[pmwiki-users] caution for notebook2skin (WAS:Re: notebookskin v1.0.8 uploaded)

V.Krishn mistyfire at autograf.pl
Mon Mar 21 15:54:44 CST 2005


On Monday 21 March 2005 06:42, you wrote:
> On Thu, Mar 17, 2005 at 12:58:11AM +0530, V.Krishn wrote:
> > notebookskin v1.0.8 uploaded, :)
> >   -- Refined Discuss Link Code.
> >   -- Minor code clean.
> > [...]
> > Pm could you please upload this version so that I could do some testing.
>
> I'll need some more specific instructions about what I need to do to
> avoid the "security problem" posed by infobox, since I definitely don't
> want to allow arbitrary javascript code to be run from pmwiki.org .
>
> Note that inserting skin-specific code into my config.php
> (as well as changing my default passwords) isn't an option for me,
> since pmwiki.org has to host many skins.
>
> Pm
Thanks for bringing it up,
It struck me and I did a thorough check with phplayermenu which is being used 
in Notebook2skin.
Since you have found some time to update the site this is just to remind you 
with a CAUTION.....
Please do not enable Notebook2skin.2.0.1 as this also has the same problem of 
allowing arbitrary javascript code to be run. :-(
But the fix is not difficult as all menupages have/would have fixed names.
The FIX would be similar to the one for the infobox recipe.

If NotebookSkin with InfoBox enabled is allowed (with security code), then I 
would post a similar fix for Notebook2Skin.

Presently my webhost is running some weird Google ad script that makes the 
InfoBox module malfunction, else I would have directed users to my site for a demo.

Repeat AGAIN.... DO NOT ENABLE Notebook2Skin. (javascript hazard).
Thanks.
V.Krishn


