[pmwiki-devel] Safely adding a %confirm% custom WikiStyle

Hans design5 at softflow.co.uk
Sat Jul 19 08:22:07 CDT 2008

Friday, July 18, 2008, 8:39:37 AM, Eemeli wrote:

> The $WikiStyleAttr array already has 'rel' linked to A elements by
> default, which means that using %rel=something confirm% will result in
> <a rel='' onclick='return confirm("Are you sure?")'  href='...'>,
> overwriting the 'something'. This isn't a problem for me as I'm not
> using the rel attribute. A slightly nicer way might be to use the more
> arcane 'rev' instead and also set $WikiStyleAttr['rev'] = 'a'; .

> I can't use the 'onclick' attribute directly, as that would require me
> to set $WikiStyleAttr['onclick'] = 'a'; as well, which would lead to
> the possibility of writing inline javascript in pages, which I don't
> want to allow. Or am I missing something?

I see it the same as you. Hijacking the 'rev' attribute is probably
better than hijacking the 'rel' attribute, as it is not used much.

But what I think we need is a safe way to add javascript event
handlers. As you say, it is possible to add 'onclick' as an
attribute, but it leaves the door open to have javascript code
inserted in wiki pages. I wonder if the  ApplyStyles function could
be changed so that it will not accept values set by style markup for
certain attributes, in which I would put all javascript event

That would make $WikiStyleAttr['onclick'] = 'a'; valid, but block any
%onclick=....% markup, and allow  admin defined settings like
$WikiStyle['confirm']['onclick'] = 'return confirm("Are you sure?")';


More information about the pmwiki-devel mailing list