[pmwiki-users] Form Input missing 4 types !!!!

JB jbit at ev1.net
Mon Aug 28 10:05:40 CDT 2006


> What will be the syntax for calling javascript?  And
> how can we make sure that calling the javascript doesn't
> introduce a security hole?
> PmWikiPhilosophy #3 is at its heart very conservative.  The
> comment I hear most often from people is that they're glad that
> PmWiki avoids bloat, and we do this by avoiding features that
> "might be useful" until a need is actually demonstrated.
> In this case (:input button:) has three strikes against it:
>    - nobody has demonstrated a place where it's needed
>    - it requires JavaScript in order to be usable
>    - the requirement for Javascript introduces security issues
> Since (:input button:) will require JavaScript *anyway*, it
> makes more sense for it to be handled as a local customization/recipe
> than for it to appear in the core, and have everyone ask
> "okay, how can I use it"?
> The Javascript aspect makes (:input button:) *very* different
> from the submit and reset buttons.


> nobody has demonstrated a place where it's needed

I suggested one - AJAX.

>From website:  http://www.htmlcodetutorial.com/forms/_INPUT_onClick.html

    onClick gives the script to run when the user clicks on the 
    input. onClick applies to buttons (submit, reset, and button), 
    checkboxes, radio buttons, and form upload buttons.
 
    onClick is mostly used with plain button type inputs: 
    onClick is the only event handler for checkboxes and radio 
    buttons.


If the input type "button" is a security risk then are not 
the other input types - submit, reset, checkbox, radiobutton
also secutiry risks?


So if there is a security vulnerability in currently existing
inputs, then that needs to be fixed.


To fix this security risk PMWiki could make it so the above 
various input control event attributes are restricted to:

  1) calling a function only from the current url directory ()
  2) limit inline javascript to "alert()" and maybe a few
     other limited commands that are harmless.

This would require a routine/function to restrict such
activity.





More information about the pmwiki-users mailing list