[pmwiki-users] Custom Markup: $2 does not work correctly (regexp problem?)

Patrick R. Michaud pmichaud at pobox.com
Mon Aug 28 16:37:24 CDT 2006


On Mon, Aug 28, 2006 at 11:22:53PM +0200, Dawid Gajownik wrote:
> On 08/25/2006 03:12 PM, Dominique Faure wrote:
> > Markup("boxfile", "<split",
> >  '/\\(:boxfile\s+([^|]+)\|\s*(.*?):\\)/se',
> >  "'<:block>'.Keep('<div class=\"boxfile\"><p><strong>File:</strong>
> > $1</p><pre>$2</pre></div>')");
> 
> Thank you very much :) Would you also be willing to explain to me what 
> this "<:block>" thing is for? I haven't found an explanation at pmwiki.org.

"<:block>" is a special marker that PmWiki uses internally to say
"this line contains a block, so don't treat it as a paragraph".

I actually think that in later versions of PmWiki (i.e., after 2.1.0)
this particular markup is no longer needed, and that the markup
rules can automatically detect when the line is a block and not
to be treated as a paragraph.  I.e., I think the following will
also work:

    Markup('boxfile', '<split',
      '/\\(:boxfile\s+([^|]+)\\|\\s*(.*?):\\)/se',
      "Keep('<div class=\"boxfile\"><p><strong>File:</strong>
         $1</p><pre>$2</pre></div>')");

> Oh, one more question: how vulnerable can this example be? On 
> http://pmwiki.org/wiki/PmWiki/CustomMarkup someone wrote that the /e option 
> can be insecure.

This particular example is pretty secure.  The /e option is
insecure primarily when a $1, $2, etc. variable appears outside 
of any single quotes nested within the double quoted string.  
(Hard to explain, sorry.)  In the above case, the $1 and $2
both appear within the single quotes surrounding the <div>...</div>
pair, so it's safe.

However, another problem with /e is that it tends to put
backslashes in front of quotes in the input string, so that 
(:boxfile O'Hare | 'An Airport':) would tend to get 
displayed as O\'Hare and \'An Airport\' .

The way to fix this is to be sure to use PSS('...') around any
$1, $2 variables coming from a /e match, thus:

    Markup('boxfile', '<split',
      '/\\(:boxfile\s+([^|]+)\\|\\s*(.*?):\\)/se',
      "Keep(PSS('<div class=\"boxfile\"><p><strong>File:</strong>
         $1</p><pre>$2</pre></div>'))");

The PSS() call removes any unwanted backslashes that might've
been added by the /e modifier.

(It might be necessary to add the '<:block>' before the Keep()
call, but I really think it's no longer needed.)

Hope this helps, questions welcomed.

Pm
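
Added example (not part of the original message and not PmWiki code): a small Python check for the quoting rule described in the reply above. It flags any $1/$2 backreference in the code string handed to /e that sits outside a single-quoted PHP literal, and models the slash-escaping that /e applies to each capture. The function names and the two unsafe templates are constructed for illustration.

```python
import re

# Backreference forms handled here: $1 and ${1}
BACKREF = re.compile(r"\$\{(\d+)\}|\$(\d+)")

def exposed_backrefs(code):
    """Backreferences in /e replacement code that are not inside a
    single-quoted PHP string literal (the unsafe placement)."""
    exposed, quote, i = [], None, 0
    while i < len(code):
        ch = code[i]
        if quote and ch == "\\":      # escaped character inside a literal
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None          # literal ends here
        elif ch in "'\"":
            quote = ch                # literal starts here
        if quote != "'":              # bare code or a double-quoted string
            m = BACKREF.match(code, i)
            if m:
                exposed.append(m.group(0))
                i = m.end()
                continue
        i += 1
    return exposed

def php_addslashes(s):
    """Escaping /e applies to each capture (NUL handling omitted)."""
    for ch in ("\\", "'", '"'):
        s = s.replace(ch, "\\" + ch)
    return s

def eval_code(code, groups):
    """Model of the string /e passes to eval() for one match."""
    pick = lambda m: php_addslashes(groups[int(m.group(1) or m.group(2)) - 1])
    return BACKREF.sub(pick, code)

# Replacement code from the message as eval() sees it (outer PHP quoting
# removed, line break joined), plus two constructed unsafe variants.
SAFE = "Keep(PSS('<div class=\"boxfile\"><p><strong>File:</strong> $1</p><pre>$2</pre></div>'))"
CONCAT = "Keep('<pre>'.$2.'</pre>')"
DOUBLE = "Keep(\"<pre>$2</pre>\")"

if __name__ == "__main__":
    for code in (SAFE, CONCAT, DOUBLE):
        print(exposed_backrefs(code) or "ok", "<-", code)
    # The escaped quote keeps the capture inside its literal:
    print(eval_code(SAFE, ["O'Hare", "'An Airport'"]))
```

A non-empty result from exposed_backrefs() marks a rule where captured page text would be evaluated as PHP rather than treated as string data.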
