[pmwiki-users] CSS for one (or all) tag in _a single_ page (inline or in head)

Andrew Standfield andy at scruffyco.com
Thu Aug 24 12:57:41 CDT 2006


> So, for example, if (:stylepage:) were limited to including pages
> from the Site group, then it's much safer because edit access to
> Site.* pages is usually well protected.

Excellent point. That would also be much easier to do...

/me glances at Hans hoping he'll implement that...

:)


Andy Standfield
http://www.vertigo25.com/
http://www.ipodnirvana.com/


On Aug 24, 2006, at 10:52 AM, Patrick R. Michaud wrote:

> On Thu, Aug 24, 2006 at 10:45:52AM -0700, Andrew Standfield wrote:
>> I don't think there's any more chance of malicious authors doing bad
>> things with css then there is with allowing *any* form of markup.
>
> PmWiki's existing markups are fairly limited in terms of what
> can be done -- i.e., it's difficult for an author to perform
> a cross-site scripting attack using PmWiki's existing markups.
>
> However, if an author can generate arbitrary CSS, then cross-site
> attacks become much more possible.
>
>> I think a bigger issue would be novices to CSS creating unstable
>> style sheets. I've actually tried to think of ways to combat that or
>> if you just want for the admin to be able to include styles. It would
>> be interesting to require some kind of password for the (:stylepage:)
>> directive.
>
> That's a bit backwards -- the trick isn't to password protect
> the stylepage directive, but to password-protect whatever it
> includes.  (Stated slightly differently:  password-protection of
> the directive doesn't prevent someone from editing the page
> it's including.)
>
> So, for example, if (:stylepage:) were limited to including pages
> from the Site group, then it's much safer because edit access to
> Site.* pages is usually well protected.
>
> Pm
>
>
>
>> On Aug 24, 2006, at 10:31 AM, Patrick R. Michaud wrote:
>>
>>> On Thu, Aug 24, 2006 at 10:26:02AM -0700, Andrew Standfield wrote:
>>>> Clemens,
>>>>
>>>> I think what you may want is the stylepage.php solution by Hans.  
>>>> You
>>>> can find it near the bottom of the CSS in Wiki Pages Recipe:  
>>>> http://
>>>> pmwiki.org/wiki/Cookbook/CSSInWikiPages
>>>>
>>>> After installing, it allows you to make a wiki page that you put
>>>> standard CSS declarations in. You can then call it from any other
>>>> page using (:stylepage Group.ExamplePage:).
>>>
>>> I hadn't noticed this particular recipe -- it's excellent.
>>>
>>> So far I've been reluctant to allow any sort of direct CSS
>>> modification through pages because it might make it possible
>>> for malicious authors to do bad things to the site.  But having
>>> an administrative CSS-via-wiki-page option seems like it could
>>> be worthwhile.
>>>
>>> I'd love to hear others' opinions about this.
>>>
>>> Pm
>>>
>>
>>





More information about the pmwiki-users mailing list