Let users create custom blade layouts / store in database

Deadly 提交于 2020-01-14 05:28:26

问题


Problem: I need to let my web-app users create their own blade layout templates. So the most convenient solution is to store the blade templates into the database. However, I see no method to extend a child view from a layout code NOT SPECIFIED in a blade file. Furthermore the next concern is security. I can't rely on users to insert safe code. Giving access to insert php code or directly blade code is disastrous for the system. So how to?

  1. Save the layout template in database
  2. Make sure no part of the code gets executed on the server side.

As a side note, I can let users mention pre-specified tokens in the code, that shall be replaced by the results from the system.


回答1:


Solution 1: Let users fill the database column (after filtering the given code for any possible php codes) and save it into a 'master' file, from which the final view is being extended. User may use given codes for content replacement

//master.blade.php
<html>
<head>
<%token%>
</head>
<body>
<%content%>
...
<%scripts%>
</body>
</html>

In the above code, the <% content %>

should be replaced by

@yield('content')

before the actual view is processed.

//final.blade.php
@extends('layouts.master')
@section('content')
...
@endsection

So the controller, saves the database column content into master.blade.php and then calls the view('final') function as necessary.

//In Controller
//Save the contents of database column in master.blade.php
return view('final',$data);

But this is NOT a GOOD solution. File write operation for every request, cache problems, security issues (such as service side execution script injection) etc. An alternate to this is having a master for each user, created only when the user makes changes in the template column. Thus benefiting from lesser file write operations, but file overload on the server because a file for every user in the file-system.


Solution 2: Save the user's layout code into database column (no filtering necessary).

//In controller
$content = View::make('final',compact('data'));
$token = "<meta name='_token' content='" . csrf_token() ."'";
$scripts = View::make('final_scripts',compact('data'));

$view = str_replace_first("<%content%>", $content, $templateInDatabase);
$view = str_replace_first("<%token%>", $token, $view);
$view = str_replace_first("<%scripts%>", $scripts, $view);

return $view;

The user shall be made to include the three <%X%> tags in the template code. Benefits are no server side code execution, hence added security. Cache problems minimize as the final & final_scripts blade templates can be cached. But the string replacements add extra effort.



来源:https://stackoverflow.com/questions/38398783/let-users-create-custom-blade-layouts-store-in-database

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!