I'm a rank beginner at regex, but I seem to recall a warning that hackers might 
exploit an argument if you use "/e" in Markup. Thus I currently restrict my 
argument (which is supposed to be a page name) to digits:

Markup('mydirective', 'directives',
  '/\\(:mydirective (\\d+):\\)/e',
  "mydirective('$1')");

I assume there is a way for my directive to support any page name without 
introducing a security hole. I probably only need to support a page Name, 
rather than Group.Name, but for future reference it would be good to know how 
to support either.

Could someone please tell me a safe expression, or else point me to a script 
that could serve as a model for a safe expression?

Randy
_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
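
An added example (not from the original post and not PmWiki's own code) of one way to accept either Name or Group.Name: match only an allow-listed character set and hand the captures to a callback as data, so no captured text is ever evaluated as PHP source. The two patterns, the handler body and the render_mydirective() wrapper are assumptions, and plain preg_replace_callback() stands in for the wiki's Markup() registration.

```php
<?php
// Assumed patterns: a component starts with a letter (group) or a letter/digit
// (name), continues with word characters, and may contain hyphen-joined parts.
// Quotes, braces, dollar signs, slashes inside a component, etc. never match.
const GROUP_RE = '[A-Za-z]\w*(?:-\w+)*';
const NAME_RE  = '[A-Za-z0-9]\w*(?:-\w+)*';

// Hypothetical handler: receives the captures as ordinary strings.
function mydirective(string $group, string $name): string {
    $page = ($group === '' ? '' : $group . '.') . $name;
    // Escape on output as well, so the result is safe even if the
    // patterns above are loosened later.
    return '<span class="mydirective">'
         . htmlspecialchars($page, ENT_QUOTES, 'UTF-8')
         . '</span>';
}

// Replace every well-formed directive; anything else is left untouched.
function render_mydirective(string $text): string {
    $pattern = '/\(:mydirective\s+(?:(' . GROUP_RE . ')[.\/])?(' . NAME_RE . ')\s*:\)/';
    $out = preg_replace_callback(
        $pattern,
        function (array $m): string {
            // $m[1] is '' when no group was given, $m[2] is the page name.
            return mydirective($m[1], $m[2]);
        },
        $text
    );
    return $out ?? $text; // preg_replace_callback() returns null on a PCRE error
}

// Constructed sample inputs: three accepted forms, two rejected ones.
$samples = [
    '(:mydirective 42:)',
    '(:mydirective HomePage:)',
    '(:mydirective Main.HomePage:)',
    "(:mydirective Bad'Name:)",
    '(:mydirective Main.Home.Extra:)',
];

foreach ($samples as $s) {
    echo $s, ' => ', render_mydirective($s), PHP_EOL;
}
```

The last two samples come back unchanged because the whole directive fails to match, which is the behaviour to want from an allow-list: input outside the expected shape is never passed to the handler at all.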
