[pmwiki-users] ZAP and htmlspecialchars...
Patrick R. Michaud
pmichaud at pobox.com
Mon Oct 30 13:01:11 CST 2006
On Mon, Oct 30, 2006 at 02:39:52PM -0400, The Editor wrote:
> On 10/30/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > On 10/22/06, The Editor <editor at fast.st> wrote:
> > > Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
> > > "Keep(PSS(htmlspecialchars(\"<textarea $1>\")))");
> > > Markup('option', 'inline', '/\\(:option (.*?):\\)/e',
> > > "Keep(PSS(\"<option value='$1'>\"))");
> >
> > These also have the XSS vulnerability (and don't need
> > htmlspecialchars, because they're drawing from markup of
> > the current page).
> [...]
> As for the textareas, if the only vulnerability is in the markup, not
> the data that's typed in, there's probably no need to fix it--as only
> admins should be using these. And one day these will be replaced by
> your new forms script. But if it should be closed, how do you do it?
PmWiki has a PQA() function (PQA == "prepare quoted arguments")
that parses HTML argument parameters and makes sure they're properly
quoted and protected against onXYZ=... attacks. So, perhaps:
Markup('textarea', 'inline',
'/\\(:textarea (.*?):\\)/e',
"Keep('<textarea '.PQA(PSS('$1')).'>')");
Markup('option', 'inline',
'/\\(:option (.*?):\\)/e',
"Keep('<option '.PQA(PSS('$1')).' />')");
Pm
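As an added illustration of the approach Pm describes (this is example code, not PmWiki's own PQA() implementation, and the helper name sanitize_attrs and its allow-list are assumptions), the following shows the raw-interpolation pattern from the quoted markup beside a hardened version that parses the argument string into name/value pairs, drops any on* handler or attribute not on an allow-list, rejects javascript: values, and re-emits each value quoted with htmlspecialchars(). The attacker-style inputs are constructed samples for the demonstration.

```php
<?php
// Added example, not PmWiki's PQA(). Demonstrates the idea described above:
// parse "name=value" pairs from a markup argument string and emit only
// safely quoted, allow-listed attributes.

// Hypothetical helper name; the allow-list passed in is an assumption.
function sanitize_attrs(string $args, array $allowed): string {
    $out = [];
    // name=value where value is "...", '...', or a bare word.
    preg_match_all(
        '/([A-Za-z_][\w:-]*)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s"\']+))/',
        $args, $matches, PREG_SET_ORDER);

    foreach ($matches as $pair) {
        $name = strtolower($pair[1]);
        $raw  = $pair[2];
        // Strip the surrounding quotes if the value was quoted.
        if ($raw !== '' && ($raw[0] === '"' || $raw[0] === "'")) {
            $raw = substr($raw, 1, -1);
        }
        // Never pass through event handlers (onfocus=, onmouseover=, ...).
        if (strncmp($name, 'on', 2) === 0) {
            continue;
        }
        // Only attributes the markup author explicitly allows survive.
        if (!in_array($name, $allowed, true)) {
            continue;
        }
        // Reject script URLs in any surviving value.
        if (preg_match('/^\s*javascript:/i', $raw)) {
            continue;
        }
        // ENT_QUOTES escapes both " and ', so a value cannot close the
        // attribute and start a new one.
        $out[] = $name . '="' . htmlspecialchars($raw, ENT_QUOTES) . '"';
    }
    return implode(' ', $out);
}

$allowed = ['name', 'rows', 'cols', 'id', 'class'];

// Constructed sample: an event handler smuggled in as an extra argument.
$args1 = "name='x' onfocus='alert(1)' rows=3";
// Constructed sample: a quote inside the value tries to break out.
$args2 = 'cols=\'10" onmouseover="alert(2)\' name=y';

// Unsafe: the argument string is interpolated verbatim into the tag
// (the pattern from the quoted Markup() rules).
$unsafe1 = "<textarea $args1>";
$unsafe2 = "<textarea $args2>";

// Hardened: only quoted, allow-listed attributes reach the tag.
$safe1 = '<textarea ' . sanitize_attrs($args1, $allowed) . '>';
$safe2 = '<textarea ' . sanitize_attrs($args2, $allowed) . '>';

echo "unsafe: $unsafe1\n";   // contains onfocus='alert(1)'
echo "safe:   $safe1\n";     // <textarea name="x" rows="3">
echo "unsafe: $unsafe2\n";   // stray quote opens a second attribute
echo "safe:   $safe2\n";     // <textarea cols="10&quot; onmouseover=&quot;alert(2)" name="y">
```

Note that wrapping the whole tag in htmlspecialchars(), as the quoted textarea rule does, escapes the angle brackets themselves, so no textarea element is produced at all; the escaping has to be applied to the attribute values, not to the tag, which is what the per-value quoting above does.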