[pmwiki-users] Editform: clearing a page text variable, escaping directives
Petko Yotov
5ko at free.fr
Sat Apr 28 04:23:39 CDT 2007
Hello Patrick and all,
I looked at and tested the latest code from SVN and I have some questions.
1. It is not possible to clear a page text variable: if one erases the content
of the text field, the PTV is not modified. I believe it should be. I can see
in the code that that is a wanted behaviour but cannot understand why: in
case the $_POST field exists and is empty, one would expect the PTV to be
cleared (emptied).
2. When one enters ":)" in the textarea, it is translated into ":)" in
the wiki-source. But when one re-edits the PTV in the "editform", one
sees ":)" (actually, ":)" in HTML). Is it possible to translate
it back to ":)"? It would be more readable and usable, especially favorable
for inexperienced writers. The "<" and "&" are converted properly to "<"
and not to "&lt;" in HTML.
Next observations come from the idea that in the very close future there will
be an Auth level to edit page variables without permissions to edit the wiki
source. (Always thinking in the perspective of real applications.)
3. In the multiline PTVs it is possible to enter in the
editform "(:SameVarName:" and this breaks the previous PTV. The "(:" should
probably be also escaped.
4. In the one-line PTVs it is possible to enter "(:if false:)"
or "(:NewPTV:Value:)" or any other directive which are not escaped, and this
is probably not the behaviour we intend to have:
:Name:Petko (:if false:)
!!Title
Page content
...
...
Categories: (:ifend:)
If the editform allows editing the PageTextVariables $:Name and $:Categories,
it is possible to break the page, and even to (:redirect http://spam:).
This may be worth adding to the core, because I believe a PTV should not
contain directives. However, I am grateful that it is possible to
personalize the $ROEPatterns and by this to even rewrite the PTVPOSTVar()
function.
Thanks,
Petko
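
Added example, not part of the original message and not PmWiki code: one way to implement the escaping asked for in points 3 and 4, the clearing behaviour from point 1, and the translation back for the edit form from point 2. The function names ptv_escape, ptv_for_form and ptv_from_post are hypothetical, the submitted values are constructed, and the use of &#58; assumes the wiki renders numeric character references as the literal character.

```php
<?php
// Added example: hypothetical helpers, not PmWiki functions.

// Neutralise directive delimiters in a submitted page text variable (PTV) value.
// Assumption: the wiki renders the numeric reference &#58; as a literal colon.
function ptv_escape(string $value, bool $multiline): string {
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    if (!$multiline) {
        // A one-line PTV must not spill onto following lines of the page.
        $value = trim(preg_replace('/\s*\n\s*/', ' ', $value));
    }
    // "(:" is replaced first, so "(:)" becomes "(&#58;)" and no ":)" survives.
    return str_replace(['(:', ':)'], ['(&#58;', '&#58;)'], $value);
}

// Reverse the escaping for the edit form, then HTML-encode for the field.
// Not a strict inverse if the author typed "&#58;)" literally.
function ptv_for_form(string $stored): string {
    $plain = str_replace(['(&#58;', '&#58;)'], ['(:', ':)'], $stored);
    return htmlspecialchars($plain, ENT_QUOTES, 'UTF-8');
}

// A field that is present but empty clears the PTV; an absent field keeps it.
function ptv_from_post(array $post, string $name, string $current, bool $multiline): string {
    if (!array_key_exists($name, $post) || !is_string($post[$name])) {
        return $current;
    }
    return ptv_escape($post[$name], $multiline);
}

// Constructed form submission based on the values discussed in the message.
$post = [
    'Name'       => "Petko (:if false:)",
    'Categories' => "(:ifend:)\n(:redirect http://spam:)",
    'Summary'    => '',
];
$stored = [];
foreach (['Name', 'Categories', 'Summary', 'Other'] as $n) {
    $stored[$n] = ptv_from_post($post, $n, 'old value', false);
    printf("%-10s => %s\n", $n, var_export($stored[$n], true));
}
echo ptv_for_form($stored['Name']), "\n";
```

The stored values contain no "(:" or ":)" sequence, so they cannot open or close a directive, while the edit form still shows the text as it was typed.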