  • RedDot CMS Blog
  • 30.01.2017

rdb: Escaping RedDot

In today’s episode, we will cover:

  • How to safely(ish) use the output of content elements in scripts within our RedDot templates.
  • How not to use the output of content elements in scripts within our RedDot templates.
  • A reminder that Preview is not the same as Publish!

Nothing like a little frustration to spur a new blog post. It all began last week as I was adding some localisation to a RedDot 6.5 project. Everything was working beautifully in SmartEdit and Preview. Then I published and it all went so very wrong…

By wrong I mean there was an error in the pre-execute code, i.e. on the published page, anything within pre-execute tags was blank, missing, gone. But preview worked! And preview and publish are the same, right?

Using a slow process of elimination (anyone know where the publish pre-execute temporary files are kept?) I eventually discovered the issue. Sadly, it was one that had bitten me before – and hence will be immortalised here so that you and I should not fall prey to it again. But first, some background…

Every now and then (okay, all of the time) I find the need to take the content of a placeholder and either use it elsewhere (outside of the template it is defined in) or manipulate it in some way. Part of (okay, all of) the charm of RedDot’s templating system is that you have a whole scripting engine at your disposal – ASP (VBScript and JScript), or you can set up PHP (or even ASPX I believe…). Assigning a placeholder to a variable is a piece of cake:

 ASP 
<!IoRangePreExecute>
	<%
		myVar = "<%myPlaceholder%>"
	%>
<!/IoRangePreExecute>

 

 PHP 
<!IoRangePreExecute>
	<?php
		$myVar = '<%myPlaceholder%>';
	?>
<!/IoRangePreExecute>


Or is it? RedDot pastes the placeholder content into the script source before the script runs, so what happens when the content of myPlaceholder contains double quotation marks? The string literal ends early and the rest of the content is parsed as script. Or worse, if you are using PHP, a dollar sign or an apostrophe (depending on which form of assignment you are using)? Unfortunately, RedDot doesn’t allow you to specify the escaping of placeholders, so here are a few tricks all RedDot developers should know:

For ASP, we rely on the fact that we get JScript for free…

 JScript 
<!IoRangePreExecute>
	<script language="jscript" runat="server">
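		// The content sits inside a block comment, so quotes cannot end a string literal.
		// A */ in the content still closes the comment early and breaks the script.
		function myPlaceholder() { /*<%myPlaceholder%>*/ }
		function getVar(id) {
			// Capture everything between /* and */; [\s\S] also matches line breaks.
			var re = /\/\*([\s\S]*)\*\//;
			return re.exec(eval(id + ".toString()"))[1];
		}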
	</script>
	<%
		myVar = getVar("myPlaceholder")
	%>
<!/IoRangePreExecute>

Or, much more simply in:

 PHP 
<!IoRangePreExecute>
	<?php
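		// Nowdoc (quoted marker, PHP 5.3+): no $variable interpolation, unlike heredoc.
		// Before PHP 7.3 the closing marker must start in column one.
		$myVar = <<<'EOD'
<%myPlaceholder%>
EOD;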
	?>
<!/IoRangePreExecute>
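
The failure modes of the string-literal and comment wrappers can be checked mechanically. The following is an added example, not code from the original post: plain JavaScript (Node.js) stands in for server-side JScript, and `substitute`, `roundTrip` and the sample values are constructed for illustration.

```javascript
// Constructed model: the CMS pastes placeholder content into the script
// source as plain text, and only then does the script engine parse it.
const PLACEHOLDER = "<%myPlaceholder%>";

// Naive wrapper: placeholder inside a double-quoted string literal.
const NAIVE = 'return "' + PLACEHOLDER + '";';

// Comment wrapper: placeholder inside a block comment in a function body,
// recovered from the function's own source text.
const COMMENT =
  "function myPlaceholder() { /*" + PLACEHOLDER + "*/ }\n" +
  "var re = /\\/\\*([\\s\\S]*)\\*\\//;\n" +
  "return re.exec(myPlaceholder.toString())[1];";

// Textual substitution, as a template engine would do it (no escaping).
function substitute(template, content) {
  return template.split(PLACEHOLDER).join(content);
}

// Returns "ok" if the script yields exactly the content, "altered" if it
// runs but yields something else, "error" if it no longer parses or runs.
function roundTrip(template, content) {
  let value;
  try {
    value = new Function(substitute(template, content))();
  } catch (e) {
    return "error";
  }
  return value === content ? "ok" : "altered";
}

// Constructed sample values an editor could plausibly type.
const SAMPLES = ["Welcome", 'The "new" site', 'a" + "b', "line one\nline two", "rated 5*/5"];

// One row per sample: [content, naive result, comment-wrapper result].
function report() {
  return SAMPLES.map((s) => [s, roundTrip(NAIVE, s), roundTrip(COMMENT, s)]);
}

console.log(report());
```

The "altered" row is the one to watch for: the script still runs, so nothing fails visibly, but the content was parsed as an expression rather than kept as data.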

If you don’t need to manipulate the value, i.e. you want to output it later or based on some criteria, or even output a chunk of HTML and/or placeholders, you can surround it with a function or subroutine:

VBScript (won’t be broken by */ or anything else in the content):

 VBScript 
<!IoRangePreExecute>
	<%
		Sub header()
	%>
	<div id="header"><h1><%myPlaceholder%></h1></div>
	<%
		End Sub
		header()
	%>
<!/IoRangePreExecute>

PHP (won’t be broken by EOD;, or whatever marker you used with the <<< operator, or by anything else in the content):

 PHP 
<!IoRangePreExecute>
	<?php
		// Named pageHeader because PHP already has a built-in header() and will not redeclare it.
		function pageHeader() {
	?>
	<div id="header"><h1><%myPlaceholder%></h1></div>
	<?php
		}
		pageHeader();
	?>
<!/IoRangePreExecute>

I find the above particularly good for reducing the number of container placeholders in my base pages (to one – but that is another post). You can also do some neat tricks with the red dots themselves – but again, another post.

Ok – now for the caveat. When doing variable assignment above, using the VBScript/JScript method, you can’t use any form of string manipulation on variables containing links to RedDot assets. Specifically, you can’t perform any of the following actions:

  • Regular expression matching (i.e. our JScript example)
  • Any VBScript string function – InStr, Mid, Replace, Split etc

On any variable that contains any of the following placeholders:

  • Anchors (whether to RedDot pages or external URLs)
  • Images
  • Media
  • Text – where the text may contain any of the above.

The most annoying thing is that it will work in Preview, lulling you into a false sense of security. That last one (Text placeholders) was one that had caught me out before – because the Publish suddenly stopped working for no apparent reason (it was fine with all the samples prior to that, which did not contain links or images…)

This time around, it was anchor and image placeholders that I had used in the JScript functions – once I removed these (I replaced them with the subroutine method – as I didn’t actually need to manipulate them) everything was fine again.

If you must manipulate dodgy placeholders, you have a couple of options:

  • Switch to PHP – the issue only seems to affect ASP (VBScript/JScript). I can’t speak for ASPX.
  • Perform your manipulations on the web server (save as .asp or any other scripting language you like – once it is on the web server, it is free of RedDot issues – well, unless you are using LiveServer of course!)

Here endeth the lesson.

       
