[pmwiki-devel] ZAP configuration fields (was: PmWiki request)

Patrick R. Michaud pmichaud at pobox.com
Tue Dec 12 10:48:33 CST 2006


On Tue, Dec 12, 2006 at 10:31:25AM -0600, Ben Stallings wrote:
> Hans wrote,
> > You know, seeing conditionals inside (:input :) markup makes me cringe.
> > I know you try to create shorter syntax for ZAP.
> > But you go against what people learned and know in PmWiki.
> > You seem to have hijacked PmWiki's (:input:) markup
> > and made something quite different out of it.
> > 
> > To me any (:input ... :) should be only used to create form elements.
> > Conditions as to when a form element shall be added to HTML output
> > should stay out of the markup, as it is already possible with
> > (:if ... :) markup. Manipulating any page variable used inside (:input
> > :) should also stay outside of the markup.
> 
> It's easy to misunderstand what ZAP does with these tags... I did at 
> first, as well.  All the (:input hidden :) tags in a ZAP form produce 
> actual hidden fields, via the core forms.php script, that are then 
> submitted with the form.  The conditionals Caveman is proposing are not 
> for use when the form is displayed, they are for use when the form has 
> already been submitted.  ...

FWIW, even if ZAP uses hidden form fields to do its thing, it
still may make more sense to create a special directive for it
rather than try to fit everything into (:input hidden:).  For
example

    (:zapcheck ifexists pagename "warn:page exists":)

can still produce a hidden input field in the form, but it can
also do any reformatting -- e.g., it could output

 <input type='hidden' name='zap_ifexists' value='pagename|warn:page exists' />

and thereby avoid input control name conflicts and any special
syntax needed to communicate the control.

> I've been lobbying Caveman off-list to move all of his configuration 
> variables out of hidden input fields and into page text variables, 
> because as input fields they potentially conflict with other field 
> names.  

The above approach solves that particular problem.  :-)

> So in the syntax I'm waving in Caveman's direction, the tag
> (:input hidden ifexists "parameter|action":)
> would simply become
> (:ifexists: "parameter|action":)
> This would have the added benefit of removing the configuration 
> variables from the HTML code where people can tamper with them.

This is an important point -- as hidden fields in a form it means
that people could potentially spoof or remove them.

Pm
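
The point about spoofed or removed hidden fields, as an added example (not part of the original message, and not PmWiki or ZAP code): on submit the server re-reads the checks from the stored page source and uses the posted `zap_*` fields only for comparison. The `(:zapcheck ...:)` syntax is the hypothetical directive proposed in the message; the function names and sample data are assumptions constructed here.

```php
<?php
// Added example. Parses the hypothetical (:zapcheck ...:) directive from the
// stored page source, which the browser cannot edit during a form post.
function zap_checks_from_page(string $pageText): array {
    $checks = [];
    $re = '/\(:zapcheck\s+(\w+)\s+(\S+)\s+"([^"]*)"\s*:\)/';
    preg_match_all($re, $pageText, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // Same name/value shape as the hidden field shown in the message.
        $checks['zap_' . $m[1]] = $m[2] . '|' . $m[3];
    }
    return $checks;
}

// Compare the posted fields against the server-side configuration.
// Returns the authoritative checks plus a list of discrepancies to log.
function zap_reconcile(array $serverChecks, array $post): array {
    $findings = [];
    foreach ($serverChecks as $name => $value) {
        if (!array_key_exists($name, $post)) {
            $findings[] = "$name: removed by client";
        } elseif ($post[$name] !== $value) {
            $findings[] = "$name: altered by client";
        }
    }
    foreach ($post as $name => $unused) {
        $name = (string) $name;
        if (strpos($name, 'zap_') === 0 && !isset($serverChecks[$name])) {
            $findings[] = "$name: not defined in page source";
        }
    }
    // Only the values read from the page source are ever acted on.
    return ['checks' => $serverChecks, 'findings' => $findings];
}

// Constructed sample: page source, and a submission in which the hidden
// field is missing and an undeclared zap_ field is present.
$page = "(:input text pagename:)\n"
      . '(:zapcheck ifexists pagename "warn:page exists":)';
$post = ['pagename' => 'Main.HomePage', 'zap_other' => 'constructed value'];

print_r(zap_reconcile(zap_checks_from_page($page), $post));
```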


