[pmwiki-users] Security questions
crisses at kinhost.org
Thu Sep 28 21:36:17 CDT 2006
On Sep 28, 2006, at 1:49 PM, Patrick R. Michaud wrote:
> On Thu, Sep 28, 2006 at 01:39:41PM -0400, The Editor wrote:
>> Just a couple questions. Only one on security actually.
>> I'm wanting to dataproof form submissions to prevent harmful things
>> from being posted to a page through a form. I'm using WritePage to
>> save the page, and was wondering if I needed any further precautions?
>> I was wondering if the data is save in some kind of coded from to be
>> unoperational, when it is retrieved and displayed in a page (through
>> Readpage), is it decoded? So that a malicious person might be
>> able to
>> introduce something into it?
> The upshot of this is that WritePage only makes sure the files in
> wiki.d/ aren't easily exploited, but does nothing about any values
> you may send to a browser. For that you typically want to use
> htmlspecialchars(...) around anything generated from user input.
Blocklist(2,3) only works on certain action='s
If you create custom actions and want the Blocklist to activate,
there may be some custom coding involved. Blocklist only checks the
IP address of the person who submits edit (& commentbox?) and the
text submitted via $_POST['text'].
Which reminds me that I have to change a form to only be submitted by
someone with certain permissions. Any clue how to do that? :)
More information about the pmwiki-users