[pmwiki-devel] Safe way to take a page name as an argument in Markup
Petko Yotov
5ko at 5ko.fr
Wed Jan 27 23:08:55 CST 2010
On Thursday 28 January 2010 05:31:49, Randy Brown wrote:
> Do you have any general guidance as to what is safe and what isn't?
I have: if it is written by Pm, it is safe. :-)
No, the actual code needs to be examined and it takes you time and effort, and
you read and learn in the process, yet nothing is completely bug-free.
But that's fine: when people find a bug, they tell you and you fix it. :-)
> I ask because I've got another directive in which I'd like to let markup
> appear on the page normally unless condition X exists:
>
> (:mydirective if X is true, let this markup evaluate:)
>
> where the markup could be any valid PmWiki markup.
>
> Here is how I am currently obtaining the argument:
>
> Markup('mydirective', 'directives',
> '/\\(:mydirective (.*?):\\)/e',
> "mydirective('$1')");
>
> I assume (I hope not too naively) that it's safe to concatenate the argument,
> for example:
>
> $saferesult = $Prefix.$arg.$Suffix;
>
> But I'm not so sure whether this is safe:
>
> return PRR($arg);
>
> Do I need to restrict the argument, or pass it through a filter before
> giving it to PRR()?
No, it should be ok -- although you may want to pass it through PSS() before,
to strip possible slashes added by the regexp engine.
Petko
> On Jan 27, 2010, at 9:47 PM, Petko Yotov wrote:
> > Hello. You can pass the string through MakePageName()
>
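
Added example, not part of the original message and not PmWiki's own code: a stand-alone PHP sketch of why PSS() is suggested before PRR() when the argument arrives through the /e pattern with '$1' quoted above. The helper names and the sample directive text are constructed; the script only emulates the PHP 5 behaviour of /e (addslashes() applied to the backreference) and uses a stand-in with the behaviour of PSS(), so it runs without PmWiki.

```php
<?php
// Emulates what the /e modifier did to a captured group before the
// replacement string was evaluated as PHP: addslashes() over the match.
function captured_as_e_modifier_sees_it($match) {
    return addslashes($match);
}

// Emulates how the single-quoted literal '$1' is then decoded:
// only \\ and \' are escapes in single quotes, \" stays two characters.
function decode_single_quoted_literal($body) {
    return strtr($body, array('\\\\' => '\\', "\\'" => "'"));
}

// Stand-in with the behaviour of PmWiki's PSS(): turn \" back into ".
function pss_equivalent($x) {
    return str_replace('\\"', '"', $x);
}

// What mydirective() would receive for a given directive argument.
function argument_as_received($typed) {
    return decode_single_quoted_literal(captured_as_e_modifier_sees_it($typed));
}

// Constructed directive text containing both quote styles.
$typed = 'if X, show [[Main/HomePage | "home"]] and it\'s markup';

$raw     = argument_as_received($typed); // what would reach PRR() unfiltered
$cleaned = pss_equivalent($raw);         // what reaches PRR() after PSS()

echo "typed:   $typed\n";
echo "raw:     $raw\n";
echo "cleaned: $cleaned\n";

// The single quote survives the round trip, the double quotes do not:
// without the PSS() step the re-evaluated markup would contain stray
// backslashes in front of every double quote.
var_dump($raw === $typed);
var_dump($cleaned === $typed);
```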