Hello.

Since my ISP does not provide the tidy module for Apache, I tested writing a wrapper script for a locally installed tidy binary. In general, the script is triggered by a modification to the .htaccess file like so:

AddHandler server-parsed .php
Action server-parsed /tidy_wrapper.php5

All php pages are by that means "treated" by the script tidy_wrapper.php5.

Here is the code for tidy_wrapper.php5:

<?php

chdir ( dirname ( $_SERVER['PATH_TRANSLATED'] ) );
ob_start();
include ( $_SERVER['PATH_TRANSLATED'] );
$output = ob_get_contents();
ob_end_clean();

// Including a line with the comment "<!-- NO TIDY !-->" will turn off tidy conversion

if ( !stristr ( $output, "<!-- NO TIDY !-->" ) ) {
        $localfile = tempnam ( '../tmp', "tmp" );
        $handle = fopen($localfile, "w");
        fwrite($handle, $output);
        fclose($handle);

        // escapeshellarg() keeps the temp-file path a single shell argument
        $command = '/Library/WebServer/CGI-Executables/tidy -iq --show-errors 0 --show-warnings 0 -wrap 100 ' . escapeshellarg ( $localfile ) . ' 2>&1';

        exec ( $command, $output_exec );
        echo implode ( "\n", $output_exec );
        unlink ( $localfile );
} else {
        echo $output;
}
exit;
?>

Although the script is actually working fine, there is at least one downside: speed. As you can see, the output buffer must be written to a file in order to be processed by tidy. I was not able to get tidy to accept a string for processing. Doing so, tidy throws an error. I have looked through the tidy documentation without finding any clues. I would appreciate any hints. Any ideas for a workaround for that file-saving thing would be welcome!

Otherwise, I strongly feel that this script might become/be a security hole. Because it does not validate the included PHP code, it could be misused for doing bad stuff, or am I wrong? Once more, any suggestions are welcome.

regards,
/frank

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
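
An added example, not part of the original post: one way to address both questions raised above, by confining the included file to the document root and by piping the buffered output to tidy on standard input instead of a temp file. It assumes tidy reads stdin when no file argument is given; `resolve_script()` and `tidy_via_stdin()` are hypothetical helper names, and the tidy path and flags are the ones from the post.

```php
<?php
// Added example, not the original poster's code.
// Assumption: only .php files under DOCUMENT_ROOT may be run by the wrapper.
const TIDY_BIN = '/Library/WebServer/CGI-Executables/tidy';

// Return the canonical path if $requested is a regular .php file inside
// $root once symlinks and ".." segments are resolved; otherwise null.
function resolve_script($requested, $root)
{
    if ($requested === '' || $root === '') {
        return null;
    }
    $rootReal = realpath($root);
    $real = realpath($requested);
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = strncmp($real, $prefix, strlen($prefix)) === 0;
    $isPhp = strtolower(pathinfo($real, PATHINFO_EXTENSION)) === 'php';
    return ($inside && $isPhp) ? $real : null;
}

// Feed $html to tidy on stdin and return its stdout; no temporary file.
function tidy_via_stdin($html)
{
    $cmd = escapeshellarg(TIDY_BIN) . ' -iq --show-errors 0 --show-warnings 0 -wrap 100';
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return $html;              // tidy could not start: serve raw output
    }
    fwrite($pipes[0], $html);
    fclose($pipes[0]);             // EOF marks the end of the document
    $clean = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $clean !== '' ? $clean : $html;   // tidy emits nothing on hard errors
}

$script = resolve_script($_SERVER['PATH_TRANSLATED'] ?? '', $_SERVER['DOCUMENT_ROOT'] ?? '');
if ($script === null) {
    http_response_code(404);       // refuse anything outside the document root
    exit;
}
chdir(dirname($script));
ob_start();
include $script;
$output = ob_get_clean();
echo stristr($output, '<!-- NO TIDY !-->') !== false ? $output : tidy_via_stdin($output);
```

The path check limits which files the wrapper will execute; it does not make the included PHP itself trustworthy, so write access to the document root remains the real boundary.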
