Osipov wrote:
> Thank you all, it works. I just created Python wrap for my PHP
> functions and use this class as db;
>
> But this is not safe: I tried to parse:
>
> wikicode:
> {| border='cde' onclick='alert(123)'
> | cell 1.1
> | cell 1.2
> |-
> | cell 2.1
> | cell 2.2
> |}
>
> mwlib fixed border, but passed `onclick='alert(123)'`. I need to parse
> user input, and it is wrong to pass javascript.
> mwlib fixed the border value to an integer, which means that there exists a list
> of allowable attributes. How to make it safe?
>
>
Hi,
I don't exactly understand what you are trying to do, but let me clarify
the attribute handling of mwlib:
mwlib parses attributes for some nodes and adds the parsed attribute
string to the node. In the advtree module some attributes are checked
for validity, like col- and rowspan.
It's up to the writers to parse and evaluate the other attributes.
mwlib.rl for example parses border attributes. Since there is no
sophisticated handling of borders, mwlib.rl just tries to find out if
the markup might mean that a certain element has a border. A border
attribute value of 'cde' is interpreted as 'yes, let's draw a border'.
Pretty much all other attributes are ignored.
Depending on the writer, attributes may be written. The htmlwriter for
example seems to write all attributes in Cell (td/Table cell) and Table
nodes.
This leads me to the question: are you using the htmlwriter or xhtmlwriter?
Regards,
Volker
--
volker haas brainbot technologies ag
fon +49 6131 2116394 boppstraße 64
fax +49 6131 2116392 55118 mainz
[EMAIL PROTECTED] http://www.brainbot.com/
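
The allowlist idea raised in this thread, as an added example that is not part of either message and is not mwlib code: a filter a writer could apply to table and cell attributes before serializing them to HTML. The attribute-dict input shape, the `ALLOWED` table and all function names are assumptions made for illustration.

```python
import html
import re

def _integer(value):
    # Accept only a short run of ASCII digits; anything else drops the attribute.
    value = value.strip()
    return str(int(value)) if re.fullmatch(r"[0-9]{1,4}", value) else None

def _keyword(value):
    # Accept only plain alignment keywords.
    value = value.strip().lower()
    known = {"left", "right", "center", "top", "middle", "bottom"}
    return value if value in known else None

# Assumed allowlist (not mwlib's): tag -> attribute -> validator.
ALLOWED = {
    "table": {"border": _integer, "cellpadding": _integer,
              "cellspacing": _integer, "align": _keyword},
    "td": {"colspan": _integer, "rowspan": _integer,
           "align": _keyword, "valign": _keyword},
}

def sanitize_attrs(tag, attrs):
    """Keep only allowlisted attributes of `tag` whose values validate."""
    rules = ALLOWED.get(tag.lower(), {})  # unknown tag: no attributes survive
    clean = {}
    for name, value in attrs.items():
        key = name.strip().lower()
        check = rules.get(key)
        if check is None:
            continue  # not on the list (onclick, style, ...): dropped
        cleaned = check(str(value))
        if cleaned is not None:
            clean[key] = cleaned
    return clean

def render_open_tag(tag, attrs):
    """Serialize an opening tag; the tag name is assumed to come from the
    writer's own code, never from user input."""
    parts = [tag.lower()]
    for name, value in sorted(sanitize_attrs(tag, attrs).items()):
        # Escape even validated values so a loosened validator cannot break out.
        parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
    return "<%s>" % " ".join(parts)

# Constructed input mirroring the table attributes quoted in the thread.
SAMPLE = {"border": "cde", "onclick": "alert(123)"}

if __name__ == "__main__":
    print(render_open_tag("table", SAMPLE))
```

Unlike the behaviour described above, where a border value of 'cde' is read as "draw a border", this filter drops a non-numeric border rather than coercing it.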