processing {plugins} in form input

skyrun

Active Member
i can't seem to get it to stop processing plugins if they are in the content of a form field.
works (ie shows the actual data, does not process the plugin) when i view the form on the backend, but when viewed on the front-end, the plugins are getting evaluated and the content displayed in the field (when RO or RW) is the result of the plugin in the field, not the raw data.

i have set 'Process joomla plugins' to 'No' on the form. i am using the std 'bootstrap' layout.
 
Do you mean plugins like {fabrik view...} or placeholders {table___ element}?

 
no joy. commented out that line, and it still processes joomla plugins on the input box on the form.
 
OK, then it probably isn't Fabrik doing it. That's the only place we run J! plugins on the form or details views.

You might wanna poke around in whatever 3rd party system plugins you have, or maybe test a different site template, see if that's the issue.

-- hugh
 
m. ok.

seems like any joomla form would have it happen then if a {xxxxx} is in the data in the form... and i doubt it does. certainly doesn't when you use JCE or any of the editors when you put the {xxxxx}'s in. it doesn't render them. so i am still suspecting fabrik.

it does it when i run the form on protostar also.
 
I just tested (for a field and a WYSIWYG textarea with JCE) and can't replicate:
with "process Joomla plugins" = no in form settings (Options) and in list settings (Advanced) it's displaying the raw {fabrik view=....} literally in list, form and details view.
 
And I've searched through the code, and there is nowhere in form or details view we process plugins except that line I pointed at.

Do you have anything "unusual" on the form, like any form plugins or element types that are out of the ordinary / not normal kinda stuff?

-- hugh
 
thanks hugh,

you're right that it is not fabrik.

i've discovered that sourcerer (from regular labs) processes everything in joomla by default when the plugin is on. form text, and even form input that is output/included when the form is loaded. this seems like really dangerous behaviour to me, but they're not seeing it that way. so i could type php code, invoking sourcerer that does bad stuff into any joomla form on any site that uses sourcerer. yikes! their response is that i can turn it off by component. so i could turn off sourcerer for fabrik. but it's all or nothing and i use php code in my form and list heading text...

they have hardcoded/removed the known/common joomla forms by form id like the logon and contact form and all joomla forms, but forms on other components that don't happen to use one of their hardcoded form ids are all processed. they feel it's a feature. and maybe it is, but should be able to be turned off and shouldn't be the default for unsuspecting users.

but they did take some quick action to provide a solution that is not perfect but is workable if you are aware of it. to accommodate me they have added a class 'no-sourcerer' that if that's on the form (in their development/beta version for now). seems pretty easy to remove in inspector though...

anyway, perhaps this is something other fabrik users (that happen to use sourcerer) should be aware of. but on the other hand, we don't want to expose a vulnerability that others have not locked down.

if you could add a way to add a 'class' to a form, that would be great, but since i don't think there is an easy way, i have added class = 'no-sourcerer' to my fabrik templates to protect my forms. (bootstrap_no-sourcerer) to get around this imo dangerous default behavior.

AND THE BEST DEFENSE is that sourcerer allows you to override their default tag. so instead of {source}<?php ...code...?>{/source}, you can change that to {fubar} or whatever. that's the most quick and simple security against this behavior being used against you by people that don't know your plugin word.
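
Added example, not part of the thread and not Fabrik or Sourcerer code: one way to flag submitted values that contain a content-plugin tag and to encode braces before a value is written back into a form. The function names are hypothetical, the sample data is constructed, and it assumes the tag scanner matches the literal `{` character in the rendered page source.

```php
<?php
// Added example: not Fabrik or Sourcerer code. Function names are hypothetical.

/**
 * Return the plugin-style tags found in an untrusted value.
 * $tagWords: tag words active on the site ("source" is the default named in
 * the thread; add any custom word configured in its place).
 */
function find_plugin_tags(string $value, array $tagWords = ['source']): array
{
    $alts = implode('|', array_map(fn($w) => preg_quote($w, '/'), $tagWords));
    // Matches {word}, {word attr=...} and {/word}, case-insensitively.
    preg_match_all('/\{\/?(?:' . $alts . ')(?:\s[^{}]*)?\}/i', $value, $m);
    return $m[0];
}

/**
 * Escape a value for HTML output and encode braces as entities.
 * Assumption: a tag scanner working on the rendered page source matches the
 * literal "{" character, so "&#123;" is displayed as "{" but not matched.
 */
function escape_untrusted(string $value): string
{
    $html = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return strtr($html, ['{' => '&#123;', '}' => '&#125;']);
}

// Constructed sample submission (field name => submitted value).
$submission = [
    'name'    => 'Alice',
    'comment' => 'see {source}<?php /* constructed placeholder */ ?>{/source}',
    'notes'   => 'curly {braces} that are not a tag',
];

foreach ($submission as $field => $value) {
    $tags = find_plugin_tags($value);
    if ($tags !== []) {
        // A real handler would log or reject here; this only reports.
        printf("flagged %s: %s\n", $field, implode(' ', $tags));
    }
    printf("%s => %s\n", $field, escape_untrusted($value));
}
```

Checking for tags at submission time does not depend on the rendering assumption, so it remains useful even if the encoding step turns out not to apply to a given plugin version.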
 
Hmmm, that is bad. I might talk to them. Meanwhile I'll add the ability to add a class to a form.

Is there a forum thread you were discussing this with them I could join in on?

-- hugh
 