[pmwiki-devel] how is the e modifier a security issue?

JB jbit at bitlink.com
Wed Nov 15 14:41:40 CST 2006


In the PmWiki documentation at URL:

         http://www.pmwiki.org/wiki/PmWiki/CustomMarkup

It has a note:

     "Note: Be very careful with the /e modifier in regular expressions;
      malicious authors may be able to pass strings that cause arbitrary
      and undesirable PHP functions to be executed."


How is this a security issue?

In my recipe AdvancedTableDirectives I was told to put all user
attributes through the PmWiki routine "PQA()" to make it secure.
Is there something like that to use for CustomMarkup?
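
Added example, not part of the original message and not PmWiki's own code: a sketch of why the quoted note singles out /e, with the callback form that keeps author text as data. The "(:upper TEXT:)" markup, the UPPER_PATTERN constant and the render_upper() function are hypothetical names chosen for illustration.

```php
<?php
// Hypothetical markup "(:upper TEXT:)" that upper-cases TEXT.
// Not a PmWiki built-in; the names below are assumptions for this example.
const UPPER_PATTERN = '/\(:upper (.*?):\)/';

// Risky form, kept as a comment: /e was deprecated in PHP 5.5 and removed
// in PHP 7.0, so it no longer runs on current PHP.
//
//   preg_replace('/\(:upper (.*?):\)/e', "strtoupper(\"$1\")", $wikitext);
//
// With /e, preg_replace() first substitutes the author's text for $1 and
// then evaluates the whole replacement string as PHP source. Text typed by
// a page author therefore ends up inside code that the server executes,
// which is the situation the CustomMarkup note warns about.

// Safer form: the match is handed to a function as an ordinary string.
// Nothing the author typed is ever parsed as PHP.
function render_upper(string $wikitext): string
{
    return preg_replace_callback(
        UPPER_PATTERN,
        function (array $m): string {
            // $m[1] is plain data here; escape it before it reaches HTML.
            return htmlspecialchars(strtoupper($m[1]), ENT_QUOTES, 'UTF-8');
        },
        $wikitext
    );
}

// Constructed sample input, including text that merely looks like PHP
// syntax; under the callback form it stays inert text.
$samples = [
    'Plain: (:upper hello world:)',
    'PHP-looking: (:upper "a" $b {$c} <b>:)',
];

foreach ($samples as $sample) {
    echo render_upper($sample), "\n";
}
```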



