[pmwiki-users] CSS for one (or all) tag in _a single_ page (inline or in head)
Patrick R. Michaud
pmichaud at pobox.com
Thu Aug 24 12:52:19 CDT 2006

On Thu, Aug 24, 2006 at 10:45:52AM -0700, Andrew Standfield wrote:
> I don't think there's any more chance of malicious authors doing bad
> things with css than there is with allowing *any* form of markup.

PmWiki's existing markups are fairly limited in terms of what
can be done -- i.e., it's difficult for an author to perform
a cross-site scripting attack using PmWiki's existing markups.
However, if an author can generate arbitrary CSS, then cross-site
attacks become much more possible.

> I think a bigger issue would be novices to CSS creating unstable
> style sheets. I've actually tried to think of ways to combat that or
> if you just want for the admin to be able to include styles. It would
> be interesting to require some kind of password for the (:stylepage:)
> directive.

That's a bit backwards -- the trick isn't to password protect
the stylepage directive, but to password-protect whatever it
includes. (Stated slightly differently: password-protection of
the directive doesn't prevent someone from editing the page
it's including.)

So, for example, if (:stylepage:) were limited to including pages
from the Site group, then it's much safer because edit access to
Site.* pages is usually well protected.

Pm

> On Aug 24, 2006, at 10:31 AM, Patrick R. Michaud wrote:
>
> >On Thu, Aug 24, 2006 at 10:26:02AM -0700, Andrew Standfield wrote:
> >>Clemens,
> >>
> >>I think what you may want is the stylepage.php solution by Hans. You
> >>can find it near the bottom of the CSS in Wiki Pages Recipe:
> >>http://pmwiki.org/wiki/Cookbook/CSSInWikiPages
> >>
> >>After installing, it allows you to make a wiki page that you put
> >>standard CSS declarations in. You can then call it from any other
> >>page using (:stylepage Group.ExamplePage:).
> >
> >I hadn't noticed this particular recipe -- it's excellent.
> >
> >So far I've been reluctant to allow any sort of direct CSS
> >modification through pages because it might make it possible
> >for malicious authors to do bad things to the site. But having
> >an administrative CSS-via-wiki-page option seems like it could
> >be worthwhile.
> >
> >I'd love to hear others' opinions about this.
> >
> >Pm
> >
>
>
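
The restriction suggested in the reply above (include CSS only from pages in the Site group), sketched as an added example that is not part of the thread and is not code from stylepage.php or PmWiki. The function names and the allowlist are hypothetical, page-name syntax is simplified to letters, digits and hyphens, and it assumes edit access to Site.* is limited to administrators.

```php
<?php
// Added example: hypothetical helpers, not PmWiki or stylepage.php code.

// Groups whose pages may be pulled in as CSS. "Site" follows the reply above;
// the check is only as strong as the edit protection on these groups.
const STYLE_GROUPS = ['Site'];

// Resolve a directive argument to [group, name], or null when it is not a
// plain page reference. A bare name resolves into the including page's group,
// so "MyStyles" on a Main page means Main.MyStyles, which any author can edit.
function resolve_style_target(string $arg, string $currentGroup): ?array {
    $pattern = '/^(?:([A-Za-z0-9][A-Za-z0-9-]*)[.\/])?([A-Za-z0-9][A-Za-z0-9-]*)$/';
    if (!preg_match($pattern, trim($arg), $m)) {
        return null; // extra dots, path tricks, URLs, empty argument
    }
    $group = $m[1] !== '' ? $m[1] : $currentGroup;
    return [$group, $m[2]];
}

// The decision is made on the *included* page's group, not on who wrote the
// directive: protecting the directive alone would leave the target editable.
function style_include_allowed(string $arg, string $currentGroup): bool {
    $target = resolve_style_target($arg, $currentGroup);
    return $target !== null && in_array($target[0], STYLE_GROUPS, true);
}

// Find every (:stylepage ...:) directive in page text and record the decision.
function audit_stylepage_directives(string $pageText, string $currentGroup): array {
    preg_match_all('/\(:stylepage\s+(.*?)\s*:\)/', $pageText, $matches);
    $report = [];
    foreach ($matches[1] as $arg) {
        $report[$arg] = style_include_allowed($arg, $currentGroup) ? 'include' : 'refuse';
    }
    return $report;
}

// Constructed sample: text of a page that lives in the "Main" group.
$text = "(:stylepage Site.SiteStyles:)\n(:stylepage Main.MyStyles:)\n"
      . "(:stylepage MyStyles:)\n(:stylepage Site/Extra:)\n(:stylepage Site.A.B:)";

foreach (audit_stylepage_directives($text, 'Main') as $arg => $decision) {
    echo str_pad($arg, 18), $decision, "\n";
}
```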