Yesterday, we released a new version of the Yth library (short for Yireo Template Helper), a PHP library that helps developers add their own PHP logic to their own Joomla! templates without using a complex templating framework. Upgrading is advised, because this version also fixes a potential security issue.

Security issue in css.php version 0.2

With the help of a well-known template club, we discovered a security issue in the PHP script css.php, which is part of Yth. This file is used to include CSS stylesheets. On outdated PHP environments where file functions are still vulnerable to NULL-byte attacks, however, the same mechanism allows non-CSS files to be included as well. If you are using PHP open_basedir or a newer PHP version, there is no threat, but upgrading Yth is still recommended.
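As an added illustration of the defensive pattern (this is example code written for this post, not the fixed css.php shipped with Yth), the following stylesheet loader refuses anything that is not a plain `.css` file name, resolves the result with `realpath()` and checks that it still lies inside the stylesheet directory. The directory name `css` under the script's own directory and the `file` request parameter are assumptions for the example.

```php
<?php
// Added example (not Yth's own css.php): a hardened stylesheet loader.
// Assumptions: stylesheets live in a fixed directory ($baseDir) and the
// requested name comes from user-controlled input such as $_GET['file'].

declare(strict_types=1);

/**
 * Resolve a requested stylesheet name to an absolute path inside $baseDir,
 * or return null when the request must be refused.
 */
function resolveStylesheet(string $requested, string $baseDir): ?string
{
    // 1. Accept only a bare file name ending in ".css". The character class
    //    excludes NUL bytes, slashes and dots, so neither directory traversal
    //    nor the NUL-byte truncation of old PHP builds can change the target.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.css\z/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // 2. Resolve symlinks and normalise the final path.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // 3. Belt and braces: the resolved path must still sit under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

/** Emit the stylesheet with the right content type, or a 404 on refusal. */
function serveStylesheet(string $requested, string $baseDir): void
{
    $path = resolveStylesheet($requested, $baseDir);
    if ($path === null) {
        http_response_code(404);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Stylesheet not found\n";
        return;
    }
    header('Content-Type: text/css; charset=utf-8');
    // readfile() streams the bytes verbatim; include() would execute any PHP
    // found in the file, which is exactly what a CSS loader must never do.
    readfile($path);
}

serveStylesheet((string)($_GET['file'] ?? ''), __DIR__ . '/css');
```

The whitelist in step 1 is the check that matters: because the pattern is anchored on both ends and admits no NUL byte, a name such as `style.css` followed by a NUL byte and another extension is rejected before any filesystem call is made, regardless of the PHP version in use. Steps 2 and 3 only guard against configuration mistakes such as a symlink placed inside the stylesheet directory.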

New features

Yth now includes some new features as well. The splitmenu mechanism was not working correctly under Joomla! 2.5; this is now fixed. Two new methods, image() and datauri(), let you include images in the template quickly: the second method converts URL-based images into data URIs embedded directly in the generated HTML.
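To show what such a data-URI conversion involves, here is an added example written for this post; it is not Yth's datauri() method and does not share its signature. It assumes the image lives as a local file under the template directory, detects the MIME type from the file's bytes rather than its extension, and falls back to the ordinary URL for files that are too large to be worth inlining.

```php
<?php
// Added example, not Yth's datauri(): build a data URI from a local image.
// Assumption: $imagePath points to a file inside the template directory.

declare(strict_types=1);

/**
 * Return a "data:<mime>;base64,..." string for a small image file,
 * or null when the file should be referenced by URL instead.
 */
function imageToDataUri(string $imagePath, int $maxBytes = 32768): ?string
{
    $path = realpath($imagePath);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Keep large images as ordinary URLs: base64 inflates the size by about
    // a third and inlined data cannot be cached by the browser on its own.
    if (filesize($path) > $maxBytes) {
        return null;
    }

    // Detect the MIME type from the bytes, not from the file extension, and
    // only inline types that are actually images.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    $allowed = ['image/png', 'image/jpeg', 'image/gif', 'image/webp', 'image/svg+xml'];
    if (!in_array($mime, $allowed, true)) {
        return null;
    }

    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }

    return 'data:' . $mime . ';base64,' . base64_encode($data);
}

/**
 * Template helper: emit an <img> tag, inlining the image when possible and
 * otherwise pointing at its public URL. Attribute values are HTML-escaped.
 */
function imgTag(string $imagePath, string $publicUrl, string $alt = ''): string
{
    $src = imageToDataUri($imagePath) ?? $publicUrl;
    return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" alt="' . htmlspecialchars($alt, ENT_QUOTES, 'UTF-8') . '">';
}

// Usage inside a template (paths are assumptions for the example):
echo imgTag(__DIR__ . '/images/logo.png', '/templates/mytemplate/images/logo.png', 'Logo');
```

The size threshold is a design choice rather than a rule: inlining removes an HTTP request per image, but every page that embeds the same image pays for the base64 bytes again, so data URIs pay off only for small, frequently used assets such as icons.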

For CSS merging and crunching (and/or applying data URIs within the CSS code as well), we actually recommend using our ScriptMerge plugin instead. No new features will be added to the css.php file; only yth.php will be expanded with new features.

Posted on May 27, 2012

About the author


Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.
