safe_data — allow interpolation of database values in search for Interchange tags
By default, Interchange does not allow data returned from the databases to be interpolated (all the [s are converted to an HTML entity &#91; and displayed literally). Setting this pragma eliminates the restriction and passes [s through for interpolation.
If you want to have tags in your database and display them in Interchange pages (say, to display [page] links for internal hyperlinks in your product descriptions), you need to enable this pragma.
Some things to consider, though:
It might be better to use the safe_data attribute available to certain tags, or perhaps the [pragma] for a whole page or [tag pragma safe_data] [/tag] for a small block of ITL code on a page, instead of setting a catalog-wide safe_data pragma.
In any case, it is strongly recommended that you surround the area with a [restrict] tag to allow only a specific set of tags to appear "in-band" (which should be relatively safe), such as [page] or [area]. Expect security compromises if you allow [calc], [perl] or any other extremely powerful tags.
Be certain that you absolutely know where the data from your databases will be used. Consider the following:
Will it always be possible to interpolate?
What about e-mailed plain-text receipts? Will literal "[page ]" tags show up in product descriptions on the receipt?
Would the desired output of <a href="..."> be any better than simple plain text?
What if you access your database from applications other than Interchange? You'd then have to decide what to do with such tags; perhaps you could simply strip them, but will the missing output cause trouble?
To sum up, safe_data is disabled by default for a reason, and you should be very careful if you decide to enable it.
Watch out for parse order with tag pragma or restrict when used with lists that retrieve data from the database (such as [PREFIX-*], [loop], or the flypage). Loops parse before regular tags like [tag], and are thus not affected by them (so you must include the whole loop code in the "critical section").
Interchange 5.9.0 (1/1 contexts shown):
Source: lib/Vend/Interpolate.pm
Line 1746 (context shows lines 1736-1750 in ed():1745)
        if ($opt->{no_return}) {
            $Vend::Session->{mv_perl_result} = $result;
            $result = join "", @Vend::Document::Out;
            @Vend::Document::Out = ();
        }
    #::logDebug("tag_perl succeeded result=$result\nEND");
        return $result;
    }

    # Escape "[" in database values so they are not parsed as tags,
    # unless safe_data is in effect.
    sub ed {
        return $_[0] if ! $_[0] or $Safe_data or $::Pragma->{safe_data};
        $_[0] =~ s/\[/&#91;/g;
        return $_[0];
    }
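The following stand-alone Perl script is an added example, not part of the Interchange source. It reproduces the escaping done by ed() above and shows what a database value looks like with the default setting, with safe_data enabled, and after two hypothetical filters (escape_except and strip_tags are illustrative names, and the product description is constructed). The allow-list filter only models the effect on text; in Interchange the restriction itself is enforced by [restrict].

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the catalog-wide pragma; in Interchange this is $::Pragma->{safe_data}.
my %pragma = (safe_data => 0);

# Same logic as ed() in the excerpt above, but working on a copy so that
# the caller's value is not modified in place.
sub escape_tags {
    my ($text) = @_;
    return $text if !$text or $pragma{safe_data};
    $text =~ s/\[/&#91;/g;
    return $text;
}

# Hypothetical allow-list filter: escape every "[" except one that opens
# or closes a tag whose name is in @allowed.
sub escape_except {
    my ($text, @allowed) = @_;
    my $names = join '|', map { quotemeta($_) } @allowed;
    $text =~ s{\[(?!/?(?:$names)(?![\w-]))}{&#91;}g;
    return $text;
}

# Hypothetical plain-text fallback for consumers that never interpolate
# (e-mailed receipts, other applications): drop the tags, keep their bodies.
sub strip_tags {
    my ($text) = @_;
    $text =~ s{\[/?[A-Za-z][^\]]*\]}{}g;
    return $text;
}

# Constructed database value, as it might sit in a description column.
my $desc = 'See [page sku1]the cable[/page]. [calc]2+2[/calc]';

print "default:    ", escape_tags($desc), "\n";
print "allow-list: ", escape_except($desc, qw(page area)), "\n";
print "plain text: ", strip_tags($desc), "\n";

# With the pragma on, the value reaches the tag parser unchanged,
# including the [calc] block.
$pragma{safe_data} = 1;
print "safe_data:  ", escape_tags($desc), "\n";
```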