ComicCMS User Manual


Variable Operators :: String Operators

Replacing parts of your HTML with whatever a visitor typed in is pretty dangerous. Say, for instance, a malicious person commented on your site with the comment: Hi, <script>alert('Haxxord');</script> Every time you load that comic's page, an alert box will come up saying "Haxxord". Annoying, yes, but not dangerous. But with that JavaScript access they could steal your cookies and then be able to log into your ComicCMS admin panel. That is called XSS (cross-site scripting) and it is beyond a joke.

By default ComicCMS stops this and converts all HTML to text to keep you safe: what the user types in is what is seen on the page, and it is never interpreted as HTML. But this means you can't use HTML at all, which means you can't create hyperlinks or add images. That would be a shame, and that is why we have variable operators.

Notice: Now is a good time to remind yourself that the Header/Footer templates do not support any variable operators! Read more about them at Editing Templates :: Global Templates.

Some useful operators are listed below (using the variable {{news_post}} as an example; any variable can use these operators):

{{news_post}}        Will be converted to plaintext, no HTML formatting can happen
{{news_post:rich}}   Will be formatted as BBCode to allow formatting safely
{{news_post:full}}   Will be left as HTML but line breaks will be preserved
{{news_post:html}}   Will be treated as plain HTML

Notice: Using the :html or :full operators is very rarely recommended, as this leaves your site vulnerable to attack! Most formatting is supported by the :rich operator, which we will describe on the next page.
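
The difference between the four operators, as an added PHP example (this is not ComicCMS's own code): render_template(), apply_operator() and the single [b] BBCode tag are hypothetical stand-ins, and using nl2br() for :full is an assumption about how line breaks are preserved. The sample comment is the one from the top of this page with a constructed [b] tag added.

```php
<?php
// Added illustration, not ComicCMS source. All function names are hypothetical.

function escape_html(string $s): string {
    // Turn <, >, &, " and ' into entities so the browser shows them as text.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function apply_operator(string $value, string $op): string {
    switch ($op) {
        case '':     // {{var}}: plaintext, no HTML formatting
            return escape_html($value);
        case 'rich': // {{var:rich}}: escape first, then expand known BBCode
            $safe = escape_html($value);
            // Only [b] is handled here (assumption; the real tag set is on the next page).
            return preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $safe);
        case 'full': // {{var:full}}: raw HTML, line breaks kept (nl2br is an assumption)
            return nl2br($value);
        case 'html': // {{var:html}}: raw HTML, untouched
            return $value;
        default:     // unknown operator: fall back to the safe default (assumption)
            return escape_html($value);
    }
}

function render_template(string $template, array $vars): string {
    // Matches {{name}} and {{name:operator}}.
    return (string) preg_replace_callback(
        '/\{\{(\w+)(?::(\w+))?\}\}/',
        function (array $m) use ($vars): string {
            return apply_operator($vars[$m[1]] ?? '', $m[2] ?? '');
        },
        $template
    );
}

// Constructed sample input: the comment from this page plus one BBCode tag.
$vars = ['news_post' => "Hi, [b]nice comic[/b] <script>alert('Haxxord');</script>"];

$templates = ['{{news_post}}', '{{news_post:rich}}', '{{news_post:full}}', '{{news_post:html}}'];
foreach ($templates as $t) {
    printf("%-20s => %s\n", $t, render_template($t, $vars));
}
```

With the default and :rich operators the script tag comes out as &lt;script&gt; and is displayed as text; with :full and :html the tag is emitted as-is and the browser would run it.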

ComicCMS, free php webcomic management software Copyright © 2007 Steve H