[pmwiki-devel] Safely adding a %confirm% custom WikiStyle
design5 at softflow.co.uk
Sat Jul 19 08:22:07 CDT 2008
Friday, July 18, 2008, 8:39:37 AM, Eemeli wrote:
> The $WikiStyleAttr array already has 'rel' linked to A elements by
> default, which means that using %rel=something confirm% will result in
> <a rel='' onclick='return confirm("Are you sure?")' href='...'>,
> overwriting the 'something'. This isn't a problem for me as I'm not
> using the rel attribute. A slightly nicer way might be to use the more
> arcane 'rev' instead and also set $WikiStyleAttr['rev'] = 'a'; .
> I can't use the 'onclick' attribute directly, as that would require me
> to set $WikiStyleAttr['onclick'] = 'a'; as well, which would lead to
> want to allow. Or am I missing something?
I see it the same as you. Hijacking the 'rev' attribute is probably
better than hijacking the 'rel' attribute, as it is not used much.
handlers. As you say, it is possible to add 'onclick' as an
inserted in wiki pages. I wonder if the ApplyStyles function could
be changed so that it will not accept values set by style markup for
That would make $WikiStyleAttr['onclick'] = 'a'; valid, but block any
%onclick=....% markup, and allow admin defined settings like
$WikiStyle['confirm']['onclick'] = 'return confirm("Are you sure?")';
More information about the pmwiki-devel