On Sun, Mar 09, 2008 at 11:55:17AM +0000, Hans wrote:
> Sunday, March 9, 2008, 2:33:29 AM, Patrick wrote:
>
> > Also, as a general rule it's unwise to be calling FmtPageName()
> > on strings that are coming from page markup, as this exposes
> > the ability for people to view the values of variables that
> > perhaps they shouldn't see. This is also why page variables
> > (which come from markup) use PageVar() and PageTextVar() and
> > don't go through FmtPageName().
>
> I am not sure what to make of this.
> I am only trying to read an edit template.
> As I said originally:
>
> I am trying to load an edit form with
>
> $HandleEditFmt = array(&$PageStartFmt, &$PageEditFmt, &$PageEndFmt);
> PrintFmt($pagename, $HandleEditFmt);
>
> $PageEditFmt gets retrieved from a template on an EditForm page.
The point is that PmWiki never calls FmtPageName() on arbitrary data that comes directly from a wiki page (including templates) -- the strings are always checked and/or escaped for various characters (including $) first. Otherwise there's the potential for malicious editors to grab global configuration information and/or insert various XSS, JavaScript, or HTML attacks.

Pm

_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
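A minimal model of the point Pm makes above, added here as an example and not PmWiki's own code: `expandFmt()` and `escapePageString()` are hypothetical stand-ins for a `$Variable`-expanding formatter and for the check/escape step applied to page-sourced strings, and the global and template text are constructed.

```php
<?php
// Added example (not PmWiki code): why a string that came from a wiki page
// must have its '$' neutralised before it reaches a format-expanding function.

$SecretDbPassword = 'hunter2';   // constructed: a global a config file might set

// Hypothetical stand-in for a formatter like FmtPageName(): replaces $Name
// with the value of the global variable of that name.
function expandFmt(string $fmt): string {
    return preg_replace_callback('/\$([A-Za-z_][A-Za-z0-9_]*)/', function ($m) {
        $name = $m[1];
        return (isset($GLOBALS[$name]) && is_scalar($GLOBALS[$name]))
            ? (string)$GLOBALS[$name]
            : $m[0];   // unknown name: leave the text untouched
    }, $fmt);
}

// Hypothetical stand-in for the escape step described in the reply: HTML
// metacharacters and '$' are rendered inert so nothing in the page text can be
// interpreted as a variable reference or as markup.
function escapePageString(string $s): string {
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return str_replace('$', '&#036;', $s);
}

// Constructed template text as an editor could store it on an EditForm page.
$template = 'Edit form: $SecretDbPassword <script>alert(1)</script>';

// Formatting page text directly: the global is substituted and the script
// tag survives into the output.
echo expandFmt($template), "\n";

// Escaping first: the output is the literal template text, nothing expanded.
echo expandFmt(escapePageString($template)), "\n";
```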