>
> As for security, we have trouble either way. In this case, we don't
> have to worry about making sure everything that writes to a page is
> properly encoded, because it gets encoded on the way out. I think
> apache is probably secure enough. And for other potential security
> risks, I suspect we can put up simple but effective road blocks.
>
> For these reasons keeping the source simplest appears more attractive
> to me. I think this could greatly simplify the core code. That may
> change when we get around to implementing it, but I get the feeling
> now that this will work very nicely.
I've tried a famous wiki system, DokuWiki, and it stores the source in
this way (escape only on load). And for security, maybe we could give
all pages the extension '.txt', which gives two benefits. One is to be
secure if someone occasionally opens the source. The second is that, at
least on Windows, all '.txt' files would automatically be opened by
a predefined system application.
And even though pages are stored as source, we probably still need to
escape them after loading them and write the markup rules in &lt; and &gt;,
for convenience (to prevent markup output containing < and > from being
incidentally fed back in as input) and for security. That's not important, just
a note.
>
> > Also, the current data/info loading is buggy since ">" are not escaped
> > so <b>xxx</b> in data/info would not be parsed as markups.
>
> Hmmm, you are right. This can be fixed by inserting the second line
> below into BOLTvarCache (in engine.php):
>
> $d = substr($d, strpos($d, "\n~data~\n") + 8);
> $d = str_replace('<', '&lt;', $d);
>
No, I meant '>', not '<'. Since '<' is stored escaped but data/infos
are not escaped after being loaded, and the markup rules only recognize &gt;.
--
You received this message because you are subscribed to the Google Groups
"BoltWire" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/boltwire?hl=en.
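To make the escape-on-load idea from this thread concrete, here is an added PHP illustration. It is not BoltWire's own code: the function names escapeOnLoad, applyMarkup and renderPage, the two markup rules, and the sample page and data/info strings are all my own assumptions. It escapes the loaded text once with double_encode turned off, so a stored '&lt;' is left alone while a raw '>' that was never escaped in a data/info field gets encoded, and it writes the markup rules against '&lt;' and '&gt;', so the real tags a rule emits are never matched again as input.

```php
<?php
// Added illustration of escape-on-load plus markup rules written in
// escaped form. Not BoltWire's code; names and inputs are assumptions.

// Escape once on load. double_encode=false keeps entities that are
// already in the stored source (e.g. "&lt;") from turning into
// "&amp;lt;", while any raw "<" or ">" (e.g. an unescaped data/info
// field) is encoded.
function escapeOnLoad($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Markup rules match the escaped delimiters only. The output of a rule
// ("<b>...</b>") contains a raw "<", which no rule matches, so rule
// output cannot be re-read as markup input on a second pass.
function applyMarkup($escaped) {
    $rules = array(
        '#&lt;b&gt;(.*?)&lt;/b&gt;#s' => '<b>$1</b>',
        '#&lt;i&gt;(.*?)&lt;/i&gt;#s' => '<i>$1</i>',
    );
    return preg_replace(array_keys($rules), array_values($rules), $escaped);
}

function renderPage($stored) {
    return applyMarkup(escapeOnLoad($stored));
}

// Constructed input 1: page source that was escaped on save. The bold
// markup is rendered; the script tag stays inert text.
$page = "Hello &lt;b&gt;world&lt;/b&gt; and a stray &lt;script&gt;alert(1)&lt;/script&gt;";
$html = renderPage($page);
echo $html, "\n";
// Hello <b>world</b> and a stray &lt;script&gt;alert(1)&lt;/script&gt;

// Running the rules over their own output changes nothing, because the
// emitted "<b>" is raw and the rules only know "&lt;b&gt;".
echo (applyMarkup($html) === $html ? "idempotent" : "re-parsed!"), "\n";

// Constructed input 2: a data/info value where "<" was stored escaped
// but ">" was not (the case discussed in the thread). Without the
// escape-on-load step the rule misses the raw ">"; with it, it matches.
$info = "&lt;b>xxx&lt;/b>";
echo applyMarkup($info), "\n";   // &lt;b>xxx&lt;/b>
echo renderPage($info), "\n";    // <b>xxx</b>
```

The fourth argument to htmlspecialchars() is what makes "escape again after loading" safe for source that was already escaped on save; without it, every stored '&lt;' would become '&amp;lt;' and no rule would match.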