MyBB Community Forums

Full Version: Template Rejection Info
I recently discovered that MyBB implements some kind of system that detects security issues/hazardous variable names, and it's very annoying having to go through and pinpoint exactly what's throwing this.

My suggestion is for MyBB to identify exactly what caused it and why it was rejected. Anything from the line number to the offending name. As of now, the error reads:

Quote:
  • A potential security issue was found in the template. Please review your changes or contact the MyBB Group for support.

As you can see, it's also prompting to contact the MyBB group which means another help thread on what is probably a simple name error.

Had a look and didn't see any similar suggestions so hopefully this can be considered!
This shouldn't be an issue with MyBB 2.0 as the template engine doesn't allow PHP to be used directly in views.
Also the template editor will be completely rewritten (like everything else) so this shouldn't be an issue.
(2016-01-13, 06:28 AM)Nathan Malcolm Wrote: This shouldn't be an issue with MyBB 2.0 as the template engine doesn't allow PHP to be used directly in views.

Sorry, I wasn't very clear in my post. By variable names, it appeared the references to my lang files were triggering the security block. This isn't talking about that plugin which supported php/conditionals in templates.
(2016-01-13, 05:13 PM)Abstergo Wrote:
    (2016-01-13, 06:28 AM)Nathan Malcolm Wrote: This shouldn't be an issue with MyBB 2.0 as the template engine doesn't allow PHP to be used directly in views.

  Sorry, I wasn't very clear in my post. By variable names, it appeared the references to my lang files were triggering the security block. This isn't talking about that plugin which supported php/conditionals in templates.

I understood your post clearly; all variables in templates are PHP variables. The Twig engine doesn't use PHP variables in views so there shouldn't be any security issues regarding code execution.
(2016-01-14, 03:50 AM)Nathan Malcolm Wrote:
    (2016-01-13, 05:13 PM)Abstergo Wrote:
      (2016-01-13, 06:28 AM)Nathan Malcolm Wrote: This shouldn't be an issue with MyBB 2.0 as the template engine doesn't allow PHP to be used directly in views.

    Sorry, I wasn't very clear in my post. By variable names, it appeared the references to my lang files were triggering the security block. This isn't talking about that plugin which supported php/conditionals in templates.

  I understood your post clearly; all variables in templates are PHP variables. The Twig engine doesn't use PHP variables in views so there shouldn't be any security issues regarding code execution.

Oh I see. Wishing I had saved what was causing the issue so you could see for yourself, can't seem to replicate it any more. But I was able to pinpoint it to one exact line and changing the lang's reference name solved it.

If this renders my suggestion obsolete then staff feel free to move it wherever.
As for 1.8.x, you can implement these edits: http://community.mybb.com/thread-148259.html It's indeed annoying that anything similar wasn't implemented in the core (theoretically it still could be, I don't see why not).
@Destroy666 - would you please post a PR or start a discussion in the MyBB dev team about this change for 1.8.x? It seems to be useful; at least it's better to have it in core than to add them manually.