Secure TinyButStrong

By: Jan
Date: 2010-07-26
Time: 00:06

Secure TinyButStrong

Hey,

I am new to TinyButStrong.
My intention is to let my users write tiny but strong template code to access variables.
However there are some security related concerns.

I already read in the FAQ that you can limit the access to global variables.
Is it also possible to disable any access to the file system?
Could a user do any harm to my system or spy files?

Regards
Jan
By: Skrol29
Date: 2010-07-26
Time: 01:15

Re: Secure TinyButStrong

Hi Jan,

The only variables that a TBS template can display are global variables. And you can limit the access to global variables by any suffix you want. You can use this to give access to a set of global variables you want. To do so, you just have to create a global variable which is an array containing references to all the variables you want. And then limit TBS to displaying this global variable.

A TBS template can also display information that you reference under the ObjectRef property. But this property is fed by the coder.

A TBS template can run any PHP script because of the parameters "script" and "subtpl". This is not a real security problem because in most configurations, web users can do the same (just type it in the URL and the server runs it). PHP scripts should be protected against standalone running.

There is also a small known security problem that can happen between the coder and the template designer, but it is very specific and the effects are very limited. I cannot tell more since this problem is not fixed. It will be soon.
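The allow-list approach Skrol29 describes (one global array of references, and TBS restricted to globals that carry a chosen prefix), together with the guard against running a script standalone, as an added example that is not part of the thread and not code from the TBS project. It assumes TBS 3.x with `tbs_class.php` on the include path, the `VarPrefix` property behaving as documented for that version, and a front controller that defines an `APP_ENTRY` constant before including this file; the variable names and values are constructed for the example.

```php
<?php
// Added example, not from the thread or the TBS project.
// Assumes TBS 3.x (tbs_class.php) and its documented VarPrefix property.

// Guard against standalone execution (the last point in the post above):
// exit unless the application's front controller included this file.
// APP_ENTRY is an assumed constant defined by that front controller.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

require_once 'tbs_class.php';

// Application data that must never be reachable from a user-written template.
$db_password   = 'constructed-secret';  // constructed sample value
$session_token = 'constructed-token';   // constructed sample value

// Data the template is allowed to display.
$user_name  = 'Alice';                  // constructed sample value
$item_count = 3;                        // constructed sample value

// The single global the template may reach. Storing references (&) means
// later changes to $user_name or $item_count are seen by the template.
$tbs_vars = array(
    'user'  => &$user_name,
    'count' => &$item_count,
);

$TBS = new clsTinyButStrong;
// Only globals whose name starts with "tbs_" can be merged; $db_password
// and $session_token do not carry the prefix, so [onshow.db_password]
// is refused by TBS instead of being displayed.
$TBS->VarPrefix = 'tbs_';

// Template text as a user might write it (constructed sample).
$user_template = 'Hello [onshow.tbs_vars.user], you have [onshow.tbs_vars.count] items.';

$TBS->Source = $user_template;
$TBS->Show(TBS_NOTHING);   // merge without sending output
echo $TBS->Source;          // Hello Alice, you have 3 items.
```

Only the keys you put into `$tbs_vars` are exposed, so adding a variable to the allow-list is an explicit decision in the PHP code rather than a side effect of declaring a new global; the "script" and "subtpl" parameters discussed later in the thread are not restricted by this setting.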


By: Jan
Date: 2010-07-26
Time: 08:36

Re: Secure TinyButStrong

I want to allow the user to "write" tinybutstrong code.

Is there no way to disable script file and subtpl?
By: Skrol29
Date: 2010-07-26
Time: 09:41

Re: Secure TinyButStrong

What do you mean by "tinybutstrong code"?
By: Jan
Date: 2010-07-26
Time: 10:18

Re: Secure TinyButStrong

for example
[onshow.x]
By: Skrol29
Date: 2010-07-26
Time: 11:24

Re: Secure TinyButStrong

Ok so you mean tinybutstrong templates.

You can easily modify the TBS source code to avoid those parameters, or have them limited to a custom list of values. But this is not native for now.
However, the effects of those parameters are very limited.
By: Jan
Date: 2010-07-26
Time: 11:44

Re: Secure TinyButStrong

Okay thank you very much!

Modifying the code sounds fine to me.