[pmwiki-users] Integrating JavaScript function into Custom Markup

Patrick R. Michaud pmichaud at pobox.com
Fri Apr 7 15:15:15 CDT 2006


On Fri, Apr 07, 2006 at 09:00:29PM +0100, Hans wrote:
> Friday, April 7, 2006, 6:49:55 PM, Patrick wrote:
> > Might want to be careful here -- the above could potentially allow
> > an author to inject some javascript code directly into the page
> > output via the map= or title arguments, since they aren't input
> > filtered.
> 
> I don't understand why. The markup function returns specific
> javascript of function map(). Is that not safeguard enough?
> How can other javascript code be injected?

Given:

 Markup('map', 'directives', "/\\(:map (.*?)?\\s*?:\\)/e", "Map('$1')");
 function Map($args) {
      $arg = PSS(ParseArgs($args));
      if (isset($arg['map'])) $map = $arg['map'];
      if (isset($arg['title'])) $maptitle = $arg['title'];
      $out = "<a href='javascript:map(\"map=$map\");' ";
      $out.= "title=\"$maptitle\">Show $maptitle</a>";
      return Keep($out);
      }

consider:

   (:map map='", some_other_function(), "':)

which becomes in HTML:

    <a href='javascript:map("", some_other_function(), "")' ... >

and some_other_function() gets called as an argument to the
map function.  Of course, I can come up with a more complex
example, but this gives the idea.

Pm
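
The injection described in the message above, next to one way to close it, as an added example that is not part of the original post or of PmWiki. The function names map_link_unsafe and map_link_safe and the sample title are assumptions; $map and $title stand for the values Map() takes from the parsed arguments.

```php
<?php
// Added example: stand-alone functions, no PmWiki calls. $map and $title
// stand for the values the quoted Map() reads from its parsed arguments.

// Same string building as the Map() function quoted above: values are
// interpolated raw into a JavaScript string inside an HTML attribute.
function map_link_unsafe(string $map, string $title): string {
    $out  = "<a href='javascript:map(\"map=$map\");' ";
    $out .= "title=\"$title\">Show $title</a>";
    return $out;
}

// Hardened form: encode once per context, innermost first.
function map_link_safe(string $map, string $title): string {
    // 1. JavaScript string literal: json_encode quotes and escapes the value;
    //    the JSON_HEX_* flags also turn < > & ' " into \uXXXX escapes.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $js = 'map(' . json_encode("map=$map", $flags) . ');';
    // 2. javascript: URL: browsers percent-decode the URL body before running
    //    it, so a literal %22 in the input must not come back as a quote.
    $href = 'javascript:' . rawurlencode($js);
    // 3. HTML attribute and element text: escape for the surrounding markup.
    $h = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $h($href) . "' title=\"" . $h($title) . "\">Show "
         . $h($title) . "</a>";
}

// Constructed inputs: the map value from the message, and a title that
// contains double quotes.
$map   = '", some_other_function(), "';
$title = 'Paris "centre"';

// Unsafe: some_other_function() becomes a second argument to map(), and the
// quotes in the title end the title attribute early.
echo map_link_unsafe($map, $title), "\n\n";

// Safe: the whole map value stays inside one JavaScript string, and the
// title is rendered as text.
echo map_link_safe($map, $title), "\n";
```

Where the map argument only ever needs a fixed set of values, checking it against that set before building the link is simpler than encoding for three nested contexts.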




