frameworks in The Best JS Frameworks for Front End.

How to prepare half dynamic web page with best performance? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
Imagine you have a web page which has some static contents and some dynamic contents based on the user's session. For example, you may see a webpage with a menu at top of the page which displays username but the remaining content is completely cachable and static.
There could be a simple solution to achieve that:
You can handle the dynamic part of the page in the client side with ajax request (which is not cachable) e.g. single page applications.
There may be another solution that client sends a request to a middleware(e.g. API Gateway) and the middleware fetches static part from cache and dynamic part from the backend then returns aggregated content to the client.
In my idea, the worst solution is to disable the cache.
What Facebook is doing, loads dynamic part at first request, and loads remaining contents with XHR requests.
Questions:
What is the best practice for this issue?
What would be the drawback of the second solution?
What do you think about Stackoverflow top menu that displays your username?
An AJAX request (or fetch, or any other HTTP based request) may well be cached by using a RESTful service.
For more fine-grained control over what should be cached you could use a service worker, for example by adding https://developers.google.com/web/tools/workbox/ to your application.
If your dynamic data has to be updated live, you should also have a look at WebSockets. Depending on your stack you could use a wrapper library like SignalR, socket.io or simply follow one of the tutorials at http://websocketd.com/

Compare frameworks: spring mvc, struts2, zend, laravel [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I must complete the comparison table below. I've searched and filled in a few but I'm not sure about my answers.
Can you help me check them?
Thanks so much.
comparison table
I have been working with Laravel for the last 5 years, so I can give my perspective on that. According to me, Laravel is easy to learn and a fast framework to develop with.
They have artisan commands to create your basic structure very fast.
Routing - Laravel has now categorized routes according to their area, like web routes, API routes and console routes, so you can easily differentiate your routes according to their use.
Database - As you said, Eloquent; it is powerful enough. You can use the DB facade as well.
HTML JSON & Image Rendering - Laravel uses the Blade template engine so its helpers come in very handy, e.g. @yield or @include; now they even have @slots.
Helpers are available for assets.
Login - Just enter one command and a basic login structure is ready for you, from registration to forgot password. The make::auth command is there. It even creates basic database tables for you. You can override it as well. Authentication Quickstart
ACL - You are free to write your own middlewares. Middleware laravel

How do I dynamically update a web page with output from a shell script? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I have a unix shell script generating output over time that I would like to pipe to a web page which would display it as it appears.
Is there a simple way to do this? I have tried "Transfer-Encoding: chunked" which doesn't work and AJAX which is not so simple. Thanks.
The simple way: If you save the output to a text file, somewhere within your website, you could embed it in an iframe. You could then use JavaScript in the parent page to reload the iframe periodically, or an HTTP refresh if you can't use script.
A more elegant solution would be to use something like jQuery.get() to check for updates and write them to the page. Here's an example: http://jsfiddle.net/S9nYE/1/ (the fiddle doesn't do much, as it isn't pointed at a real file, but I've tested the code on my webserver).
How to set it up: have your command output to a file, say log.txt in your web root, put the fiddle code into an HTML file in the same folder, and edit var fileToCheck = "log.txt" (or whatever the file is called). Then, load the HTML file in a browser. Change checkInterval to alter the speed of updates.
Either way, be careful that if this command might give away details of your system, that the webpage is appropriately locked down. If it's sensitive, it may be easier and safer to ssh into your system and tail -f logfile.
You could just make the raw output file available on your website or over an api call and then write a small html/javascript page that can query the output file over AJAX and insert it into the page.
Transfer-Encoding: Chunked is what you need however you also need to ensure that the web-server has compression disabled as well; although it's meant to work with compression, I couldn't get a chunked encoding and mod_deflate to play well together with Apache -- this is something I bumped into with a Perl CGI that feeds data out continuously; it involved placing Set-Env no-gzip 1 into .htaccess for the folder my CGI lives in.
If in doubt, start a Wireshark trace and try to see exactly what's coming over the wire.
The only other thing to mention is to ensure your script is not buffering output. If this is a bash/ksh/*sh script, then you might need to override the buffer with the stdbuf command (part of coreutils; this is a good primer on controlling buffering).
If you're writing this in Perl make sure it's unbuffered with $|=1.
Once you know what's coming over the wire, you'll get an idea whether it's the script or the web-server (or both!) that you need to tweak.

Hosting two sites within single Joomla cms [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
Is it possible to host multiple websites that all have one single/common CMS (Joomla)?
Thanks.
Joomla offers a CMS to run a website on. Joomla uses mysql databases that just hold the information that will be shown on the content pages at the front. The way it is supposed to be used you won't be able to run multiple sites on a single cms.
You can't run 2 websites with different content on that single cms, but you can create multiple front ends on one cms. You could for example store your data using joomla and get it shown at the front using your own code. This way you will be able to have two interfaces / websites on one cms, both running on the same data.
So from what I read in your question I think the answer will be NO, unless you want to just apply another presentation to your data.
My own experience: I have used Joomla to just hold news articles that my web-master will add. I just used PHP to get those news articles out of the MySQL database and did that to make sure I could get my own presentation for the data displayed.
I actually beg to differ with those people that were so quick to say "NO!!" As of joomla version 1.5.x there are some components that allow you to do just that, most of them being commercial but there's also http://www.janguo.de/lang-en/Downloads/func-finishdown/31/ which is free at the moment. As of joomla version 1.6.x multiple sites will be integrated into joomla.
If what you need is to have several domains that point to the same Joomla (and to the same content) the answer is YES (see @S.Mark's answer).
If you want to use the same Joomla installation for two different websites (with different content), the answer is NO.
An alternative is to use some Joomla extension, such as:
http://extensions.joomla.org/extensions/core-enhancements/multiple-sites/5550
Yes you can, we have done this before. What you need to do is to have two databases though. We have just written about running multiple Joomla websites on the same Joomla installation. Hope you'll find it useful...
With a CNAME record, you would be able to mirror a web site to 2+ domains.
