On Mon, 25 Oct 2004 07:44:33 -0700, shane freese <shane.freese@gmail.com> wrote:
> On Mon, 25 Oct 2004 08:27:44 -0600, Taneem A T <thezeropoint@gmail.com> wrote:
> > > 2 things I am trying to accomplish.
> > > 1. Parse a RSS feed from another site to display it on mine.
> > > 2. Put the latest Forum posts from my boards on the wiki main page.
> >
> > I basically wanted to do the exact same thing and I posted the same
> > question a few days ago ... the answer I was given is that for
> > security reasons you can't include PHP in any editable page, whether
> > you are sysop or not (someone please tell me I am wrong?? ;) )
Well, you have the source, it's up to you - but it *would* be pretty risky.
Somebody described how they'd done exactly this a few weeks ago: see
http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025771.html
and its follow-ups; but they then had problems with the pages being
cached, as discussed in the threads starting with
http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025786.html and
http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025787.html
> Well I have figured out how to enable full html code. This allows me
> to add javascript. However I do not know enough about javascript to
> make it include a php file. I have gotten it to open a new window
> with my code but have yet to get it in the wiki page itself.
This is, of course, just as dodgy as allowing arbitrary php code:
there are all sorts of evil things someone could do with uncontrolled
javascript, such as accessing cookie data and sending it somewhere
else (since the JavaScript would be on your site, this could probably
allow them to steal information necessary to log into your site as the
person viewing the article). But if you make sure you really really
trust everyone who can edit, this isn't a problem (it's not a wiki
either, but there you go).
> I think if I could somehow use javascript to include the php file I
> could solve my problem. However I do not know if this is possible
> with javascript.
It's certainly possible: people use "javascript feeds" all the time; I
think the basic trick is to grab the data from a special URL, and then
use document.write() to add it to the current page.
However, better than allowing arbitrary anything is just to build the
PHP script you want to execute into the code. You could probably
create a <feed>url:path/to/feed</feed> "extension" (see above
referenced threads), perhaps limiting it to relative paths (so nothing
can be included from somewhere other than your server). Or you could
be less flexible, and just have a magic word, checked for in
Parser.php::internalParse(), that runs a function of your own design;
hacky, but very simple to program.
Of course, you will then end up in the same caching conundrum as
Arvalux in the threads I already referenced: how to make sure the
pages in question are forced to remain uncached. Some kind of hack
with timestamps whereby the cache never thinks it has the latest
version seems to be the best anyone's come up with for this; or, if
you want to be less hacky, a cur_nocache flag in the database that's
set and unset in Parser.php::preSaveTransform() [.he says, quoting bits
of code from memory that he's never really looked at carefully]
Good luck...
--
Rowan Collins BSc
[IMSoP]
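
The `<feed>` idea above, limited to relative paths, as an added example that is not part of the original message and is not MediaWiki code. It assumes the tag body is a bare relative path to an RSS file kept under a local feeds directory; `resolveFeedPath()` and `renderFeed()` are hypothetical names.

```php
<?php
// Added example; function names and the feeds directory are hypothetical.
// Map the tag body to a file inside $baseDir, or null if it points elsewhere.
function resolveFeedPath(string $input, string $baseDir): ?string
{
    $input = trim($input);
    // No scheme (http:, php:, file:), no absolute path, no NUL byte.
    if ($input === '' || strpos($input, "\0") !== false
        || preg_match('#^([a-z][a-z0-9+.-]*:|[/\\\\])#i', $input)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $input);   // resolves ../ and symlinks
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved file must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Render at most $max items as an HTML list; every feed value is escaped.
function renderFeed(string $input, string $baseDir, int $max = 5): string
{
    $path = resolveFeedPath($input, $baseDir);
    if ($path === null) {
        return "<!-- feed: path rejected -->\n";
    }
    $xml = @simplexml_load_file($path, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false || !isset($xml->channel->item)) {
        return "<!-- feed: not RSS -->\n";
    }
    $out = '';
    foreach ($xml->channel->item as $item) {
        if ($max-- <= 0) break;
        $title = htmlspecialchars((string) $item->title, ENT_QUOTES, 'UTF-8');
        $link  = (string) $item->link;
        // Only http(s) links become anchors; javascript: URLs stay plain text.
        $out .= preg_match('#^https?://#i', $link)
            ? '<li><a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . "\">$title</a></li>\n"
            : "<li>$title</li>\n";
    }
    return "<ul>\n$out</ul>\n";
}
// Constructed sample feed in a temporary directory, then three tag bodies.
$dir = sys_get_temp_dir() . '/feeds_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/news.xml", '<rss><channel><item><title>A &lt;b&gt;post&lt;/b&gt;</title>'
    . '<link>http://example.org/1</link></item></channel></rss>');
echo renderFeed('news.xml', $dir), renderFeed('../../etc/passwd', $dir), renderFeed('http://example.org/x', $dir);
```

Because editors supply only a path and never markup, the output contains nothing but the escaped titles and http(s) links taken from the feed file.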