[pmwiki-users] ZAP nearly ready...

The Editor editor at fast.st
Sun Oct 22 15:58:04 CDT 2006


On 10/22/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Sun, Oct 22, 2006 at 01:27:52PM -0400, The Editor wrote:
> > After several weeks of intensive work and a good number of
> > breakthroughs, ZAP is nearing its official release.  A stripped down
> > "lite" version will also be available. A couple quick questions
> > though...
> >
> > 1) If I'm using PageUpdate for all file changes, do I need to worry
> > about using htmlspecialchars?  My assumption is PmWiki takes care of
> > all that for me.
>
> That would be an incorrect assumption.  PmWiki's built in markups
> are okay, but if ZAP adds any markups that produce output from
> user-contributed source data, ZAP needs to be handling htmlspecialchars.

Hmmm.  I guess I misunderstood how this worked.  I thought it was used
to parse form submissions after they were received by the engine for
processing. Looking over the php docs more closely I take it now that
it should be used when creating forms input markups, to prevent bad
data from being sent to the engine. So the following would need
to be fixed:

Markup('select', 'inline', '/\(:select (.*?):\\)/', '<select name=$1>');
Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
"Keep(PSS(\"<textarea $1>\"))");

I took a stab at it, but not sure I got them right. I wouldn't even
know what to do to test if it was working right!  : )  Do these look
ok?

Markup('select', 'inline', '/\(:select (.*?):\\)/',
"htmlspecialchars(\"<select name=$1>\")");
Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
"Keep(PSS(htmlspecialchars(\"<textarea $1>\")))");

I also presume these are all ok without need for change...

Markup('option', 'inline', '/\\(:option (.*?):\\)/e',
"Keep(PSS(\"<option value='$1'>\"))");
Markup('selectend', 'inline', '/\(:selectend:\\)/', '</select>');
Markup('textareaend', 'inline', '/\(:textareaend:\\)/', '</textarea>');


> > 2) I have these lines in my code, yet I'm still getting slashes.  Any
> > suggestions?
> >
> >   foreach ($_POST as $field => $value) {
> >     if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);
>
> I have no idea here.  Are the slashes showing up in the data file
> or in the output from the markup?

They are in the data file and occur both with PmWiki text input and
ZAP's textarea input (above).  They occur at my server, but not on my
home machine. Would the slashmagic() work better?  Here is a more full
snippet of how the $_POST info is processed, which is run early on in
the ZAP recipe:

foreach ($_POST as $field => $value) {   // ... processes incoming post
    if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);
    $_POST[$field] = preg_replace('/\\(:/', '(&#x3a;', $_POST[$field]);
    $_POST[$field] = preg_replace('/\\{(.*?)\\}/e', "\$_POST[$1]", $value);
    if (is_array($value)) $_POST[$field] = implode(",", $value);
}
foreach ($_POST as $field => $value) {   // ... proceeds to engine.

> > 3) I'd like to start adding some VERY simple calculating capabilities
> > in ZAP, and was wondering if there was a way to take a post value like
> > "+ 7" in a form and execute something like $x = $x + 7; in the
> > recipe.  Some way to execute php commands contained in a string.
>
> There's the PHP eval() function, but it's _very_ dangerous.

Hmmm.  I think I'll pass for now on that--though with ZAP's new
security system I might be willing to consider it.  Guess I just need
to write up some cases for simple arithmetic. Or some kind of plug
into ZAP.  Or a javascript snippet...  Perhaps I'll just wait till I
can tackle a zap shopping cart recipe...

Oh one extra question I forgot to ask before...

Can someone help rewrite this expression pattern so it does not
execute for something like {$var}, {=$var} or {$:var}, etc (ie with a
$ sign), but it does execute for {var}.

$_POST[$field] = preg_replace('/\\{(.*?)\\}/e', "\$_POST[$1]", $value);

I can't seem to figure out how to do negatives...

Thanks again so much for all your help!

Cheers,
Caveman
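An added example, not ZAP's or PmWiki's own code, showing the two points raised in this thread: a `{var}` substitution that skips anything containing a `$` (so `{$var}`, `{=$var}` and `{$:var}` are left for PmWiki) and that escapes the user-supplied value with htmlspecialchars before it can reach a markup; it also uses preg_replace_callback instead of the /e modifier, so no POST data is ever evaluated as PHP, and each step operates on the already-processed value rather than the original $value. The function names zap_substitute and zap_strip_magic_quotes, and the sample $post array, are hypothetical.

```php
<?php
// Hypothetical helper (added example): replace {name} with the escaped POST
// value, but leave any brace group containing '$' untouched for PmWiki.
function zap_substitute(array $post, string $value): string
{
    // Character class excludes '$' and braces, so {$var}, {=$var}, {$:var}
    // and nested braces never match; only plain {name} does.
    return preg_replace_callback(
        '/\{([^{}$]+)\}/',
        function (array $m) use ($post): string {
            $name = $m[1];
            if (!array_key_exists($name, $post)) {
                return $m[0];   // unknown field: keep the literal text
            }
            $field = $post[$name];
            if (is_array($field)) {   // multi-value fields arrive as arrays
                $field = implode(',', $field);
            }
            // Escape here so a later <select name=...> or <textarea ...>
            // markup cannot be broken out of by user-contributed data.
            return htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8');
        },
        $value
    );
}

// Hypothetical helper (added example): undo magic_quotes_gpc once, for
// scalar and array fields alike, assigning back to the processed array.
function zap_strip_magic_quotes(array $post): array
{
    // get_magic_quotes_gpc() only exists on PHP < 8; guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        foreach ($post as $k => $v) {
            $post[$k] = is_array($v) ? array_map('stripslashes', $v)
                                     : stripslashes($v);
        }
    }
    return $post;
}

// Constructed sample input standing in for $_POST (not real form data).
$post = zap_strip_magic_quotes([
    'name'   => "O'Brien <b>",
    'colors' => ['red', 'blue'],
]);
echo zap_substitute($post,
    'Hello {name}, {colors}, {$Name} {=$x} {$:y} {missing}'), "\n";
```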
