Newbie question

vidar.ramdal
Posts: 9
Joined: Fri Dec 15, 2000 12:53 pm

Newbie question

Post by vidar.ramdal »

I want to make a script that reads and outputs a template HTML file and looks for a token. When the token is found, the script should read and output another file until EOF, and then put out the rest of the template.

What I can't figure out, is how to read the query string (/texis/scriptname?querystring). The query string should be the name of the file to render through the template.

This is how far I've come:

<SCRIPT LANGUAGE=vortex>

<A NAME=main>
<$defaultdir = "c:/HS-web/search/">
<READLN template.html>
<$s = $ret>
<strstri "<!--token -->" $s>
<$innh = $ret>

<strlen $s>
<$lngd = $ret>

<if $lngd neq 0>
<IF $innh neq -1>
<writecontent>
<ELSE>
<send $s>

<verb>
</verb>

</IF>

<else>
</IF>

</READLN>
</A>

<a name=writecontent>
<!-- output content HTML file -->
</A>

</SCRIPT>
Kai
Site Admin
Posts: 1271
Joined: Tue Apr 25, 2000 1:27 pm

Newbie question

Post by Kai »

You don't need to read the query string; variables in it are already decoded as Vortex variables. I.e. if the query string is "file=/test" then $file is already "/test".

If the whole query string is the filename, eg. just "/test", then use $QUERY_STRING. You may have to URL-decode it in that case; see <strfmt "%!U"> (if your version supports it), otherwise <sum "%s" "x=" $QUERY_STRING><readvars "x" $ret> and $x will be the name of the file. See the manual on <fmt> and <readvars>.

<fmtcp sandcall> is probably the best way to handle the template; with <readln> you still have to deal with potential leftover text at start and end of line. Does the <!-- token --> contain the name of the sub-file to print, eg. <!-- file=/some/file -->? Then something like this should work:

<A NAME=dumpfile hit>
<rex ">><\!--=\space*file=\space*\=\P=[^\space\-]+\F\space*-->"
$hit> <!-- pull out file name from token -->
<spew $ret>
</A>

<A NAME=main>
<fmtcp sandcall noesc
">><\!--=\space*file=\space*\==[^\space\-]+\space*-->"
dumpfile>
<sum "%s" "x=" $QUERY_STRING>
<readvars "x" $ret> <!-- URL-decode template filename -->
<read $x> <!-- Read in template -->
<sb>$ret</sb>
</A>
vidar.ramdal
Posts: 9
Joined: Fri Dec 15, 2000 12:53 pm

Newbie question

Post by vidar.ramdal »

We're almost there! However, the token is not a file name, but rather a constant announcing where the contents of the sub-file are going to be put. An extract from the template file would look like this:
...
<!-- content -->
...
The name of the template file is constant, so it is the name of the sub-file that should be in the query string.
John
Site Admin
Posts: 2597
Joined: Mon Apr 24, 2000 3:18 pm
Location: Cleveland, OH

Newbie question

Post by John »

In that case you should be able to simplify things a little. The dumpfile function can simply be:

<A NAME=dumpfile>
<spew $QUERY_STRING>
</A>

And in the main function you would change the expression to match to:

<fmtcp sandcall noesc ">><\!--=\space*content=\space*-->"

And you would change the <read> to read your template.

It is usually easier to simply incorporate the template into the script, rather than reading a file, searching for a token, and then reading another file.
John Turnbull
Thunderstone Software
Kai
Site Admin
Posts: 1271
Joined: Tue Apr 25, 2000 1:27 pm

Newbie question

Post by Kai »

Note that there are security issues with simply <spew>ing or reading a file straight from the query string or other user variable. A user could potentially grab any file on your server just by hand-creating a URL with, say, /etc/passwd or /docs/whos/going/to/be/fired in the query string.

You should check that the file is within an acceptable range, say the HTML document tree, and contains no /../ sequences before <spew>ing it.
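The two points raised in this thread, rendering a template by replacing a fixed <!-- content --> token with a sub-file named in the query string, and refusing any name that escapes the document tree, can be shown together in one small program. The following is an added example written in Python, not Vortex code from the thread or from Thunderstone; the document root, the test.html sub-file and the temporary directory layout are constructed for the demonstration. It URL-decodes the raw query string first (as Kai suggests for $QUERY_STRING) so that an encoded "../" is checked in its decoded form, then canonicalises the path before testing that it still lies under the document root, which covers "..", repeated slashes and symlinks in one check rather than only a string search for "/../".

```python
"""Token-template rendering with a confined sub-file lookup (constructed example)."""
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Matches the placeholder token in the template, e.g. "<!-- content -->"
TOKEN_RE = re.compile(r"<!--\s*content\s*-->")


def resolve_under_root(docroot, requested):
    """Map a user-supplied name onto a file inside docroot.

    Returns the resolved Path, or None when the name escapes the document
    tree or does not name a regular file.  The raw query string is
    URL-decoded first so that encoded traversal (%2e%2e/) is checked in
    its decoded form; resolve() then collapses "..", repeated slashes and
    symlinks before the containment test.
    """
    root = Path(docroot).resolve()
    name = unquote(requested)
    # A leading slash means "relative to the document tree", never the filesystem root.
    candidate = (root / name.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)          # raises ValueError if outside docroot
    except ValueError:
        return None
    if candidate == root or not candidate.is_file():
        return None
    return candidate


def render(template_text, docroot, requested):
    """Replace the first content token with the sub-file's text, or return None if refused."""
    target = resolve_under_root(docroot, requested)
    if target is None:
        return None
    body = target.read_text(encoding="utf-8")
    # A callable replacement keeps backslashes in the sub-file literal.
    return TOKEN_RE.sub(lambda _m: body, template_text, count=1)


def demo():
    """Build a throwaway document tree (constructed data) and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "htdocs"
        docroot.mkdir()
        (docroot / "test.html").write_text("<p>hello from the sub-file</p>", encoding="utf-8")
        # A file outside the tree that a traversal attempt would otherwise reach
        (Path(tmp) / "secret.txt").write_text("not for the web", encoding="utf-8")
        template = "<html><body>\n<!-- content -->\n</body></html>"
        return {
            "ok": render(template, docroot, "/test.html"),
            "traversal": render(template, docroot, "../secret.txt"),
            "encoded": render(template, docroot, "%2e%2e%2fsecret.txt"),
            "absolute": render(template, docroot, "/etc/passwd"),
            "root_only": render(template, docroot, "/"),
        }


if __name__ == "__main__":
    for case, out in demo().items():
        print(f"{case}: {'refused' if out is None else 'rendered'}")
```

Only the first case renders; the other four return None and the caller can answer with a 404 rather than the file. The order matters: decode, then canonicalise, then compare against the root, because a check done on the raw or un-resolved string can be bypassed by an encoding or a symlink that the later steps would have unwound.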
vidar.ramdal
Posts: 9
Joined: Fri Dec 15, 2000 12:53 pm

Newbie question

Post by vidar.ramdal »

Thanks a lot!
I'm used to programming languages, so I guess I have to reset my mind to understand Vortex properly. Wow, is it powerful!
And thanks for the security notice - I think I'll be able to work that out.