[pmwiki-users] Editform: clearing a page text variable, escaping directives

Patrick R. Michaud pmichaud at pobox.com
Sat Apr 28 07:20:02 CDT 2007


On Sat, Apr 28, 2007 at 11:23:39AM +0200, Petko Yotov wrote:
> Hello Patrick and all,
> 
> I looked at and tested the latest code from SVN and I have some questions.

FWIW, I've already abandoned the code that is currently in SVN and
I'm using a slightly different approach.

> 1. It is not possible to clear a page text variable: if one erases the content 
> of the text field, the PTV is not modified. I believe it should be. I can see 
> in the code that this is a wanted behaviour but cannot understand why: in 
> case the $_POST field exists and is empty, one would expect the PTV to be 
> cleared (emptied).

Not necessarily.  If someone opens up a form containing a number of PTV
fields and fills only some of them in, then it's not always obvious 
(to the author) that leaving the others blank will clear the 
corresponding PTVs.  So, for now I've decided that the way to explicitly
clear a PTV will be to enter spaces in the field.

> 2. When one enters ":)" in the textarea, it is translated into "&#x3a;)" in 
> the wiki-source. But when one re-edits the PTV in the "editform", one 
> sees "&#x3a;)" (actually, "&amp;#x3a;)" in HTML). Is it possible to translate 
> it back to ":)"? It would be more readable and usable, especially favorable 
> for inexperienced writers. The "<" and "&" are converted properly to "&lt;" 
> and not to "&amp;lt;" in HTML.

The conversion of ":)" to "&#x3a;)" is actually going to change -- it will
be "(:" converted to "(&#x3a;".  However, your point remains.

The conversion of "(:" to "(&#x3a;" is going to be an option, enabled
by default.  The problem is that since these forms will often be used
to allow people w/o edit privileges to add content to a page, we don't
want them to be able to add directives.

But converting "(&#x3a;" back to "(:" upon edit would defeat the 
purpose here.  Suppose a malicious person uses a form to insert a 
directive into a page -- it gets converted to "(&#x3a;" and so far 
we're safe.  Then, a privileged author comes along later and makes 
a minor edit to the page.  If the "(&#x3a;" is converted back to
a "(:", and our later author doesn't notice this, then the malicious
author will have succeeded in getting a directive added to a page.

> 3. In the multiline PTVs it is possible to enter in the 
> editform "(:SameVarName:" and this breaks the previous PTV. The "(:" should 
> probably be also escaped.

See above.

> 4. In the one-line PTVs it is possible to enter "(:if false:)" 
> or "(:NewPTV:Value:)" or any other directives which are not escaped, and this 
> is probably not the behaviour we intend to have:

In the new version, all input fields are escaped.

> This may be worth adding to the core, because I believe a PTV should not 
> contain directives. However, I am grateful that it is possible to 
> personalize the $ROEPatterns and by this to even rewrite the PTVPOSTVar() 
> function.

As I said, the code that is in SVN isn't what will end up in the release,
so don't rely on it.  

Thanks!

Pm
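An added illustration of the two rules discussed in this message (clearing a PTV only with a field of spaces, and escaping "(:" on form input but never undoing it on edit); this is example code written in Python for clarity, not PmWiki's PHP nor anything from its SVN, and the directive regex and function names are assumptions for the demo:

```python
import re
from typing import Optional

# Directive opener that PmWiki interprets, and the escaped form described in the thread.
DIRECTIVE_OPEN = "(:"
ESCAPED_OPEN = "(&#x3a;"
# Hypothetical detector for a live "(:name ...:)" directive in stored wikitext.
DIRECTIVE_RE = re.compile(r"\(:\w+.*?:\)", re.S)


def escape_directives(text: str) -> str:
    """Neutralise directive openers in untrusted form input ("(:" -> "(&#x3a;")."""
    return text.replace(DIRECTIVE_OPEN, ESCAPED_OPEN)


def unescape_directives(text: str) -> str:
    """The reverse mapping the question asks for; included only to show the hazard."""
    return text.replace(ESCAPED_OPEN, DIRECTIVE_OPEN)


def has_live_directive(text: str) -> bool:
    return DIRECTIVE_RE.search(text) is not None


def apply_ptv_post(current: str, posted: Optional[str]) -> str:
    """Model of the clearing rule: an absent or empty field leaves the PTV alone,
    a field of only spaces clears it, anything else replaces it (escaped)."""
    if posted is None or posted == "":
        return current
    if posted.strip() == "":
        return ""
    return escape_directives(posted)


def privileged_resave(shown_in_editform: str) -> str:
    """A privileged author saves the edit form unchanged; their input is not escaped."""
    return shown_in_editform


def roundtrip(stored: str, unescape_on_edit: bool) -> str:
    """What ends up in the page after a later edit by a privileged author."""
    shown = unescape_directives(stored) if unescape_on_edit else stored
    return privileged_resave(shown)


# Constructed untrusted submission carrying one of the directives from the thread.
UNTRUSTED = "Hello (:if false:) world"
STORED = apply_ptv_post("old value", UNTRUSTED)

if __name__ == "__main__":
    print(STORED)                                                       # Hello (&#x3a;if false:) world
    print(has_live_directive(roundtrip(STORED, unescape_on_edit=True)))   # True: directive revived
    print(has_live_directive(roundtrip(STORED, unescape_on_edit=False)))  # False: stays neutralised
```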
