stealing theme.html how-to [Theme designer talk] - XOOPS Web Application System

XOOPS

Forum

Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk

1

stealing theme.html how-to

2004/4/30 8:20
CeBepuH
Not too shy to talk
Posts: 128
Since: 2002/6/10

I don't if somebody has already thought of this but... taking a peek into the theme.html is quite easy.

Load any XOOPS2 site, view the source and look in the head part for something like:


<link rel="stylesheet" type="text/css" media="all" href="http://url_of_xoops_site/themes/the_theme_of_the_site/style.css" />

Then just type in the browserhttp://url_of_xoops_site/themes/the_theme_of_the_site/theme.html and voila!

Anyway, any able designer can recreate a theme of a site even without looking at theme.html

BUT

What if in the theme.html you have:


<{php}>

some top secret php code... if it is serverside it should stay serverside, don't you think?

<{/php}>

So don't put php in the theme.html

Or I suppose you could protect the_theme_of_the_site with a simple .htaccess file...

2

Re: stealing theme.html how-to

2004/4/30 8:30
brash
Friend of XOOPS
Posts: 2206
Since: 2003/4/10

Sure you CAN do that, but doing so without first contacting the owner of the website is very unethical. I'm not 100% familiar with the GPL license, but I'm pretty sure this is also illegal and the owner of the theme would be within their full rights to take legal action against you. I would not suggest stealing anyones work, and just because you can doesn't mean you should.

3

Re: stealing theme.html how-to

2004/4/30 8:41
CeBepuH
Not too shy to talk
Posts: 128
Since: 2002/6/10

I know it is illegal.

Hacking is illegal too. But still there are people who would do it.

[red]I'm simply pointing[/red] at a... hmmm.. how should I put it? It could become a security hole depending on what php codes one puts in the theme.html

Besides, I suppose there are people who woudn't like anybody seeing theme.html

4

Re: stealing theme.html how-to

2004/4/30 9:10
CBlue
Posts: 1244
Since: 2003/6/28

How could anyone edit another person's theme.html on their own server without having access to that server?

5

Re: stealing theme.html how-to

2004/4/30 9:20
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

Not edit, Cblue - steal.

I wasn't aware that the <{php}> code would also show in the theme.html (but just checked and you are right)

I personally dislike the <{php}> code in templates unless it is the absolutely last resort.

Separate code from presentation - if it isn't directly related to presentation, it has no place in theme.html - but thanks for the headsup.

6

Re: stealing theme.html how-to

2004/4/30 9:22
Herko
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1

The General Public Licence states that if you release the module/theme (which is considered part of the whole application), you have to release it as GPL. However, with themes there is a serious issue concerning image copyrights. You can copy a theme, nothing illegal there (even by doing it the way you described), but the creator can take legal action against unauthorised use of copyrighted images. All the designer has to do is prove the images are his/her creation.

The security hole you describe is minimal IMO, as no-one ever puts sensitive data in php scripts in a theme.html file. At least, I have never heard of such a thing.

Herko

7

Re: stealing theme.html how-to

2004/4/30 9:23
CBlue
Posts: 1244
Since: 2003/6/28

Okay...I thought he was saying that someone could put malicious code into someone's theme.html file.

8

Re: stealing theme.html how-to

2004/4/30 11:43
karuna
Not too shy to talk
Posts: 171
Since: 2002/5/29

hmm
i have changed the images files and css to another folder

<{$xoops_url}>/images/themes/images/

9

Re: stealing theme.html how-to

2004/4/30 13:48
Stewdio
Community Support Member
Posts: 1560
Since: 2003/5/7 1

I've known about this for months and never thought anything of it.

Of course if you punch in the actual path/to/the/theme.html it's going to display it contents, thats just common sense. It only renders as text, after all the browser is outputting what it thinks it should.

Theres no code to steal, most of it is part of the basic XOOPS code anyhow; unless a person has a heavily modified theme.html, but in most case such a person is experienced enough not to do domething like that.

The basic XOOPS code thats already displayed is so minimal, it is not an issue to me personally because anyone can download the XOOPS package and look it up themselves anyway.

I just assumed after all these many months that it was widely known. Not even an issue as far I'm concerned, but others may make it more then what it seems.

It's not stealing code when it's freely available anyway. Any coder worth his salt is not going to put custom PHP functionality in the theme.html

Just my .02 cents.

Login

Username

Password

Remember me

Register now! | Lost Password?

Search

Advanced Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/16 2:02 Mamba
Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/14 20:34 hnn_gerd
Re: NewBB v 5.1.0 b 6

3/7 12:07 Mamba
Re: NewBB v 5.1.0 b 6

2/23 2:57 Mamba
NewBB v 5.1.0 b 6

2/17 18:57 spierrard
Re: XOOPS 2.5.11 search user is not working

2/14 13:11 Mamba
Re: oledrion

2/14 11:29 Mamba
Re: oledrion

2/13 15:22 oswaldo
Re: oledrion

2/12 19:20 Mamba
Re: oledrion

2/12 16:02 oswaldo

Who's Online

191 user(s) are online (127 user(s) are browsing Support Forums)

Members: 0

Guests: 191

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}