[pmwiki-users] Hierarchical Groups Proposal.

Patrick R. Michaud pmichaud at pobox.com
Wed Oct 18 14:26:47 CDT 2006


On Wed, Oct 18, 2006 at 08:50:24PM +0200, Joachim Durchholz wrote:
> Patrick R. Michaud schrieb:
> >>> Also, for security reasons we have to encode/decode the contents of
> >>> the markup text anyway,
> >> Why that?
> > 
> > Suppose we have a page named "Group.PHP".  Because the file appears
> > to have a .php extension, if the file is accessible directly via
> > the webserver then any <?php ... ?> sequences that appear in the file
> > can be treated as PHP code to be executed.
> 
> Ah. I didn't know that PmWiki had this hole plugged by escaping anything 
> "dangerous" inside the page.
> 
> > PmWiki's PageStore circumvents this problem by encoding all '<'
> > characters as '%3a'.  This works out quite nicely, since we also
> > want a way to represent newlines in data values, we can just use
> > %0a, and then a simple (and presumably somewhat fast) call to
> > urldecode() is all that is needed to decode the values.
> 
> I do hope that PmWiki also encodes all % characters.

Of course!

> And that the encoding is done for everything (passwords, user agent 
> strings, etc.) when the file is written.

Of course!  As far as the PageStore is concerned, pages are just 
hashes to be (mostly transparently) written and read from disk, it 
doesn't give special treatment to text= over other attributes.

Pm
