[pmwiki-users] Again: Parameterizing Content
Joachim Durchholz
jo at durchholz.org
Thu May 18 16:06:54 CDT 2006
Américo Albuquerque wrote:
> From: Joachim Durchholz
>
> > I don't know how to set up a new page variable though,
>
> You can do that by setting the variable name in the $FmtPV array, like
> $FmtPV['$my_x'] = '$_REQUEST["imp_x"]';
> later you can use the variable in page text using {$my_x}
Good to know.
Though I wouldn't pass through a $_REQUEST variable in this way.
Somebody could place malicious HTML in a link and send it to an
unsuspecting user, who'd then blame the PmWiki site for doing bad things
with his browser. I.e. either do sanity checks on the input, or quote it
like this (warning, untested PHP ahead):
$FmtPV['$blah'] = 'htmlentities($_REQUEST["blah"], ENT_QUOTES)'; // ENT_QUOTES escapes both " and '
Regards,
Jo
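Added example, not code from the original post or from PmWiki itself: it puts the pass-through page variable next to the two hardened forms Jo describes (quote it, or sanity-check it) and runs a crafted request parameter through all three. The `expandPageVars()` function is an assumed, simplified stand-in for PmWiki's own `{$var}` expansion (PmWiki likewise evaluates the expression stored in `$FmtPV`); the variable names `$raw_x`, `$safe_x`, `$checked_x` and the attacker string are constructed for the illustration, and `imp_x` is the parameter name from the thread.

```php
<?php
// Added example (not from the original post or from PmWiki itself).
// It contrasts a page variable that passes a request parameter straight
// through with two hardened forms: one escaped for HTML, one validated
// against a whitelist.

// Stand-in for PmWiki's $FmtPV table: each value is a PHP expression
// that is evaluated when {$name} appears in page text.
$FmtPV = array();

// Unsafe: whatever arrives in ?imp_x=... lands in the rendered HTML.
$FmtPV['$raw_x'] = '$_REQUEST["imp_x"]';

// Hardened (quote it): ENT_QUOTES escapes both " and ', so the value is
// also safe inside an attribute value.  (PHP has no ENT_BOTH constant.)
$FmtPV['$safe_x'] = 'htmlentities($_REQUEST["imp_x"], ENT_QUOTES, "UTF-8")';

// Hardened (sanity-check it): accept only a short alphanumeric token and
// fall back to an empty string otherwise.
$FmtPV['$checked_x'] =
    'preg_match("/^[A-Za-z0-9_-]{1,32}$/", $_REQUEST["imp_x"]) ? $_REQUEST["imp_x"] : ""';

// Assumed, simplified stand-in for PmWiki's {$var} expansion.  The real
// code in pmwiki.php handles more cases, but it too evaluates the
// expression stored in $FmtPV.
function expandPageVars($text, array $FmtPV) {
    return preg_replace_callback(
        '/\{(\$[A-Za-z_]\w*)\}/',
        function ($m) use ($FmtPV) {
            if (!isset($FmtPV[$m[1]])) {
                return $m[0];           // unknown variable: leave markup alone
            }
            $out = '';
            eval('$out = ' . $FmtPV[$m[1]] . ';');
            return (string) $out;
        },
        $text
    );
}

// Constructed attacker input, as it would arrive from a crafted link.
$_REQUEST['imp_x'] = '"><script>alert(document.cookie)</script>';

foreach (array('$raw_x', '$safe_x', '$checked_x') as $name) {
    $page = "<input value=\"{" . $name . "}\">";
    echo $name, ": ", expandPageVars($page, $FmtPV), "\n";
}
// $raw_x breaks out of the attribute and injects the script tag; $safe_x
// renders it as inert entity-encoded text; $checked_x rejects it and
// yields an empty value.
```

Run it with `php` from the command line to see the three renderings side by side. In a real PmWiki install only the `$FmtPV` assignments belong in local/config.php; the expansion itself is PmWiki's job. Note that escaping is context-specific: `htmlentities` with `ENT_QUOTES` is right for HTML text and attribute values, but a value that ends up inside a URL or a `<script>` block needs a different encoder, and the whitelist form sidesteps that question entirely.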