[pmwiki-users] ZAP and htmlspecialchars...

Patrick R. Michaud pmichaud at pobox.com
Mon Oct 30 13:01:11 CST 2006


On Mon, Oct 30, 2006 at 02:39:52PM -0400, The Editor wrote:
> On 10/30/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > On 10/22/06, The Editor <editor at fast.st> wrote:
> > > Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
> > >    "Keep(PSS(htmlspecialchars(\"<textarea $1>\")))");
> > > Markup('option', 'inline', '/\\(:option (.*?):\\)/e',
> > >   "Keep(PSS(\"<option value='$1'>\"))");
> >
> > These also have the XSS vulnerability (and don't need
> > htmlspecialchars, because they're drawing from markup of
> > the current page).
> [...]
> As for the textareas, if the only vulnerability is in the markup, not
> the data that's typed in, there's probably no need to fix it--as only
> admins should be using these.  And one day these will be replaced by
> your new forms script.  But if it should be closed, how do you do it?

PmWiki has a PQA() function (PQA == "prepare quoted arguments")
that parses html argument parameters and makes sure they're properly
quoted and protected against onXYZ=... attacks.  So, perhaps

    Markup('textarea', 'inline',
      '/\\(:textarea (.*?):\\)/e',
      "Keep('<textarea '.PQA(PSS('$1')).'>')");

    Markup('option', 'inline',
      '/\\(:option (.*?):\\)/e',
      "Keep('<option '.PQA(PSS('$1')).' />')");

Pm
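An illustrative attribute sanitizer in the spirit of the PQA() approach above, added here as an example; it is not PmWiki's own PQA(), and its rules (re-quote every value, drop on* handlers and script-scheme URLs) are assumptions about what such a function has to do, not PmWiki's source.

```php
<?php
// Illustrative re-implementation of the idea behind PmWiki's PQA():
// take the raw argument string from a (:textarea ...:) directive,
// parse name=value pairs, re-quote every value, and drop attributes
// that would let page markup inject script. Added example, not
// PmWiki's code; its rules are assumptions about what PQA must do.

// An attribute is rejected when it is an on* event handler, or a
// URL-bearing attribute whose (de-obfuscated) scheme executes script.
function qa_is_dangerous_attr(string $name, string $value): bool {
    $name = strtolower($name);
    if (strncmp($name, 'on', 2) === 0) return true;     // onclick, onfocus, onerror, ...
    if (in_array($name, ['href', 'src', 'action', 'formaction'], true)) {
        // Browsers ignore embedded whitespace/control chars in the scheme, so strip them first.
        $scheme = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $value));
        if (preg_match('/^(javascript|vbscript|data):/', $scheme) === 1) return true;
    }
    return false;
}

// Parse name=value, name='value' and name="value" pairs and rebuild them
// as name="escaped value", so a stray quote in a value cannot close the
// attribute and start a new one.
function qa_quote_attrs(string $args): string {
    $out = [];
    $re = '/([a-zA-Z][-\w]*)\s*=\s*("[^"]*"|\'[^\']*\'|\S+)/';
    if (preg_match_all($re, $args, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $name = $m[1];
            $raw  = $m[2];
            $q    = $raw[0];
            // Strip the surrounding quotes only when they actually match.
            $value = (($q === '"' || $q === "'") && strlen($raw) >= 2 && substr($raw, -1) === $q)
                ? (string) substr($raw, 1, -1)
                : $raw;
            if (qa_is_dangerous_attr($name, $value)) continue;   // drop, do not escape
            $out[] = $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
        }
    }
    return implode(' ', $out);
}

// Constructed inputs (not taken from the thread): a benign directive and a hostile one.
echo '<textarea ' . qa_quote_attrs("name=comment rows='5' cols=\"40\"") . '>', "\n";
echo '<textarea ' . qa_quote_attrs('name=x onfocus=alert(1) style="color:red"') . '>', "\n";
```

The second call keeps `name` and `style` and silently drops `onfocus`, which is the behaviour the thread wants from the textarea/option markup.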



