[pmwiki-users] Comments-UseCases page

Crisses crisses at kinhost.org
Tue May 27 07:40:28 CDT 2014


Security issue in the comment template in PmForm.Templates:
(:template require text match="-*http:*" errmsg="Please don't post external links":)

This will still allow https:// links, and other naughty entries.  I think it's best to eliminate if there's a colon in it and @ i.e. "-*:*,-*@*,-*<*,-*>*" so that it also covers all PmWiki InterMapped services and email addresses.  It doesn't stop "www.example.com" but at least then it's not clickable (unless you have a plugin that changes www->link).  One could also eliminate "." depending on which field it is (on my RSVP form it's a "Name" field so it would prevent someone from saying "Rev. Criss" or "Ms. Fuller, P.C.").  I took out angle brackets just for good measure -- it will stop much spam dead in its tracks.  I may also add a honeypot to the form (a hidden field like "Subject" that spam software would attempt to fill in and an error message that says "please leave Subject blank" in case someone real tries to fill it in).

Crisses

> [...]
> Thank you for your time,
> Crisses

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20140527/d7b021b1/attachment.html>


More information about the pmwiki-users mailing list