partially revert #1559

Instead of automatically adding custom templates, we log an error if that template is missing in the available templates. Still mitigates arbitrary file inclusion, as the string is now checked against a fixed allow list.
2026-04-23 22:34:47 -04:00 · 2025-11-10 17:27:11 +01:00
parent d1124382bc
commit db251732d2
4 changed files with 12 additions and 55 deletions
@@ -49,7 +49,8 @@ class View
     */
    public function draw($template)
    {
-        $path = self::getTemplateFilePath($template);
+        $file = substr($template, 0, 10) === 'bootstrap-' ? 'bootstrap' : $template;
+        $path = PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
        if (!file_exists($path)) {
            throw new Exception('Template ' . $template . ' not found!', 80);
        }
@@ -57,31 +58,6 @@ class View
        include $path;
    }

-    /**
-     * Get template file path
-     *
-     * @access public
-     * @param  string $template
-     * @return string
-     */
-    public static function getTemplateFilePath(string $template): string
-    {
-        $file = self::isBootstrapTemplate($template) ? 'bootstrap' : basename($template);
-        return PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
-    }
-
-    /**
-     * Is the template a variation of the bootstrap template
-     *
-     * @access public
-     * @param  string $template
-     * @return bool
-     */
-    public static function isBootstrapTemplate(string $template): bool
-    {
-        return substr($template, 0, 10) === 'bootstrap-';
-    }
-
    /**
     * echo script tag incl. SRI hash for given script file
     *