On several sites there is more than one person with access to the AdminCP; it is not uncommon to have an administrator and someone with access to the templates to "edit" the style of the site and make small changes.
Giving the ability to run a file from the template engine gives whoever has access to the AdminCP the ability to execute any random file on the server, even if their access is restricted or if they did not have FTP or SSH access anyway. For a hacker it creates a tunnel through which to inject code into the site, and on top of that it is hard to detect (since if someone edits a random template it is unlikely to be noticed).
Plus, it is bad design. The templates are the "view". The view layer shouldn't go back into calling controller logic, and it should not have access to anything other than the model; by the time we reach the view most of the processing is done and it is only displaying things.
It is totally worth it to take the additional time and extend the controller to execute or include whatever file is needed. All controllers can be extended in XF, and custom ones can be created.
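The design point above (a template-level file include hands filesystem access to everyone with template-edit rights, whereas a controller extension can do the same work under its own checks and pass only data to the view) illustrated with a toy renderer. This is an added, language-agnostic example in Python, not XenForo code and not the poster's; `render_weak`, `render_hardened`, `NoticeController`, the temporary files and the `hunter2` secret are all constructed here for the demonstration.

```python
"""Added example: why the view must not be able to include files, and where
that work belongs instead (the controller). Not XenForo code; the renderer,
controllers and sample files are all constructed for this illustration."""
import os
import re
import tempfile

# Constructed sample "server": one file the controller is allowed to render
# (a notice) and one it must never hand to a template (a config with a secret).
SERVER_ROOT = tempfile.mkdtemp(prefix="toyapp_")
ALLOWED_DIR = os.path.join(SERVER_ROOT, "notices")
os.makedirs(ALLOWED_DIR)
with open(os.path.join(ALLOWED_DIR, "maintenance.txt"), "w") as f:
    f.write("Maintenance window: Sunday 02:00 UTC")
with open(os.path.join(SERVER_ROOT, "config.php"), "w") as f:
    f.write("<?php $db_password = 'hunter2';")  # constructed secret

PLACEHOLDER = re.compile(r"\{\{\s*([^}]+?)\s*\}\}")
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_weak(template: str, model: dict) -> str:
    """Weak design: the template engine honours an 'include <path>' directive,
    so a template edit alone is enough to pull any readable file into the page."""
    def resolve(match):
        expr = match.group(1)
        if expr.startswith("include "):
            with open(os.path.join(SERVER_ROOT, expr[len("include "):])) as fh:
                return fh.read()
        return str(model.get(expr, ""))
    return PLACEHOLDER.sub(resolve, template)


def render_hardened(template: str, model: dict) -> str:
    """Hardened design: the view may only look up plain identifiers in the model
    the controller built. Anything else is a template error, never a file read."""
    def resolve(match):
        expr = match.group(1)
        if not IDENT.match(expr):
            raise ValueError(f"template error: unsupported expression {expr!r}")
        if expr not in model:
            raise KeyError(f"template error: unknown variable {expr!r}")
        return str(model[expr])
    return PLACEHOLDER.sub(resolve, template)


class NoticeController:
    """Base controller: builds the model that the view is allowed to see."""
    def action_index(self) -> dict:
        return {"title": "Welcome"}


class ExtendedNoticeController(NoticeController):
    """Controller extension: the file work happens here, against an allowlist,
    and only the resulting text reaches the view."""
    ALLOWED_NOTICES = {"maintenance.txt"}

    def action_index(self) -> dict:
        model = super().action_index()
        name = "maintenance.txt"
        if name not in self.ALLOWED_NOTICES:
            raise PermissionError(name)
        with open(os.path.join(ALLOWED_DIR, name)) as fh:
            model["notice"] = fh.read()
        return model


EDITED_TEMPLATE = "<h1>{{ title }}</h1>{{ include config.php }}"  # a tampered template


def weak_template_leaks_config() -> bool:
    """Under the weak design the tampered template exposes the config secret."""
    return "hunter2" in render_weak(EDITED_TEMPLATE, {"title": "Welcome"})


def hardened_template_rejects_include() -> str:
    """Under the hardened design the same template fails at render time."""
    try:
        render_hardened(EDITED_TEMPLATE, {"title": "Welcome"})
    except ValueError as exc:
        return str(exc)
    return "no error"


def hardened_page() -> str:
    """The legitimate path: controller reads the allowed file, view displays it."""
    model = ExtendedNoticeController().action_index()
    return render_hardened("<h1>{{ title }}</h1><p>{{ notice }}</p>", model)


if __name__ == "__main__":
    print("weak design leaks secret:", weak_template_leaks_config())
    print("hardened design:", hardened_template_rejects_include())
    print(hardened_page())
```

The hardened renderer is also a cheap detection point: because every non-identifier expression raises, a template that someone has edited to reach outside the model fails loudly at render time instead of quietly pulling in a file.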