[pmwiki-users] Editform: clearing a page text variable, escaping directives

Patrick R. Michaud pmichaud at pobox.com
Sat Apr 28 10:02:27 CDT 2007


On Sat, Apr 28, 2007 at 04:05:54PM +0200, Petko Yotov wrote:
> > > 1. It is not possible to clear a page text variable: if one erases the
> > > content of the text field, the PTV is not modified. 
> 
> In my imagination (and in the provided example Cookbook:RecipeInfoForm), the 
> form input box is pre-filled with the PTV's content. If the editor doesn't 
> modify it, it will send the same content back. But when the writer explicitly 
> modifies it, then it should be modified.

While this will indeed be a common approach (pre-filling the form
with PTV content), there may be other cases where empty input
boxes need to mean "don't modify".  The most common one is where 
someone is being prompted to modify a password of some sort -- clearly 
we don't want to pre-fill the input field in this case, or to
treat an empty field as meaning "clear the password".

So, as with many things, I'm taking the most safe/least disruptive
approach to begin with, and then we can relax things later as we 
understand how the feature is being used.  And there will definitely
be an option that means "treat empty field as modification to empty".

> If people really use empty input boxes to modify existing, non-empty PTVs (I 
> still cannot understand why), then probably PmWiki could detect if it had or 
> had not pre-filled the form with values ...

It is _very_ difficult for PmWiki to know if it has pre-filled out a
particular form with values.  Doing so requires keeping quite a bit
of session information around for every form that PmWiki generates,
and this session information will tend to grow without bound the
more a particular author interacts with PmWiki.  

Also note that simply viewing pages containing a form causes the 
session to grow, whether the form is filled out or not.

> > > 2. When one enters ":)" in the textarea, it is translated into ":)"
> > > in the wiki-source. But when one re-edits the PTV in the "editform", one
> > > sees ":)" (actually, ":)" in HTML). Is it possible to
> > > translate it back to ":)"? It would be more readable and usable,
> > > especially favorable for inexperienced writers. The "<" and "&" are
> > > converted properly to "&lt;" and not to "&amp;lt;" in HTML.
> >
> > The conversion of ":)" to "&#x3a;)" is actually going to change -- it will
> > be "(:" converted to "(&#x3a;".  However, your point remains.
> 
> Maybe then escape both, because:
>   (:RealVar: Text added by user :) this will be cut from PTV
>   and will show in the page. EndRealVar:)

Actually, I was thinking that in the :) case PmWiki might convert
the above to

    (::RealVar: Text added by user :) this won't be cut from PTV ::)

i.e., PmWiki would automatically catch the :) and know to switch
the page variable to use (::...::) instead.  And this would generalize
to more colons if the input field had "::)", etc.  But I still
haven't decided exactly how I want to handle this case, which is why
PmWiki is still in beta, and also why I haven't bundled any of it
into a release.  :-)

I'm also thinking that a less disruptive approach might be to
simply convert "(:" and ":)" into "(;" and ";)".

> > But converting "(&#x3a;" back to "(:" upon edit would defeat the
> > purpose here.  Suppose a malicious person uses a form to insert a
> > directive into a page -- it gets converted to "(&#x3a;" and so far
> > we're safe.  Then, a privileged author comes along later and makes
> > a minor edit to the page.  If the "(&#x3a;" is converted back to
> > a "(:", and our later author doesn't notice this, then the malicious
> > author will have succeeded in getting a directive added to a page.
> 
> I did not mean in the wiki source, but in the editform's input-boxes 
> (PmPhilosophy n°1) but currently I cannot see how this could be done. 

The problem is that if it's in the editform's input-boxes, then
when the author (re-)submits the page to PmWiki we cannot know if
the "(:" that comes from the text field is because we previously
converted from (&#x3a; or because the author really wants a "(:"
to appear there.

Thanks!

Pm
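The two mechanics discussed above (a user-supplied value containing ":)" closing a page text variable early, and escaping "(:" so that form input can never become a directive) can be tried out in isolation. The following is an added illustration, not PmWiki's own code: it uses a deliberately minimal regex model of the `(:name: value :)` syntax, a constructed sample value, and hypothetical function names (`choose_colons`, `render_ptv`, `parse_ptvs`, `escape_directive_open`, `escape_soft`, `resubmit_indistinguishable`). It implements the "(::...::)" generalisation Pm sketches, Pm's alternative "(;" / ";)" rewrite, and the re-edit ambiguity from the last paragraph.

```python
import re

# Constructed sample user input, modelled on the thread's example (not real form data).
USER_INPUT = "Text added by user :) this will be cut from PTV and will show in the page."

# Minimal model of a PTV definition: "(" + N colons + name + ":" + value + N colons + ")".
# The backreference \1 forces the closing token to carry the same number of colons.
PTV_RE = re.compile(r"\((:+)(\w+):(.*?)\1\)", re.DOTALL)


def parse_ptvs(source):
    """Return {name: value} for every PTV definition found in the wiki source."""
    return {m.group(2): m.group(3).strip() for m in PTV_RE.finditer(source)}


def choose_colons(value):
    """Smallest N such that the closing token ':'*N + ')' does not occur in value.
    ':)' is a substring of '::)', so a value containing '::)' needs N = 3, and so on."""
    n = 1
    while (":" * n + ")") in value:
        n += 1
    return n


def render_ptv(name, value):
    """Write the PTV with enough colons that the user value cannot terminate it."""
    n = choose_colons(value)
    return "(" + ":" * n + name + ": " + value + " " + ":" * n + ")"


def escape_directive_open(text):
    """Neutralise directive openers as the message says PmWiki will:
    '(:' becomes '(&#x3a;', which renders as '(:' but is never parsed as a directive."""
    return text.replace("(:", "(&#x3a;")


def escape_soft(text):
    """Pm's 'less disruptive' alternative: rewrite '(:' to '(;' and ':)' to ';)'."""
    return text.replace("(:", "(;").replace(":)", ";)")


def unescape_for_edit(stored):
    """Naively turn the escaped form back into '(:' for display in an edit box."""
    return stored.replace("(&#x3a;", "(:")


def resubmit_indistinguishable(stored_escaped, author_typed):
    """True when re-submitting the unescaped stored text yields exactly what an author
    who typed a raw '(:' would submit, i.e. the server cannot tell the two apart."""
    return unescape_for_edit(stored_escaped) == author_typed


if __name__ == "__main__":
    naive = "(:RealVar: " + USER_INPUT + " :)"
    print("naive PTV value:", parse_ptvs(naive)["RealVar"])      # truncated at ':)'
    safe = render_ptv("RealVar", USER_INPUT)
    print("generalised form:", safe)
    print("safe PTV value:  ", parse_ptvs(safe)["RealVar"])      # whole input survives
    print("escaped opener:  ", escape_directive_open("(:include Foo:)"))
    print("soft rewrite:    ", escape_soft("(:include Foo:)"))
```

Running the script shows the naive form yielding only "Text added by user" while the "(::...::)" form keeps the whole value, and that an escaped opener no longer parses as a PTV at all. The last function captures why Pm rejects unescaping on edit: once "(&#x3a;" has been turned back into "(:" in the text box, the re-submitted text is byte-for-byte what a deliberate "(:" would look like, so there is nothing left for the server to distinguish.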
