Castwide Developer's Resource

Function Whitelists for PHP Expressions

by Castwide on 4-28-2008 • Tags: pagemill, php, templates • 14 comments

One of my experiments with the new Pagemill is a custom tag that allows limited use of PHP for evaluating expressions. It's not unusual for templates to require more advanced functionality than simple string concatenation, such as formatting dates and numbers. These features are the major benefit that pure PHP templates have over many template systems. Even Smarty provides a method for embedding PHP code into templates. Using pure PHP, however, introduces the possibility that application logic can become intertwined with presentation logic. My custom PHP tag is an attempt to combine the best of both worlds.

A simple example of the PHP tag in action:

<pm:php expr="number_format($amount, 2)" />

The tag's class uses the Tokenizer functions to compare the expression against whitelists of permitted tokens and functions. The functions permitted include those commonly required for data manipulation, such as number_format(), date(), and substr(). If an expression contains a function excluded from the whitelist, such as mysql_query(), the expression will not be evaluated.

Variables in the expression are evaluated according to the Pagemill's current data scope. Any variable that can be evaluated using the template's @{variable}@ syntax can be evaluated using PHP's $variable syntax within the expression. Variables can only be accessed through the Pagemill's data store. Variables that are not defined inside the Pagemill return an empty string, same as elsewhere in the template.

Functions that are currently whitelisted:

• number_format()
• date()
• substr()
• strtolower()
• strtoupper()
• trim()
• money_format()
• ltrim()
• rtrim()
• abs()
• time()
• strtotime()
• gmdate()

A future version of the tag might use a generic syntax that emulates XPath functions so it can be implemented in other languages.

More News

Comments