[pmwiki-users] Re: pb with PmWiki

Patrick R. Michaud pmichaud at pobox.com
Mon Feb 7 12:02:22 CST 2005


On Sun, Feb 06, 2005 at 08:22:14PM +0100, Knut Alboldt wrote:
> p.morizot at free.fr schrieb:
> >Thanks Knut for the answer but defining  markups solutions it is like 
> >learning a
> >new programming language
> 
> I can understand that, sometimes that regex-stuff really drives me crazy 
> ! :-) (sorry, PM !)

Try writing a wiki *without* regexes and then we can talk about
crazy!  :-) :-)

> [...] For html there 
> is already a Cookbook-Entry for allowing HTML-code, see 
> http://www.pmwiki.org/wiki/Cookbook/EnableHTML. It's only that you have 
> to define every html-tag, you want to allow the user to add in the var 
> $AllowedTags.

The only reason that the cookbook recipe limits the available HTML tags
is to help administrators see how to keep things secure.  If a site
administrator is willing to treat anything in <...> as an HTML tag, it
can be easily done by changing $AllowedTags in the recipe to allow
any sequence of letters, as in:

    $AllowedTags = "[a-z]+";
    Markup('<html>', '<{$fmt}',
      "/&lt;(\\/?($AllowedTags)\\b.*?)&gt;/e",
      "Keep(PSS('<$1>'))");

> <?php
> php code goes here
> ?>

Handling php code is a *lot* trickier, if only because the complete markup
to text conversion is performed prior to any text being output (which
is different from how one would normally expect embedded php to work).
And it really is terribly dangerous to allow authors to write arbitrary
php code.  But the best bet is indeed to perform an eval, perhaps
inside of an ob_start() and ob_get_contents() wrapper to capture any
output.  You'll also want to decode any &lt;, &amp;, and &gt; sequences
in the markup text.  Perhaps something like (untested):

    // Don't do this unless you *really* know what you're doing!
    function PHPMarkup($pagename, $code) {
      // Undo the entity encoding PmWiki applied to the source text,
      // mapping each entity back to the character it stands for.
      $code = str_replace(array('&lt;', '&gt;', '&amp;'), 
        array('<', '>', '&'), $code);
      ob_start();
      eval($code);                    // danger danger danger
      // Return the captured output and discard the buffer without
      // sending it to the browser (the page is still being converted).
      return ob_get_clean();
    }
    Markup('php', '<{$fmt}',
      '/&lt;\\?php(.*?)\\?&gt;/e', 
      "Keep(PHPMarkup(\$pagename, PSS('$1')))");

Pm

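The tag allowlist behind $AllowedTags, as an added stand-alone example (not code from the original message or from PmWiki); it uses preg_replace_callback instead of the old /e modifier and assumes a function name, allowTags, and sample input constructed here. It shows why the recipe keeps the list narrow: with the permissive "[a-z]+" form any tag, script included, is handed back to the browser unescaped.

```php
<?php
// Added example, not from the original message or PmWiki itself.
// $escaped is wiki text in which < > & have already been turned into
// &lt; &gt; &amp;, which is the state the text is in when PmWiki's
// Markup() rules run. Only tags matching the allowlist are restored;
// everything else stays escaped and is shown as literal text.
function allowTags(string $escaped, string $allowedTags): string
{
    // Mirrors the recipe's pattern: optional "/", an allowed tag name,
    // a word boundary, then anything up to the closing &gt;.
    // Matching is case-sensitive, as in the original rule.
    $pattern = '/&lt;(\/?(' . $allowedTags . ')\b.*?)&gt;/';

    return preg_replace_callback($pattern, function (array $m): string {
        // $m[1] is the tag interior, e.g. "b", "/b" or "a href=...".
        return '<' . $m[1] . '>';
    }, $escaped);
}

// Constructed sample input; both tags arrive entity-encoded.
function demo(): array
{
    $input = '&lt;b&gt;bold&lt;/b&gt; and &lt;script&gt;untrusted&lt;/script&gt;';
    return [
        // Narrow allowlist: <b> is restored, <script> stays escaped.
        'restrictive' => allowTags($input, 'b|i|em|strong'),
        // "Any sequence of letters": <script> is restored as well.
        'permissive'  => allowTags($input, '[a-z]+'),
    ];
}

// Caveat: the pattern checks only the tag *name*. Attribute text after
// the name passes through untouched with either allowlist, so an
// allowlist of tag names alone does not constrain attributes.
foreach (demo() as $label => $html) {
    echo $label, ': ', $html, "\n";
}
```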

