[pmwiki-users] Editform: clearing a page text variable, escaping directives

The Editor editor at fast.st
Sun Apr 29 08:50:52 CDT 2007


> It is _very_ difficult for PmWiki to know if it has pre-filled out a
> particular form with values.  Doing so requires keeping quite a bit
> of session information around for every form that PmWiki generates,
> and this session information will tend to grow without bound the
> more a particular author interacts with PmWiki.
>
> Also note that simply viewing pages containing a form causes the
> session to grow, whether the form is filled out or not.

For what it's worth, ZAP stores its ZAP inputs as a session variable
array keyed to each page.  Every time a form is submitted, all such
session variables are unset, for every page (not just the current
one). This keeps it from growing too much.

> Actually, I was thinking that in the :) case PmWiki might convert
> the above to
>
>    (::RealVar: Text added by user :) this won't be cut from PTV ::)
>
> My current thought is that we simply add spaces, so that
> "(:" and ":)" are converted to "( :" and ": )" and leave it
> at that.  That preserves safety, still looks reasonable when
> editing, and makes it relatively clear as to what is going on.

Again, just for feedback, ZAP follows the latter method ( : : ).  And
it works fine.

The first option looks cleaner, but

1) ZAP would probably have a more difficult time taking advantage of it.

2) Directives inside the PTV (option 1) would need to be escaped so
they are not accidentally executed when viewing the page

3) Another disadvantage (possible) to the first option is that
retrieving the PTV would automatically execute the internal directives
which is part of the security problem.

The problem with option one of course is it doesn't give a good
solution when you want directives in a PTV!

ZAP's approach for this has been a yucky, configurable {(wiki
directive params)} which automatically transforms into the directive
when the PTV is retrieved into a page.  Note {( )} is also escaped to
{ ( ) } so directives cannot be inserted using this syntax by a ZAP
form either...

However, the thought just occurred to me that a custom markup like (::
{$:var} ::) could be set up just before the directives begin in the
markup table which only does a simple string replacement to restore (
: : )'s in the PTV to (: :).  That keeps the values safe when
submitted, minimizes the visual distortion of the PTV, but also makes
it possible to activate them without ZAP's {( )} approach. Plus the
syntax is shorter, and more semantically connected. Oh, and (:: ::)'s
are automatically escaped as well!

This sounds like a pretty cool solution!  What do you think, Pm?

Cheers,
Dan
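
The spacing scheme and the (:: ::) restore step discussed in this message, sketched as stand-alone PHP. This is an added example, not code from PmWiki, ZAP or the post; the function names are hypothetical and the sample values are constructed.

```php
<?php
// Added illustration; function names are hypothetical (not PmWiki or ZAP code).

// On submit: break directive delimiters by inserting a space.
function neutralize_directives(string $text): string {
    return str_replace(['(:', ':)'], ['( :', ': )'], $text);
}

// Plain string replacement that undoes the spacing.
function restore_directives(string $text): string {
    return str_replace(['( :', ': )'], ['(:', ':)'], $text);
}

// Expand (:: body ::) wrappers written by the page author. Meant to run after
// {$:var} substitution and before directives are processed.
function expand_wrappers(string $page): string {
    return preg_replace_callback(
        '/\(::(.*?)::\)/s',
        function (array $m): string { return restore_directives($m[1]); },
        $page
    );
}

// Constructed sample: a form value containing a directive and a wrapper.
$submitted = 'Thanks :) (:include Some.Page:) (:: nested ::)';
$stored = neutralize_directives($submitted);
echo $stored, "\n";

// Nothing that gets saved still contains a live "(:" or ":)"; because "(::"
// starts with "(:", a submitted wrapper is broken up as well.
var_dump(strpos($stored, '(:') === false && strpos($stored, ':)') === false);

// Shown as-is the stored value stays inert; only the author's wrapper
// around a value turns its spaced directives back into real ones.
$page = "Inert: $stored\nActive: (:: "
      . neutralize_directives('(:pagelist group=Main:)') . " ::)";
echo expand_wrappers($page), "\n";

// The restore is not an exact inverse: spaces the user typed are removed too.
echo restore_directives('typed with a space : )'), "\n";
```

Because the restore step cannot tell inserted spaces from typed ones, everything inside a wrapper becomes active markup, so the wrapper belongs only around values whose contents the page author is willing to have executed.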


