[pmwiki-users] Editform: clearing a page text variable, escaping directives
Petko Yotov
5ko at free.fr
Sat Apr 28 09:05:54 CDT 2007
On Saturday 28 April 2007 14:20, Patrick R. Michaud wrote:
> On Sat, Apr 28, 2007 at 11:23:39AM +0200, Petko Yotov wrote:
> > Hello Patrick and all,
> >
> > I looked at and tested the latest code from SVN and I have some
> > questions.
>
> FWIW, I've already abandoned the code that is currently in SVN and
> I'm using a slightly different approach.
OK, thanks for this information; I'm looking forward to testing the new approach.
>
> > 1. It is not possible to clear a page text variable: if one erases the
> > content of the text field, the PTV is not modified. I believe it should
> > be. I can see in the code that this is a wanted behaviour but cannot
> > understand why: in case the $_POST field exists and is empty, one would
> > expect the PTV to be cleared (emptied).
>
> Not necessarily. If someone opens up a form containing a number of PTV
> fields and fills only some of them in, then it's not always obvious
> (to the author) that leaving the others blank will clear the
> corresponding PTVs. So, for now I've decided that the way to explicitly
> clear a PTV will be to enter spaces in the field.
In my imagination (and in the provided example Cookbook:RecipeInfoForm), the
form input box is pre-filled with the PTV's content. If the editor doesn't
modify it, it will send the same content back. But when the writer explicitly
modifies it, then it should be modified.
I believe the case when an empty input box is presented in order to *modify*
*existing* values is not the general case. If the modification is just a
typo, the user shouldn't type all the contents again; the content should be
there. If it is a long text, even worse. Accidentally, that's how PmWiki
currently proceeds: the textarea for modifying the page source is not empty when
a page already exists and we need to change it. :-)
If people really use empty input boxes to modify existing, non-empty PTVs (I
still cannot understand why), then probably PmWiki could detect if it had or
had not pre-filled the form with values, and if it had, to clear the
emptied-by-the-editor PTVs. Or, at least, maybe, have a configuration
variable to set in config.php.
> > 2. When one enters ":)" in the textarea, it is translated into "&#x3a;)"
> > in the wiki-source. But when one re-edits the PTV in the "editform", one
> > sees "&#x3a;)" (actually, "&amp;#x3a;)" in HTML). Is it possible to
> > translate it back to ":)"? It would be more readable and usable,
> > especially favorable for inexperienced writers. The "<" and "&" are
> > converted properly to "<" and not to "&lt;" in HTML.
>
> The conversion of ":)" to "&#x3a;)" is actually going to change -- it will
> be "(:" converted to "(&#x3a;". However, your point remains.
Maybe then escape both, because:
(:RealVar: Text added by user :) this will be cut from PTV
and will show in the page. EndRealVar:)
":)" here is also able to cause trouble.
>
> The conversion of "(:" to "(&#x3a;" is going to be an option, enabled
> by default. The problem is that since these forms will often be used
> to allow people w/o edit privileges to add content to a page, we don't
> want them to be able to add directives.
>
> But converting "(&#x3a;" back to "(:" upon edit would defeat the
> purpose here. Suppose a malicious person uses a form to insert a
> directive into a page -- it gets converted to "(&#x3a;" and so far
> we're safe. Then, a privileged author comes along later and makes
> a minor edit to the page. If the "(&#x3a;" is converted back to
> a "(:", and our later author doesn't notice this, then the malicious
> author will have succeeded in getting a directive added to a page.
I did not mean in the wiki source, but in the editform's input-boxes
(PmPhilosophy n°1) but currently I cannot see how this could be done. If it
is not possible, I plan to use "(:" to "(-:" instead of "(&#x3a;" because
it is more readable and (assuming good faith) the writer probably means to
write a smiley.
[...]
>
> > 4. In the one-line PTVs it is possible to enter "(:if false:)"
> > or "(:NewPTV:Value:)" or any other directive, which are not escaped, and
> > this is probably not the behaviour we intend to have:
>
> In the new version, all input fields are escaped.
I didn't know this, and before writing my previous letter, I had tested these
at
http://pmwiki.org/wiki/Test/Editform
So, looking forward to seeing the new code. As I said, I am grateful that
everything is customizable and if for some reason I don't like something,
maybe I'll be able to replace it. :-)
Thanks!
Petko
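The directive-escaping problem discussed above, as an added example that is not part of the original message or of PmWiki's own code. It assumes a simplified `(:Name: value :)` PTV pattern (the real PmWiki pattern is more involved) and hypothetical helper names (`escape_ptv_value`, `extract_ptvs`, `editform_value`); the attack string is constructed. It shows why escaping only "(:" is not enough when the stored value can also contain ":)", and why the editform should display the stored "(&#x3a;" literally instead of turning it back into "(:".

```php
<?php
// Added example (not PmWiki code): escaping untrusted form input before it is
// stored in a page text variable, and why both "(:" and ":)" need escaping.

// Assumption: a simplified stand-in for PmWiki's "(:Name: value :)" syntax.
const PTV_PATTERN = '/\(:(\w+):(.*?):\)/s';

// Escape directive delimiters in a value supplied through a form by an
// unprivileged user. Replacing "(:" stops a new directive from being opened;
// replacing ":)" stops the value from closing the PTV it is stored in.
function escape_ptv_value(string $value): string {
    $value = str_replace('(:', '(&#x3a;', $value);
    $value = str_replace(':)', '&#x3a;)', $value);
    return $value;
}

// Build the wiki-source line that stores a PTV.
function ptv_line(string $name, string $value): string {
    return "(:$name: $value :)";
}

// Extract PTVs from page source the way a renderer would (simplified).
function extract_ptvs(string $source): array {
    preg_match_all(PTV_PATTERN, $source, $matches, PREG_SET_ORDER);
    $out = [];
    foreach ($matches as $hit) {
        $out[$hit[1]] = trim($hit[2]);
    }
    return $out;
}

// What the editform should put in the input box: HTML-escape the stored text
// so "(&#x3a;" is shown literally and is NOT turned back into "(:".
function editform_value(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed input: a visitor tries to break out of the PTV with ":)" and
// then to inject directives of their own.
$attack = 'innocent :) (:if false:) hidden (:NewPTV:pwned:)';

$raw  = ptv_line('RealVar', $attack);
$safe = ptv_line('RealVar', escape_ptv_value($attack));

// Unescaped: RealVar is cut at the first ":)" and NewPTV is defined by the
// visitor, so the directive injection succeeded.
print_r(extract_ptvs($raw));

// Escaped: only RealVar exists and it holds the whole (escaped) text.
print_r(extract_ptvs($safe));

// The input box shows "(&#x3a;" literally, so a later minor edit by a
// privileged author re-saves the escaped form rather than a live "(:".
echo editform_value(extract_ptvs($safe)['RealVar']), "\n";
```

Running the script prints two arrays: the first contains both `RealVar` (truncated to "innocent") and the injected `NewPTV`, the second contains `RealVar` only, with the entire escaped value. Whether "(&#x3a;" is shown to the writer as-is or as something friendlier like "(-:" is a usability choice; the security point is that the stored value must never be decoded back into a live directive when it is put into the edit form.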