[pmwiki-users] CSS for one (or all) tag in _a single_ page (inline or in head)

Patrick R. Michaud pmichaud at pobox.com
Thu Aug 24 12:52:19 CDT 2006

On Thu, Aug 24, 2006 at 10:45:52AM -0700, Andrew Standfield wrote:
> I don't think there's any more chance of malicious authors doing bad  
> things with css then there is with allowing *any* form of markup. 

PmWiki's existing markups are fairly limited in terms of what
can be done -- i.e., it's difficult for an author to perform 
a cross-site scripting attack using PmWiki's existing markups.

However, if an author can generate arbitrary CSS, then cross-site
attacks become much more possible.

> I think a bigger issue would be novices to CSS creating unstable  
> style sheets. I've actually tried to think of ways to combat that or  
> if you just want for the admin to be able to include styles. It would  
> be interesting to require some kind of password for the (:stylepage:)  
> directive. 

That's a bit backwards -- the trick isn't to password protect
the stylepage directive, but to password-protect whatever it 
includes.  (Stated slightly differently:  password-protection of
the directive doesn't prevent someone from editing the page
it's including.)

So, for example, if (:stylepage:) were limited to including pages
from the Site group, then it's much safer because edit access to
Site.* pages is usually well protected.


> On Aug 24, 2006, at 10:31 AM, Patrick R. Michaud wrote:
> >On Thu, Aug 24, 2006 at 10:26:02AM -0700, Andrew Standfield wrote:
> >>Clemens,
> >>
> >>I think what you may want is the stylepage.php solution by Hans. You
> >>can find it near the bottom of the CSS in Wiki Pages Recipe: http://
> >>pmwiki.org/wiki/Cookbook/CSSInWikiPages
> >>
> >>After installing, it allows you to make a wiki page that you put
> >>standard CSS declarations in. You can then call it from any other
> >>page using (:stylepage Group.ExamplePage:).
> >
> >I hadn't noticed this particular recipe -- it's excellent.
> >
> >So far I've been reluctant to allow any sort of direct CSS
> >modification through pages because it might make it possible
> >for malicious authors to do bad things to the site.  But having
> >an administrative CSS-via-wiki-page option seems like it could
> >be worthwhile.
> >
> >I'd love to hear others' opinions about this.
> >
> >Pm
> >

More information about the pmwiki-users mailing list