[pmwiki-users] variables for customization

Patrick R. Michaud pmichaud at pobox.com
Tue Jul 12 21:34:24 CDT 2005


On Wed, Jul 13, 2005 at 12:02:42AM +0530, V.Krishn wrote:
> On Thursday 07 July 2005 20:50, pmichaud at pobox.com:
> > > >1. Things like "{$Group}" and "{$LastModified}" are *markup*.  
> > > > You can call them "variables" or "markup variables" if it pleases
> > > > you, but they don't really exist as variables anywhere in the
> > > > PmWiki code, nor is there an enforced correspondence between them
> > > > and any PHP variable.  
> > >
> > > My suggestion is to establish such a correspondence.
> >
> > Sorry, won't go there -- I fear it might be a bad idea from a
> > security perspective. 
>
> hmmmm..... in my recipe I had introduced a file version.php having code:
> Pm could you please guide me if this is ok :
> 
> global $InfoBoxVersion;
> $InfoBoxVersion = "infobox-2.0.3";
> Markup('{$InfoBoxVersion}','>{$fmt}','/{\\$(InfoBoxVersion)}/e',"\$GLOBALS['$1']");

This is just fine.  There's no problem at all with having a markup
like '{$InfoBoxVersion}' corresponding with a global variable of
the same name.

The point I was trying (and failing) to make was that it's 
not a good idea to say that every global variable should
have a corresponding markup, as this would expose the values of
some variables that should perhaps remain hidden.  For example,
a shortcut version of the '{$var}' markup *could* have been

   Markup('{$var}', '>{$fmt}', 
     '/{\\$([[:upper:]]\\w*)}/e', 
     "\$GLOBALS['$1']");

which would be sufficient to handle all '{$VarName}' markups.
Unfortunately, it also provides access to lots of global variables
that perhaps should not be available through the markup, thus I
use the more specific

   Markup('{$var}', '>{$fmt}', 
     '/{\\$(Version|Author|UrlPage|DefaultName|DefaultGroup|AuthId)}/e', 
     "\$GLOBALS['$1']");

which sanely limits the variables an author can access.

Pm



More information about the pmwiki-users mailing list