I recently discovered that MyBB implements some kind of system that detects security issues/hazardous variable names, and it's very annoying having to go through and pinpoint exactly what's throwing this.
My suggestion is for MyBB to identify exactly what caused it and why it was rejected. Anything from the line number to the offending name. As of now, the error reads:
Quote: A potential security issue was found in the template. Please review your changes or contact the MyBB Group for support.
As you can see, it's also prompting to contact the MyBB group which means another help thread on what is probably a simple name error.
Had a look and didn't see any similar suggestions so hopefully this can be considered!
This shouldn't be an issue with MyBB 2.0 as the template engine doesn't allow PHP to be used directly in views.
Also the template editor will be completely rewritten (like everything else) so this shouldn't be an issue.
(2016-01-13, 06:28 AM) Nathan Malcolm wrote: This shouldn't be an issue with MyBB 2.0 as the template engine doesn't allow PHP to be used directly in views.
Sorry, I wasn't very clear in my post. By variable names, it appeared the references to my lang files were triggering the security block. This isn't talking about that plugin which supported php/conditionals in templates.
(2016-01-13, 05:13 PM) Abstergo wrote: Sorry, I wasn't very clear in my post. By variable names, it appeared the references to my lang files were triggering the security block. This isn't talking about that plugin which supported php/conditionals in templates.
I understood your post clearly; all variables in templates are PHP variables. The Twig engine doesn't use PHP variables in views so there shouldn't be any security issues regarding code execution.
(2016-01-14, 03:50 AM) Nathan Malcolm wrote: I understood your post clearly; all variables in templates are PHP variables. The Twig engine doesn't use PHP variables in views so there shouldn't be any security issues regarding code execution.
Oh I see. Wishing I had saved what was causing the issue so you could see for yourself, can't seem to replicate it any more. But I was able to pinpoint it to one exact line and changing the lang's reference name solved it.
If this renders my suggestion obsolete then staff feel free to move it wherever.
@Destroy666 - would you please post a PR or start a discussion in the MyBB dev team about this change for 1.8.x? It seems to be useful; at least it's better to have it in core than to add them manually.