Osipov wrote:
> Thank you all, it works. I just created a Python wrap for my PHP
> functions and use this class as db;
>
> But this is not safe: I tried to parse:
>
> wikicode:
> {| border='cde' onclick='alert(123)'
> | cell 1.1
> | cell 1.2
> |-
> | cell 2.1
> | cell 2.2
> |}
>
> mwlib fixed border, but passed `onclick='alert(123)'`. I need to parse
> user input, and it is wrong to pass javascript.
> mwlib fixed the border value to an integer, which means that there exists a list
> of allowable attributes. How to make it safe?
>
>   
Hi,
I don't exactly understand what you are trying to do, but let me clarify 
the attribute handling of mwlib:

mwlib parses attributes for some nodes and adds the parsed attribute 
string to the node. In the advtree module some attributes are checked 
for validity, like col- and rowspan.

It's up to the writers to parse and evaluate the other attributes. 
mwlib.rl for example parses border attributes. Since there is no 
sophisticated handling of borders, mwlib.rl just tries to find out if 
the markup might mean that a certain element has a border. A border 
attribute value of 'cde' is interpreted as 'yes, let's draw a border'.
Pretty much all other attributes are ignored.

Depending on the writer, attributes may be written. The htmlwriter for 
example seems to write all attributes in Cell (td/Table cell) and Table 
nodes.

This leads me to the question: are you using the htmlwriter or xhtmlwriter?

Regards,
Volker

-- 
volker haas                 brainbot technologies ag
fon +49 6131 2116394        boppstraße 64
fax +49 6131 2116392        55118 mainz
[EMAIL PROTECTED]    http://www.brainbot.com/
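The thread's point is that mwlib only validates a few attributes (colspan, rowspan, the border flag) and leaves the rest to the writer, so an HTML writer that emits every attribute will pass `onclick` through. The following is an added example, not code from mwlib or from either poster: it parses the attribute string of the quoted `{|` line, keeps only an allowlist of table/cell attributes (the allowlist and its validators are assumptions for the illustration), coerces `border` to a flag the way the reply describes mwlib.rl interpreting it, and drops everything else, including event handlers, before rendering the tag.

```python
import re
from html import escape

# The table-start line from the quoted wikitext (constructed for this example).
SAMPLE_TABLE_LINE = "{| border='cde' onclick='alert(123)'"


def _as_int(value, minimum=0):
    """Return value as an int if it parses and is >= minimum, else None (drop)."""
    try:
        n = int(value)
    except ValueError:
        return None
    return n if n >= minimum else None


def _as_border_flag(value):
    """Any non-empty border value means 'draw a border'; normalise it to '1'
    so the emitted HTML never carries the raw user string."""
    return "1" if value.strip() != "" else None


# Allowlist: attribute name -> validator returning a cleaned value or None.
# This list is an assumption for the example, not mwlib's own table.
ALLOWED_ATTRS = {
    "border": _as_border_flag,
    "colspan": lambda v: _as_int(v, 1),
    "rowspan": lambda v: _as_int(v, 1),
    "align": lambda v: v.lower() if v.lower() in {"left", "center", "right"} else None,
}

# name='value', name="value" or name=bareword
_ATTR_RE = re.compile(r"""([A-Za-z][\w:-]*)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'"]+))""")


def parse_attrs(attr_string):
    """Parse key=value pairs from a wikitext table/cell attribute string."""
    attrs = {}
    for m in _ATTR_RE.finditer(attr_string):
        name = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[name] = value
    return attrs


def sanitize_attrs(attrs):
    """Keep only allowlisted attributes whose validator accepts the value.
    Unlisted names (onclick, style, ...) are dropped, not escaped."""
    clean = {}
    for name, value in attrs.items():
        validator = ALLOWED_ATTRS.get(name)
        if validator is None:
            continue
        cleaned = validator(value)
        if cleaned is not None:
            clean[name] = cleaned
    return clean


def render_open_tag(tag, attrs):
    """Serialise an opening tag, HTML-escaping every attribute value."""
    parts = [tag]
    for name in sorted(attrs):
        parts.append(f'{name}="{escape(str(attrs[name]), quote=True)}"')
    return "<" + " ".join(parts) + ">"


def table_open_tag_from_line(line):
    """Handle a '{|' table-start line: strip the marker, parse, sanitise, render."""
    attr_string = line[2:] if line.startswith("{|") else line
    return render_open_tag("table", sanitize_attrs(parse_attrs(attr_string)))


if __name__ == "__main__":
    print(table_open_tag_from_line(SAMPLE_TABLE_LINE))  # <table border="1">
```

The design choice is an allowlist with per-attribute validators rather than a blocklist of `on*` names: a blocklist has to enumerate every handler and every attribute that can carry a URL or script (`href`, `style`, `formaction`), whereas an allowlist only grows when a writer deliberately decides to emit a new attribute.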

