[pmwiki-devel] strange conversions: a FmtPageName bug

Hans design5 at softflow.co.uk
Sun Mar 9 10:33:53 CDT 2008


Sunday, March 9, 2008, 2:32:17 PM, Patrick wrote:

> The point is that PmWiki never calls FmtPageName() on arbitrary data
> that comes directly from a wiki page (including templates) -- 
> the strings are always checked and/or escaped for various characters 
> (including $) first.  Otherwise there's the potential for malicious 
> editors to grab global configuration information and/or insert 
> various XSS, JavaScript, or HTML attacks.

Thanks for this reminder and the hint to use $FmtV.

When I follow function HandleEdit's example using $FmtV, like

  // the rendered page text goes into $FmtV, not into the format string
  $FmtV['$EditForm'] = MarkupToHTML($pagename, $form['text']);

  $PageEditFmt = '$EditForm'; // from forms.php

  SDV($HandleEditFmt, array(&$PageStartFmt, &$PageEditFmt, &$PageEndFmt));
  PrintFmt($pagename, $HandleEditFmt);


then a template string like {$$text} will not get mangled by global
variable substitution. When I leave out the $FmtV['$EditForm'] definition,
I get the problem.

But what, for instance, about the title markup?
See here: http://www.pmwiki.org/wiki/Test/GlobalVarSubstitutions
Does it not directly contradict what you just said?
And does it cause a security risk?


Hans
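Added illustration (not from the thread, and not PmWiki's own FmtPageName code): a deliberately simplified model of the $Name substitution discussed above, showing why raw page text must not be used as a format string and how the $FmtV indirection from HandleEdit avoids it. The global name, page text and format strings are constructed.

```php
<?php
// Added example, not PmWiki code: a simplified model of FmtPageName()'s
// $Name substitution. All names and values below are constructed.

$SiteAdminPassword = 'constructed-secret';   // stand-in for a global config value
$FmtV = array();

// One regex pass over the format string: each $Name token is resolved from
// $FmtV first, then from $GLOBALS. Because it is a single pass, text inserted
// from $FmtV is never rescanned for further $Name tokens.
function FmtSimplified($pagename, $fmt) {
    global $FmtV;
    return preg_replace_callback(
        '/\$([A-Z]\w*)/',
        function ($m) use ($FmtV) {
            $key = '$' . $m[1];
            if (isset($FmtV[$key])) return $FmtV[$key];            // inserted verbatim
            if (isset($GLOBALS[$m[1]]) && is_scalar($GLOBALS[$m[1]]))
                return (string)$GLOBALS[$m[1]];                     // global lookup
            return $m[0];                                           // unknown token: keep
        },
        $fmt);
}

// Constructed page text, as an editor could have saved it: it contains a
// $Name token and the {$$text} template syntax from the thread.
$pageText = 'Hello $SiteAdminPassword, see {$$text}';

// Unsafe: the page text itself is the format string, so $SiteAdminPassword
// is expanded from the global and the configuration value ends up in the output.
echo "direct:   ", FmtSimplified('Test.Page', $pageText), "\n";

// HandleEdit's pattern: the page text is stored in $FmtV and only the
// placeholder appears in the format string, so the text is copied through
// untouched ({$$text} included) and nothing inside it is expanded.
$FmtV['$EditForm'] = $pageText;          // PmWiki stores MarkupToHTML() output here
$PageEditFmt = '<div class="edit">$EditForm</div>';
echo "via FmtV: ", FmtSimplified('Test.Page', $PageEditFmt), "\n";

// When page text really has to be spliced into a format string, neutralise
// the dollar sign first so no $Name token can form at all.
echo "escaped:  ", FmtSimplified('Test.Page', str_replace('$', '&#036;', $pageText)), "\n";
```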
