[pmwiki-users] MarkupExpressionsExtensions

The Editor editor at fast.st
Tue Apr 17 03:11:52 CDT 2007


On 4/17/07, Petko Yotov <5ko at free.fr> wrote:
> On Tuesday 17 April 2007 09:20, Hans wrote:
> > Monday, April 16, 2007, 3:00:34 PM, The wrote:
> > > 5) As far as Hans's concern about using eval in the math function, I'm
> > > pretty sure the function's pattern matching check on the input value
> > > will eliminate any possible risk. It is a very nice, concise, and
> > > functional bit of code--and it's been asked for by several people over
> > > the last few months. Of course, if someone comes up with a better
> > > solution, I'd be happy to see it changed.
> >
> > I would really like someone else's opinion on this.
> >
> > Is the math function safe?
> >
> >   ~Hans
>
> We are talking about the Cookbook/MarkupExpressionsExtensions recipe right?
>
> It depends.
>
> It is safe to not break anything existent, nor reveal private information,
> as it allows the eval'd string to contain only numbers and operators. No PHP
> function can be executed, no internal variable can be printed.
>
> It is not safe because if the expression is not mathematically correct, it
> will however try to execute it, and this will result in a Fatal Error. Try
> with
>   {(math '12+(*')}
> But you can tell your users not to write such incorrect expressions.


Is there a way to avoid this by doing something like,

onerr return '';

Cheers,
Dan
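Dan's question is about making the math markup fail closed on malformed input. The following is an added example, not the MarkupExpressionsExtensions recipe's code and not from anyone in the thread: it keeps the same character whitelist but parses the expression itself instead of handing it to eval(), so anything it cannot parse (including Petko's `12+(*`) returns '' with nothing executed. It assumes PHP 8; the class and method names are my own.

```php
<?php
// Added example, not the recipe's own code: a recursive-descent evaluator for
// + - * / and parentheses that never calls eval(), so "12+(*" yields '' instead
// of a PHP parse error.
class SafeMath {
    private array $tok = [];
    private int $pos = 0;

    public static function evaluate(string $expr): string {
        $s = preg_replace('/\s+/', '', $expr);
        // Whitelist as in the recipe's pattern check; the length cap bounds recursion depth.
        if (strlen($s) > 200 || !preg_match('/^[0-9.+\-*\/()]*$/', $s)) return '';
        preg_match_all('/\d+(?:\.\d+)?|[+\-*\/()]/', $s, $m);
        if (implode('', $m[0]) !== $s) return '';   // e.g. a stray '.'
        $p = new self();
        $p->tok = $m[0];
        $v = $p->expr();
        // Reject leftover tokens such as "1)2" or "(1))".
        return ($v === null || $p->pos !== count($p->tok)) ? '' : (string)$v;
    }

    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }

    // expr := term (('+'|'-') term)*    term := factor (('*'|'/') factor)*
    private function expr(): ?float { return $this->binop(['+', '-'], 'term'); }
    private function term(): ?float { return $this->binop(['*', '/'], 'factor'); }
    private function binop(array $ops, string $next): ?float {
        $v = $this->$next();
        while ($v !== null && in_array($this->peek(), $ops, true)) {
            $op = $this->tok[$this->pos++];
            $r = $this->$next();
            if ($r === null || ($op === '/' && $r == 0.0)) return null; // no division by zero
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }

    // factor := number | '-' factor | '(' expr ')'
    private function factor(): ?float {
        $t = $this->peek();
        if ($t === '-') { $this->pos++; $v = $this->factor(); return $v === null ? null : -$v; }
        if ($t === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($v === null || $this->peek() !== ')') return null;
            $this->pos++; return $v;
        }
        if ($t !== null && is_numeric($t)) { $this->pos++; return (float)$t; }
        return null;
    }
}

echo SafeMath::evaluate('12+(3*4)'), ' [', SafeMath::evaluate('12+(*'), "]\n"; // 24 []
```

Because no PHP code is ever generated from the user's string, a syntax error in the expression is just a parse failure in this function rather than an interpreter-level error.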
