[pmwiki-users] Form Input missing 4 types !!!!
Ben at InterdependentWeb.com
Mon Aug 28 11:26:56 CDT 2006
PM replied to JB:
>> To fix this security risk PMWiki could make it so the above
>> various input control event attributes are restricted to:
>> 1) calling a function only from the current url directory ()
> based on their source.
function that is called by a different name in the wiki markup.
In the most recent version of the UpdateForm recipe, which I hope to
post later today, there's a "mask" parameter added to the (:update
text:) tag which allows you to specify an input mask for a text field in
a form. For example, a North American phone number could be masked like
(:update text phone mask=(###)###-####:)
an external file; if the wiki owner chooses not to use it, simply
comment out a line of the recipe.
in the wiki markup, it's added during the processing of the markup. If
work, hence no security hole.
So it seems to me that if JB really wants an (:input button:) markup,
s/he should write a recipe that translates keywords into specific
functions that have been approved by the wiki owner... so
(:input button KillEveryone:) could kill everyone, and
(:input button DestroyUniverse:) could destroy the universe, but all the
really dangerous functions would remain blocked. --Ben
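As an added illustration of the keyword-to-approved-function idea above (this is not the UpdateForm recipe, not PmWiki's own markup API, and not code from anyone in this thread), the standalone PHP sketch below maps `(:input button Keyword:)` to a table of actions the wiki owner has written, and renders an inert button for anything else, so page markup can never name an arbitrary script. It also shows a `mask=` parameter being checked against a fixed character set before it is emitted as an attribute for an external script to pick up. The `$ApprovedButtonActions` table, the `data-mask` attribute, and all function names are assumptions made for the example.

```php
<?php
// Added example, not PmWiki or UpdateForm code.
// Assumed: the wiki owner maintains this table in config.php. Only values
// written here can ever reach an onclick attribute; page authors cannot add to it.
$ApprovedButtonActions = array(
    'ClearForm' => 'this.form.reset()',
    'PrintPage' => 'window.print()',
);

// Render an (:input button Keyword:) directive from the owner's allowlist.
function RenderApprovedButton($keyword, $approved) {
    // Reject anything that is not a plain identifier before the lookup.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $keyword)) return '';
    $label = htmlspecialchars($keyword, ENT_QUOTES);
    if (!isset($approved[$keyword])) {
        // Unknown keyword: fail closed with a disabled button, not an open one.
        return '<input type="button" value="' . $label . '" disabled="disabled" />';
    }
    // The onclick text comes from the owner's table, never from the page markup.
    $action = htmlspecialchars($approved[$keyword], ENT_QUOTES);
    return '<input type="button" value="' . $label . '" onclick="' . $action . '" />';
}

// Render an (:update text name mask=...:) directive. The mask is restricted to
// placeholder and punctuation characters; the script that applies it is
// assumed to live in an external file, so no JavaScript is built from markup.
function RenderMaskedText($name, $mask) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) return '';
    if (!preg_match('/^[#()\\-\\s.]+$/', $mask)) return ''; // e.g. (###)###-####
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES)
         . '" data-mask="' . htmlspecialchars($mask, ENT_QUOTES) . '" />';
}

// Replace both directives in a block of page text.
function ProcessFormMarkup($text, $approved) {
    $text = preg_replace_callback(
        '/\\(:input button ([^:\\s]+):\\)/',
        function ($m) use ($approved) { return RenderApprovedButton($m[1], $approved); },
        $text);
    $text = preg_replace_callback(
        '/\\(:update text (\\w+) mask=([^:\\s]+):\\)/',
        function ($m) { return RenderMaskedText($m[1], $m[2]); },
        $text);
    return $text;
}

// Constructed sample page text: one approved keyword, one unknown keyword,
// one attempt to smuggle script into the keyword, and one masked field.
$page = "(:input button ClearForm:)\n"
      . "(:input button DestroyUniverse:)\n"
      . "(:input button alert(1):)\n"
      . "(:update text phone mask=(###)###-####:)\n";

echo ProcessFormMarkup($page, $ApprovedButtonActions);
```

Run with `php example.php`: the first directive gets its owner-written onclick, the second becomes a disabled button, the third is dropped entirely because the keyword fails the identifier check, and the phone field carries its mask only as an escaped attribute value.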