Thanks, Petko - Do you have any general guidance as to what is safe and what isn't?

I ask because I've got another directive in which I'd like to let markup appear on the page normally unless condition X exists:

  (:mydirective if X is true, let this markup evaluate:)

where the markup could be any valid PmWiki markup. Here is how I am currently obtaining the argument:

  Markup('mydirective', 'directives', '/\\(:mydirective (.*?):\\)/e', "mydirective('$1')");

I assume (I hope not too naively) that it's safe to concatenate the argument, for example:

  $saferesult = $Prefix.$arg.$Suffix;

But I'm not so sure whether this is safe:

  return PRR($arg);

Do I need to restrict the argument, or pass it through a filter before giving it to PRR()?

Randy

On Jan 27, 2010, at 9:47 PM, Petko Yotov wrote:

> On Sunday 24 January 2010 06:55:36, Randy Brown wrote :
>> I'm a rank beginner at regex, but I seem to recall a warning that hackers
>> might exploit an argument if you use "/e" in Markup.
>
> Hello. You can pass the string through MakePageName()