[pmwiki-users] Permissions, edits and comments

Mike mike at widowitz.com
Sat Sep 30 12:58:12 CDT 2006


while I'm sure that having BlockList incorporated into the core, I don't
feel that blocking all possibly undesired markups is the best way to go.
Wouldn't it be simpler and more transparent to somehow "escape" the
stuff a user enters? Which means, that if the user enters (:title foo:),
well, then it shows up as a comment saying "(:title foo:)".
I've used this approach with the PHP function htmlspecialchars, which is
a similar logic to what I'm trying to describe....


Patrick R. Michaud wrote on 30.09.2006 18:59:
> On Sat, Sep 30, 2006 at 11:44:37AM -0500, Patrick R. Michaud wrote:
>> On Sat, Sep 30, 2006 at 10:02:39AM -0500, Patrick R. Michaud wrote:
>>> On Sat, Sep 30, 2006 at 04:52:39PM +0200, Mike wrote:
>>>> As posted before,
>>>> CommentBox seems to have a possible security issue by allowing users to
>>>> post directives, 
>> If you're running 2.2.0-beta7 or later and want to try an
>> automatically downloaded blocklist for commentbox, this
>> ought to now be possible with:
>>   $EnableBlocklist = 1;   
>>   if ($action == 'comment')
>>     $BlocklistDownload['Site.Blocklist-comment'] = array('format' => 'pmwiki');
> OOOOPS.  No, this won't work yet.  Turns out that
> commentboxplus.php is using HandleEdit, which means
> that the above will prevent people from adding comments
> to pages that already have a (:title:) directive on them.
> I'll have think a bit more about how we might handle
> per-action blocklists -- this really isn't something 
> that we had explicitly contemplated before now (at
> least I wasn't aware of it).
> (Pm prepares to hit 'send' on this message... and then...)
> Oh!  Yes, I do know how to handle it.  Okay, I'll add the
> capability into an upcoming beta where we can test it.
> Thanks,
> Pm

More information about the pmwiki-users mailing list