[pmwiki-users] Editform: clearing a page text variable, escaping directives
Petko Yotov
5ko at free.fr
Sat Apr 28 10:58:16 CDT 2007
On Saturday 28 April 2007 17:02, Patrick R. Michaud wrote:
> > If people really use empty input boxes to modify existing, non-empty PTVs
> > (I still cannot understand why), then probably PmWiki could detect if it
> > had or had not pre-filled the form with values ...
>
> It is _very_ difficult for PmWiki to know if it has pre-filled out a
> particular form with values. Doing so requires keeping quite a bit
> of session information around for every form that PmWiki generates,
> and this session information will tend to grow without bound the
> more a particular author interacts with PmWiki.
>
> Also note that simply viewing pages containing a form causes the
> session to grow, whether the form is filled out or not.
I was thinking not of session data, but more of a hidden form field as in:
(:input default request=1 source=DataPage:)
translated to:
<input type="hidden" name="_ptv_were_prefilled" value="1"/>
when there is a "source=DataPage" parameter, it was pre-filled.
> ...
> > > But converting "(:" back to "(:" upon edit would defeat the
> > > purpose here. Suppose a malicious person uses a form to insert a
> > > directive into a page -- it gets converted to "(:" and so far
> > > we're safe. Then, a privileged author comes along later and makes
> > > a minor edit to the page. If the "(:" is converted back to
> > > a "(:", and our later author doesn't notice this, then the malicious
> > > author will have succeeded in getting a directive added to a page.
> >
> > I did not mean in the wiki source, but in the editform's input-boxes
> > (PmPhilosophy n°1) but currently I cannot see how this could be done.
>
> The problem is that if it's in the editform's input-boxes, then
> when the author (re-)submits the page to PmWiki we cannot know if
> the "(:" that comes from the text field is because we previously
> converted from (: or because the author really wants a "(:"
> to appear there.
>
I understand what you mean, however this is still a puzzle: what if
the "advanced" editor adds "(:" in the page source? It will display "(:" in
the input box, and then, when saved, will transform into "(:" and
eventually will break something.
For me, the most consistent behaviour would be, from a posted "editform", to
always escape "(:" inside PTVs, advanced editor or not. If it is always
escaped, there is no problem, only in the "editform" mode, to "unescape" back
the "(:" into "(:".
Hopefully, we will have more ideas to brainstorm. :-)
Thanks!
Petko
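The two mechanisms discussed in this thread, always escaping "(:" in posted PTV values and using a hidden "_ptv_were_prefilled" field to decide whether an empty input box may clear an existing PTV, can be illustrated with a small model of the save path. The code below is an added example written for this archive page; it is not PmWiki code and does not use PmWiki's real functions. The escape form "&#40;:", the field name "_ptv_were_prefilled" and the helper names are assumptions for the illustration. It also shows the case Petko raises: a directive typed into the page source by an advanced editor shows up unescaped in the input box and is escaped on the next save.

```python
# Model of an "editform" round trip for page text variables (PTVs).
# Constructed example; not PmWiki's implementation.

ESCAPED = "&#40;:"          # assumed escape form for the directive opener "(:"
PREFILLED_FIELD = "_ptv_were_prefilled"   # assumed hidden field name


def escape_directives(value: str) -> str:
    """Neutralise every directive opener so posted text cannot start a (:...:)."""
    return value.replace("(:", ESCAPED)


def unescape_directives(value: str) -> str:
    """Reverse of escape_directives; only used when rendering the edit form."""
    return value.replace(ESCAPED, "(:")


def render_editform_fields(page_ptvs: dict, source_given: bool) -> dict:
    """Build the form's input values.

    When the form has a source= page it is pre-filled from that page's PTVs
    and a hidden marker field is emitted, as suggested in the message above.
    """
    fields = {}
    if source_given:
        fields[PREFILLED_FIELD] = "1"
        for name, value in page_ptvs.items():
            fields[name] = unescape_directives(value)
    return fields


def was_prefilled(posted: dict) -> bool:
    """Read the hidden marker back from the posted form."""
    return posted.get(PREFILLED_FIELD) == "1"


def apply_editform(page_ptvs: dict, posted: dict) -> dict:
    """Merge posted values into the page's PTVs on save.

    - "(:" in any posted value is always escaped, whoever submits it.
    - An empty value clears an existing PTV only if the form was pre-filled;
      an empty box on a form that never showed the old value leaves it alone.
    """
    prefilled = was_prefilled(posted)
    result = dict(page_ptvs)
    for name, value in posted.items():
        if name.startswith("_"):        # hidden/control fields are not PTVs
            continue
        if value == "" and not prefilled:
            continue
        result[name] = escape_directives(value)
    return result


def roundtrip(page_ptvs: dict, edits: dict, source_given: bool = True) -> dict:
    """Render the form from the page, apply the author's edits, and save."""
    form = render_editform_fields(page_ptvs, source_given)
    form.update(edits)
    return apply_editform(page_ptvs, form)


if __name__ == "__main__":
    # Constructed sample page: one PTV already escaped, one written raw in the source.
    page = {"Title": "Hello", "Note": ESCAPED + "include Secret:)", "Raw": "(:include Other:)"}
    print(roundtrip(page, {"Title": "Hi (:include Secret:)"}))
```

Running the module prints the saved PTVs: the injected directive in "Title" is escaped, "Note" survives the display/save round trip unchanged, and "Raw" (the advanced editor's unescaped directive) comes back escaped, which is exactly the trade-off the message describes.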