I neglected to thank you for the help (summer 2012!). I haven't done further work on the project, but have been using it, and hope to extend it further this year.
cheers!

-Michael Paulukonis
http://www.xradiograph.com
Interference Patterns (a blog) <http://www.xradiograph.com%5Cinterference>
@XraysMonaLisa <https://twitter.com/XraysMonaLisa>
http://michaelpaulukonis.com <http://www.BestAndroidResources.com>
Sent from somewhere in the Cloud (hearthrug, by the fender)

On Tue, Jun 12, 2012 at 7:33 AM, Petko Yotov <5...@5ko.fr> wrote:

> michael paulukonis writes:
>
>> Basically, the plugin checks for text enclosed by a set of tags, passes that
>> to the markup service, which then provides HTML back to WordPress.
>
> It looks like you're getting the output HTML via a network connexion (browser or
> server)?
>
>> Is there any major security hole that I'm opening up in PmWiki by doing this?
>
> ...
>
>> Is there any way to obtain arbitrary JavaScript that extensions attempt to
>> add to the page?
>
> No, not any more than leaving the standard PmWiki open to viewing. How secure
> that is depends on how secure the recipes you enabled are.
>
>> (other than inline JS applied to markup) ?
>
> If you have inline JS, some of these PmWiki recipes also inject JavaScript
> into the header or footer of the rendered full page. Without it, some
> functionalities may not work in the HTML returned by MarkupToHTML(). But this
> is not a security issue.
>
> About security, in your case, I'd probably limit the PmWiki installation to
> only do the 'wikimarkup' action. Something like this in config.php:
>
>     $action = 'wikimarkup'; # OR
>     if($action != 'wikimarkup') $action = 'wikimarkup';
>
> Alternatively, it may be possible to include pmwiki.php and use only the
> markup engine. In your WordPress php configuration file, you can add something
> like this:
>
>     $EnableActions = 0;
>     include_once("pmwiki/pmwiki.php");
>
> This will load PmWiki but will disable all automatic processing, allowing you
> to call selected functions yourself, for example MarkupToHTML().
>
> Note that PmWiki will look for configuration files at two places:
>
>     local/config.php - the directory 'local' is related to the index.php of WordPress
>     local/farmconfig.php - 'local' here is related to where pmwiki.php is
>
> And if you include recipes, you'll need to use the $FarmD variable:
>
>     include_once("$FarmD/cookbook/my-recipe.php");
>
> See the following discussion on the mailing list:
>
> http://thread.gmane.org/gmane.comp.web.wiki.pmwiki.user/37668/focus=37694
>
> Petko
>
> _______________________________________________
> pmwiki-devel mailing list
> pmwiki-devel@pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
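The second approach described in the quoted reply (loading PmWiki with `$EnableActions = 0` and calling `MarkupToHTML()` directly), as an added example that is not code from this thread or from the plugin. The `[pmwiki]` tag pair, the `pmwiki/` path and the page name `Main.WordPress` are assumptions, and the `wp_kses_post()` filtering of the returned HTML is an addition made here.

```php
<?php
// Added example, not the plugin's own code.
// Assumptions: PmWiki is unpacked in ./pmwiki beside this file, and this file
// is loaded at global scope so PmWiki's global variables are set up normally.

// Load the PmWiki engine without dispatching any action (no browse/edit/upload).
$EnableActions = 0;
include_once(__DIR__ . '/pmwiki/pmwiki.php');

/**
 * Replace every [pmwiki]...[/pmwiki] span in a post with rendered HTML.
 * The tag pair is hypothetical; the thread does not name the real one.
 */
function render_pmwiki_blocks($content) {
    return preg_replace_callback(
        '~\[pmwiki\](.*?)\[/pmwiki\]~s',
        function ($m) {
            // 'Main.WordPress' is a placeholder page name used only as
            // rendering context for the markup engine.
            $html = MarkupToHTML('Main.WordPress', $m[1]);

            // Filter the result with WordPress's post allow-list, which
            // strips <script> tags and on* event-handler attributes that
            // markup or an enabled recipe may have produced.
            return wp_kses_post($html);
        },
        $content
    );
}

// Priority 1 so the wiki markup is converted before WordPress's own
// paragraph and typography filters touch the raw text.
add_filter('the_content', 'render_pmwiki_blocks', 1);
```

Recipes that rely on their own JavaScript will lose it under this filtering, which matches the caveat in the quoted reply that some functionality may not work without it.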