[pmwiki-devel] strange conversions: a FmtPageName bug
Hans
design5 at softflow.co.uk
Sun Mar 9 10:33:53 CDT 2008
Sunday, March 9, 2008, 2:32:17 PM, Patrick wrote:
> The point is that PmWiki never calls FmtPageName() on arbitrary data
> that comes directly from a wiki page (including templates) --
> the strings are always checked and/or escaped for various characters
> (including $) first. Otherwise there's the potential for malicious
> editors to grab global configuration information and/or insert
> various XSS, JavaScript, or HTML attacks.
Thanks for this reminder and the hint to use $FmtV.
When I follow function HandleEdit's example using $FmtV like
$FmtV['$EditForm'] = MarkupToHTML($pagename, $form['text']);
$PageEditFmt = '$EditForm'; //from forms.php
SDV($HandleEditFmt, array(&$PageStartFmt, &$PageEditFmt, &$PageEndFmt));
PrintFmt($pagename, $HandleEditFmt);
then a template string like {$$text} will not get mangled by a global
var substitution. When I miss the $FmtV['$EditForm'] definition
I get the problem.
But what for instance about the title markup?
See here: http://www.pmwiki.org/wiki/Test/GlobalVarSubstitutions
Does it not directly oppose what you just said?
And does it cause a security risk?
Hans
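Added example, not from this thread and not PmWiki's own source: a simplified PHP model of the two behaviours Hans describes (a template token mangled by global substitution, and a global leaked when page text is used as the format string). The globals $WikiTitle, $SiteAdminPw and $text are constructed samples, and fmt_substitute() is a hypothetical stand-in for FmtPageName().

```php
<?php
// Added example, not PmWiki's code: a simplified model of a FmtPageName-style
// "$Var" substitution, showing why page-derived text must ride in $FmtV
// rather than being used as the format string itself.

// Constructed sample globals standing in for real configuration variables.
$GLOBALS['WikiTitle']   = 'Example Wiki';
$GLOBALS['SiteAdminPw'] = 'constructed-secret';
$GLOBALS['text']        = 'leftover';   // a lowercase scalar global a script left behind

// Pass 1: every scalar global $name is replaced by its value (the global var substitution).
// Pass 2: $FmtV entries are substituted LAST, so their values are never scanned for "$"
//         sequences; that ordering is what lets $FmtV safely carry text from a wiki page.
function fmt_substitute(string $fmt, array $fmtv): string {
    $g = [];
    foreach ($GLOBALS as $name => $value) {
        if (is_scalar($value) && !isset($fmtv['$' . $name])) {
            $g['$' . $name] = (string)$value;
        }
    }
    krsort($g);   // longer keys sharing a prefix come first, e.g. "$textFmt" before "$text"
    $fmt = str_replace(array_keys($g), array_values($g), $fmt);
    return $fmtv ? str_replace(array_keys($fmtv), array_values($fmtv), $fmt) : $fmt;
}

// Constructed sample: text as an editor might have saved it in a page or template.
$pageText = 'Greeting {$$text} and $SiteAdminPw';

// Unsafe: the page-derived text is itself the format string.
$unsafe = fmt_substitute($pageText, []);
// -> 'Greeting {$leftover} and constructed-secret'  (token mangled, global leaked)

// Safe: the format string is a fixed template; the page text is a $FmtV value.
$FmtV = ['$EditForm' => $pageText];
$safe = fmt_substitute('<h1>$WikiTitle</h1>' . "\n" . '$EditForm', $FmtV);
// -> "<h1>Example Wiki</h1>\nGreeting {$$text} and $SiteAdminPw"  (page text untouched)

echo $unsafe, "\n", $safe, "\n";
```

Escaping the page text for HTML (as MarkupToHTML does in the HandleEdit example) is a separate step; $FmtV only keeps the substitution pass from interpreting it.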