[pmwiki-users] Form Input missing 4 types !!!!

Ben Stallings Ben at InterdependentWeb.com
Mon Aug 28 11:26:56 CDT 2006


PM replied to JB:
>> To fix this security risk PMWiki could make it so the above 
>> various input control event attributes are restricted to:
>>
>>   1) calling a function only from the current url directory ()
>>
> As far as I know, it's not possible to restrict JavaScript functions
> based on their source.
>
No, but it is possible to make the wiki insert a specific JavaScript 
function that is called by a different name in the wiki markup.

In the most recent version of the UpdateForm recipe, which I hope to 
post later today, there's a "mask" parameter added to the (:update 
text:) tag which allows you to specify an input mask for a text field in 
a form.  For example, a North American phone number could be masked like 
this:
(:update text phone mask=(###)###-####:)
The mask is enforced via an open-source JavaScript I found, contained in 
an external file; if the wiki owner chooses not to use it, simply 
comment out a line of the recipe.

But the reason this is relevant is that the JavaScript is not included 
in the wiki markup, it's added during the processing of the markup.  If 
you try to add another JavaScript action to a form element, it won't 
work, hence no security hole.

So it seems to me that if JB really wants an (:input button:) markup, 
s/he should write a recipe that translates keywords into specific 
functions that have been approved by the wiki owner... so
(:input button KillEveryone:) could kill everyone, and
(:input button DestroyUniverse:) could destroy the universe, but all the 
really dangerous functions would remain blocked.  --Ben
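The following is an added example in Python of the translation scheme Ben sketches above (a keyword in wiki markup selects a function the wiki owner has already approved; the markup never carries JavaScript), extended to the mask parameter from the (:update text:) description earlier in the post. It is not code from the UpdateForm recipe, from PmWiki, or from Ben; the allowlist entries, the markup regexes, the data-mask attribute, the script path /pub/recipe-mask.js and the "[unapproved button: ...]" placeholder are all constructed for illustration, and PmWiki's own recipe API is not used.

```python
import html
import re

# Constructed allowlist (not from the recipe): markup keyword -> name of a
# JavaScript function the wiki owner has approved and ships in a script file.
# Markup can only choose among these names; it never supplies JavaScript.
APPROVED_BUTTONS = {
    "ClearForm": "wikiClearForm",
    "ShowHelp": "wikiShowHelp",
}

# Hypothetical location of the owner-installed mask script; the recipe, not
# the page author, decides whether and where it is referenced.
MASK_SCRIPT_TAG = '<script src="/pub/recipe-mask.js"></script>'

BUTTON_RE = re.compile(r"\(:input button\s+([^:]*?):\)")
UPDATE_TEXT_RE = re.compile(r"\(:update text\s+([^:]*?):\)")
NAME_RE = re.compile(r"[A-Za-z_]\w*")


def render_button(keyword):
    """Translate a keyword into an <input> whose onclick is an approved function.

    Returns None when the keyword is not on the allowlist, so arbitrary text
    written in the markup can never reach the rendered event attribute.
    """
    fn = APPROVED_BUTTONS.get(keyword)
    if fn is None:
        return None
    label = html.escape(keyword, quote=True)
    return '<input type="button" value="%s" onclick="%s()">' % (label, fn)


def render_update_text(body):
    """Render the body of (:update text NAME key=value ...:).

    Only the 'mask' parameter is honoured, and only as a data attribute that
    the owner's script reads; any event-handler parameter written in the
    markup is dropped.  Returns (html, used_mask), or (None, False) when the
    field name is not a plain identifier.
    """
    tokens = body.split()
    if not tokens or not NAME_RE.fullmatch(tokens[0]):
        return None, False
    attrs = ['type="text"', 'name="%s"' % tokens[0]]
    used_mask = False
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep and key == "mask":
            attrs.append('data-mask="%s"' % html.escape(value, quote=True))
            used_mask = True
        # any other key (onclick=, onfocus=, ...) is ignored on purpose
    return "<input %s>" % " ".join(attrs), used_mask


def render_markup(text):
    """Expand all recognised input markup in text; add the mask script once if needed."""
    needs_mask_script = False

    def button_sub(match):
        keyword = match.group(1).strip()
        rendered = render_button(keyword)
        if rendered is None:
            # Unknown keyword: emit inert, escaped text instead of a handler.
            return "[unapproved button: %s]" % html.escape(keyword)
        return rendered

    def update_sub(match):
        nonlocal needs_mask_script
        rendered, used_mask = render_update_text(match.group(1))
        if rendered is None:
            return "[bad field name]"
        needs_mask_script = needs_mask_script or used_mask
        return rendered

    out = BUTTON_RE.sub(button_sub, text)
    out = UPDATE_TEXT_RE.sub(update_sub, out)
    if needs_mask_script:
        out += MASK_SCRIPT_TAG
    return out


if __name__ == "__main__":
    for sample in ("(:input button ClearForm:)",
                   "(:input button onclick=alert(1):)",
                   "(:update text phone mask=(###)###-####:)",
                   "(:update text phone onfocus=alert(1):)"):
        print(sample, "->", render_markup(sample))
```

The point to notice is that the rendered onclick value comes from the allowlist's right-hand side, never from the page text, and the mask value is written only into a data attribute for the owner-installed script to read; a page author who writes an event-handler parameter in the markup gets either inert text or an input with the parameter silently dropped.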