This reminds me of Smarty for PHP. Has anyone looked at porting
Smarty to ADP? It's pretty PHP-specific but the syntax, like Tom's
stuff below, is pretty convenient.
http://smarty.php.net/
-Jim
On Sep 25, 2007, at 10:50 AM, Tom Jackson wrote:
Jeff,
I developed a templating system which is safe for untrusted users.
Actually that was one of the main goals. The sources, somewhat
messy, are at:
http://rmadilo.com/m2/servers/rmadilo/modules/tcl/twt/packages/view/
The templates are 'compiled' into a Tcl script.
The template compiler is a C program using flex/bison.
Here is a simple example of a template:
<table border="1">
[foreach num $MoveCards /]
<tr>
[set k 0]
[set Cards $CardList($num) /]
[foreach Card $Cards /]
<th>$Card<br />
[if {$num == $MoveCount} /]
[if {$k > 0} /]
Move: 1<input type="radio" name="move" value="$k [expr ($k - 1) /]">
[/if/]
[if {$k > 2} /]
3<input type="radio" name="move" value="$k [expr ($k - 3) /]">
[/if/]
[/if/]
</th>
[incr k /]
[/foreach/]
</tr>
[/foreach/]
</table>
This is taken from a start.tmpl under:
http://rmadilo.com/m2/servers/rmadilo/pages/optimistic/
The live version, to see the resulting HTML, is here:
http://rmadilo.com/optimistic/
If there is a syntax error in the script, you get a compile time error,
it is pretty easy to track down the error by trying to compile it on the
command line. The compiler aborts at the error.
The compiler itself has only a limited number of commands, each with a
form similar to a tcl command:
[command args ] ... ?[/command]?
Anything not in [ ] is turned into text. Parsing is not yet 100% perfect
and sometimes messes up if there is some combination of " and {.
Any variables found in the text, outside of [ ] are also handled.
The compiled script, although ugly, is just a series of commands which
eventually boil down to a series of [append]s, but they are also easy to
debug if some problem shows up.
The safety comes from only supporting a limited set of safe commands and
variable forms. For instance, you can't have an array variable like
$a([rm -rf /]). Also, the for and while loop are not available because
they execute code.
The main extension mechanism is the [resource] tag. Before a template is
run, you can add resources, giving them a name. If the resource is in the
template, it is executed, possibly passing through arguments. For
instance, you could give the template the ability to open a particular
file. It would be nice to have another tag which could do something to
the contents of the tag (the stuff between [tag] [/tag]), but I haven't
given this any thought yet.
This is hardly a perfect system, but the main goal of establishing a safe
execution environment seems to be met.
The way I use this is to have a .tcl file set up all the data and then
use ::view::return to find and handle the similarly named .tmpl file.
However, the data could be set up from some other source, in a filter or
registered proc, or the template itself could be anywhere, like a
database or outside of pageroot, or passed in via a form.
tom jackson
On Monday 24 September 2007 12:54, Jeff Rogers wrote:
Thanks for sharing this with the community. It's been somewhat
depressing to see every php system include a simple templating system
but nothing really solid under AOLserver. (I know OpenACS has a
templating system but I didn't look at it long enough to grok all the
complexity therein, not to mention that it is tightly tied to OpenACS.)
One thought I had while looking at it is that it isn't really suitable
for letting untrusted users upload arbitrary master pages for
layout/styling/etc, as the users could then run scripts in the pages.
I thought to myself, wouldn't a controlled environment for ADPs be nice?
So I started looking at what it would take to add in a safe adp
execution mode, and I was happy to find that although it's not
documented, it already exists!
So a suggestion: it would be a nice enhancement to allow for untrusted
master pages that are run in safe mode. I'm not entirely sure what
behavior makes the most sense (i.e., what can and can not be in safe
mode) but the implementation should be pretty simple :)
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to
<[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.
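
The allow-list approach Tom describes (a limited set of tag commands and variable forms, no command substitution inside an array index) can be sketched as a pre-compile check. This Python block is an added example, not code from the thread or from Tom's flex/bison compiler. The command list is taken from the tags visible in the post; the accepted variable forms and the one-line-per-tag scanning are assumptions.

```python
import re

# Assumed allow-list: only the tag commands that appear in the post.
ALLOWED = {"foreach", "set", "if", "incr", "expr", "resource"}
# Assumed variable forms: $name or $name(index), where the index is a
# plain word or a plain $variable (so $a([rm -rf /]) is refused).
VAR = re.compile(r"\$(\w+)(\(([^()]*)\))?")
SAFE_INDEX = re.compile(r"\$?\w+\Z")


def check_template(text):
    """Return a list of (line_number, problem) for a template string."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        depth, start = 0, 0
        for pos, ch in enumerate(line):
            if ch == "[":
                depth += 1
                if depth == 1:
                    start = pos
                else:  # a tag inside a tag would be command substitution
                    problems.append((lineno, "nested [ ] inside a tag"))
            elif ch == "]" and depth:
                depth -= 1
                if depth == 0:
                    # Handles [cmd args /], [cmd args] and [/cmd/] alike.
                    words = line[start + 1:pos].strip("/ ").split()
                    name = words[0] if words else ""
                    if name not in ALLOWED:
                        problems.append((lineno, f"command not allowed: {name!r}"))
        if depth:
            problems.append((lineno, "unterminated ["))
        for m in VAR.finditer(line):
            index = m.group(3)
            if index is not None and not SAFE_INDEX.match(index):
                problems.append((lineno, f"unsafe array index in ${m.group(1)}(...)"))
    return problems


# Constructed sample, modelled on the template in the post.
GOOD = """[set Cards $CardList($num) /]
[foreach Card $Cards /]
<th>$Card [if {$k > 0} /]<input value="$k [expr ($k - 1) /]">[/if/]</th>
[incr k /]
[/foreach/]"""

if __name__ == "__main__":
    for sample in (GOOD, "$a([rm -rf /])", "[while {1} /]"):
        print(check_template(sample))
```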