[pmwiki-users] Idea for javascript in links

Patrick R. Michaud pmichaud at pobox.com
Mon Dec 5 10:09:54 CST 2005


On Mon, Dec 05, 2005 at 10:55:03AM -0500, Henrik Bechmann wrote:
> Kinky!
> 
> So if I were to filter the parameters of an authorized function for the 
> equal sign, or for parenthesis, would that be safe? Or are there other 
> devious ways...?

The traditional difficulty with filtering out bad things is that
there's always the chance that some combination will be missed.
Usually it's better to enable only what is allowed, rather than
try to filter what is disallowed.

I'm really not expert enough on javascript to know what might be
safe or not safe here.  If I were to do something like this, I'd
probably restrict javascript functions called in this manner to
be a single argument, in quotes, and limited to alphanumeric 
characters and spaces.  But inevitably someone would show up
needing a way to include other non-alphabetic characters into
the javascript arguments, or multiple arguments, and things get
difficult again.

So, I just hide behind PmWikiPhilosophy #2 for this one, and let
sites that need specialized javascript or other page features
develop appropriate customizations for it.  :-)

Pm


> Patrick R. Michaud wrote:
> 
> >On Sun, Dec 04, 2005 at 02:14:43PM -0500, Henrik Bechmann wrote:
> > 
> >
> >>I've been dancing around this fairly successfully so far, but I thought 
> >>I'd float an idea for allowing javascript in links like:
> >>
> >><a href="javascript:gotocalculatedsite('criteria')" 
> >>onmouseover="respondtorollover('somearg')">Test active link</a>
> >>
> >>Namely in PmWiki markup it would look like
> >>
> >>[[@gotocalculatedsite('criteria') 
> >>onmouseover=respondtorollover('somearg') | Test active link]]
> >>
> >>The @ is inspired by spreadsheet "at" formula syntax.
> >>
> >>For security the administrator would have to register allowed javascript 
> >>functions in a config file:
> >>
> >>$AllowedJavascriptFunctions[]='gotocalculatedsite';
> >>$AllowedJavascriptFunctions[]='respondtorollover';
> >>   
> >>
> >
> >The security would have to be a bit more involved than simply
> >checking a list of allowed javascript functions -- we'd have to
> >be sure to prevent things like:
> >
> >[[onmouseover=respondtorollover(location.href='http://www.example.com') | 
> >Test active link]]
> >
> >In general I think it's safer to just create specialized markup
> >for any javascripting that needs to take place in a page.
> >
> >Pm
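The allow-list approach Pm sketches above (registered function names only, a single quoted argument, alphanumerics and spaces) can be made concrete. The following is an added example and not code from this thread or from PmWiki itself; `ALLOWED_FUNCTIONS`, `parse_call` and `render_link` are names chosen here, and the registered function names are the constructed ones from the proposal. Written in Python rather than PmWiki's PHP so it can be run stand-alone; it renders the proposed `[[@...]]` markup only when every call matches the permitted shape, and it rejects the `location.href=...` construction quoted earlier in the thread.

```python
import html
import re

# Functions the site administrator has registered. Constructed sample set,
# mirroring the $AllowedJavascriptFunctions idea from the thread.
ALLOWED_FUNCTIONS = {"gotocalculatedsite", "respondtorollover"}

# One permitted call: an identifier followed by exactly one single-quoted
# argument made only of alphanumerics and spaces. Because the argument
# class excludes quotes, parentheses, semicolons and '=', nothing that
# matches can smuggle in a second statement or an assignment.
_CALL = r"[A-Za-z_][A-Za-z0-9_]*\('[A-Za-z0-9 ]*'\)"
_CALL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\('([A-Za-z0-9 ]*)'\)$")

# Link body: the href call, optionally followed by a single onmouseover call.
_BODY_RE = re.compile(rf"^({_CALL})(?:\s+onmouseover=({_CALL}))?$")

# Whole markup: [[@<body> | <label>]]
_LINK_RE = re.compile(r"^\[\[@(.*?)\s*\|\s*(.*?)\]\]$", re.S)


def parse_call(text):
    """Return (function, argument) for a permitted call, or None.

    Both conditions must hold: the call has the restricted shape, and the
    function name is on the administrator's allow list.
    """
    m = _CALL_RE.match(text)
    if m is None or m.group(1) not in ALLOWED_FUNCTIONS:
        return None
    return m.group(1), m.group(2)


def _attr(name, call, prefix=""):
    """Build name="prefixfunc('arg')"; arg is already restricted to [A-Za-z0-9 ]."""
    func, arg = call
    return '%s="%s%s(\'%s\')"' % (name, prefix, func, arg)


def render_link(markup):
    """Render permitted [[@...]] markup to an <a> tag; return None if rejected."""
    m = _LINK_RE.match(markup.strip())
    if m is None:
        return None
    body, label = m.group(1), m.group(2)
    b = _BODY_RE.match(body)
    if b is None:
        return None  # body is not "call" or "call onmouseover=call"
    href = parse_call(b.group(1))
    if href is None:
        return None  # unregistered function in href
    attrs = [_attr("href", href, prefix="javascript:")]
    if b.group(2) is not None:
        over = parse_call(b.group(2))
        if over is None:
            return None  # unregistered function in onmouseover
        attrs.append(_attr("onmouseover", over))
    # The label is free text, so it is HTML-escaped like any other page text.
    return "<a %s>%s</a>" % (" ".join(attrs), html.escape(label))


if __name__ == "__main__":
    # Constructed inputs: the proposal's own example, then the injection
    # attempt quoted in the thread, then a smuggled extra statement.
    samples = [
        "[[@gotocalculatedsite('criteria') onmouseover=respondtorollover('somearg') | Test active link]]",
        "[[@respondtorollover(location.href='http://www.example.com') | Test active link]]",
        "[[@gotocalculatedsite('x'); alert('y') | L]]",
    ]
    for s in samples:
        print(s, "->", render_link(s))
```

The check is deliberately an accept-only grammar rather than a list of forbidden characters, which is the distinction Pm draws: anything outside the two permitted shapes is dropped, so there is no list of "bad" tokens to keep complete.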