[pmwiki-users] Possible bug/security hole? CommentBox allows posting of directives!

Mike mike at widowitz.com
Sat Sep 30 07:28:18 CDT 2006


Hello all,

It might be that I detected a bug or slight "security hole" in the
CommentBox recipe. When posting on pages without edit rights, obviously
one does not want to allow the poster any rights except to have their
comment show up. However, when the user types in something like

(:title blabla:)

then the user actually changes the title of the page. The same goes for
all other directives - they can be entered by the user.

How could this behavior be avoided? I guess one would need to escape the
code the user enters...

Cheers,
Mike
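The escaping Mike suggests, as an added example that is not part of the original post or of the CommentBox recipe: it assumes that PmWiki's `[= ... =]` escape markup renders its contents literally, and it is written in Python rather than the recipe's PHP so the filter logic can be read on its own.

```python
import re

# Matches PmWiki directive markup such as (:title blabla:) or a
# multi-line (:include ... :) block. DOTALL lets a directive span lines.
DIRECTIVE_RE = re.compile(r"\(:\s*[A-Za-z][\w-]*.*?:\)", re.DOTALL)


def find_directives(comment: str) -> list[str]:
    """Return every directive-looking fragment in a submitted comment.

    Useful for logging: a comment from an anonymous poster that carries
    directives is worth recording even after it has been neutralized.
    """
    return DIRECTIVE_RE.findall(comment)


def neutralize_directives(comment: str) -> str:
    """Wrap each directive in PmWiki's [= ... =] escape so it shows as text.

    The poster's words are preserved; only their ability to change page
    state (title, includes, etc.) is removed. Assumes [= ... =] is honoured
    by the page's markup rules.
    """

    def escape(match: re.Match) -> str:
        body = match.group(0)
        # A literal '=]' inside the directive would end the escape region
        # early and let the tail render as markup, so split it apart.
        body = body.replace("=]", "= ]")
        return "[=" + body + "=]"

    return DIRECTIVE_RE.sub(escape, comment)


if __name__ == "__main__":
    # Constructed sample input, modelled on the case described in the post.
    sample = "Nice article! (:title blabla:) Thanks."
    print(find_directives(sample))
    print(neutralize_directives(sample))
```

Plain comments without directive markup pass through unchanged, so the filter can be applied to every anonymous post rather than only suspicious ones.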

