[pmwiki-devel] Safely adding a %confirm% custom WikiStyle
Hans
design5 at softflow.co.uk
Sat Jul 19 09:28:13 CDT 2008
Saturday, July 19, 2008, 2:22:07 PM, Hans wrote:
> I wonder if the ApplyStyles function could
> be changed so that it will not accept values set by style markup for
> certain attributes, in which I would put all javascript event
> handlers.
Perhaps it could be done like this, as a proposal for core change:
add to function ApplyStyles after
$m = array_shift($match);
this:
if (is_array($UnsafeWikiStyleAttr) && in_array($m[1],$UnsafeWikiStyleAttr)) continue;
and add to globals: $UnsafeWikiStyleAttr
Then an admin can define array $UnsafeWikiStyleAttr possibly like
this in config:
$UnsafeWikiStyleAttr = array('onload','onunload','onclick','ondblclick','onmousedown',
'onmouseup','onmouseover','onmousemove','onmouseout','onfocus','onblur',
'onkeypress','onkeydown','onkeyup','onsubmit','onreset','onselect','onchange');
and can add event handlers as attributes and define the scripts, like
$WikiStyleAttr['onclick'] = 'a';
$WikiStyle['confirm']['onclick'] = ' return confirm("Are you sure?") ';
So this would need a one line addition to the core function, which
adds a filter to filter out unwanted attribute keywords.
It can be left to the admin to implement adding any needed javascript
event handlers, and set necessary restrictions.
Hans
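
Added example (not part of the message above and not PmWiki's own code): a simplified stand-in for the attribute loop in ApplyStyles, showing the proposed filter dropping event-handler attributes typed in page markup while the admin-defined %confirm% style keeps its onclick. The helper name resolve_style, its regex, the strtolower() call and the sample markup strings are assumptions made for illustration.

```php
<?php
// Simplified model of the attribute loop in ApplyStyles (illustration only,
// not PmWiki's code). Admin configuration follows the message above.
$UnsafeWikiStyleAttr = array('onload','onunload','onclick','ondblclick',
  'onmousedown','onmouseup','onmouseover','onmousemove','onmouseout',
  'onfocus','onblur','onkeypress','onkeydown','onkeyup','onsubmit',
  'onreset','onselect','onchange');
$WikiStyle = array();
$WikiStyle['confirm']['onclick'] = ' return confirm("Are you sure?") ';

// resolve_style() is a hypothetical helper: it turns the text between the
// % signs of a style markup into an attribute array.
function resolve_style($spec) {
  global $WikiStyle, $UnsafeWikiStyleAttr;
  $style = array();
  preg_match_all('/\b([a-zA-Z][-\w]*)(?:[:=]([-#,\w.()%]+|([\'"]).*?\3))?/',
    $spec, $match, PREG_SET_ORDER);
  while ($match) {
    $m = array_shift($match);
    // The proposed one-line filter. strtolower() is an addition in this
    // sketch, since HTML attribute names are case-insensitive.
    if (is_array($UnsafeWikiStyleAttr)
        && in_array(strtolower($m[1]), $UnsafeWikiStyleAttr)) continue;
    if (isset($m[2]) && $m[2] !== '') {
      $style[$m[1]] = trim($m[2], '\'"');              // name=value from markup
    } elseif (isset($WikiStyle[$m[1]])) {
      $style = array_merge($style, $WikiStyle[$m[1]]); // admin-defined style
    } else {
      $style['class'] = trim((isset($style['class']) ? $style['class'] : '') . ' ' . $m[1]);
    }
  }
  return $style;
}

// Constructed sample markup, as an author might type it on a wiki page.
$samples = array(
  'confirm',                            // admin style: onclick is kept
  'color=red onclick="doSomething()"',  // handler from markup: dropped
  'confirm onclick="doSomething()"',    // markup cannot override admin value
);
foreach ($samples as $spec) {
  echo "%$spec% => ", json_encode(resolve_style($spec)), "\n";
}
```

Because the filter tests the keyword from the markup rather than the keys of the merged style, an onclick set in $WikiStyle by the admin passes through, and the same attribute supplied by a page author never reaches the style array.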