Patrick R. Michaud
pmichaud at pobox.com
Mon Dec 5 10:09:54 CST 2005
On Mon, Dec 05, 2005 at 10:55:03AM -0500, Henrik Bechmann wrote:
> So if I were to filter the parameters of an authorized function for the
> equal sign, or for parenthesis, would that be safe? Or are there other
> devious ways...?
The traditional difficulty with filtering out bad things is that
there's always the chance that some combination will be missed.
Usually it's better to enable only what is allowed, rather than
try to filter what is disallowed.
safe or not safe here. If I were to do something like this, I'd
be a single argument, in quotes, and limited to alphanumeric
characters and spaces. But inevitably someone would show up
needing a way to include other non-alphabetic characters into
So, I just hide behind PmWikiPhilosophy #2 for this one, and let
develop appropriate customizations for it. :-)
> Patrick R. Michaud wrote:
> >On Sun, Dec 04, 2005 at 02:14:43PM -0500, Henrik Bechmann wrote:
> >>I've been dancing around this fairly successfully so far, but I thought
> >>onmouseover="respondtorollover('somearg')">Test active link</a>
> >>Namely in PmWiki markup it would look like
> >>onmouseover=respondtorollover('somearg') | Test active link]]
> >>The @ is inspired by spreadsheet "at" formula syntax.
> >>functions in a config file:
> >The security would have to be a bit more involved than simply
> >be sure to prevent things like:
> >[[onmouseover=respondtorollover(location.href='http://www.example.com') |
> >Test active link]]
> >In general I think it's safer to just create specialized markup
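As an added illustration of the allow-list approach Patrick describes (only pre-authorized functions, a single quoted argument, alphanumerics and spaces), here is a small validator in Python. It is example code written for this page, not PmWiki's own code (PmWiki is PHP, and the markup tokenizer that would feed it is not shown); the `AUTHORIZED_FUNCTIONS` and `AUTHORIZED_EVENTS` sets, the function names and the sample inputs are constructed assumptions.

```python
import html
import re

# Added example (not PmWiki code): an allow-list validator for the
# "authorized function" idea discussed in the thread. Names and values
# below are constructed for illustration.

# Assumed site-config allow-lists: which functions and which event
# attributes the markup may emit. Anything not listed is rejected outright.
AUTHORIZED_FUNCTIONS = frozenset({"respondtorollover"})
AUTHORIZED_EVENTS = frozenset({"onmouseover"})

# Grammar of an accepted call: identifier, "(", exactly one single-quoted
# argument made of alphanumerics and spaces, ")". No nesting, no operators,
# no second argument: instead of filtering out bad characters, only this
# shape is accepted, so there is no combination for a filter to miss.
CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\('([A-Za-z0-9 ]*)'\)")


def parse_event_call(call_text):
    """Return (function, argument) if call_text is an authorized call, else None."""
    match = CALL_RE.fullmatch(call_text.strip())
    if match is None:
        return None
    func, arg = match.group(1), match.group(2)
    if func not in AUTHORIZED_FUNCTIONS:
        return None
    return func, arg


def render_active_link(event, call_text, label):
    """Render the link; on any validation failure emit the label with no handler."""
    parsed = parse_event_call(call_text)
    if event not in AUTHORIZED_EVENTS or parsed is None:
        return html.escape(label)
    func, arg = parsed
    # Rebuild the handler from the validated pieces instead of echoing input;
    # html.escape still encodes the quotes for the attribute value.
    handler = f"{func}('{arg}')"
    return (f'<a href="#" {event}="{html.escape(handler)}">'
            f"{html.escape(label)}</a>")


if __name__ == "__main__":
    # Constructed inputs: the thread's benign call and its hostile one.
    for text in ("respondtorollover('somearg')",
                 "respondtorollover(location.href='http://www.example.com')"):
        print(render_active_link("onmouseover", text, "Test active link"))
```

The hostile call from the thread fails at the grammar step (it is not a single quoted alphanumeric argument), and a call to any function outside the configured set fails at the allow-list step; in both cases the label is rendered as plain escaped text with no event attribute at all.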
More information about the pmwiki-users