The "Rewrite Items via callback function" filter allows site builders to specify a function via a textfield that alters the facet items. Ideally the callbacks should be defined in hooks so they are whitelisted, which would prevent arbitrary functions from being invoked. To outline the idea, a hook could be named something like the following...

/**
 * Implements hook_facetapi_rewrite_filter_callbacks().
 */
function mymodule_facetapi_rewrite_filter_callbacks() {
  return array(
    'mycallback' => array(
      'callback' => 'mymodule_rewrite_callback',
      'label' => t("My module's Facet API filter rewrite callback."),
    ),
  );
}

/**
 * My module's Facet API filter rewrite callback.
 */
function mymodule_rewrite_callback(&$build, $widget) {
  // Do stuff here ...
}

Then you could use module_invoke_all() to build a form element where site builders could toggle which functions are invoked. That way it would be whitelisted, which would add a layer of security and prevent unintended errors from typing in a wrong function name.
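The whitelist design outlined in this issue, as an added example that is neither Facet API's nor the poster's code: it follows Drupal 7 conventions, swaps module_invoke_all() for a small stand-in so it runs outside Drupal, and every function name in it is hypothetical.

```php
<?php
// Added example (not Facet API code): the issue's whitelist design; names are hypothetical.

// Implements hook_facetapi_rewrite_filter_callbacks() (hypothetical hook).
function mymodule_facetapi_rewrite_filter_callbacks() {
  return array(
    'uppercase' => array(
      'callback' => 'mymodule_rewrite_uppercase',
      'label' => 'Upper-case facet item labels',
    ),
  );
}

// Rewrite callback: upper-cases the '#markup' of every facet item.
function mymodule_rewrite_uppercase(array &$build, $widget) {
  foreach ($build as &$item) {
    $item['#markup'] = strtoupper($item['#markup']);
  }
  unset($item);
}

// Stand-in for module_invoke_all('facetapi_rewrite_filter_callbacks') so the
// example runs outside Drupal; $modules would come from module_list().
function facetapi_rewrite_filter_callbacks_collect(array $modules) {
  $callbacks = array();
  foreach ($modules as $module) {
    $hook = $module . '_facetapi_rewrite_filter_callbacks';
    if (function_exists($hook)) {
      $callbacks += $hook();
    }
  }
  return $callbacks;
}

// Applies only the callbacks the site builder enabled. $enabled is the value of
// a '#type' => 'checkboxes' element built from the registry labels keyed by
// registry key, so the saved setting is never a function name; an unregistered
// key (a typo, or a value tampered into the settings) is skipped, not invoked.
function facetapi_rewrite_items_apply(array &$build, $widget, array $enabled, array $callbacks) {
  foreach (array_keys(array_filter($enabled)) as $key) {
    if (isset($callbacks[$key]) && function_exists($callbacks[$key]['callback'])) {
      $fn = $callbacks[$key]['callback'];
      $fn($build, $widget);
    }
  }
}
// Constructed facet items and a saved setting shaped like checkboxes output.
$build = array(array('#markup' => 'red'), array('#markup' => 'blue'));
$callbacks = facetapi_rewrite_filter_callbacks_collect(array('mymodule'));
$enabled = array('uppercase' => 'uppercase', 'not_registered' => 'not_registered');
facetapi_rewrite_items_apply($build, NULL, $enabled, $callbacks);
print_r($build);
```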

Comments

danielnolde

Status: Active » Fixed

Okay, very good point, I didn't think enough about basic security here, thanks, Chris!
Switched from the insecure user-definable callback function to a dedicated hook_facet_items_alter (with documentation in the facet filter's user interface; implementing a hook for defining selectable callbacks and implementing the callback itself adds unnecessary overhead, when an alter hook does the job as well and the specific facet context is available for decisions).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.