[pmwiki-users] Form Input missing 4 types !!!!

Patrick R. Michaud pmichaud at pobox.com
Mon Aug 28 10:20:56 CDT 2006


On Mon, Aug 28, 2006 at 10:05:40AM -0500, JB wrote:
> > nobody has demonstrated a place where it's needed
> 
> I suggested one - AJAX.

AJAX is a web communications protocol, it's not an application.
I'd need to see an example where someone is actively developing an
application with PmWiki that will benefit from the existence
of an (:input button:), as opposed to a hypothetical example
where it might be useful.

> From website:  http://www.htmlcodetutorial.com/forms/_INPUT_onClick.html
> 
>     onClick gives the script to run when the user clicks on the 
>     input. onClick applies to buttons (submit, reset, and button), 
>     checkboxes, radio buttons, and form upload buttons.
>  
> If the input type "button" is a security risk then are not 
> the other input types - submit, reset, checkbox, radiobutton
> also security risks?

No, because PmWiki doesn't provide any way for an author to
add an "onClick" attribute to those button types.

> To fix this security risk PMWiki could make it so the above 
> various input control event attributes are restricted to:
> 
>   1) calling a function only from the current url directory ()

As far as I know, it's not possible to restrict JavaScript functions
based on their source.

>   2) limit inline javascript to "alert()" and maybe a few
>      other limited commands that are harmless.

"alert()" doesn't seem all that useful.  I'd want to see a list
of actual commands that would be generic and useful before adding
this to the core.  (If they aren't generally useful, they belong 
in recipes.)

All in all, it seems like an *awful* lot of coding for a feature
for which we don't even have a working useful example yet.
PmWikiPhilosophy #3 definitely applies here.

Pm
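
The point made in the message above, that the existing input types are safe only because authors cannot attach an "onClick" to them, can be shown with an allow-list renderer. This is an added example, not PmWiki code and not part of the original message; the simplified directive grammar, the allow-lists and the function names are assumptions made for illustration.

```javascript
// Added illustration, not PmWiki's implementation. Allow-lists below are assumed.
const ALLOWED_TYPES = new Set(["text", "submit", "reset", "checkbox", "radio"]);
const ALLOWED_ATTRS = new Set(["name", "value", "size", "id", "class"]);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Parse "(:input TYPE key=value key="quoted value" ...:)" into {type, attrs}.
function parseInputDirective(markup) {
  const m = /^\(:input\s+(\w+)\s*(.*?):\)$/s.exec(markup.trim());
  if (!m) return null;
  const attrs = [];
  const re = /([A-Za-z][\w-]*)=(?:"([^"]*)"|'([^']*)'|(\S+))/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    // Attribute names are lowercased so "onClick" and "ONCLICK" are treated alike.
    attrs.push([a[1].toLowerCase(), a[2] ?? a[3] ?? a[4]]);
  }
  return { type: m[1].toLowerCase(), attrs };
}

// Emit only allow-listed types and attributes; anything else never reaches HTML.
function renderInput(markup) {
  const d = parseInputDirective(markup);
  if (!d || !ALLOWED_TYPES.has(d.type)) {
    // Unknown type (e.g. "button"): show the markup as literal, escaped text.
    return { html: escapeHtml(markup), dropped: [] };
  }
  const kept = [], dropped = [];
  for (const [k, v] of d.attrs) {
    if (ALLOWED_ATTRS.has(k)) kept.push(` ${k}="${escapeHtml(v)}"`);
    else dropped.push(k); // event handlers such as onclick land here
  }
  return { html: `<input type="${d.type}"${kept.join("")} />`, dropped };
}

// Constructed sample input: the handler is dropped, the rest is rendered.
console.log(renderInput('(:input submit name=go value="Save" onClick="alert(1)":)'));
```

Because the attribute list is closed, no parsing of the handler's JavaScript is needed; filtering inline script down to "harmless" commands, as proposed in the quoted text, would require exactly that.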



