[pmwiki-users] ZAP conditional syntax

The Editor editor at fast.st
Thu Mar 8 21:38:47 CST 2007


On 3/8/07, Ben Stallings <ben at interdependentweb.com> wrote:
> Dan replied to Jiri,
> > > (:zap condition="condition" fields="field1,field2" true="value1,value2"
> > > false="value3,value4":)
> > Can't really do that without creating a new markup which I would
> > rather avoid.  According to my markup definition, it has to look like
> > (:zap if*="text...":).
>
> At the risk of getting too techie for the users list...
>
> When I wrote UpdateForm's (:update:) markup definition, I copied it (and
> the series of function calls that parse it) shamelessly from that for
> (:input:) tags, which is very flexible -- it allows for any number of
> parameters.  I think if you used the same thing for (:zap:) you would
> find that you could still handle if* parameters (for backward
> compatibility) while gaining the ability to handle multiple-parameter
> tags like the one above.  You're all about flexibility, Dan; why limit
> your tags to one parameter?  :-)

You may be right about multiple parameters and flexibility but
personally I find it much easier to do the parsing in ZAP than working
in markups.  Also, theoretically at least, any (:zap :) field should
also be submittable as a post value where I only have field=value
available to me.  I also would have to think about how I store all
those session variables connected with that one field (not a simple
task)--where right now it's just a flat array of field=value pairs. So
in short it's just easier and more consistent with the work I've done
to not try and switch to multiple parameters.

> Good luck figuring something workable out of all these suggestions!  --Ben

Things went way better than expected.  I have a working model on my
machine that takes syntax like this:

(:zap if="equal Boo {Test} ? Test1=Admin , Test2=Hope : Test1=Member ,
Test2=Joy":)
or
(:zap validateTest="/expression/ ? Test1=Admin , Test2=Hope :
Test1=Member , Test2=Joy":)

It works exactly as you would expect... However, there is a
*theoretical* vulnerability in that someone could enter something into
the Test field like "Boo ? Field=Value , " and be able to execute a
malicious command or two--which could be dangerous in light of all the
capabilities ZAP has...  There may be other contexts where something
could be entered also...  I think doing some kind of check on field
replacements for if and validate commands might be adequate--just to
prevent monkey business.  Or another option might be to stop
processing if there is a " ? " somewhere it's not supposed to be...
Hmmm.

Other than this though--it works beautifully.  Full access to any
conditional in PmWiki (even ones you design), and unlimited execution
of ZAP commands on both true/false. Cool!  Thank you Ben for the great
syntax!

Think we can live with this?

Cheers,
Dan
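
The substitution-order issue raised in the message above, as an added example that is not part of the original post and is not ZAP's code. All function names are hypothetical, and the parser is a simplified stand-in for the "cond ? list : list" syntax shown in the message. It compares expanding {Field} values before parsing with parsing the page author's text first.

```php
<?php
// Added illustration; every function name here is hypothetical, not ZAP's code.

// Replace {Field} placeholders with submitted values.
function substitute(string $text, array $fields): string {
    return preg_replace_callback('/\{(\w+)\}/',
        fn($m) => $fields[$m[1]] ?? '', $text);
}

// Parse "A=1 , B=2" into ['A' => '1', 'B' => '2'].
function parse_assignments(string $list): array {
    $out = [];
    foreach (explode(',', $list) as $pair) {
        if (strpos($pair, '=') === false) continue;
        [$key, $value] = explode('=', $pair, 2);
        $out[trim($key)] = trim($value);
    }
    return $out;
}

// Split "cond ? true-list : false-list" on the first " ? " and first " : ".
function split_conditional(string $expr): array {
    [$cond, $rest] = array_pad(explode(' ? ', $expr, 2), 2, '');
    [$true, $false] = array_pad(explode(' : ', $rest, 2), 2, '');
    return ['cond'  => trim($cond),
            'true'  => parse_assignments($true),
            'false' => parse_assignments($false)];
}

// Risky order: submitted text is expanded before the structure is parsed,
// so separators inside a field value become part of the structure.
function expand_then_parse(string $tpl, array $fields): array {
    return split_conditional(substitute($tpl, $fields));
}

// Safer order: parse the page author's text, then expand only the condition.
function parse_then_expand(string $tpl, array $fields): array {
    $parts = split_conditional($tpl);
    $parts['cond'] = substitute($parts['cond'], $fields);
    return $parts;
}

// Template from the message; the field value is the input quoted in the message.
$tpl    = 'equal Boo {Test} ? Test1=Admin , Test2=Hope : Test1=Member , Test2=Joy';
$fields = ['Test' => 'Boo ? Field=Value , '];

print_r(expand_then_parse($tpl, $fields)['true']);  // true branch, expansion first
print_r(parse_then_expand($tpl, $fields)['true']);  // true branch, parsing first
```

With expansion first, the submitted value contributes its own Field assignment to the true branch. With parsing first, the branch contains only the assignments the page author wrote, and the submitted text stays inside the condition string.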


