[pmwiki-devel] Safely adding a %confirm% custom WikiStyle

Hans design5 at softflow.co.uk
Sat Jul 19 09:28:13 CDT 2008


Saturday, July 19, 2008, 2:22:07 PM, Hans wrote:

> I wonder if the ApplyStyles function could
> be changed so that it will not accept values set by style markup for
> certain attributes, in which I would put all javascript event
> handlers.

Perhaps it could be done like this, as a proposal for a core change:

add to function ApplyStyles after
 $m = array_shift($match);
this:
 if (is_array($UnsafeWikiStyleAttr) && in_array($m[1],$UnsafeWikiStyleAttr)) continue;

and add to globals: $UnsafeWikiStyleAttr

Then an admin can define array $UnsafeWikiStyleAttr possibly like
this in config:

$UnsafeWikiStyleAttr = array('onload','onunload','onclick','ondblclick','onmousedown',
     'onmouseup','onmouseover','onmousemove','onmouseout','onfocus','onblur',
     'onkeypress','onkeydown','onkeyup','onsubmit','onreset','onselect','onchange');

and can add event handlers as attributes and define the scripts, like

$WikiStyleAttr['onclick'] = 'a';
$WikiStyle['confirm']['onclick'] = ' return confirm("Are you sure?") ';

So this would need a one line addition to the core function, which
adds a filter to filter out unwanted attribute keywords.

It can be left to the admin to implement adding any needed javascript
event handlers, and set necessary restrictions.


Hans
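The filter proposed above, worked through as a stand-alone illustration (added here, not PmWiki's ApplyStyles code): page-supplied attributes whose names appear in $UnsafeWikiStyleAttr are dropped, while an admin-defined named style such as 'confirm' keeps its handler. The parser, the applyStyleMarkup() function and the sample markup are hypothetical; unlike the one-line proposal, the check lowercases the attribute name before comparing, since HTML attribute names are case-insensitive.

```php
<?php
// Illustration of the proposed deny-list, not PmWiki's own ApplyStyles code.
// Admin-defined list of attribute names that page wikistyle markup may not set.
$UnsafeWikiStyleAttr = array('onload','onunload','onclick','ondblclick','onmousedown',
    'onmouseup','onmouseover','onmousemove','onmouseout','onfocus','onblur',
    'onkeypress','onkeydown','onkeyup','onsubmit','onreset','onselect','onchange');

// Admin-defined named style from the proposal; defined in config, so it is
// trusted and may carry an event handler.
$WikiStyle = array(
    'confirm' => array('onclick' => ' return confirm("Are you sure?") '),
);

// Hypothetical simplified parser for the body of a %...% style, e.g.
// "color=red onclick=alert(1)". A bare word selects an admin-defined named
// style whose attributes are merged in; key=value pairs from the page are
// skipped when the key is on the deny list (the proposed `continue`).
function applyStyleMarkup($markup, array $unsafe, array $named) {
    $attrs = array();
    preg_match_all('/([-\w]+)(?:=(\S+))?/', $markup, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        if (!isset($m[2])) {                       // bare word: named style
            if (isset($named[$m[1]])) {
                $attrs = array_merge($attrs, $named[$m[1]]);
            }
            continue;
        }
        // Proposed core check, with case-insensitive matching of the name.
        if (in_array(strtolower($m[1]), $unsafe, true)) continue;
        $attrs[$m[1]] = $m[2];
    }
    return $attrs;
}

// Constructed inputs: a page author setting a handler directly in the markup,
// versus a page author using the admin-defined 'confirm' style.
$fromPage  = applyStyleMarkup('color=red onclick=alert(1)', $UnsafeWikiStyleAttr, $WikiStyle);
$fromAdmin = applyStyleMarkup('confirm color=red', $UnsafeWikiStyleAttr, $WikiStyle);

// Print the attribute arrays that would reach the generated HTML.
print_r($fromPage);
print_r($fromAdmin);
```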
