Shared / fallback design

Roy

Hi,

We're planning to develop our own "wrap" and are searching for some best practices. We'd like to have a default template with the master page, content pages, paragraphs, item types, less/css, javascript, etc and the possibility to easily overrule this default template for website specifics.

1) I've heard that if I create a "shared" folder in the "templates/designs" folder this will be the fallback for other designs. But it doesn't work, so we're currently creating duplicate files in the design folder for the website with a Razor include to the file in the shared folder so we don't have to maintain two identical files. How does this shared directory work? And what can be shared? And can it be overwritten by another design?

2) Item types are stored in the "system/items" directory, is it possible to make this design specific so I can put it in the design directories?

3) Item types can use an XML and/or the database. We'd like to use both like: in our shared/wrap design we've general item types (xml, so we can update this in multiple environments) and in the website specific design we've website specific item types (database, so everybody does have it directly).

4) We've still problems with this: http://developer.dynamicweb.com/forum/cms-standard-features/exclude-directory-from-file-manager.aspx, or do you guys advise to make a project specific Gulp file instead of design specific so the "node_modules" folder isn't in the files project.

5) Cross site scripting is possible in the Dynamicweb forums as you've probably noticed when visiting this post (sorry, just playing around). I hope that passwords are not stored in plain text? Now SHA512 hashing in Dynamicweb, if there are no salts used it's still unsafe! Is this covered in the new versions?

I hope to hear from you shortly.


Replies

 
Nicolai Høeg Pedersen

Hi Roy

Great - would like to hear about it when you are done.

@1: it is called "_shared" - and can be placed in root of a design or in the root of designs

@2: No, not yet. But we have it on the radar. In the item definition you can decide which item types are valid for a website - and in that way limit them

@3: I do not understand that one... Could you elaborate?

@4: I have no Gulp/Node experience - but I can see it is a common problem... Do not know how to fix it.

@5: The new SHA512 uses salts. The forums 'supports' XSS on purpose so that you can post all kinds of markup in here... Otherwise you would be fucked :-).

BR Nicolai

 
Roy

Thanks for your response! I'm going to test some things on Tuesday, I'll come back to you next week.

 
Roy

  1. Nice, but with what kind of layouts does this work? Is there documentation on this? I've changed the directory name to "_shared" and I see the page templates placed in the root of this directory (it doesn't see it when it's in a "pages" directory), but I don't see my paragraph templates in the "_shared/Paragraph" directory.
  2. When can we expect this? And it's not possible to put these in a design directory? It stays in the "system/items" directory?
  3. It's a weird question, sorry. But if question 2 is clear this one is answered too.
  4. As suggested in my other topic, it would be nice to have the possibility to exclude files/directories from the file manager. Maybe an idea for the next release?
  5. Nice to hear it's using salts too! And the XSS vulnerability on the forum: now I can steal your session/cookie information and act like I'm signed in as you. You've probably more permissions, I can have them too... See: http://en.wikipedia.org/wiki/Cross-site_scripting. Better use markdown or create a whitelist of allowed html tags and attributes for the wysiwyg editor. If you've blocked <script> and <style> tags I can still position elements with the style attribute (as I did with the pink text and the fail above the logo). Attributes like "mouseover" shouldn't be allowed either...
 
Nicolai Høeg Pedersen

Hi Roy

Just checked the code, and it seems like I'm telling you stories. The shared folder has been taken out before it was ever released because there were some issues that were not fixed.

_Shared had nothing to do with items, just templates.

@4: It has been noted.

@5: You are behind login - and we specifically configured this Dynamicweb installation to allow all kinds of crap to be posted in the forum - because it is a developer forum and SQL statements, C# code and HTML is posted and should be posted. See configuration attached. I could do all kinds of cleaning code, but would never finish, and you can hack the forums, congrats, but it is not needed to prevent because you are behind login and you are not evil. And you just go ahead styling the logo, be my guest :-).

BR Nicolai

Capture.JPG
 
Roy

Nicolai,

Thanks again for your reply! I stick with my include solution with Razor and hope to see the exclude files/directories from the file manager in the next version. Security is one of the most important things, apparently not at DW. Posting code can be allowed, but just escape it so it can't be executed.

 
