[pmwiki-users] PmWiki as Markup Service - is this a security hole?

michael paulukonis xraysmalevich at gmail.com
Fri Jun 8 09:30:36 CDT 2012

I've recently gotten back to blogging on WordPress, after a gap of about 4
years where I exclusively used PmWiki for my web editing.
WP has some great features, but I hate both visual editor (almost any
visual editor in any application) and the HTML editor.
For one, the HTML is re-processed silently
Second, entering HTML is a damn'd nuisance.
Third, I'm much more used to PmWiki markup at this point.

So, I built a simple WordPress plugin to callout to PmWiki as a markup
service, using the below code.
Basically, the plugin checks for text enclosed by a set of tags, passes
that to the markup service, which them provides HTML back to WordPress.

Despite the AuthUser and HandleAuth the markup service works on a lower
level of authorization, and should any attempts at using an (:include
AuthAccess.Only:) nothing is served up

Other than the simplicity and lack of nuance below (what few params
currently exist are hard-coded), is this a bad idea?
Is there any major security hole that I'm opening up in PmWiki by doing

Since only text is returned, any default or themed css is not available,
nor is any JavaScript that would have been added by cookbook recipes
(On a side note, the number of recipes I use that don't make use of
Unobtrusive JavaScript is annoying. I see a bunch of patching in my future)

Is there any way to obtain arbitrary JavaScript that extension attempt to
add to the page? (other than inline JS applied to markup) ?

I like being able to do markup in a consistent manner across the two
platforms I use.
Although the loss of plugin and extension functionality on either side is

<?php if(!defined('PmWiki'))exit;

## custom action for markup service
## 2012.05.30
## Michael J. Paulukonis
## http://www.xradiograph.com
## http://www.pmwiki.org/wiki/PmWiki/CustomActions
$HandleActions['wikimarkup'] = 'MarkupService';  # if url contains
action=myaction call HandleMyAction timely
## since this is an external call, how to handle authentication?
## can we pass it in via the params???
$AuthUser['wikimarkup'] = crypt('wikimarkup');
$HandleAuth['wikimarkup'] = 'admin';              # authorization level
$auth for HandleMyAction

function MarkupService($pagename, $auth) {     # parameters (signature) of
handler function required by PMWiki

  $wikitext = stripslashes($_GET['wikitext']);
  $pagename = 'WordPress.Post'; // just a place-holder, evaluate


  $markup = MarkupToHTML($pagename, $wikitext);

  header('Content-type: text/html');
  echo $markup;


## eventually, we should be expose these options w/in WordPress
## a mechanism to SetOnce, instead of always passing, might be good
## OTOH, always-passing means individual sections can have different markup
function MarkupServiceOptions() {

  global $LinkWikiWords, $SpaceWikiWords, $EnableUrlApprovalRequired;

        $LinkWikiWords = 0;  ## disable
        $SpaceWikiWords = 0; ## turn off WikiWord spacing
  $EnableUrlApprovalRequired = 0;

-Michael Paulukonis
 <http://goog_2112721603>Interference Patterns (a

Sent from somewhere in the Cloud
(hearthrug, by the fender)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20120608/bb51f751/attachment.html>

More information about the pmwiki-users mailing list