in reply to User-updatable web sites

Conceptually, this isn't that difficult: a basic system would involve CGIs that accept the user input (presumably after validation) and write that information out to static HTML files. The biggest worry will be security; if you don't do a good job validating users and protecting your files, you run the risk of having your pages defaced or worse. A major problem is that this method requires that the user the webserver runs as has permission to modify files in the web tree, so you'll need to be *very* careful setting things up, permissions-wise.

If there are going to be a number of different pages of the same form that are user-updatable, you're definitely going to want to use a templating system, such as HTML::Template (basic but effective) or Template Toolkit (more powerful, more difficult to learn -- but worth it). Then you can take the user input, plug it into the template, and voilà!

You might look into the "wiki" concept, depending on your needs.

Philosophy can be made out of anything. Or less -- Jerry A. Fodor
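The CGI-writes-static-HTML approach with HTML::Template that the reply above describes, as an added example (not code from the original post). The template text, the field names (`title`, `body`) and the output path are made up for illustration; the point is that the template belongs to the designer, the user only supplies values, and `ESCAPE=HTML` keeps those values from becoming markup. The CGI's user needs write access only to the directory the pages land in, not to the template:

```perl
#!/usr/bin/perl
# Added example, not from the original post: take already-validated user text,
# fill a fixed HTML::Template page with it, and write the result to a static file.
# The template, the field names and the output path are assumptions for the example.
use strict;
use warnings;
use HTML::Template;
use File::Temp qw(tempfile);
use File::Basename qw(dirname);

# The template is owned by the site designer; users never edit it.
# ESCAPE=HTML makes HTML::Template entity-encode each value, so user text
# cannot close a tag or smuggle script, meta or SSI markup into the page.
my $TEMPLATE = <<'END_TMPL';
<html><head><title><TMPL_VAR NAME="title" ESCAPE="HTML"></title></head>
<body>
<h1><TMPL_VAR NAME="title" ESCAPE="HTML"></h1>
<p><TMPL_VAR NAME="body" ESCAPE="HTML"></p>
</body></html>
END_TMPL

# Render the page for one set of user-supplied fields.
sub render_page {
    my (%fields) = @_;
    my $tmpl = HTML::Template->new(scalarref => \$TEMPLATE);
    $tmpl->param(title => $fields{title}, body => $fields{body});
    return $tmpl->output;
}

# Write atomically: build the file next to its destination, then rename() it
# over the old one, so a visitor never sees a half-written page and a failed
# write leaves the previous page intact.
sub publish_page {
    my ($path, $html) = @_;
    my ($fh, $tmp) = tempfile(DIR => dirname($path), UNLINK => 0);
    print {$fh} $html  or die "write $tmp: $!";
    close $fh          or die "close $tmp: $!";
    chmod 0644, $tmp   or die "chmod $tmp: $!";   # world-readable, owner-writable only
    rename $tmp, $path or die "rename $tmp -> $path: $!";
    return $path;
}

# Constructed sample input, as a CGI would hand it over after validation.
my %input = (
    title => 'Club news <script>alert(1)</script>',
    body  => 'Meeting moved to 7pm & all are welcome',
);
my $html = render_page(%input);
print $html;   # the <script> text comes out as &lt;script&gt;... and renders as literal text
# publish_page('/var/www/html/news.html', $html);   # example path only
```

The atomic write matters more than it looks: if the CGI dies half-way through an `open`/`print` on the live file, the site serves a truncated page until someone notices, whereas a failed `rename` leaves the old page in place.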

Re: Re: User-updatable web sites
by Stamp_Guy (Monk) on Mar 26, 2001 at 02:42 UTC
    OK, in regards to security, would it be ok to just have my program chmod the files, write to them, then chmod them back? Most of the pages would be different or I would DEFINITELY use a template system. What types of things do I need to validate for? I read Ovid's stuff and it seemed pretty straightforward. Is there anything else I should be aware of?
      A few things spring to mind here. This is all based on the assumption that users get to write their own HTML.
      1. I would strip all meta tags from their code. Users can play havoc with redirects, such as redirecting to porn sites or worse, having two accounts and having them redirect to each other's page. A browser could be then caught in an infinite loop of redirects.
      2. If they are allowed to create their own HTML, do they get to include images also? If so, you might have a concern about adult content.
      3. Make sure that server side includes are disabled or at least have the "exec" option turned off. Plus, I would probably just strip SSI tags from their input.
      4. This is the big one: however they create their pages, stick them in a database (after validating page size) or, if they are written out to files, make sure that the user CANNOT pick their file name. Also, don't let their filename be based on the name they input. They could potentially stick a null byte in their username and cause you all sorts of pain.
      Any other suggestions from fellow monks?

      Cheers,
      Ovid

      Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
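Ovid's points 1, 3 and 4 as one input filter, added here as an example (not code posted by Ovid). The size limit, the numeric page-id scheme and the output directory are assumptions made up for the example; a strip-list like this only removes the markup it recognises, so serving the files with SSI disabled (or `IncludesNOEXEC`) is still the real defence for point 3:

```perl
#!/usr/bin/perl
# Added example, not from the original thread: Ovid's checks for user-submitted
# HTML. The size limit, page-id scheme and output directory are assumptions.
use strict;
use warnings;

my $MAX_PAGE_BYTES = 64 * 1024;         # point 4: validate page size (assumed limit)
my $PAGE_DIR       = '/var/www/users';  # assumed location of published pages

# Points 1 and 3: remove <meta ...> tags (redirect tricks) and any SSI
# directive (<!--#exec ...-->, <!--#include ...-->) from the user's markup.
sub strip_dangerous_markup {
    my ($html) = @_;
    $html =~ s{<\s*meta\b[^>]*>}{}gis;   # <meta http-equiv="refresh" ...> and friends
    $html =~ s{<!--\s*#.*?-->}{}gs;      # any <!--#directive ... --> block, across lines
    return $html;
}

# Point 4: reject oversized pages and anything carrying a null byte.
# Returns (1, 'ok') or (0, reason).
sub validate_page {
    my ($html) = @_;
    return (0, 'page too large')     if length($html) > $MAX_PAGE_BYTES;
    return (0, 'null byte in input') if $html =~ /\0/;
    return (1, 'ok');
}

# Point 4 again: the file name comes from a server-assigned numeric id, never
# from the user's name or input, so there is no path or null-byte trickery.
sub page_path_for {
    my ($user_id) = @_;
    die "bad user id\n" unless defined $user_id && $user_id =~ /\A\d{1,9}\z/;
    return "$PAGE_DIR/$user_id.html";
}

# Constructed sample submission: a redirecting meta tag and an SSI exec
# directive wrapped around ordinary content.
my $submitted = <<'END_HTML';
<meta http-equiv="refresh" content="0;url=http://example.invalid/">
<h1>My page</h1>
<!--#exec cmd="id" -->
<p>Hello, fellow monks.</p>
END_HTML

my ($ok, $why) = validate_page($submitted);
die "rejected: $why\n" unless $ok;
my $clean = strip_dangerous_markup($submitted);
print $clean;                        # the <meta> tag and the SSI directive are gone
print page_path_for(42), "\n";       # /var/www/users/42.html
```

Validate before stripping, not after: the size and null-byte checks are about the raw submission, and a page that fails them should be refused rather than quietly cleaned up.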

        Personally, I would just have a set / static header.txt & footer.txt file(s) and have the user modify the content. Thus, if I wanted to change the navigation/banners/layout, as long as I had the new templates written to properly display the included content files, things would propagate seamlessly.

        Server Side Includes would be a must for this application. Each user would have their index.html file, and all it would consist of would be SSI calls to include:

        header.txt
        content.txt
        footer.txt

        It's really not that complicated. But it takes some getting used to. This way meta tags can't really be used, and I would take into consideration the notes from the node above as well.
        I hope this sheds some light on the subject,

        _14k4 - webmaster@860.org (www.poorheart.com)
        I should have been a little more clear about what I meant by user-maintainable web sites. What I meant was that the person I designed the site for would be able to maintain the content of the site. They would not be able to add new pages, name the files, etc. I would design the entire thing and they basically could change any text or graphics that were necessary to update.