safe_data — allow interpolation of database values in search for Interchange tags
By default, Interchange does not allow data returned from the databases to be interpolated (every [ is converted to the HTML entity &#91; and displayed literally). Setting this pragma lifts the restriction and passes [ characters through for interpolation.
If you want to store tags in your database and have them interpreted in Interchange pages (say, to display [page] links for internal hyperlinks in your product descriptions), you need to enable this pragma.
Some things to consider, though:
It might be better to use the safe_data attribute available to certain tags, or perhaps the [pragma] for a whole page or [tag pragma safe_data] [/tag] for a small block of ITL code on a page, instead of setting a catalog-wide safe_data pragma.
In any case, it is strongly recommended that you surround the area with a [restrict] tag so that only a specific set of tags can appear "in-band" (ones that should be relatively safe), such as [page] or [area]. Expect security compromises if you allow [calc], [perl] or any other extremely powerful tags.
Be certain that you absolutely know where the data from your databases will be used. Consider the following:
Will it always be possible to interpolate?
What about e-mailed plain-text receipts? Will literal "[page ]" tags show up in product descriptions on the receipt?
Would the desired output of <a href="..."> be any better than simple plain text?
What if you access your database from applications other than Interchange? You'd then have to decide what to do with such tags; perhaps you could simply strip them, but will the missing output cause trouble?
To sum up, safe_data is disabled by default for a reason, and you should be very careful if you decide to enable it.
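One way to check what your tables contain before turning the pragma on, as an added example (not Interchange code): it models the escaping done by ed() in lib/Vend/Interpolate.pm and reports every stored tag that falls outside an allow-list. The allow-list, the field names and the sample rows are assumptions constructed for illustration.

```python
"""Audit database text for ITL-style tags before enabling safe_data.

Added example, not Interchange code. Allow-list and rows are assumptions.
"""
import re

# Assumption: the tags you intend to permit through [restrict].
ALLOWED_TAGS = {"page", "area"}

# '[' plus optional '/' plus a tag-like name: [page ...], [/page], [calc].
TAG_RE = re.compile(r"\[/?([A-Za-z][\w-]*)")


def ed(text, safe_data=False):
    """Model of ed() in lib/Vend/Interpolate.pm: escape '[' unless safe_data."""
    if not text or safe_data:
        return text
    return text.replace("[", "&#91;")


def audit_rows(rows, fields):
    """Return unique (sku, field, tag) for each tag outside ALLOWED_TAGS."""
    findings = []
    for row in rows:
        for field in fields:
            for match in TAG_RE.finditer(row.get(field) or ""):
                # Tag names are compared in lower case.
                item = (row["sku"], field, match.group(1).lower())
                if item[2] not in ALLOWED_TAGS and item not in findings:
                    findings.append(item)
    return findings


# Constructed rows standing in for a products table export.
SAMPLE_ROWS = [
    {"sku": "demo-001", "description": "See the [page demo-002]matching set[/page]."},
    {"sku": "demo-002", "description": "Price note: [calc]1 + 1[/calc]",
     "comment": "[PERL]return 1[/PERL]"},
    {"sku": "demo-003", "description": "Plain text, no tags."},
]

if __name__ == "__main__":
    for sku, field, tag in audit_rows(SAMPLE_ROWS, ["description", "comment"]):
        print(f"{sku}: {field} contains [{tag}], which is not on the allow-list")
    print(ed(SAMPLE_ROWS[1]["description"]))  # what a page shows by default
```

Any row it reports would have its tag interpreted once safe_data is on, so review or clean those rows first.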
Example: Enabling safe_data page-wide
Add the following anywhere on an Interchange page:
[pragma safe_data]
Watch out for parse order with tag pragma or restrict when used with lists that retrieve data from the database (such as [PREFIX-*], [loop], or the flypage). Loops parse before regular tags like [tag], and are thus not affected by them (so you must include the whole loop code in the "critical section").
Interchange 5.9.0 (1/1 contexts shown):
Source: lib/Vend/Interpolate.pm
Line 1746 (context shows lines 1736-1750 in ed():1745)
	if ($opt->{no_return}) {
		$Vend::Session->{mv_perl_result} = $result;
		$result = join "", @Vend::Document::Out;
		@Vend::Document::Out = ();
	}
#::logDebug("tag_perl succeeded result=$result\nEND");
	return $result;
}

sub ed {
	return $_[0] if ! $_[0] or $Safe_data or $::Pragma->{safe_data};
	$_[0] =~ s/\[/&#91;/g;
	return $_[0];
}