> Just out of curiosity I thought I would try this. Can you tell me if
> it meets your needs (on a fresh install...)
>
> engine.php, ~1643, near beginning of BOLTpageshortcuts:
>
> $link = html_entity_decode($link, ENT_QUOTES, 'UTF-8');
>
> P.S. One BIG problem is we will lose php4 support. UTF-8 seems to have
> been a php5 addition for this function. I don't like the looks of the
> workarounds I see...
I don't like that restriction to php5. Still, I did a quick test: page creation via form works, but can't use & nor &amp; in input field. html entities in links work, but can't use link like [[test.X&Z]] (goes to page test.X). I think it still needs points 1 and 4 of my fixes (removing & from $BOLTutfEscapeChars and adding ampamp markup rule), only the fixes of points 2 and 3 can be avoided. And since it needs php5 it is a no-go anyway.

Re: the previous mail:

> In summary,
> 1) I am concerned about possible security vulnerabilities by allowing
> risky chars in page names.

With my proposed changes one cannot for instance create a page foo<script>bar; input of < and > as well as &lt; and &gt; results in invalid page name errors. This is true for all characters listed in $BOLTutfEscapeChars. Only the '&' must not be part of this array, so one can enter html entities. So we do not get risky characters in page names.

> 2) I am worried about possible bugs, such as special chars being
> entered that have pageshortcut meanings, and confusion with get
> variables. do these clash with html entities?

Note that the html entity entered in a page name field gets converted to url % code. The most likely place for trouble is link markup. Like [[test.X&Z]] needs the ampamp markup rule in order not to be misinterpreted.

> 3) I am concerned that certain pages could be created via a form but
> not created via the url bar. I realize however, there's probably
> nothing we can do about the url bar, either way.

Yes, I never even tried to add html entities in the url bar, knowing it has to fail most likely, or that browsers will interpret such attempts in different ways (some browsers are more forgiving I read). So I restricted adding html entities in form input and link markup.

Thanks for your detailed response! I think we agree on the issues now.
cheers,
~Hans

You received this message because you are subscribed to the Google Groups "BoltWire" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/boltwire?hl=en
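The check Hans describes above (reject a page name when its decoded form contains any character from $BOLTutfEscapeChars, but keep '&' out of that list so entities can still be typed) can be illustrated in a few lines of PHP. The block below is an added example written for this thread; it is not BoltWire's code and not from either poster. The list `$riskyChars`, the functions `decodedPageName` and `isValidPageName`, and the sample page names are all assumptions made for the demonstration. The point it makes is that the validation has to run on the output of `html_entity_decode`, otherwise `foo&lt;script&gt;bar` passes a raw-character check and becomes `foo<script>bar` the first time something decodes it.

```php
<?php
// Added example, not BoltWire's code: validate a page name on its
// entity-decoded form rather than on the raw bytes the form submitted.

// Hypothetical stand-in for the escape-character list discussed in the
// thread. '&' is deliberately left out so html entities remain typeable.
$riskyChars = ['<', '>', '"', "'", '/', '\\', '?', '#', '%'];

function decodedPageName(string $raw): string
{
    // ENT_QUOTES decodes &quot; and &#39; as well; the 'UTF-8' charset
    // argument is the PHP 5 requirement mentioned in the thread.
    return html_entity_decode($raw, ENT_QUOTES, 'UTF-8');
}

function isValidPageName(string $raw, array $riskyChars): bool
{
    $decoded = decodedPageName($raw);
    if ($decoded === '') {
        return false;
    }
    foreach ($riskyChars as $c) {
        // Any risky character in the decoded name rejects it, regardless
        // of whether it arrived raw or as an entity.
        if (strpos($decoded, $c) !== false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs with the result the check is expected to give.
$cases = [
    'Main.HomePage'            => true,
    'foo<script>bar'           => false, // raw risky characters
    'foo&lt;script&gt;bar'     => false, // same name, entity-encoded
    'Tom&amp;Jerry'            => true,  // decodes to "Tom&Jerry"; '&' is allowed
    'caf&eacute;'              => true,  // decodes to "café"
    'foo&amp;lt;script&amp;gt;bar' => true, // decodes once to "foo&lt;script&gt;bar":
                                            // passes, so the stored (decoded) name
                                            // must never be decoded a second time
];

foreach ($cases as $name => $expected) {
    $ok = isValidPageName($name, $riskyChars);
    printf("%-30s decoded=%-22s valid=%-3s %s\n",
        $name,
        decodedPageName($name),
        $ok ? 'yes' : 'no',
        $ok === $expected ? '' : '(UNEXPECTED)');
}
```

The last sample is the caveat worth keeping in mind with this design: a single decode is what the check sees, so the decoded name is what should be stored and compared against, and no later code path (display, link resolution, URL building) should run html_entity_decode over it again. The thread's point 2 about '&' colliding with GET variables is a separate issue that this check does not address; that is what the ampamp markup rule is for.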
