Stamp_Guy has asked for the wisdom of the Perl Monks concerning the following question:

Hey guys, I'm working on creating some user-maintainable web sites. I have decided against having the pages dynamically generated for each user (performance) and instead am working on a system that would generate the HTML pages. I have been considering using a separate text file for each thing that would be updatable. This seems a bit clumsy, but I don't have access to a database on the server, not to mention the lack of knowledge on how to use it if I did. What are some other options that would be both portable and simple? Any ideas would be appreciated.

Re: User-updatable web sites
by arturo (Vicar) on Mar 26, 2001 at 01:13 UTC

    Conceptually, this isn't that difficult: a basic system would involve CGIs that accept the user input (presumably after validation) and write that information out to static HTML files. The biggest worry will be security; if you don't do a good job validating users and protecting your files, you run the risk of having your pages defaced or worse. A major problem is that this method requires that the user the webserver runs as has permission to modify files in the web tree, so you'll need to be *very* careful setting things up, permissions-wise.

    If there are going to be a number of different pages of the same form that are user-updatable, you're definitely going to want to use a templating system, such as HTML::Template (basic but effective) or Template Toolkit (more powerful, more difficult to learn -- but worth it). Then you can take the user input, plug it into the template, and voilà!

    You might look into the "wiki" concept, depending on your needs.

    Philosophy can be made out of anything. Or less -- Jerry A. Fodor

      Ok, in regards to security, would it be ok to just have my program chmod the files, write to them, then chmod them back? Most of the pages would be different or I would DEFINITELY use a template system. What types of things do I need to validate for? I read Ovid's stuff and it seemed pretty straightforward. Is there anything else I should be aware of?
        A few things spring to mind here. This is all based on the assumption that users get to write their own HTML.
        1. I would strip all meta tags from their code. Users can play havoc with redirects, such as redirecting to porn sites or worse, having two accounts and having them redirect to each other's page. A browser could then be caught in an infinite loop of redirects.
        2. If they are allowed to create their own HTML, do they get to include images also? If so, you might have a concern about adult content.
        3. Make sure that server side includes are disabled or at least have the "exec" option turned off. Plus, I would probably just strip SSI tags from their input.
        4. This is the big one: however they create their pages, stick them in a database (after validating page size) or, if they are written out to files, make sure that the user CAN NOT pick their file name. Also, don't let their filename be based on the name they input. They could potentially stick a null byte in their username and cause you all sorts of pain.
        Any other suggestions from fellow monks?

        Cheers,
        Ovid

        Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
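
An added example, not code from any poster in this thread: points 1, 3 and 4 of the reply above written out in Perl with core modules only. The helper names, the numeric server-assigned account id, the 64 KB limit and the sample input are assumptions; regex stripping is used here where a parser-based allow-list filter would be sturdier.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

my $MAX_LEN = 64 * 1024;    # assumed page-size limit

# The file name comes from a server-assigned numeric id, never from text the
# user typed, so NUL bytes, "../" and odd characters cannot reach the path.
sub page_path {
    my ($dir, $account_id) = @_;
    die "bad account id\n" unless $account_id =~ /\A[0-9]{1,9}\z/;
    return "$dir/page_$account_id.html";
}

# Validate size, then strip SSI directives and <meta> tags.
sub sanitize_html {
    my ($html) = @_;
    die "page too large\n"    if length($html) > $MAX_LEN;
    die "NUL byte in input\n" if $html =~ /\0/;
    # Repeat until nothing matches: a single pass can leave a new directive
    # behind when one was nested inside another.
    1 while $html =~ s/<!--\s*#.*?-->//gs;
    1 while $html =~ s/<\s*meta\b[^>]*>//gi;
    return $html;
}

# Sanitize first, write to a fresh temp file (O_EXCL), then rename into place
# so readers never see a half-written page.
sub write_page {
    my ($dir, $account_id, $html) = @_;
    my $clean = sanitize_html($html);
    my $final = page_path($dir, $account_id);
    my $tmp   = "$final.tmp.$$";
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "cannot create $tmp: $!\n";
    print {$fh} $clean or die "write failed: $!\n";
    close($fh)         or die "close failed: $!\n";
    rename($tmp, $final) or die "rename failed: $!\n";
    return $final;
}

# Constructed sample input, for demonstration only.
my $dir    = tempdir(CLEANUP => 1);
my $sample = qq{<meta http-equiv="refresh" content="0;url=http://example.invalid/">}
           . qq{<p>Hello</p><!--<!--#echo var="x"-->#exec cmd="date"-->};
my $path = write_page($dir, 42, $sample);
open(my $in, '<', $path) or die "open: $!\n";
print "$path: ", <$in>, "\n";
```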

Re: User-updatable web sites
by stefan k (Curate) on Mar 26, 2001 at 19:32 UTC
    Warning! This posting contains hidden advertising for a self written script!

    ;-)

    Hi,
    I stick with static HTML pages, too. But for the maintenance (like automagically creating the links if a new page appears) I wrote a little perl script which is now published as GPL. I use it to create a whole site from some XML files and some configuration files.

    I know that this is

    1. self-ad
    2. not immediately useful for you (without loads of work)
    but I could imagine that you could set up some default configuration files and a DTD for your users and they would just edit some XML text and w3make (the script) would do the rest.

    I think it would be a huge effort for the start of the thing, yet it may be working. If you're interested have a look at it at http://www.skamphausen.de/software/w3make/index.html.

    Regards Stefan K