[pmwiki-users] Form Input missing 4 types !!!!
jbit at ev1.net
Mon Aug 28 10:05:40 CDT 2006
> introduce a security hole?
> PmWikiPhilosophy #3 is at its heart very conservative. The
> comment I hear most often from people is that they're glad that
> PmWiki avoids bloat, and we do this by avoiding features that
> "might be useful" until a need is actually demonstrated.
> In this case (:input button:) has three strikes against it:
> - nobody has demonstrated a place where it's needed
> makes more sense for it to be handled as a local customization/recipe
> than for it to appear in the core, and have everyone ask
> "okay, how can I use it"?
> from the submit and reset buttons.
> nobody has demonstrated a place where it's needed
I suggested one - AJAX.
From website: http://www.htmlcodetutorial.com/forms/_INPUT_onClick.html
onClick gives the script to run when the user clicks on the
input. onClick applies to buttons (submit, reset, and button),
checkboxes, radio buttons, and form upload buttons.
onClick is mostly used with plain button type inputs:
onClick is the only event handler for checkboxes and radio
If the input type "button" is a security risk then are not
the other input types - submit, reset, checkbox, radiobutton
also security risks?
So if there is a security vulnerability in currently existing
inputs, then that needs to be fixed.
To fix this security risk PmWiki could make it so the above
various input control event attributes are restricted to:
1) calling a function only from the current url directory ()
other limited commands that are harmless.
This would require a routine/function to restrict such
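
One way such a restricting routine could look, as an added example that is not part of the original message and is not PmWiki's own code: event attributes on an input survive only when the value is a single call to an allowlisted function, and every other attribute must be on an allowlist. The names filter_input_attrs, render_input, both allowlists and the handler function names are hypothetical.

```php
<?php
// Hypothetical allowlists for this example; these are not PmWiki settings.
const ALLOWED_ATTRS = ['type', 'name', 'value', 'id', 'class', 'checked', 'size'];
const ALLOWED_HANDLER_FUNCS = ['refreshPreview', 'toggleSection'];

// An argument is a quoted run of word characters, spaces or hyphens, or an integer.
const ARG = "(?:'[A-Za-z0-9_ -]*'|\\d+)";
// Exactly one call to a named function, optional trailing semicolon, nothing after it.
const HANDLER_RE = '/^\s*([A-Za-z_]\w*)\(\s*(?:' . ARG . '(?:\s*,\s*' . ARG . ')*)?\s*\)\s*;?\s*$/';

/** Return only the attributes that may be emitted on an <input> tag. */
function filter_input_attrs(array $attrs): array {
    $safe = [];
    foreach ($attrs as $name => $value) {
        $name = strtolower(trim((string)$name));
        $value = (string)$value;
        if (preg_match('/^on[a-z]+$/', $name)) {
            // Event handler: keep it only for one call to an allowlisted function.
            if (preg_match(HANDLER_RE, $value, $m)
                && in_array($m[1], ALLOWED_HANDLER_FUNCS, true)) {
                $safe[$name] = $value;
            }
        } elseif (in_array($name, ALLOWED_ATTRS, true)) {
            $safe[$name] = $value;
        }
        // Anything else (unknown or malformed attribute names) is dropped.
    }
    return $safe;
}

/** Build the tag from filtered attributes, escaping every value. */
function render_input(array $attrs): string {
    $out = '<input';
    foreach (filter_input_attrs($attrs) as $name => $value) {
        $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out . ' />';
}

// Constructed sample input: the first handler is kept, the other two are dropped.
echo render_input(['type' => 'button', 'value' => 'Preview',
                   'onclick' => "refreshPreview('main', 2)"]), "\n";
echo render_input(['type' => 'button', 'value' => 'Go',
                   'onclick' => "refreshPreview(1); document.title='x'"]), "\n";
echo render_input(['type' => 'checkbox', 'name' => 'opt', 'onmouseover' => 'alert(1)']), "\n";
```

The same filter applies to submit, reset, checkbox and radio inputs, since the handler check depends on the attribute name and not on the input type.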