[pmwiki-devel] Safe way to take a page name as an argument in Markup
Randy Brown
randy at brownragfilms.com
Sat Jan 23 23:55:36 CST 2010
I'm a rank beginner at regex, but I seem to recall a warning that hackers might exploit an argument if you use "/e" in Markup. Thus I currently restrict my argument (which is supposed to be a page name) to digits:
    Markup('mydirective', 'directives',
      '/\\(:mydirective (\\d+):\\)/e',
      "mydirective('$1')");
I assume there is a way for my directive to support any page name without introducing a security hole. I probably only need to support a page Name, rather than Group.Name, but for future reference it would be good to know how to support either.
Could someone please tell me a safe expression, or else point me to a script that could serve as a model for a safe expression?
Randy
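
One way to accept Name or Group.Name, shown as an added example that is not part of the original post and not PmWiki's own code: a whitelist pattern combined with a callback, so the captured text is handed over as data instead of being evaluated as it is with "/e". The NAME_PART pattern, expand_directives() and the handler body are assumptions for illustration, and the script runs as plain PHP outside PmWiki.

```php
<?php
// Assumed page-name rule (not taken from PmWiki): each part starts with an
// uppercase letter or digit, continues with word characters, and may contain
// hyphen-joined segments. Adjust it to the wiki's real naming rule.
const NAME_PART = '[A-Z\d]\w*(?:-\w+)*';

// Hypothetical handler. It re-validates its argument so it stays safe even
// if it is later called from somewhere other than the markup rule.
function mydirective(string $page): string
{
    if (!preg_match('/^(?:' . NAME_PART . '\.)?' . NAME_PART . '$/D', $page)) {
        return '';
    }
    // Encode on output as well; validation and encoding are separate layers.
    return '<span class="mydirective">'
         . htmlspecialchars($page, ENT_QUOTES) . '</span>';
}

// The capture group admits only Name or Group.Name, so no quote, backslash,
// '$' or '{' can reach the handler. The callback receives the match array
// as data; nothing is re-parsed as PHP source, unlike the /e modifier.
function expand_directives(string $text): string
{
    $pattern = '/\(:mydirective\s+((?:' . NAME_PART . '\.)?' . NAME_PART . ')\s*:\)/';
    return preg_replace_callback(
        $pattern,
        function (array $m): string { return mydirective($m[1]); },
        $text
    );
}

// Constructed sample inputs: three valid names and three that must not match.
$samples = [
    '(:mydirective HomePage:)',
    '(:mydirective Main.HomePage:)',
    '(:mydirective 42:)',
    "(:mydirective Home'Page:)",       // contains a quote: left as literal text
    '(:mydirective ${page}:)',         // contains $ and braces: left as literal text
    '(:mydirective Main.Sub.Page:)',   // more than one dot: left as literal text
];
foreach ($samples as $s) {
    echo $s, ' => ', expand_directives($s), PHP_EOL;
}
```

Inputs that fail the pattern are never passed to the handler and stay in the page as plain text.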