[pmwiki-devel] strange conversions: a FmtPageName bug
Patrick R. Michaud
pmichaud at pobox.com
Sun Mar 9 09:32:17 CDT 2008
On Sun, Mar 09, 2008 at 11:55:17AM +0000, Hans wrote:
> Sunday, March 9, 2008, 2:33:29 AM, Patrick wrote:
>
> > Also, as a general rule it's unwise to be calling FmtPageName()
> > on strings that are coming from page markup, as this exposes
> > the ability for people to view the values of variables that
> > perhaps they shouldn't see. This is also why page variables
> > (which come from markup) use PageVar() and PageTextVar() and
> > don't go through FmtPageName().
>
> I am not sure what to make of this.
> I am only trying to read an edit template.
> As I said originally:
>
> I am trying to load an edit form with
>
> $HandleEditFmt = array(&$PageStartFmt, &$PageEditFmt, &$PageEndFmt);
> PrintFmt($pagename, $HandleEditFmt);
>
> $PageEditFmt gets retrieved from a template on a EditForm page.
The point is that PmWiki never calls FmtPageName() on arbitrary data
that comes from directly from a wiki page (including templates) --
the strings are always checked and/or escaped for various characters
(including $) first. Otherwise there's the potential for malicious
editors to grab global configuration information and/or insert
various XSS, JavaScript, or HTML attacks.
Pm
More information about the pmwiki-devel
mailing list