[pmwiki-users] Permissions, edits and comments
mike at widowitz.com
Sat Sep 30 12:58:12 CDT 2006
While I'm sure that having BlockList incorporated into the core, I don't
feel that blocking all possibly undesired markup is the best way to go.
Wouldn't it be simpler and more transparent to somehow "escape" the
stuff a user enters? Which means that if the user enters (:title foo:),
well, then it shows up as a comment saying "(:title foo:)".
I've used this approach with the PHP function htmlspecialchars, which is
a similar logic to what I'm trying to describe....
Patrick R. Michaud wrote on 30.09.2006 18:59:
> On Sat, Sep 30, 2006 at 11:44:37AM -0500, Patrick R. Michaud wrote:
>> On Sat, Sep 30, 2006 at 10:02:39AM -0500, Patrick R. Michaud wrote:
>>> On Sat, Sep 30, 2006 at 04:52:39PM +0200, Mike wrote:
>>>> As posted before,
>>>> CommentBox seems to have a possible security issue by allowing users to
>>>> post directives,
>> If you're running 2.2.0-beta7 or later and want to try an
>> automatically downloaded blocklist for commentbox, this
>> ought to now be possible with:
>> $EnableBlocklist = 1;
>> if ($action == 'comment')
>> $BlocklistDownload['Site.Blocklist-comment'] = array('format' => 'pmwiki');
> OOOOPS. No, this won't work yet. Turns out that
> commentboxplus.php is using HandleEdit, which means
> that the above will prevent people from adding comments
> to pages that already have a (:title:) directive on them.
> I'll have to think a bit more about how we might handle
> per-action blocklists -- this really isn't something
> that we had explicitly contemplated before now (at
> least I wasn't aware of it).
> (Pm prepares to hit 'send' on this message... and then...)
> Oh! Yes, I do know how to handle it. Okay, I'll add the
> capability into an upcoming beta where we can test it.
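An added example, not code from this thread or from PmWiki itself, contrasting the two approaches discussed above: a blocklist checked against the whole saved page, which rejects comments on any page that already carries (:title:), versus escaping only the newly submitted comment so the directive is displayed literally. The helper names are assumptions, as is the assumption that the renderer passes numeric character entities through unchanged.

```php
<?php
// Added example; helper names are assumed and PmWiki's own hooks
// (HandleEdit, $BlocklistDownload) are not used here.

// PmWiki directives look like (:name args:). Capture the directive name.
const DIRECTIVE_RE = '/\(:\s*([A-Za-z]+)[^:]*?:\)/';

// Blocklist approach: reject the whole page text when it contains a blocked
// directive. CommentBox saves the existing page plus the new comment, so a
// page that already carries (:title:) is rejected on every comment attempt.
function blocklistRejects(string $pageText, array $blockedDirectives): bool {
    if (!preg_match_all(DIRECTIVE_RE, $pageText, $m)) {
        return false;
    }
    foreach ($m[1] as $name) {
        if (in_array(strtolower($name), $blockedDirectives, true)) {
            return true;
        }
    }
    return false;
}

// Escaping approach: neutralise directive syntax in the submitted comment only.
// "(:" becomes "(&#58;" (numeric entity for ':'), so the markup engine never
// sees an opening directive and the visitor sees the literal "(:title foo:)".
// Assumption: the renderer passes character entities through unchanged.
function escapeComment(string $comment): string {
    return str_replace('(:', '(&#58;', $comment);
}

// Escape the new comment, then append it to the untouched existing page text.
function appendComment(string $existingPage, string $comment): string {
    return rtrim($existingPage) . "\n----\n" . escapeComment($comment) . "\n";
}

// Constructed sample data.
$existingPage   = "(:title Guest Book:)\nWelcome, leave a note below.\n";
$hostileComment = "Nice site! (:title pwned:)";
$blocked        = ['title', 'redirect', 'include'];

// The page's own (:title:) trips the blocklist, so even a harmless
// comment ("Hello there") cannot be saved this way.
$harmlessSave = blocklistRejects($existingPage . "Hello there", $blocked);

// With escaping, the page keeps its own directive and the comment's
// directive no longer matches DIRECTIVE_RE once appended.
$merged   = appendComment($existingPage, $hostileComment);
$newPart  = substr($merged, strlen(rtrim($existingPage)));
$stillBad = blocklistRejects($newPart, $blocked);

printf("blocklist rejects harmless comment: %s\n", $harmlessSave ? 'yes' : 'no');
printf("escaped comment still contains a directive: %s\n", $stillBad ? 'yes' : 'no');
echo $merged;
```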