[pmwiki-users] ZAP and htmlspecialchars...
The Editor
editor at fast.st
Fri Oct 27 18:13:04 CDT 2006
Well, ZAP is coming along. Just uploaded a couple fixes. Will try
and provide Christopher's request over the weekend (for an anti-spam
feature) and hopefully have that finished without too much trouble.
Just for the sake of completeness, I do have one unresolved
question/post about ZAP I'd appreciate a bit more help with. I'll
resend the pertinent thread below as the rest of the original post has
all been answered.
Thanks again to everyone! Have a great weekend.
Cheers,
Caveman
On 10/22/06, The Editor <editor at fast.st> wrote:
> On 10/22/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > > 1) If I'm using PageUpdate for all file changes, do I need to worry
> > > about using htmlspecialchars? My assumption is PmWiki takes care of
> > > all that for me.
> >
> > That would be an incorrect assumption. PmWiki's built in markups
> > are okay, but if ZAP adds any markups that produce output from
> > user-contributed source data, ZAP needs to be handling htmlspecialchars.
>
> Hmmm. I guess I misunderstood how this worked. I thought it was used
> to parse form submissions after they were received by the engine for
> processing. Looking over the php docs more closely I take it now that
> it should be used when creating forms input markups, to prevent bad
> data from being sent to the engine. So the following would need
> to be fixed:
>
> Markup('select', 'inline', '/\(:select (.*?):\\)/', '<select name=$1>');
> Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
> "Keep(PSS(\"<textarea $1>\"))");
>
> I took a stab at it, but not sure I got them right. I wouldn't even
> know what to do to test if it was working right! : ) Do these look
> ok?
>
> Markup('select', 'inline', '/\(:select (.*?):\\)/',
> "htmlspecialchars(\"<select name=$1>\")");
> Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
> "Keep(PSS(htmlspecialchars(\"<textarea $1>\")))");
>
> I also presume these are all ok without need for change...
>
> Markup('option', 'inline', '/\\(:option (.*?):\\)/e',
> "Keep(PSS(\"<option value='$1'>\"))");
> Markup('selectend', 'inline', '/\(:selectend:\\)/', '</select>');
> Markup('textareaend', 'inline', '/\(:textareaend:\\)/', '</textarea>');
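The point Patrick makes, shown as an added example that is neither ZAP nor PmWiki code: the markup's output has to stay HTML, so htmlspecialchars belongs on the user-supplied value inside the tag, not around the whole tag. Plain PHP with preg_replace_callback stands in for Markup()/Keep()/PSS() and the /e modifier; the sample wiki source is constructed.

```php
<?php
// Added example, not ZAP's code: two ways of applying htmlspecialchars to
// the (:select ...:) markup. Only the second one yields a usable, safe tag.

// Variant 1 (the attempt in the thread): escape the finished tag.
// htmlspecialchars turns the < and > of <select> into &lt; and &gt;, so
// the browser renders literal text and no form control appears at all.
function select_markup_escaped_tag(string $src): string {
    return preg_replace_callback(
        '/\(:select (.*?):\)/',
        function (array $m): string {
            return htmlspecialchars("<select name=$m[1]>", ENT_QUOTES, 'UTF-8');
        },
        $src
    );
}

// Variant 2: escape only the value that came from the page source, and
// quote the attribute. htmlspecialchars does not touch spaces, so an
// unquoted name=$1 could still be broken out of; the quotes plus
// ENT_QUOTES (which encodes " and ') keep the value inside one attribute.
function select_markup_escaped_value(string $src): string {
    return preg_replace_callback(
        '/\(:select (.*?):\)/',
        function (array $m): string {
            $name = htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
            return "<select name=\"$name\">";
        },
        $src
    );
}

// Constructed sample source: a name that tries to close the attribute
// and smuggle a second one into the tag.
$source = '(:select user" data-x="injected:)';

// Variant 1 prints an escaped string that is no longer a <select> element.
echo select_markup_escaped_tag($source), "\n";

// Variant 2 prints a real <select> whose name attribute contains the
// whole value, quotes encoded, with no extra attribute created.
echo select_markup_escaped_value($source), "\n";
```

The same split applies to the textarea markup: escape what fills the tag, keep the tag itself intact, and wrap the result in Keep(PSS(...)) as before so PmWiki does not re-process it.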