Following the documentation on shortcodes, I added a kfunctions.php to the root folder of my domain (http://example.com/kfunctions.php) in order to embed YouTube videos via shortcode in a rich textarea. The documentation states:

With version 1.2, Couch has begun opening up its architecture to allow extending it. As a part of this initiative, Couch runtime now searches for a PHP file named kfunctions.php within the website managed by it (i.e. the main website folder - not the couch installation folder). If the file is found, Couch includes it within its execution flow.

So I assume this refers to the website's root location and not the couchcms-folder.

Here is my kfunctions.php, which I adapted from the sample file. I simply deleted the functions I don't need:

Code: Select all

<?php
  
   // 1.
   // IFrame shortcode
   // Usage: [iframe src="http://www.somesite.com/" width="100" height="100" scrolling="yes" frameborder="1" marginheight="2"]
   $FUNCS->register_shortcode( 'iframe', 'iframe_handler' );
   function iframe_handler( $params, $content=null ){
      global $FUNCS;

      extract( $FUNCS->get_named_vars(array( 
         'src' => '',
         'width' => '100%',
         'height' => '500',         
         'scrolling' => 'no',
         'frameborder' => '0',
         'marginheight' => '0'
      ), $params) );

      $html =<<<EOS
      <iframe src="$src" title="" width="$width" height="$height" scrolling="$scrolling" frameborder="$frameborder" marginheight="$marginheight">
         <a href="$src" target="_blank">$src</a>
      </iframe>
EOS;
       return $html;
   }

   // 2.
   // Google map shortcode
   // Usage: [googlemap src="http://maps.google.com/?ll=23.250652,77.402072&spn=0.019912,0.038581&z=15"]
   $FUNCS->register_shortcode( 'googlemap', 'googlemap_handler' );
   function googlemap_handler( $params, $content=null ){
      global $FUNCS;

      extract( $FUNCS->get_named_vars(array( 
         'src' => '',
         'width' => '425',
         'height' => '350'         
      ), $params) );

      return '<iframe width="'.$width.'" height="'.$height.'" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="'.$src.'&output=embed"></iframe>';
   }
   
   // 3.
   // YouTube Shortcode
   // Usage:   [youtube video="http://www.youtube.com/watch?v=5PsnxDQvQpw"]
   //          [youtube http://www.youtube.com/watch?v=1aBSPn2P9bg]
   //          [youtube 1aBSPn2P9bg]
   $FUNCS->register_shortcode( 'youtube', 'youtube_handler' );
   function youtube_handler( $params, $content=null ){
      global $FUNCS;
      
      extract( $FUNCS->get_named_vars(array( 
         'video' => 'http://',
         'width' => '475',
         'height' => '350',
      ), $params) );

      // Video parameter is link or ID?
      if ( (substr($video, 0, 7) == 'http://') || (substr($video, 0, 8) == 'https://') ){
         /*
         Example links that can be handled:
         http://www.youtube.com/watch?v=5PsnxDQvQpw
         http://youtube.com/watch?v=5PsnxDQvQpw
         http://youtube.com/watch?gl=US&hl=en-US&v=5PsnxDQvQpw
         http://youtube.com/v/5PsnxDQvQpw&rel=1
         */
         if( !preg_match('#https?://(?:[^\.]+\.)?youtube.com.*(?:\?v=|&v=|/v/)([\w_-]+)#i', $video, $matches) ) return;
         $video = $matches[1];
      }

      // Sanitize parameters
      $video = htmlspecialchars( $video, ENT_QUOTES );
      $width = (int)$width;
      $height = (int)$height;
      
      // Output HTML
      $html =<<<EOS
      <iframe class="youtube-player" type="text/html" width="$width" height="$height" src="http://www.youtube.com/embed/$video" frameborder="0"></iframe>
EOS;
      return $html;
   }

Visiting http://example.com/kfunctions.php returns a 500 error and the shortcodes are literally printed in the content sections, i.e. the video is not embedded.

Any idea what is wrong?

I forgot to wrap the textarea in <cms:do_shortcodes> tags.

However, I am still wondering about the 500 error.

Any solution to that?

The kfunctions.php file is not meant to be loaded directly. No one should ever be visiting kfunctions.php in their browser, so don't do it!

Having said that, I tried it myself and I didn't get a 500 error. Instead, the script tried and failed to run, returning a PHP error. That doesn't seem right, either. Shouldn't we be adding

Code: Select all

if ( !defined('K_COUCH_DIR') ) die(); // cannot be loaded directly

to the beginning of kfunctions.php?

I used the original kfunctions-file that was provided as part of the documentation:

http://docs.couchcms.com/miscellaneous/shortcodes.html

I would appreciate if KK could add is opinion on how to protect this file.

Although the file should not be accessed directly, you always have to expect the worst from your users. I would feel better if the file could be placed in the couchcms-folder or another protected area.

Or maybe add a redirect in .htaccess?

Place what @Tim said at the top

Code: Select all

if ( !defined('K_COUCH_DIR') ) die(); // cannot be loaded directly

Of the file, should stop anyone loading the file directly in the browser.

EDIT: Make sure it's after the opening <?php tag

I used the original kfunctions-file that was provided as part of the documentation

Me too. I think that's just an oversight in the documentation. Pretty much every other Couch file, even ones in the couch folder, includes that line to prevent accessing them directly in the browser. Add that line and you'll get just a blank page if you try to open it directly.