views: 77
answers: 3

Hi everyone,

We're in the middle of making a new e-commerce related PHP application and we have come to the point where we have started to think about how we should solve templating for our customers needs.

What we would like to do is offer our customers the possibility of uploading/modifying templates to suit their company's profile. The initial thought is that we shall not reinvent the wheel, so instead letting our customers upload their templates with FTP, so there will be basic HTML skills required. For those customers that want to modify/customize a template and don't have the knowledge, we offer that service as well.

I know that there are a number of issues to solve before this could be considered safe, like preventing XSS and writing scripts that check through each uploaded file for potential security threats and so on. Of course, there are some parts that probably will be too complex for the customer to modify by themselves, so maybe this approach won't apply to >>all<< template files in the frontend application.

But besides that, what would be a good way to handle this?

+1  A: 

I thought, if you only want to be able to change images, colours, fonts, div placement etc, you could let your customers edit the css files, also solving your problems with security.

Samuel
+2  A: 

You really need to prevent your customers from incorporating any php or javascript into their website. Any image uploads should be format converted to something else then back again on upload.

Problem is that most editors will not allow you to build up fragments of a page. As Samuel suggests you could restrict them to only editing the CSS (and publishing their own graphic content) - but this can be rather restrictive. One approach to solving this problem is ESI - but that requires a high level of skill with the technology for anyone involved - and trying to restrict people from doing stuff they shouldn't is rather difficult.

Another approach is for you to provide a set of html fragments (which should contain matched tags and no positional / font info other than classes) and have the customer provide an HTML page with a set of placeholders where you insert your content, e.g. customer provides:

<html>
<title>{%PAGE_TITLE%}</title>
<link rel="stylesheet" href="{%STANDARD_CSS%}">
<link rel="stylesheet" href="{%CUSTOMER_CSS%}">
<script src="{%STANDARD_JS%}"></script>
....

Another approach would be to provide the customer with an online through-the-web editor. You might want to have a look at some of the mash-up tools available, e.g. Radria.

HTH

C.

symcbean
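The placeholder approach from the answer above, as an added PHP example (not code from the original answer): the uploaded layout is read as data and filled with strtr(), never include()d or eval()ed, so PHP tags in it are refused rather than executed, and only allow-listed placeholders are filled. The placeholder names, paths and sample values are assumptions; escaping of the values you pass in stays the application's job.

```php
<?php
// Added example (not from the original answer): fill a customer-supplied layout by
// placeholder substitution only. The layout is treated as data (never include()d or
// eval()ed), so PHP tags in an uploaded file are rejected, not executed.
// Placeholder names, paths and sample values below are assumptions.
declare(strict_types=1);
// Placeholders the application is willing to fill; everything else is refused.
const ALLOWED_PLACEHOLDERS = ['PAGE_TITLE', 'STANDARD_CSS', 'CUSTOMER_CSS', 'STANDARD_JS', 'CONTENT'];
function renderCustomerLayout(string $template, array $fragments): string
{
    // 1. Refuse server-side tags outright. strtr() would only echo '<?' as text,
    //    but rejecting it makes the policy explicit and surfaces bad uploads early.
    if (preg_match('/<\?|<%/', $template)) {
        throw new InvalidArgumentException('PHP/ASP tags are not allowed in customer templates');
    }
    // 2. Every placeholder must be on the allow list; unknown ones are an error,
    //    not something left in the page or guessed at.
    preg_match_all('/\{%([A-Z_]+)%\}/', $template, $m);
    $unknown = array_diff(array_unique($m[1]), ALLOWED_PLACEHOLDERS);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown placeholders: ' . implode(', ', $unknown));
    }
    // 3. Single-pass substitution: strtr() never re-scans the text it inserted, so a
    //    fragment that itself contains '{%X%}' cannot trigger a second expansion.
    $map = [];
    foreach (ALLOWED_PLACEHOLDERS as $name) {
        $map['{%' . $name . '%}'] = $fragments[$name] ?? '';
    }
    return strtr($template, $map);
}
// Constructed sample standing in for a layout the customer uploaded over FTP.
$customerTemplate = <<<'HTML'
<html>
<title>{%PAGE_TITLE%}</title>
<link rel="stylesheet" href="{%STANDARD_CSS%}">
<link rel="stylesheet" href="{%CUSTOMER_CSS%}">
<script src="{%STANDARD_JS%}"></script>
<body>{%CONTENT%}</body>
</html>
HTML;
echo renderCustomerLayout($customerTemplate, [
    'PAGE_TITLE'   => htmlspecialchars('Shop <1>', ENT_QUOTES, 'UTF-8'), // escape dynamic text
    'STANDARD_CSS' => '/static/shop.css',
    'CUSTOMER_CSS' => '/customer/theme.css',
    'STANDARD_JS'  => '/static/shop.js',
    'CONTENT'      => '<ul><li>' . htmlspecialchars('Widget & Co', ENT_QUOTES, 'UTF-8') . '</li></ul>',
]);
```

This only stops server-side code in the upload; inline script the customer writes into their own HTML is a separate review or scanning concern, as the answer notes.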
+1  A: 

You may find it helpful to take a look at the TinyButStrong templating engine. TBS differs from most other templating engines in that it doesn't try to implement an additional scripting language inside the template, but uses a system of place-holders plus attributes which are cleanly separated from the HTML code between square brackets, such as

[blk.myfieldname;block=tr]

This makes the system extremely straightforward to use with WYSIWYG tools such as Dreamweaver, as it's very easy for the designer to see where the PHP dependent code is in the template - basically 'don't touch anything inside the square brackets'

Although not quite in the same situation as yourself, I've worked on several projects where I've completed pages to be fully functional with a basic layout, then handed the HTML templates (+css) over to the designer who's subsequently modified them for the final site. Because of the clear separation of code and place-holder variables that TBS offers, there's little to go astray with the approach. The lack of any template scripting language also means your security concerns are much more controlled.

Cruachan
Hi! That looks supersweet! Definitely will check that out. It will certainly save time! Seems like it's quite lightweight as well!
Industrial
@Industrial - TBS is absolute magic, in fact it's possibly the main reason why I still create small sites in PHP. I've picked up and modified other sites for clients using Smarty, vLib and other template engines and none of them come anywhere close in terms of elegance and clean, maintainable code. As you observe it is indeed extremely lightweight, but at the same time I've never found something it can't do that I've needed in hundreds of pages created with it. Most of the time you need very little of the codebase - but there's significant depth there to back it up when required.
Cruachan
Great stuff, this far it really looks as magical as you say! Is this the proper way for loading sub-templates? "[onload;file='menu.htm']" ?
Industrial