[pmwiki-users] Security questions

Crisses crisses at kinhost.org
Thu Sep 28 21:36:17 CDT 2006


On Sep 28, 2006, at 1:49 PM, Patrick R. Michaud wrote:

> On Thu, Sep 28, 2006 at 01:39:41PM -0400, The Editor wrote:
>> Just a couple questions.  Only one on security actually.
>>
>> I'm wanting to dataproof form submissions to prevent harmful things
>> from being posted to a page through a form.  I'm using WritePage to
>> save the page, and was wondering if I needed any further precautions?
>> I was wondering if the data is saved in some kind of coded form to be
>> inoperable, and when it is retrieved and displayed in a page (through
>> ReadPage), is it decoded?  So that a malicious person might be able to
>> introduce something into it?
> ...
> The upshot of this is that WritePage only makes sure the files in
> wiki.d/ aren't easily exploited, but does nothing about any values
> you may send to a browser.  For that you typically want to use
> htmlspecialchars(...) around anything generated from user input.

Blocklist(2,3) only works on certain values of action=

If you create custom actions and want the Blocklist to activate,
there may be some custom coding involved.  Blocklist only checks the
IP address of the person who submits an edit (& commentbox?) and the
text submitted via $_POST['text'].

Which reminds me that I have to change a form so that it can only be
submitted by someone with certain permissions.  Any clue how to do that? :)

Crisses
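The point Patrick makes in the quoted reply (WritePage stores the text as-is, so escaping has to happen when a value is sent to the browser) is illustrated by the following script. This is an added example, not code from PmWiki or from anyone in this thread; the in-memory $store and the saveSubmission()/loadSubmission() helpers are assumptions standing in for WritePage()/ReadPage() so that the script runs offline under the PHP CLI.

```php
<?php
// Added example (not PmWiki code): escape user-supplied text on output.
// PmWiki's WritePage()/ReadPage() store and return the text unchanged, so
// any HTML a user posted through a form comes back intact. The escaping
// therefore belongs at the point where the value is sent to the browser,
// not at the point where it is saved.

// Assumption: an in-memory array stands in for wiki.d/ so the script can
// run offline; real PmWiki code would call WritePage()/ReadPage() here.
$store = [];

function saveSubmission(array &$store, string $pagename, string $text): void {
    // Store the raw text unchanged, as WritePage does.
    $store[$pagename] = $text;
}

function loadSubmission(array $store, string $pagename): string {
    // Return the stored text unchanged, as ReadPage does (no decoding step).
    return $store[$pagename] ?? '';
}

// Escape for an HTML text or attribute context. ENT_QUOTES also escapes
// single quotes so the result is safe inside attributes delimited with
// either quote style; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string, and the charset is given
// explicitly rather than relying on the default.
function escapeForHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: what a malicious form submission might carry.
// It targets both a text context and an attribute context at once.
$submitted = '<script>alert(document.cookie)</script>" onmouseover="alert(1)';

saveSubmission($store, 'Main.FormTest', $submitted);
$fromPage = loadSubmission($store, 'Main.FormTest');

// Unsafe: the raw value is injected into the page (what NOT to do).
$unsafeHtml = '<div class="comment">' . $fromPage . '</div>';

// Safe: every value derived from user input passes through escapeForHtml(),
// whether it lands in element content or inside an attribute value.
$safeHtml = '<div class="comment">' . escapeForHtml($fromPage) . '</div>';
$safeAttr = '<input type="text" value="' . escapeForHtml($fromPage) . '">';

echo "Stored verbatim: " . ($fromPage === $submitted ? 'yes' : 'no') . "\n";
echo "Unsafe output:   $unsafeHtml\n";
echo "Escaped output:  $safeHtml\n";
echo "Escaped attr:    $safeAttr\n";
```

Run it with `php` from the command line. The first line confirms that nothing is encoded on the way through the store, so the "unsafe" line shows the script tag and the injected event handler reaching the browser untouched, while the two escaped lines show `<`, `>` and both quote characters turned into entities. The same escapeForHtml() call is what a custom action handler should wrap around $_POST['text'] (or anything built from it) before echoing it back.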

