
processing {plugins} in form input

Discussion in 'Professional Support' started by skyrun, Aug 13, 2019.

  1. skyrun

    skyrun Active Member

    Level: Professional
    I can't seem to get it to stop processing plugins if they are in the content of a form field.
    It works (i.e. shows the actual data, does not process the plugin) when I view the form on the backend, but when viewed on the front end, the plugins are getting evaluated and the content displayed in the field (when RO or RW) is the result of the plugin in the field, not the raw data.

    I have set 'Process joomla plugins' to 'No' on the form. I am using the standard 'bootstrap' layout.
     
    Last edited: Aug 13, 2019
  2. troester

    troester Well-Known Member Staff Member

    Level: Community
    Do you mean plugins like {fabrik view...} or placeholders like {table___element}?

    Sent from my SM-G930F using Tapatalk
     
  3. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
  4. skyrun

    skyrun Active Member

    Level: Professional
    No joy. I commented out that line, and it still processes Joomla plugins in the input box on the form.
     
  5. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    OK, then it probably isn't Fabrik doing it. That's the only place we run J! plugins on the form or details views.

    You might want to poke around in whatever third-party system plugins you have, or maybe test a different site template, to see if that's the issue.

    -- hugh
     
  6. skyrun

    skyrun Active Member

    Level: Professional
    Hm, OK.

    It seems like any Joomla form would have it happen then if a {xxxxx} is in the data in the form... and I doubt it does. It certainly doesn't when you use JCE or any of the editors and put the {xxxxx}s in. It doesn't render them. So I am still suspecting Fabrik.

    It does it when I run the form on Protostar also.
     
  7. troester

    troester Well-Known Member Staff Member

    Level: Community
    I just tested (for a field and a WYSIWYG textarea with JCE) and can't replicate it:
    with "process Joomla plugins" = No in the form settings (Options) and in the list settings (Advanced), it displays the raw {fabrik view=....} literally in list, form and details view.
     
  8. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    And I've searched through the code, and there is nowhere in form or details view we process plugins except that line I pointed at.

    Do you have anything "unusual" on the form, like any form plugins or element types that are out of the ordinary / not the normal kind of stuff?

    -- hugh
     
  9. skyrun

    skyrun Active Member

    Level: Professional
    Thanks Hugh,

    You're right that it is not Fabrik.

    I've discovered that Sourcerer (from Regular Labs) processes everything in Joomla by default when the plugin is on: form text, and even form input that is output/included when the form is loaded. This seems like really dangerous behaviour to me, but they're not seeing it that way. So I could type PHP code, invoking Sourcerer, that does bad stuff into any Joomla form on any site that uses Sourcerer. Yikes! Their response is that I can turn it off by component. So I could turn off Sourcerer for Fabrik. But it's all or nothing, and I use PHP code in my form and list heading text...

    They have hardcoded/removed the known/common Joomla forms by form id, like the logon and contact form and all Joomla forms, but forms on other components that don't happen to use one of their hardcoded form ids are all processed. They feel it's a feature. And maybe it is, but it should be able to be turned off and shouldn't be the default for unsuspecting users.

    But they did take some quick action to provide a solution that is not perfect but is workable if you are aware of it. To accommodate me they have added a class 'no-sourcerer', for when that's on the form (in their development/beta version for now). Seems pretty easy to remove in the inspector though...

    Anyway, perhaps this is something other Fabrik users (that happen to use Sourcerer) should be aware of. But on the other hand, we don't want to expose a vulnerability that others have not locked down.

    If you could add a way to add a 'class' to a form, that would be great, but since I don't think there is an easy way, I have added class = 'no-sourcerer' to my Fabrik templates to protect my forms (bootstrap_no-sourcerer) to get around this IMO dangerous default behavior.

    AND THE BEST DEFENSE is that Sourcerer allows you to override their default tag. So instead of {source}<?php ...code...?>{/source}, you can change that to {fubar} or whatever. That's the quickest and simplest security against this behavior being used against you by people that don't know your plugin word.
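The post above describes the failure mode (a content plugin evaluating {source}...{/source} markup found in user-submitted field data) and two mitigations (renaming the tag, and marking the form with a class). The following is an added example, not Fabrik's or Regular Labs' code, of two defence-in-depth checks a site owner can bolt on: neutralising tag-shaped markup in untrusted text before it is echoed into a page, and scanning already-stored rows for such markup. It assumes the plugin matches the literal "{tag}" / "{/tag}" strings in the rendered HTML, so writing the braces as HTML entities shows the text but defeats the match; the function and variable names, and the sample rows, are constructed for this illustration.

```php
<?php
// Added example, not Fabrik's or Regular Labs' code. Assumes Sourcerer-style
// tags are matched as literal "{tag}" / "{/tag}" strings in the rendered page
// (the {source} default, or a site-specific override such as {fubar}); with
// the braces written as HTML entities the tag is displayed but not matched.

/**
 * Neutralise {tag ...}...{/tag} markup in untrusted text before it is echoed
 * into a page, for every tag name in $tags (case-insensitive). The braces are
 * rewritten as &#123; and &#125;, so the visitor still sees what was typed.
 */
function neutraliseContentTags(string $text, array $tags = ['source']): string
{
    foreach ($tags as $tag) {
        // Matches {tag}, {/tag} and {tag attr="..."} without crossing braces.
        $pattern = '/\{(\/?' . preg_quote($tag, '/') . ')(\s[^{}]*)?\}/i';
        $text = preg_replace_callback(
            $pattern,
            static function (array $m): string {
                return '&#123;' . $m[1] . ($m[2] ?? '') . '&#125;';
            },
            $text
        );
    }
    return $text;
}

/**
 * Scan stored rows (id => [field => value]) for tag usage and return
 * id => list of [field, tag] hits, so already-submitted content can be found.
 */
function findContentTags(array $rows, array $tags = ['source']): array
{
    $hits = [];
    foreach ($rows as $id => $fields) {
        foreach ($fields as $field => $value) {
            foreach ($tags as $tag) {
                $pattern = '/\{' . preg_quote($tag, '/') . '(\s[^{}]*)?\}/i';
                if (preg_match($pattern, (string) $value)) {
                    $hits[$id][] = [$field, $tag];
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows, shaped like values a form's text field might store.
$rows = [
    1 => ['comment' => 'plain text, nothing to see'],
    2 => ['comment' => 'look: {source}<?php echo date("Y"); ?>{/source}'],
    3 => ['comment' => 'renamed tag {Fubar}<?php phpinfo(); ?>{/Fubar}'],
    4 => ['comment' => 'just a placeholder {table___element}'],
];

// Watch the site's real Sourcerer tag (whatever it was renamed to) plus the
// default, in case the override is ever reverted.
$watched = ['source', 'fubar'];

print_r(findContentTags($rows, $watched));
echo neutraliseContentTags($rows[2]['comment'], $watched), PHP_EOL;
```

Run from the command line, the scan reports rows 2 and 3 (row 4 is left alone because {table___element} is not a watched tag), and the neutralised string keeps the visible text while the tag braces become entities. In a Fabrik site the neutralising step belongs in the custom form template that renders the field value, and the scan can be run over rows pulled from the list's table; neither replaces turning the plugin off for the component or renaming the tag, as the post recommends, but they catch content that arrived before those settings were changed.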
     
  10. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    Hmmm, that is bad. I might talk to them. Meanwhile I'll add the ability to add a class to a form.

    Is there a forum thread you were discussing this with them I could join in on?

    -- hugh
     
