Formatted Include
This is a modification of the Wikka include action that adds CSS formatting to the included page. The idea and some of the code came from a GPL Wikini action by Eric Feldstein. You can use it to completely replace the include.php file in the actions directory.
Usage is:
{{include page="HomePage" class="gray_background solid_border small_fonts height10em"}}
The class parameter is optional.
An example of it in use here.
<?php
// wikka include action modified by GmBowen so that the included page is formatted according to CSS code
// Idea & code modifications from the Wikini include action by Eric Feldstein, released under the GPL
// Note: the class parameter is copied into the HTML as given; it is not validated by this action.
$classes = '';
if ($class) {
    // each space-separated word in class="..." becomes an include_* class on the wrapper div
    $array_classes = explode(" ", $class);
    foreach ($array_classes as $c) { $classes .= "include_" . $c . " "; }
}
if (!$page) $page = $wikka_vars;
$page = strtolower($page);
// list of pages already included during this render, seeded with the current page
if (!$this->config["includes"]) $this->config["includes"][] = strtolower($this->tag);
if (!in_array($page, $this->config["includes"]) && $page != $this->tag) {
    // only include pages the current user is allowed to read
    if ($this->HasAccess("read", $page)) {
        $this->config["includes"][] = $page;
        $page = $this->LoadPage($page);
        $output = $this->Format($page["body"]);
        if ($classes) echo "<div class=\"", $classes, "\">\n", $output, "</div>\n";
        else echo $output;
    }
} else print "<span class='error'>Circular reference detected</span>";
?>
The CSS file in use has to have the following rules added to it:
.include_right { float: right; width: 17%; } /* floating box to the right */
.include_left { float: left; width: 17%; } /* floating box to the left */
.include_solid_border { border: solid; padding: 2px; } /* solid border */
.include_gray_background { background-color: #DDDDDD; } /* grey background */
.include_small_fonts { font-size: 0.8em; } /* small fonts */
.include_big_fonts { font-size: 1.2em; } /* large fonts */
.include_height10em { height: 10em; overflow: scroll; } /* in a scrollable box 10em high */
.include_height15em { height: 15em; overflow: scroll; } /* in a scrollable box 15em high */
.include_height30em { height: 30em; overflow: scroll; } /* in a scrollable box 30em high */
.include_height60em { height: 60em; overflow: scroll; } /* in a scrollable box 60em high */
CategoryUserContributions
I don't see how the released {{include}} action is a security risk - each (recursively) included $page is ultimately retrieved from the database via the LoadPage() function, which takes care to mysql_real_escape_string() the page name before feeding it to the SQL query. And {{include}} has no other parameters except $page.
Roman is correct about the $class parameter in this action code here though: it is accepted without any validation or sanitation - that is indeed a security risk.
Do NOT EVER trust user input!
/[_a-z][_a-zA-Z0-9-]*/
(that's based on the CSS 2.1 standard).
For a class *attribute* you need to take into account that it should be a space-separated list of valid class names. So you'd get something like:
/([_a-z][_a-zA-Z0-9-]*)( [_a-z][_a-zA-Z0-9-]*)*/
(I think - unchecked)
""<div style="float: left; width: 45%; margin: 0.5%; padding: 5px; background: #EAEAEA;
border: 1px #777 dotted; ">Here goes some text </div>""
Hope this helps
Before going down that path though, we should discuss what other properties (if any) we would allow to be specified at the wikka syntax level - to avoid making it into a "full HTML equivalent".
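As an added example (not code from Wikka, from GmBowen's action, or from the commenters above), here is how the class parameter could be validated before it reaches the HTML. It applies the CSS 2.1 class-name pattern quoted in the comments, anchored so the whole token must match, and then keeps only the suffixes the stylesheet on this page actually defines. The function names include_classes() and wrap_include() and the sample inputs are this example's own; the original action's behaviour for $classes is reproduced by wrap_include() only after filtering.

```php
<?php
// Added example: validate the class="..." parameter of the include action.
// Names (include_classes, wrap_include, ALLOWED_CLASSES) are assumptions for this example.

// One CSS 2.1 class name, as in the comment above, anchored to the whole token.
const CLASS_NAME_RE = '/^[_a-z][_a-zA-Z0-9-]*$/';

// Suffixes the page's stylesheet defines as .include_*; anything else is dropped,
// so an unknown class cannot be used to pick up unrelated site styles.
const ALLOWED_CLASSES = [
    'right', 'left', 'solid_border', 'gray_background', 'small_fonts', 'big_fonts',
    'height10em', 'height15em', 'height30em', 'height60em',
];

/**
 * Turn the raw class parameter into a list of safe "include_*" class names.
 * Returns an empty array when nothing survives, so the caller can omit the div.
 */
function include_classes(?string $raw): array
{
    $out = [];
    foreach (preg_split('/\s+/', trim((string) $raw)) as $c) {
        if ($c === '' || !preg_match(CLASS_NAME_RE, $c)) {
            continue;   // not a syntactically valid class name: drop it
        }
        if (!in_array($c, ALLOWED_CLASSES, true)) {
            continue;   // valid name, but not one the stylesheet defines
        }
        $out[] = 'include_' . $c;
    }
    return array_values(array_unique($out));
}

/**
 * Wrap already-formatted page output in the div the original action emits.
 * The attribute is escaped as well, as defence in depth; after validation the
 * escaping changes nothing, which is the point.
 */
function wrap_include(string $formatted_body, ?string $raw_class): string
{
    $classes = include_classes($raw_class);
    if (!$classes) {
        return $formatted_body;
    }
    $attr = htmlspecialchars(implode(' ', $classes), ENT_QUOTES, 'UTF-8');
    return "<div class=\"$attr\">\n$formatted_body</div>\n";
}

// Small check helper so the example fails loudly regardless of zend.assertions.
function expect(string $actual, string $expected, string $what): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected result for $what: $actual");
    }
}

// Constructed inputs: the documented usage, and a hostile class value that the
// original action would have echoed straight into the class attribute.
$body = "<p>included text</p>\n";
expect(
    wrap_include($body, 'gray_background solid_border small_fonts height10em'),
    "<div class=\"include_gray_background include_solid_border include_small_fonts include_height10em\">\n$body</div>\n",
    'documented usage'
);
expect(wrap_include($body, '" onmouseover="alert(1)'), $body, 'attribute break-out');
expect(wrap_include($body, 'left bogus ../x'), "<div class=\"include_left\">\n$body</div>\n", 'mixed list');
expect(wrap_include($body, null), $body, 'no class parameter');
echo wrap_include($body, 'left solid_border');
```

The allow-list does the real work: the regex alone would still accept any class name the site's stylesheet happens to define, which is the "full HTML equivalent" concern raised above. Restricting to the include_* names keeps the wiki-level syntax a fixed menu rather than a general styling hook.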