CMSimple_XH 1.6 :: handling of config and text forms

Post by manu » Fri Jan 04, 2013 11:24 am

This is really a great improvement:
cmb wrote: I refactored the handling of config and text forms for the core and the plugins. The display and saving is now handled by a class hierarchy in cmsimple/classes/FileEdit.php. This greatly reduced the required code, which basically was duplicated in adm.php and pluginloader/index.php; in addition this file is only included, if it is actually required. Additional benefits: both the core and the plugin config etc. now have identical look and feel; it should be easy to introduce any "typed" config (some basics are already in place); it's easy to extend the class hierarchy for special needs of plugins.
As it is quoted here I allow myself to open a new thread because of its importance. The whole extended config handling is related to this.
What I miss a bit is the message handling. I don't see a success message when a file is updated after form submit. As the page is forwarded after a successful update it's not so easy to display a message because of the forwarded page.
How about setting a message GET variable in the forward URI/query string? The value of this key could be used as a key for some standard messages (with placeholders). This message could be displayed by the FileEdit->form() method.
Or the key could be a standard key in the plugin tx file.
regards manu

Post by cmb » Fri Jan 04, 2013 1:48 pm

Yes, you're right: a success message is missing! Probably it's already enough to pass a flag (something like &success=1) in the query string, which will trigger the display of a success message from the general language file; the name of the plugin, and the type of config (config/language) can be inserted through placeholders.
Christoph M. Becker – Plugins for CMSimple_XH

Post by cmb » Tue Jan 29, 2013 11:10 am

Hello Community,

as basically the same issue has to be faced by the new restore feature, we might consider a general possibility to handle such success messages. My suggestion &success=1 won't fit for this purpose.

So what about introducing xhsuccess as GET parameter, which will cause its value to be displayed on top of the contents area? This could be used by plugins too:

```php
header('Location: ' . CMSIMPLE_URL . '&xhsuccess=' . urlencode($mySuccessMessage), true, 303);
```

There's a limit on the size of a URL in certain browsers, but at least 2000 bytes seem to be accepted everywhere. So error messages up to 100 characters should never be a problem (which are at most 1200 bytes urlencoded).

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Post by manu » Tue Jan 29, 2013 11:23 am

Good idea!
But why not sending the key of successmsg in plugin language file, as the outcome has to be i18n'd anyway?

Post by cmb » Tue Jan 29, 2013 11:44 am

manu wrote: But why not sending the key of successmsg in plugin language file, as the outcome has to be i18n'd anyway?
By sending the complete message this can generally be handled in cms.php:

```php
if (isset($_GET['xhsuccess'])) {
    // Escape the message before appending it to the page output.
    $o .= '<p class="cmsimplecore_success">'
        . htmlspecialchars($_GET['xhsuccess'], ENT_COMPAT, 'UTF-8')
        . '</p>';
}
```

Otherwise additional parameters would have to be sent, stating if the key should be looked up in the core or in which plugin, and maybe additional placeholders.

But of course sending the complete message doesn't look nice in the address bar. And sending a key + additional info, if necessary, is cleaner anyway.

So I'm not sure, what's best. At least introducing the CSS class "cmsimplecore_success" seems to be reasonable.
Christoph M. Becker – Plugins for CMSimple_XH

Post by Holger » Tue Jan 29, 2013 11:41 pm

cmb wrote: So I'm not sure, what's best.
I think sending a key is the better way.
Therefore it might be useful to have a flexible function to build the messages. Maybe it's possible to extend / change the existing function e(...) or introduce a new function and keep e() for compatibility with plugins (I've used it sometimes).

BTW:
cmb wrote: At least introducing the CSS class "cmsimplecore_success" seems to be reasonable.
Yes, but IMO we need 4 classes:
- cmsimplecore_success (green)
- cmsimplecore_info (blue)
- cmsimplecore_warning (yellow - already there)
- cmsimplecore_fail (red)
to make it usable with plugins.

Holger
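
Added example, not from the thread or the CMSimple_XH code base: one way the key-based variant could look, where the redirect carries only a language key and the receiving page resolves it. The xhname parameter, the message keys and both function names are hypothetical.

```php
<?php
// Constructed language entries (assumption); each takes exactly one %s.
$tx['message']['config_saved'] = 'The configuration of %s has been saved.';
$tx['message']['language_saved'] = 'The language file of %s has been saved.';

// Sender side: the redirect carries a key and a name, not the message text.
function successRedirectUrl($baseUrl, $key, $name)
{
    return $baseUrl . '&xhsuccess=' . urlencode($key)
        . '&xhname=' . urlencode($name);
}

// Receiver side: only texts present in the language array can be shown.
function successMessage(array $get, array $tx)
{
    $key = isset($get['xhsuccess']) ? $get['xhsuccess'] : null;
    $name = isset($get['xhname']) ? $get['xhname'] : '';
    // Query parameters may arrive as arrays; accept strings only.
    if (!is_string($key) || !isset($tx['message'][$key])) {
        return '';
    }
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,40}$/', $name)) {
        return '';
    }
    $text = sprintf($tx['message'][$key], $name);
    return '<p class="cmsimplecore_success">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

echo successRedirectUrl('http://example.com/?my_plugin', 'config_saved', 'my_plugin'), "\n";

// Constructed requests: a known key, an unknown key, an array-valued key.
$requests = array(
    array('xhsuccess' => 'config_saved', 'xhname' => 'my_plugin'),
    array('xhsuccess' => 'some arbitrary text', 'xhname' => 'my_plugin'),
    array('xhsuccess' => array('config_saved'), 'xhname' => 'my_plugin'),
);
foreach ($requests as $get) {
    var_export(successMessage($get, $tx));
    echo "\n";
}
```

Only the first request produces a paragraph; the other two resolve to an empty string because the key is not a string found in the language array.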

Post by cmb » Wed Jan 30, 2013 1:30 pm

Hi Holger,

I would definitely keep e() as it is. It's only meant to display file related messages/errors, and is very handy for this. I'm using it quite often.

Another function to display messages is something to consider. Probably it would be just a wrapper around sprintf():

```php
XH_message($tx['message']['a_key'], $arg1, $arg2);
XH_message($plugin_tx['a_plugin']['a_key'], $arg1, $arg2);
```

Or do I miss something?
Holger wrote: Yes, but IMO we need 4 classes:
Currently the core and plugins use cmsimplecore_warning for everything stored in $e (errors, warnings and sometimes information). It will be hard to split this. But offering a more fine-grained solution isn't bad for sure. And we might consider modernizing the styling a bit.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Post by Holger » Sat Feb 02, 2013 9:52 pm

Hi Christoph,

for sure we should keep function e() as it is.
And a tiny solution to throw messages to the user seems to be a simple wrapper as suggested.

OT:
But I have another question, coming up with this thread:
I've noticed that you often use the ENT_COMPAT flag with htmlspecialchars() (which is the IMO not useful default-value).
Is there any reason why you keep the single-quotes?

Consider the code below:

```php
<?php
$_POST['test'] = "'onclick='alert(/XSS!/)'";
$test = htmlspecialchars($_POST['test'], ENT_COMPAT);
?>

<input name='test' value='<?php echo $test ?>'>
```

The single-quotes are not only bad, when it comes to sql. Leaving them unescaped in forms might be dangerous too.

As I said, just a question because I've seen it the last days in some code-examples here and I prefer to use ENT_QUOTES.

Holger

Post by cmb » Sat Feb 02, 2013 10:22 pm

Hi Holger,
Holger wrote: Is there any reason why you keep the single-quotes?
I thought that &apos; isn't a generally accepted XHTML entity. But I just looked that up, and obviously I was wrong. So indeed it's better, if we change that throughout the core. Perhaps it's even reasonable to introduce a simple function (say XH_hsc()) to keep the code shorter?
Holger wrote: The single-quotes are not only bad, when it comes to sql. Leaving them unescaped in forms might be dangerous too.
I always enclose attribute values of nodes in double-quotes. But of course you're right, and one never knows, if somebody else might change this later (or if I inadvertently use single-quotes).

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
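
Added example, not part of the thread or of CMSimple_XH: Holger's value escaped with ENT_COMPAT and with ENT_QUOTES, placed in single- and double-quoted attributes, then parsed with PHP's DOM extension to list the attributes an HTML parser finds. XH_hsc() is only the name suggested above; its body here is an assumption.

```php
<?php
// XH_hsc() is the name suggested in the thread; this body is an assumption.
function XH_hsc($string)
{
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// List the attribute names an HTML parser sees on the first <input> in $html.
function attributeNames($html)
{
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = array();
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->name;
        }
    }
    return $names;
}

// Input value taken from Holger's post above.
$value = "'onclick='alert(/XSS!/)'";

$escaped = array(
    'ENT_COMPAT' => htmlspecialchars($value, ENT_COMPAT, 'UTF-8'),
    'ENT_QUOTES' => XH_hsc($value),
);
// The same escaped text in a single-quoted and a double-quoted attribute.
$templates = array(
    'single-quoted' => "<input name='test' value='%s'>",
    'double-quoted' => '<input name="test" value="%s">',
);

foreach ($escaped as $flag => $text) {
    foreach ($templates as $quoting => $template) {
        $html = sprintf($template, $text);
        printf("%-10s %-13s %s\n", $flag, $quoting, $html);
        printf("%24s attributes: %s\n", '', implode(', ', attributeNames($html)));
    }
}
```

With the default ENT_HTML401 document type, ENT_QUOTES writes the single quote as the numeric reference &#039; rather than &apos;. Since PHP 8.1 the default flags of htmlspecialchars() include ENT_QUOTES.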

Post by Holger » Sat Feb 02, 2013 10:34 pm

Hi Christoph,
cmb wrote: I thought that &apos; isn't a generally accepted XHTML entity.
That's why I've asked. I was not sure about side effects escaping single quotes at all.
But I've never noticed problems yet when using ENT_QUOTES.
cmb wrote: I always enclose attribute values of nodes in double-quotes.
That's for sure best practice.

Holger
