Saturday, July 19, 2008, 2:22:07 PM, Hans wrote:

> I wonder if the ApplyStyles function could
> be changed so that it will not accept values set by style markup for
> certain attributes, in which I would put all javascript event
> handlers.

Perhaps it could be done like this, as a proposal for core change:

Add to function ApplyStyles, after

    $m = array_shift($match);

this:

    if (is_array($UnsafeWikiStyleAttr) && in_array($m[1],$UnsafeWikiStyleAttr)) continue;

and add to globals: $UnsafeWikiStyleAttr

Then an admin can define array $UnsafeWikiStyleAttr possibly like this in config:

    $UnsafeWikiStyleAttr = array('onload','onunload','onclick','ondblclick','onmousedown',
      'onmouseup','onmouseover','onmousemove','onmouseout','onfocus','onblur',
      'onkeypress','onkeydown','onkeyup','onsubmit','onreset','onselect','onchange');

and can add event handlers as attributes and define the scripts, like

    $WikiStyleAttr['onclick'] = 'a';
    $WikiStyle['confirm']['onclick'] = ' return confirm("Are you sure?") ';

So this would need a one line addition to the core function, which adds a filter to filter out unwanted attribute keywords. It can be left to the admin to implement adding any needed javascript event handlers, and set necessary restrictions.

Hans
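
An added example, not part of the message above and not PmWiki's own code: a simplified stand-in for the attribute loop that compares the proposed exact-match skip with a variant that lowercases the key and rejects every name beginning with "on". The parsing regex, the function names and the sample strings are assumptions constructed for illustration; whether ApplyStyles already normalises key case is not shown on this page.

```php
<?php
// Added example: simplified stand-in, NOT PmWiki's ApplyStyles().
// Regex, function names and samples are assumptions for illustration.

// Denylist as proposed in the message (abbreviated here).
$UnsafeWikiStyleAttr = array('onload', 'onclick', 'onmouseover', 'onsubmit');

// Parse key=value / key:value pairs out of a style markup argument string.
function parse_style_args($args) {
    preg_match_all('/\b([a-zA-Z][-\w]*)\s*[:=]\s*("[^"]*"|\'[^\']*\'|\S+)/',
                   $args, $match, PREG_SET_ORDER);
    return $match;
}

// The filter as written in the message: exact, case-sensitive match.
function is_unsafe_exact($key, $unsafe) {
    return is_array($unsafe) && in_array($key, $unsafe);
}

// Hardened variant: normalise case and treat every "on*" name as an
// event handler, so handlers missing from the list are still rejected.
function is_unsafe_hardened($key, $unsafe) {
    $key = strtolower($key);
    return strncmp($key, 'on', 2) === 0
        || (is_array($unsafe) && in_array($key, $unsafe, true));
}

// Return the attribute names that survive a given filter.
function accepted_attrs($args, $unsafe, $is_unsafe) {
    $out = array();
    foreach (parse_style_args($args) as $m) {
        if ($is_unsafe($m[1], $unsafe)) continue;  // the proposed one-line skip
        $out[] = $m[1];
    }
    return implode(',', $out);
}

// Constructed sample markup arguments.
$samples = array(
    'color=red onclick="x()"',   // listed name, lower case
    'color=red onClick="x()"',   // listed name, mixed case
    'color=red onerror="x()"',   // handler that is not on the list
);
foreach ($samples as $s) {
    echo $s, "\n";
    echo "  exact:    ", accepted_attrs($s, $UnsafeWikiStyleAttr, 'is_unsafe_exact'), "\n";
    echo "  hardened: ", accepted_attrs($s, $UnsafeWikiStyleAttr, 'is_unsafe_hardened'), "\n";
}
```

Because the skip sits in the loop that reads attributes from markup, handlers an admin predefines in $WikiStyle (such as the 'confirm' style above) are not affected by either variant.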