[pmwiki-devel] Safe way to take a page name as an argument in Markup
Randy Brown
randy at brownragfilms.com
Wed Jan 27 22:31:49 CST 2010
Thanks, Petko -
Do you have any general guidance as to what is safe and what isn't?
I ask because I've got another directive in which I'd like to let markup appear on the page normally unless condition X exists:
(:mydirective if X is true, let this markup evaluate:)
where the markup could be any valid PmWiki markup.
Here is how I am currently obtaining the argument:
Markup('mydirective', 'directives',
'/\\(:mydirective (.*?):\\)/e',
"mydirective('$1')");
I assume (I hope not too naively) that it's safe to concatenate the argument, for example:
$saferesult = $Prefix.$arg.$Suffix;
But I'm not so sure whether this is safe:
return PRR($arg);
Do I need to restrict the argument, or pass it through a filter before giving it to PRR()?
Randy
On Jan 27, 2010, at 9:47 PM, Petko Yotov wrote:
> On Sunday 24 January 2010 06:55:36, Randy Brown wrote :
>> I'm a rank beginner at regex, but I seem to recall a warning that hackers
>> might exploit an argument if you use "/e" in Markup.
>
> Hello. You can pass the string through MakePageName()
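As an added illustration of the approach Petko suggests (this is example code written for this page, not from the thread or from PmWiki itself), the directive below takes a page-name argument, canonicalizes it with MakePageName() before doing anything with it, and only then builds the markup that is handed to PRR(). It assumes the Markup(), PSS(), MakePageName(), PageExists(), Keep() and PRR() functions as shipped in pmwiki.php of that era (with the "/e" replacement style the thread discusses); the directive name "mypagedirective" and the function MyPageDirective() are made up for the example.

```php
<?php
// Added example, not part of the original thread. Registers a directive
// (:mypagedirective Group.Name:) that renders a link to the named page,
// but only after the argument has been normalized into a valid page name.
// Assumes PmWiki's Markup(), PSS(), MakePageName(), PageExists(), Keep()
// and PRR() are available (hypothetical directive/function names).

Markup('mypagedirective', 'directives',
  '/\\(:mypagedirective\\s+(.*?)\\s*:\\)/e',
  // PSS() undoes the backslash-escaping that the /e modifier applies to $1,
  // so the function receives the argument text exactly as written.
  "MyPageDirective(\$pagename, PSS('$1'))");

function MyPageDirective($pagename, $arg) {
  // MakePageName() resolves the string relative to the current page and
  // returns a Group.Name form containing only page-name characters; anything
  // that cannot be part of a page name is dropped rather than passed along.
  $target = MakePageName($pagename, $arg);

  // Defensive second check: refuse the result if it still is not Group.Name.
  if (!preg_match('/^[A-Za-z0-9]+\\.[A-Za-z0-9]+$/', $target)) return '';

  // Report a missing page using Keep(), so the raw argument is emitted as
  // escaped text and is never re-read as markup.
  if (!PageExists($target))
    return Keep('<em>Unknown page: ' . htmlspecialchars($arg) . '</em>');

  // Only the validated name reaches the markup that PRR() schedules for
  // re-processing; nothing from the original argument string is reused.
  return PRR("[[$target]]");
}
```

The point of the shape above is that the text captured by the regex is never itself placed into markup that gets re-evaluated: it goes through MakePageName() first, and PRR() only ever sees a string assembled from the canonical page name.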