On Wed, Jan 6, 2010 at 11:11 AM, Danny <[email protected]> wrote:
>>
>> As for security, we have troubles either way. In this case, we don't
>> have to worry about making sure everything that writes to a page is
>> properly encoded, because it gets encoded on the way out. I think
>> apache is probably secure enough. And for other potential security
>> risks, I suspect we can put up simple but effective road blocks.
>>
>> For these reasons keeping the source simplest appears more attractive
>> to me. I think this could greatly simplify the core code. That may
>> change when we get around to implementing it, but I get the feeling
>> now that this will work very nicely.
>
> I've tried a famous wiki system Dokuwiki and it stores the source in
> this way (escape only on load). And for security, maybe we could give
> all pages the extension '.txt' which gives 2 benefits. One is to be
> secure if someone occasionally opens the source. The second is that at
> least in Windows OS, all '.txt' files would be automatically opened by
> a predefined system application.
This is a good idea. I'm not excited about renaming all the pages,
personally, but I see your point. I'm open to others chiming in. At
this point we are still in discussion mode on the character encoding
point. It's good to know dokuwiki follows this approach.
> And even though pages are stored as source, we probably still need to
> escape them after loading them and write markup rules in < and >
> for convenience (to prevent the markup output with < and > from being
> incidentally fed back in as input) and for security. That's not important,
> just a note.
Of course, this was understood (on my part).
>> > Also, the current data/info loading is buggy since ">" are not escaped
>> > so <b>xxx</b> in data/info would not be parsed as markups.
>>
>> Hmmm, you are right. This can be fixed by inserting the second line
>> below into BOLTvarCache (in engine.php):
>>
>> $d = substr($d, strpos($d, "\n~data~\n") + 8); // skip past the "~data~" marker
>> $d = str_replace('&lt;', '<', $d);             // unescape '<' after loading
>>
> No, I meant '>', not '<'. Since '<' are stored escaped but data/infos
> are not unescaped after being loaded, and markup rules only recognize >
Oops you are right! Big mistake on my part... This line works better:
$d = str_replace('&gt;', '>', $d); // unescape '>' so markup rules can match tags
Cheers,
Dan
--
You received this message because you are subscribed to the Google Groups
"BoltWire" group.
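The two storage strategies argued over in this thread, side by side, as an added example that is not BoltWire code and not taken from engine.php or BOLTvarCache. The function names, the single bold markup rule and the sample page text are constructed for illustration. Strategy A stores the page source raw and HTML-encodes it on the way out, with the markup rule written against the encoded form (the "escape only on load" approach); strategy B stores the text already escaped and has to unescape it after loading, which is where the missing '>' replacement bites.

```php
<?php
// Added example, not project code. Shows why "encode on output" keeps the
// core simple and why stored-escaped data must have both '<' and '>'
// restored before markup rules written with literal tags can match.

// Strategy A: source is stored raw; the single encoder runs on every
// output path, so page text can never reach the browser as live HTML.
function renderRawStored(string $source): string
{
    // Encode first. This neutralises any HTML or script in the stored text.
    $safe = htmlspecialchars($source, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // The markup rule matches the *encoded* form, so a literal '<' typed by
    // a page author is just text and cannot influence the rule.
    return preg_replace('#&lt;b&gt;(.*?)&lt;/b&gt;#s', '<strong>$1</strong>', $safe);
}

// Strategy B: text (the data/info case in the thread) is stored already
// escaped and must be unescaped on load. $fixGt toggles the second
// replacement that the thread ends up adding.
function loadEscapedStored(string $stored, bool $fixGt): string
{
    $d = str_replace('&lt;', '<', $stored);
    if ($fixGt) {
        $d = str_replace('&gt;', '>', $d);
    }
    return $d;
}

// A markup rule written with literal tags, as the thread says the
// existing rules are. It only matches once both brackets are restored.
function applyLiteralRules(string $d): string
{
    return preg_replace('#<b>(.*?)</b>#s', '<strong>$1</strong>', $d);
}

// Constructed sample inputs.
$rawPage     = "<b>bold</b> and a stray <script>alert(1)</script>";
$escapedInfo = "&lt;b&gt;xxx&lt;/b&gt;";

echo "A, raw source encoded on output:\n  ",
     renderRawStored($rawPage), "\n";
echo "B, only '<' unescaped (rule cannot match):\n  ",
     applyLiteralRules(loadEscapedStored($escapedInfo, false)), "\n";
echo "B, both '<' and '>' unescaped:\n  ",
     applyLiteralRules(loadEscapedStored($escapedInfo, true)), "\n";
```

Run with `php example.php`. In the first line the bold markup becomes `<strong>` while the `<script>` text stays encoded, because encoding happened before any rule ran. In the second line the half-unescaped `<b&gt;` never matches the rule, which is exactly the data/info bug described above. Strategy B also carries the caveat Danny raises: once the stored text is unescaped, anything a rule does not consume is raw HTML again unless a later step re-encodes it, whereas in strategy A there is nothing left to forget.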