Tycoon Talk
PHP Forum
How to safely allow users to add widgets?
02-29-2008, 06:44 PM
Junior Talker

Posts: 3
Name: Peter Verkooijen
Trades: 0
I want to allow members of my site to add widgets to their profile page.

My registration system is based on PunBB, stripped down, integrated with other PHP scripts. It's a mess. ;-)

I could let members just input the code in a text field into MySQL and then echo on the profile page. That should work, but it's probably unsafe.

What are the issues to watch out for? What code would be unsafe? How can I block bad code?

I tried some searches on this subject. There is a lot of information out there on how to create your own widgets. I'm NOT interested in that!

I'm trying to find out how to safely host users' widgets. Are there already ready-made PHP scripts for that?

(I'm not a PHP coder. I can only edit/customize existing scripts, up to a point.)
02-29-2008, 06:49 PM Re: How to safely allow users to add widgets?
Truth Seeker

Posts: 2,918
Name: Keith Marshall
Location: Connecticut
Trades: 0
If by "add widgets" you mean letting other users upload PHP code to run on execution, then you are playing with fire and there really is no safe way of preventing any misuse.

The only way I would personally allow it is to have a bank of pre-written widgets and allow users to pick and choose which they would prefer to install. Kinda like Facebook apps.
__________________

<mgraphic /> - I don't have a solution but I admire the problem.
02-29-2008, 07:39 PM Re: How to safely allow users to add widgets?
Junior Talker

Posts: 3
Name: Peter Verkooijen
Trades: 0
Quote: Originally Posted by mgraphic
If by "add widgets" you mean letting other users upload PHP code to run on execution, then you are playing with fire and there really is no safe way of preventing any misuse.

The only way I would personally allow it is to have a bank of pre-written widgets and allow users to pick and choose which they would prefer to install. Kinda like Facebook apps.
Thanks for the quick reply!

I've gotten this answer before and it kinda misses the point. Widgets are by definition code that users can upload (or put on their site) to run on execution. Not necessarily PHP. It could be JavaScript, Flash, whatever.

And yes, I kinda understand the risks, that's why I asked. The fact is, sites do allow widgets. You mentioned Facebook. There are many others. My question is how can I do what they do?

Are there ways to isolate uploaded code? Or to block bad code? It should be possible to check the code and allow only certain types of widgets. If other sites can do it, why can't I?

It's apparently OK for the kids to create widgets and put them on their blogs and profile pages, but we have to leave hosting widgets to the grownups?

Last edited by modifiedcontent; 02-29-2008 at 07:40 PM.
03-01-2008, 06:32 AM Re: How to safely allow users to add widgets?
Skilled Talker

Posts: 76
Name: Radley
Trades: 0
This just reminds me of MySpace. When MySpace first started out you were able to do a lot, but today they block just about anything just for security reasons.

You can't use iframes or JavaScript, manipulate some divs by their id, links will be hashed to "msplinks.com/xxxx...", etc.

If you allow widgets to be uploaded but don't put enough security into it there will be exploit after exploit until it's just so limited that it's not worth having anymore.

I would suggest you make some custom variable type stuff. Let's say you wanted your widget to display how many posts you have... have a macro/variable you can put in your widget, something like: {USER_GETPOSTS}, that will output the number of posts.

Kind of a bad example, but hopefully you get what I mean...
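An added example, not code from this thread or from PunBB, of the two safer designs the replies above describe: a bank of widgets written by the site that users pick by id (mgraphic's suggestion), and a small user-written template whose only dynamic parts are whitelisted placeholders such as {USER_GETPOSTS} (RadGH's suggestion). Nothing the user typed is ever stored as code and echoed raw; literal text is HTML-escaped at output time, so the "store in MySQL and echo" approach from the first post becomes safe to the extent that only text, never markup or script, comes back out. The widget ids, placeholder names, the `$user` array and the demo data are assumptions made for the example; it targets PHP 7.1 or later.

```php
<?php
// Added example, not code from this thread or from PunBB. It shows two ways of
// letting users add "widgets" without ever storing or echoing their code:
//  1. a catalog of widgets written by the site, which users pick by id, and
//  2. a small user-written template whose only dynamic parts are whitelisted
//     placeholders such as {USER_GETPOSTS}.
// The widget ids, placeholder names and the shape of $user are assumptions.
declare(strict_types=1);

// Escape once, at output time, for an HTML body/attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Whitelisted placeholders. Each computes a value from the profile owner's
// data; anything not listed here is not a placeholder.
function placeholderValue(string $name, array $user): ?string
{
    switch ($name) {
        case 'USER_NAME':     return $user['username'];
        case 'USER_GETPOSTS': return (string) $user['num_posts'];
        case 'USER_JOINED':   return date('Y-m-d', $user['registered']);
        default:              return null;
    }
}

// Expand {NAME} tokens in a user template. The literal text between tokens,
// and any unknown token, is escaped, so "<script>" typed into the template
// is shown as text instead of being run by the browser.
function renderTemplate(string $template, array $user): string
{
    $out = '';
    $parts = preg_split('/(\{[A-Z_]+\})/', $template, -1,
                        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    foreach ($parts as $part) {
        $value = null;
        if (preg_match('/^\{([A-Z_]+)\}$/', $part, $m)) {
            $value = placeholderValue($m[1], $user);
        }
        $out .= h($value ?? $part);
    }
    return $out;
}

// Catalog of widgets written by the site. Users choose an id and may supply
// settings, which each widget validates itself; they never supply code.
function renderCatalogWidget(string $widgetId, array $settings, array $user): ?string
{
    switch ($widgetId) {
        case 'post_counter':
            return '<div class="widget">' . h($user['username']) . ' has '
                 . h((string) $user['num_posts']) . ' posts</div>';

        case 'link_box':
            // Accept only http(s) URLs; javascript:, data: and the like are refused.
            $url = filter_var($settings['url'] ?? '', FILTER_VALIDATE_URL);
            if ($url === false || !preg_match('#^https?://#i', $url)) {
                return null;
            }
            $label = mb_substr((string) ($settings['label'] ?? $url), 0, 60);
            return '<div class="widget"><a rel="nofollow noopener" href="' . h($url) . '">'
                 . h($label) . '</a></div>';

        default:
            return null; // unknown widget id: render nothing
    }
}

// Constructed demo data (not a real account).
$user = ['username' => 'peter', 'num_posts' => 3, 'registered' => 1204329600];

echo renderTemplate('Hi, I am {USER_NAME} with {USER_GETPOSTS} posts {NOPE} <script>alert(1)</script>', $user), "\n";
echo renderCatalogWidget('post_counter', [], $user), "\n";
echo renderCatalogWidget('link_box', ['url' => 'javascript:alert(1)', 'label' => 'x'], $user) ?? '(refused)', "\n";
echo renderCatalogWidget('link_box', ['url' => 'https://example.com/', 'label' => 'My site'], $user), "\n";
```

The design choice worth noting is that the placeholder table is the whole "language" the user gets: adding a new placeholder means writing a function on the server, so the set of things a widget can do is decided by the site owner, not by whoever fills in the text field. Anything the site must accept from the user as a value (a URL, a label) is validated for its one purpose and escaped for the place it lands, which is what keeps the stored text from turning into script when the profile page is served.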
03-01-2008, 12:24 PM Re: How to safely allow users to add widgets?
Junior Talker

Posts: 3
Name: Peter Verkooijen
Trades: 0
Thanks RadGH.

Again, I understand it's problematic and I'm not interested in creating my own widgets.

How does Facebook make it "safe" to let users add widgets? I know they have a closed platform and widgets have to be written for their platform, but I don't know the details.

Is there any way to emulate something like the Facebook apps system in PHP? Is anyone working on PHP scripts for that?

Should I look into OpenSocial?

Edit: I've looked at OpenSocial's FAQ. It's all about creating apps. There's only this:
Quote:
Where do OpenSocial apps run?
One of the initial environments for social apps which use the OpenSocial APIs is Orkut. Other OpenSocial enabled websites are expected to launch support for developers soon.
So it's a one-way street. The kids can all develop apps, but Google etc. will control where they'll run?

How can I "OpenSocial enable" my website?

Edit2: Oh wait, I guess this is what I need.

More thoughts and suggestions still welcome!

Last edited by modifiedcontent; 03-01-2008 at 12:35 PM.