[pmwiki-users] Fwd: ZAP nearly ready...

The Editor editor at fast.st
Mon Oct 23 18:14:11 CDT 2006

These are two old questions on my todo list for ZAP, and one new one.
Thought I'd repost them again to see if anyone can give me some


---------- Forwarded message ----------
From: The Editor <editor at fast.st>
Date: Oct 22, 2006 4:58 PM


1) I guess I misunderstood how htmlspecialchars worked.  I thought it
parsed form submissions after they were received by the engine for
processing. Looking over the php docs more closely I take it now that
it should be used when creating forms input markups, to prevent bad
data from being sent to the engine. If so, the following would need
to be fixed:

     Markup('select', 'inline', '/\(:select (.*?):\\)/', '<select name=$1>');
     Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
"Keep(PSS(\"<textarea $1>\"))");

I took a stab at it, but not sure I got them right. I wouldn't even
know how to test if it was right!  : )  Do these look ok?

     Markup('select', 'inline', '/\(:select (.*?):\\)/',
"htmlspecialchars(\"<select name=$1>\")");
     Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
"Keep(PSS(htmlspecialchars(\"<textarea $1>\")))");

I also presume these are all ok, with no need for change...

Markup('option', 'inline', '/\\(:option (.*?):\\)/e',
"Keep(PSS(\"<option value='$1'>\"))");
Markup('selectend', 'inline', '/\(:selectend:\\)/', '</select>');
Markup('textareaend', 'inline', '/\(:textareaend:\\)/', '</textarea>');

2) I have these lines in my code, yet I'm still getting slashes.  Any

   foreach ($_POST as $field => $value) {
       if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);

Evidently they are in the form submission, because they show up when
the data values (fields) are saved on the page.  They can be seen when
retrieved using regular text variables.  They are created both with
PmWiki's (:input text:) and ZAP's (:textarea:) input.  They occur on
my server (linux), but not on my home machine (XP). Would the
slashmagic() work better? I'm wondering if perhaps it is a problem
with the markup?  the /e part? (But then why the problem with Pm's
markup?)  Don't like slashes!

3) I noticed this pattern does not seem to be working either (it comes
right after the stripslashes line above).  (I know the conditional is
being met because line 3 is processing properly). Anyway, this line is
supposed to disable pmwiki directives, but it's not.  Is there a typo

    ->       $_POST[$field] = preg_replace('/\\(:/', '(&#x3a;', $_POST[$field]);

Thanks all! Has anyone looked at the snippets yet?
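
The three points raised in this message, as an added example that is not part of the original post and is not ZAP or PmWiki code: it contrasts encoding only the attribute value with encoding the whole tag, and applies backslash stripping and the `(&#x3a;` replacement to nested fields as well as plain strings. The helper names and sample values are assumptions made for the illustration.

```php
<?php
// Added illustration: helper names are hypothetical, not ZAP or PmWiki functions.

// Encode a value for use inside a quoted HTML attribute.
function attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The tag stays literal markup; only the author-supplied name is encoded.
function select_open(string $name): string {
    return "<select name='" . attr_escape($name) . "'>";
}

// Encoding the whole tag instead: "<" and ">" become entities, so the
// browser displays the tag as text and no form control is created.
function select_open_whole_tag(string $name): string {
    return htmlspecialchars("<select name=$name>", ENT_QUOTES, 'UTF-8');
}

// Remove backslash escaping from a submitted field, including nested
// arrays such as those produced by name="tags[]" inputs.
function strip_deep($value) {
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

// Replace the directive opener "(:" so stored text is no longer parsed
// as a directive; nested arrays are handled the same way.
function disable_directives($value) {
    return is_array($value) ? array_map('disable_directives', $value)
                            : str_replace('(:', '(&#x3a;', $value);
}

// Constructed sample values (not taken from the post).
$name = "color' title='injected";
$post = [
    'note' => "It\\'s (:include SomePage:)",
    'tags' => ["a\\'b", "(:if:)"],
];

echo select_open($name), "\n";
echo select_open_whole_tag($name), "\n";

$clean = array_map('disable_directives', array_map('strip_deep', $post));
print_r($clean);
```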
