[pmwiki-devel] Search forms and FmtPageList()

Hans design5 at softflow.co.uk
Fri Sep 25 03:07:00 CDT 2009


Friday, September 25, 2009, 12:58:12 AM, Petko wrote:

> Hello. Could you possibly use in recipe.php something like :

>   if ($action=="search")
>     $_REQUEST['q'] = 'whatever transformation I need';

> ?

> First things I think of :
> * quote initial Group/ to "Group/"
> * prepend it, Group/ to myrecipe=Group/
> * store it in a local variable and remove it from $_REQUEST['q']
> * etc.

Thanks. Yes, I can undo the transformation FmtPageList() did;
it just adds extra code, and a config var would be simpler.
I came up with this for recipe function FPLTextExtract(),
which handles fmt=extract from pagelist and searchbox
($_REQUEST is by then merged into $opt):

  // FmtPageList has already turned a leading "Group/" in the query into
  // $opt['group']; if the query text still starts with that same "Group/",
  // the user typed it as part of the search term, so hand it back.
  if (!isset($opt[''])) $opt[''] = array();   // positional arguments
  if ($opt['group']) {
    if (substr($opt['q'],0,strlen($opt['group'])+1) == $opt['group']."/") {
      $qq = explode(' ',$opt['q']);
      // the first token ("Group/term") becomes the first positional argument
      if (count($qq)>1) array_unshift($opt[''],$qq[0]);
      else $opt[''][0] = $qq[0];
      $opt['group'] = '';                       // drop the group filter
    }
  }


> Question: what happens if a user actually searches for stuff in a Group/ ?
> (Because it is written in the documentation etc.)

This is a search form with a separate field for any group or page name
input, so it is obvious that one uses the query field for just that,
and the name field for group or wildcard names.
Of course the deviation will be documented.
I think it is more important to be able to query for instance for
'scripts/auth' and get an answer, rather than being told there are no
matches (because 'scripts' is not a wiki group).


>> Would it be feasible to apply stripmagic to all $_REQUEST
>> input?  And htmlspecialchars()?
>
> Yes, it would be feasible, and you can apply it from your recipe.
>
>   $my_input = stripmagic(@$_REQUEST['user_input']);

One related question:
In FmtPageList the query string from $_REQUEST['q'] is transformed
with htmlspecialchars().
What are the risks if the search script reverses this for each query
argument with htmlspecialchars_decode(), in order to be able to
search for instance for terms including < and > characters?
In testing this it seems to work fine and I am not able to mount a
simple XSS attack. Queries including < and > are displayed in the page
htmlencoded with &lt; and &gt;, PmWiki seems to be doing this
automatically when rendering output.
So should I worry about allowing unencoded < and > characters?

Hans
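The two mechanisms discussed in this message, handing a leading "Group/" back from the group filter to the query and decoding FmtPageList's htmlspecialchars() for matching, as one stand-alone sketch. This is an added example, not PmWiki's code or the recipe's; the function names, the sample pages and the assumption that $opt['q'] still begins with "Group/" when $opt['group'] is set are all illustrative. Its point for the XSS question is where the decode is safe: the decoded terms are used only for matching, and every value that reaches the browser goes through htmlspecialchars() again at output time.

```php
<?php
// Added example, not PmWiki's or Hans's code: a stand-alone sketch of the
// two steps discussed in the thread, (1) moving a leading "Group/" token
// from the group filter back into the query, and (2) decoding FmtPageList's
// htmlspecialchars() for matching while re-encoding everything on output.
// All function names and the sample pages below are assumptions.

// Step 1: if the first query term begins with "$group/", treat it as query
// text rather than a group filter. Returns [group, terms].
function splitGroupPrefix(string $q, string $group): array
{
    $terms = preg_split('/\s+/', trim($q), -1, PREG_SPLIT_NO_EMPTY);
    if ($group !== '' && $terms && strpos($terms[0], $group . '/') === 0) {
        return ['', $terms];           // "scripts/auth" stays searchable
    }
    return [$group, $terms];
}

// Step 2a: undo htmlspecialchars() so "&lt;" matches a literal "<" in page
// text. The decoded strings are used for matching only, never echoed raw.
function decodeQueryTerms(array $terms): array
{
    return array_map(function ($t) {
        return htmlspecialchars_decode($t, ENT_QUOTES);
    }, $terms);
}

// Case-insensitive substring match: every term must occur in the text.
function pageMatches(string $text, array $terms): bool
{
    foreach ($terms as $t) {
        if ($t !== '' && stripos($text, $t) === false) {
            return false;
        }
    }
    return true;
}

// Step 2b: every value that reaches the browser is encoded here. This is
// the step that makes the decode above safe; a template or recipe that
// echoes $opt['q'] or an excerpt without it reopens the XSS question.
function renderResults(array $terms, array $hits): string
{
    $shown = htmlspecialchars(implode(' ', $terms), ENT_QUOTES, 'UTF-8');
    $out = "<p>Results for: $shown</p>\n<ul>\n";
    foreach ($hits as $name => $excerpt) {
        $out .= '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ': '
              . htmlspecialchars($excerpt, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Run one search the way the recipe would see it: $opt already carries
// the htmlspecialchars()'d query and any group filter.
function runSearch(array $pages, array $opt): string
{
    [$group, $terms] = splitGroupPrefix($opt['q'], $opt['group']);
    $needles = decodeQueryTerms($terms);
    $hits = [];
    foreach ($pages as $name => $text) {
        if ($group !== '' && strpos($name, $group . '.') !== 0) {
            continue;                  // outside the requested group
        }
        if (pageMatches($text, $needles)) {
            $hits[$name] = $text;
        }
    }
    return renderResults($needles, $hits);
}

// Constructed sample pages, not real wiki content.
$pages = [
    'Main.HomePage'    => 'Welcome to the wiki.',
    'Cookbook.Extract' => 'Use <b>bold</b> tags; see the scripts/auth path.',
    'Site.Search'      => 'Search form with a separate group field.',
];

// A query containing "<", as FmtPageList would hand it over (encoded).
echo runSearch($pages, ['q' => htmlspecialchars('<b>bold', ENT_QUOTES), 'group' => '']);

// "scripts/auth" typed into the query field; the recipe snippet above
// assumes PmWiki parsed "scripts/" into $opt['group'] while leaving the
// query text intact, and step 1 hands it back to the query.
echo runSearch($pages, ['q' => 'scripts/auth', 'group' => 'scripts']);

// In both outputs "<" and ">" reach the browser only as &lt; and &gt;, so a
// term such as <script> is displayed rather than executed.
```

The thing to check in a real recipe is not the decode itself but the set of output paths: any place that prints $opt['q'], a page name or an excerpt without passing through htmlspecialchars() (or PmWiki's own output encoding) is where an unencoded < or > would become markup. Decoding once, with the same flags the encoder used, also avoids the double-decode case where "&amp;lt;" would turn into "<" in two steps.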
