
Customizing HTML: Customizing appearance based on selected Realm

The current value of the "Realm" variable is available in the templates as %realm%.

This can be used to modify the appearance of pages. For example, header.htm can contain:

<link rel="stylesheet" type="text/css" href="style_%realm%.css" />

In this example, you would have to create a stylesheet named "style_.css" for when no realm is selected -- as with initial visits to the search page -- and another stylesheet named "style_All.css" for when users have selected "All" realms. Additional stylesheets would be required for each realm. File names and realm names must match exactly, including having the same case and spaces. If you use this feature extensively, you should probably standardize on realm names that do not include spaces.

This same idea can be used to include custom images.

Because the PrintTemplate subroutine handles replacement values first, before include files, you can even customize server-side HTML structure based on these values. For example:

<!--#include file="html_footer_%realm%.txt" -->

The %realm% variable is available for all public templates: header.htm; tips.htm; footer.htm; linkline1.txt; linkline2.txt; searchform.htm; and line_listing.txt.

Security Considerations:

The %realm% variable contains an HTML-encoded version of whatever the user selected as a realm. Clever users can cause this variable to have virtually any value by typing in the desired value in the browser's Address/Location bar.

The first security concern is whether this can be used to create an XSS security hole, such as with "Realm=<script>alert('hi');</script>". This is not a risk here, because FDSE will HTML-encode the value of the Realm parameter before populating the %realm% variable.

A second security concern is whether creative Realm values can be passed in, in conjunction with a file-include customization like:

<!--#include file="html_footer_%realm%.txt" -->

This is a huge risk if the include statement is written in an "open" format like:

<!--#include file="%realm%" -->

In this case, a hacker could set Realm=/etc/passwd.txt and read in the contents of a secret password file. Placing extra text before and after the variable, like "html_footer_" and ".txt", makes it much more difficult for a hacker to exploit this.

Note that FDSE's SSI file inclusion algorithm is independent of the web server, and so it will search for files outside web folders. See Customizing HTML: Parsing Server-Side Includes (SSI) for background information on FDSE's SSI algorithm.

In general, using the %realm% variable within client-side markup such as <link> or <img> is much safer than using it within server-side includes such as <!--#include ... -->.
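As an added illustration (not FDSE's own code), a small Python model of the two points above: %realm% is HTML-encoded before it is substituted, substitution happens before include processing, and an include file name derived from it is only honoured when it names one of the configured realms and resolves inside the template folder. The realm list, template directory and read_file callback are assumptions for the demo.

```python
import html
import posixpath
import re
from typing import Callable, Optional

# Constructed sample realm list; FDSE reads its realms from the search
# configuration, so these names are assumptions for the demo.
KNOWN_REALMS = {"All", "Docs", "Support"}
TEMPLATE_DIR = "/var/www/fdse/templates"   # constructed path, not FDSE's layout

INCLUDE_RE = re.compile(r'<!--#include file="([^"]*)" -->')

def realm_variable(raw_realm: str) -> str:
    """What the templates see as %realm%: the HTML-encoded user selection."""
    return html.escape(raw_realm, quote=True)

def resolve_include(file_name: str) -> Optional[str]:
    """Map an include file name to a path, or None if it is not one of the
    expected footer files. The realm embedded in the name is checked against
    the configured list, so the fixed prefix/suffix is not what protects us."""
    m = re.fullmatch(r"html_footer_(.*)\.txt", file_name)
    if m is None:
        return None
    realm = m.group(1)
    if realm != "" and realm not in KNOWN_REALMS:   # "" = no realm selected
        return None
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, file_name))
    if posixpath.dirname(path) != TEMPLATE_DIR:      # never leave the folder
        return None
    return path

def render(template: str, raw_realm: str,
           read_file: Callable[[str], str]) -> str:
    """Replacement values first, then include files, in the order the page
    describes for PrintTemplate. read_file(path) is supplied by the caller."""
    expanded = template.replace("%realm%", realm_variable(raw_realm))

    def include(m: re.Match) -> str:
        path = resolve_include(m.group(1))
        if path is None:
            return "<!-- include rejected -->"
        return read_file(path)

    return INCLUDE_RE.sub(include, expanded)
```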

Applies to FDSE version 2.0.0.0042 and newer.


    "Customizing HTML: Customizing appearance based on selected Realm"
    http://www.xav.com/scripts/search/help/1070.html