[pmwiki-users] Editform: clearing a page text variable, escaping directives

Patrick R. Michaud pmichaud at pobox.com
Sun Apr 29 11:29:13 CDT 2007


On Sun, Apr 29, 2007 at 09:50:52AM -0400, The Editor wrote:
> >It is _very_ difficult for PmWiki to know if it has pre-filled out a
> >particular form with values.  Doing so requires keeping quite a bit
> >of session information around for every form that PmWiki generates,
> >and this session information will tend to grow without bound the
> >more a particular author interacts with PmWiki.
> >
> >Also note that simply viewing pages containing a form causes the
> >session to grow, whether the form is filled out or not.
> 
> For what it's worth, ZAP stores its ZAP inputs as a session variable
> array keyed to each page.  Every time a form is submitted, all such
> session variables are unset, for every page (not just the current
> one). This keeps it from growing too much.

FWIW, this could be a bit annoying if I have multiple tabs open 
in my browser, and submitting a form in one tab causes all of the
forms in other tabs to be invalidated (requiring me to reload the
page).

> 2) Directives inside the PTV (option1) would need to be escaped so
> they are not accidentally executed when viewing the page

Since any directives are already inside of a hidden PTV, they'll
be removed before being evaluated anyway.

> 3) Another disadvantage (possible) to the first option is that
> retrieving the PTV would automatically execute the internal directives
> which is part of the security problem.

Retrieving the PTV doesn't execute the internal directives -- 
displaying them does.

> However the thought just occurred to me a custom markup like (::
> {$:var} ::) could be set up just before the directives begin in the
> markup table which only does a simple string replacement to restore (
> : : )'s in the PTV to (: :).  [...]
> 
> This sounds like a pretty cool solution!  What do you think Pm?

It's not something that I'm too worried about resolving.
The answer is likely to be simply that any "(:" and ":)"
are translated to "( :" and ": )", and by default it won't 
be possible to put directives into PTVs using my forms 
processing engine (configurable of course).

Thanks!

Pm
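The escaping rule Pm describes above ("(:" and ":)" rewritten to "( :" and ": )" before a value is stored in a PTV), as an added example in Python rather than PmWiki's PHP; the directive regex, the handler table and the `restore_ptv_directives` inverse are simplified stand-ins written for this illustration, not PmWiki's own code.

```python
import re

# Toy stand-in for PmWiki's directive markup: "(:name args:)".  Constructed
# for this example; the real markup table is far richer than this.
DIRECTIVE = re.compile(r"\(:(\w+)\s*([^:]*?):\)")


def escape_ptv_directives(value: str) -> str:
    """Neutralise directive delimiters before the forms engine writes the
    value into a page text variable, so displaying the PTV later cannot
    run a directive the author typed into the form."""
    return value.replace("(:", "( :").replace(":)", ": )")


def restore_ptv_directives(value: str) -> str:
    """Inverse mapping, what a custom (:: {$:var} ::) markup would do if a
    site deliberately chooses to re-enable directives in a PTV."""
    return value.replace("( :", "(:").replace(": )", ":)")


def render_directives(text: str, handlers: dict) -> str:
    """Simplified markup pass: each (:name args:) is replaced by its
    handler's output; unknown or escaped directives display literally."""
    def substitute(match: re.Match) -> str:
        name, args = match.group(1), match.group(2).strip()
        handler = handlers.get(name)
        return handler(args) if handler else match.group(0)
    return DIRECTIVE.sub(substitute, text)


# Constructed sample: an author submits a form field containing a directive.
SAMPLE_HANDLERS = {"include": lambda page: f"[contents of {page}]"}
SAMPLE_INPUT = "Hello (:include Site.Secret:) world"

if __name__ == "__main__":
    # Stored unescaped, viewing the PTV would execute the directive.
    print(render_directives(SAMPLE_INPUT, SAMPLE_HANDLERS))
    # Stored escaped, the same text is displayed verbatim and stays inert.
    print(render_directives(escape_ptv_directives(SAMPLE_INPUT), SAMPLE_HANDLERS))
```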