[pmwiki-devel] ZAP configuration fields (was: PmWiki request)
Patrick R. Michaud
pmichaud at pobox.com
Tue Dec 12 10:48:33 CST 2006
On Tue, Dec 12, 2006 at 10:31:25AM -0600, Ben Stallings wrote:
> Hans wrote,
> > You know, seeing conditionals inside (:input :) markup makes me cringe.
> > I know you try to create shorter syntax for ZAP.
> > But you go against what people learned and know in PmWiki.
> > You seem to have hijacked PmWiki's (:input:) markup
> > and made something quite different out of it.
> >
> > To me any (:input ... :) should be only used to create form elements.
> > Conditions as to when a form element shall be added to HTML output
> > should stay out of the markup, as it is already possible with
> > (:if ... :) markup. Manipulating any page variable used inside (:input
> > :) should also stay outside of the markup.
>
> It's easy to misunderstand what ZAP does with these tags... I did at
> first, as well. All the (:input hidden :) tags in a ZAP form produce
> actual hidden fields, via the core forms.php script, that are then
> submitted with the form. The conditionals Caveman is proposing are not
> for use when the form is displayed, they are for use when the form has
> already been submitted. ...

FWIW, even if ZAP uses hidden form fields to do its thing, it
still may make more sense to create a special directive for it
rather than try to fit everything into (:input hidden:). For
example

    (:zapcheck ifexists pagename "warn:page exists":)

can still produce a hidden input field in the form, but it can
also do any reformatting -- e.g., it could output

    <input type='hidden' name='zap_ifexists' value='pagename|warn:page exists' />

and thereby avoid input control name conflicts and any special
syntax needed to communicate the control.

> I've been lobbying Caveman off-list to move all of his configuration
> variables out of hidden input fields and into page text variables,
> because as input fields they potentially conflict with other field
> names.

The above approach solves that particular problem. :-)

> So in the syntax I'm waving in Caveman's direction, the tag
> (:input hidden ifexists "parameter|action":)
> would simply become
> (:ifexists: "parameter|action":)
> This would have the added benefit of removing the configuration
> variables from the HTML code where people can tamper with them.

This is an important point -- as hidden fields in a form it means
that people could potentially spoof or remove them.

Pm
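
The tampering concern raised at the end of this message, sketched as an added PHP example (not part of the original post, and not PmWiki or ZAP code). The (:zapcheck:) directive is the proposal quoted above; the function names and the sample POST are assumptions. The checks are re-read from the stored page text on submit, so a removed or altered hidden field is detected and changes nothing.

```php
<?php
// Added illustration; not PmWiki or ZAP code. Function names are hypothetical.

// Read (:zapcheck <check> <param> "<action>":) directives from the page text
// stored on the server. This copy is the one the client cannot edit.
function zap_checks_from_page(string $pageText): array {
    $checks = [];
    $re = '/\(:zapcheck\s+(\w+)\s+(\S+)\s+"([^"]*)"\s*:\)/';
    preg_match_all($re, $pageText, $matches, PREG_SET_ORDER);
    foreach ($matches as $d) {
        $checks['zap_' . $d[1]] = $d[2] . '|' . $d[3];  // name => "param|action"
    }
    return $checks;
}

// What the directive would emit into the form, with a zap_ name prefix.
function zap_hidden_fields(array $checks): string {
    $html = '';
    foreach ($checks as $name => $value) {
        $html .= sprintf("<input type='hidden' name='%s' value='%s' />\n",
            htmlspecialchars($name, ENT_QUOTES),
            htmlspecialchars($value, ENT_QUOTES));
    }
    return $html;
}

// On submit: take the checks from the stored page, never from the request,
// and list every zap_* field that was removed, changed or added in transit.
function zap_resolve(string $pageText, array $post): array {
    $trusted = zap_checks_from_page($pageText);
    $tampered = [];
    foreach ($trusted as $name => $value) {
        if (!isset($post[$name]) || $post[$name] !== $value) {
            $tampered[] = $name;
        }
    }
    foreach (array_keys($post) as $name) {
        if (strpos((string)$name, 'zap_') === 0 && !isset($trusted[$name])) {
            $tampered[] = $name;
        }
    }
    return ['checks' => $trusted, 'tampered' => $tampered];
}

// Constructed sample: the page source, and a POST in which the client
// stripped zap_ifexists and added a zap_ field of its own.
$page = '(:zapcheck ifexists pagename "warn:page exists":)';
echo zap_hidden_fields(zap_checks_from_page($page));
$result = zap_resolve($page, ['title' => 'NewPage', 'zap_ifdeleted' => 'x|y']);
print_r($result);
```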