[pmwiki-users] ZAP nearly ready...

Patrick R. Michaud pmichaud at pobox.com
Sun Oct 22 13:30:31 CDT 2006


On Sun, Oct 22, 2006 at 01:27:52PM -0400, The Editor wrote:
> After several weeks of intensive work and a good number of
> breakthroughs, ZAP is nearing its official release.  A stripped down
> "lite" version will also be available. A couple quick questions
> though...
> 
> 1) If I'm using PageUpdate for all file changes, do I need to worry
> about using htmlspecialchars?  My assumption is PmWiki takes care of
> all that for me.

That would be an incorrect assumption.  PmWiki's built-in markups
are okay, but if ZAP adds any markups that produce output from
user-contributed source data, ZAP needs to be handling htmlspecialchars.

> 2) I have these lines in my code, yet I'm still getting slashes.  Any
> suggestions?
> 
>   foreach ($_POST as $field => $value) {
>     if (get_magic_quotes_gpc()) $_POST[$field] = stripslashes($value);
>   }

I have no idea here.  Are the slashes showing up in the data file
or in the output from the markup?

> 3) I'd like to start adding some VERY simple calculating capabilities
> in ZAP, and was wondering if there was a way to take a post value like
> "+ 7" in a form and execute something like $x = $x + 7; in the
> recipe.  Some way to execute php commands contained in a string.

There's the PHP eval() function, but it's _very_ dangerous.

Pm
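
One way to apply a posted value such as "+ 7" without eval(), escaping the user-supplied text with htmlspecialchars before it is written to output. This is an added example, not part of the original message and not ZAP or PmWiki code; the function name zap_apply_calc and the sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helper, not ZAP or PmWiki code.
// Applies a posted expression such as "+ 7" to a stored value without
// ever passing user input to eval().

function zap_apply_calc(float $current, string $posted): ?float
{
    // Accept exactly one operator followed by one decimal number.
    // Anything else (function calls, variables, semicolons) is rejected.
    if (!preg_match('/\A\s*([-+*\/])\s*(\d+(?:\.\d+)?)\s*\z/', $posted, $m)) {
        return null;
    }
    $operand = (float) $m[2];

    switch ($m[1]) {
        case '+': return $current + $operand;
        case '-': return $current - $operand;
        case '*': return $current * $operand;
        case '/': return $operand == 0.0 ? null : $current / $operand;
    }
    return null;
}

// Constructed sample inputs standing in for $_POST values.
$samples = ['+ 7', '* 2.5', '/ 0', '+ 7; phpinfo()', '<b>+ 7</b>'];

$x = 10.0;
foreach ($samples as $posted) {
    $result = zap_apply_calc($x, $posted);
    // User-supplied text is escaped before it is echoed into HTML output.
    $shown = htmlspecialchars($posted, ENT_QUOTES, 'UTF-8');
    echo $result === null
        ? "rejected: $shown\n"
        : "10 $shown = $result\n";
}
```

Only the first two samples produce a result; the rest are rejected because they do not match the single-operator, single-number pattern.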
