[pmwiki-users] Editform: clearing a page text variable, escaping directives

Petko Yotov 5ko at free.fr
Sat Apr 28 09:05:54 CDT 2007


On Saturday 28 April 2007 14:20, Patrick R. Michaud wrote:
> On Sat, Apr 28, 2007 at 11:23:39AM +0200, Petko Yotov wrote:
> > Hello Patrick and all,
> >
> > I looked at and tested the latest code from SVN and I have some
> > questions.
>
> FWIW, I've already abandoned the code that is currently in SVN and
> I'm using a slightly different approach.

Ok, thanks for this information, I'm looking forward to testing the new approach.

>
> > 1. It is not possible to clear a page text variable: if one erases the
> > content of the text field, the PTV is not modified. I believe it should
> > be. I can see in the code that that is a wanted behaviour but cannot
> > understand why : in case the $_POST field exist and is empty, one would
> > expect the PTV to be cleared (emptied).
>
> Not necessarily.  If someone opens up a form containing a number of PTV
> fields and fills only some of them in, then it's not always obvious
> (to the author) that leaving the others blank will clear the
> corresponding PTVs.  So, for now I've decided that the way to explicitly
> clear a PTV will be to enter spaces in the field.

In my imagination (and in the provided example Cookbook:RecipeInfoForm), the 
form input box is pre-filled with the PTV's content. If the editor doesn't 
modify it, it will send the same content back. But when the writer explicitly 
modifies it, then it should be modified.

I believe the case where an empty input box is presented in order to *modify* 
*existing* values is not the general case. If the modification is just a 
typo, the user shouldn't type all the contents again; the content should be 
there. If it is a long text, even worse. Incidentally, that's how PmWiki 
currently proceeds: the textarea for modifying the page source is not empty when 
a page already exists and we need to change it. :-)

If people really use empty input boxes to modify existing, non-empty PTVs (I 
still cannot understand why), then probably PmWiki could detect whether it had 
pre-filled the form with values, and if it had, clear the PTVs emptied by the 
editor. Or, at least, maybe, have a configuration variable to set in 
config.php.


> > 2. When one enters ":)" in the textarea, it is translated into "&#x3a;)"
> > in the wiki-source. But when one re-edits the PTV in the "editform", one
> > sees "&#x3a;)" (actually, "&amp;#x3a;)" in HTML). Is it possible to
> > translate it back to ":)"? It would be more readable and usable,
> > especially favorable for inexperienced writers. The "<" and "&" are
> > converted properly to "&lt;" and not to "&amp;lt;" in HTML.
>
> The conversion of ":)" to "&#x3a;)" is actually going to change -- it will
> be "(:" converted to "(&#x3a;".  However, your point remains.

Maybe then escape both, because:
  (:RealVar: Text added by user :) this will be cut from PTV
  and will show in the page. EndRealVar:)

":)" here can also cause trouble.

>
> The conversion of "(:" to "(&#x3a;" is going to be an option, enabled
> by default.  The problem is that since these forms will often be used
> to allow people w/o edit privileges to add content to a page, we don't
> want them to be able to add directives.
>
> But converting "(&#x3a;" back to "(:" upon edit would defeat the
> purpose here.  Suppose a malicious person uses a form to insert a
> directive into a page -- it gets converted to "(&#x3a;" and so far
> we're safe.  Then, a privileged author comes along later and makes
> a minor edit to the page.  If the "(&#x3a;" is converted back to
> a "(:", and our later author doesn't notice this, then the malicious
> author will have succeeded in getting a directive added to a page.

I did not mean in the wiki source, but in the editform's input boxes 
(PmPhilosophy n°1), but currently I cannot see how this could be done. If it 
is not possible, I plan to convert "(:" to "(-:" instead of "(&amp;#x3a;" because 
it is more readable and (assuming good faith) the writer probably means to 
write a smiley.

[...]
>
> > 4. In the one-line PTVs it is possible to enter "(:if false:)"
> > or "(:NewPTV:Value:)" or any other directive, none of which are escaped, and
> > this is probably not the behaviour we intend to have:
>
> In the new version, all input fields are escaped.

I didn't know this, and before writing my previous letter, I had tested these 
at
   http://pmwiki.org/wiki/Test/Editform

So, I am looking forward to seeing the new code. As I said, I am grateful that 
everything is customizable, and if for some reason I don't like something, 
maybe I'll be able to replace it. :-)

Thanks!

Petko
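The points argued in this exchange (escaping "(:" alone leaves ":)" able to close a PTV directive early, and converting "(&#x3a;" back to "(:" when pre-filling the edit form lets a privileged re-save revive a directive an unprivileged submitter planted) can be reproduced with a small model. The following is an added illustration in Python, not PmWiki's own PHP code: the directive scanner, the function names, the `(-:` variant and the sample submission are constructed for this example, and PmWiki's real markup engine is more involved than the regular expression used here.

```python
import re

# Crude stand-in for PmWiki's directive recognition (constructed for this
# example): a directive is the shortest "(:" ... ":)" span.  Good enough to
# show how a stray ":)" inside a value terminates the enclosing directive.
DIRECTIVE_RE = re.compile(r"\(:(.*?):\)", re.S)


def parse_page(source):
    """Return (directive bodies, text left outside any directive)."""
    bodies = DIRECTIVE_RE.findall(source)
    leftover = DIRECTIVE_RE.sub("", source).strip()
    return bodies, leftover


def escape_markers(value, escape_close=True):
    """Neutralise directive markers in a form-submitted value.

    "(:" becomes "(&#x3a;" (the behaviour Patrick describes).  With
    escape_close=True, ":)" becomes "&#x3a;)" as well, the extension Petko
    suggests so a value cannot close the surrounding directive early.
    """
    out = value.replace("(:", "(&#x3a;")
    if escape_close:
        out = out.replace(":)", "&#x3a;)")
    return out


def unescape_markers(value):
    """Inverse of escape_markers.  Applying it when pre-filling the edit form
    is exactly the round-trip hazard discussed in the thread."""
    return value.replace("(&#x3a;", "(:").replace("&#x3a;)", ":)")


def defang_readable(value):
    """Petko's more readable alternative for the opening marker: "(:" -> "(-:".
    Only the opening marker is handled, as proposed; ":)" is left alone."""
    return value.replace("(:", "(-:")


def store_ptv(name, value, escaper=escape_markers):
    """Wrap a submitted value in a page text variable definition.
    escaper=None models the unsafe path; otherwise the function is applied
    to the value before it is written into the page source."""
    if escaper is not None:
        value = escaper(value)
    return f"(:{name}: {value}:)"


# Constructed submission, modelled on the (:RealVar: ... :) case in the
# thread: a ":)" that closes RealVar early, followed by a directive the
# submitter has no right to add.
SUBMISSION = "Text added by user :) (:if false:) EndRealVar"


def reedit_roundtrip(name, value, unescape_on_edit):
    """Simulate: an unprivileged submission is stored fully escaped, then a
    privileged author opens the page in the edit form and saves it again
    unchanged.  Returns the number of live directives after the re-save."""
    stored = store_ptv(name, value)              # escaped on the way in
    textarea = unescape_markers(stored) if unescape_on_edit else stored
    resaved = textarea                           # author saves what the form showed
    return len(parse_page(resaved)[0])


if __name__ == "__main__":
    for label, esc in [("no escaping", None),
                       ("(: only", lambda v: escape_markers(v, False)),
                       ("(: and :)", escape_markers),
                       ("(-: variant", defang_readable)]:
        bodies, leftover = parse_page(store_ptv("RealVar", SUBMISSION, esc))
        print(f"{label:12} directives={bodies} leftover={leftover!r}")
    print("re-save after unescaping pre-fill :",
          reedit_roundtrip("RealVar", SUBMISSION, True))
    print("re-save with entities kept        :",
          reedit_roundtrip("RealVar", SUBMISSION, False))
```

Running the block prints the scanner's view of each variant: with no escaping the `(:if false:)` becomes a second, live directive and "EndRealVar:)" spills onto the page; escaping only "(:" still lets the ":)" truncate RealVar's value; escaping both markers keeps the whole submission inside one directive; and a re-save from a form that unescaped the pre-filled text brings the injected directive back, while keeping the entities in the textarea does not.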
