On Mon, Aug 27, 2007 at 08:03:54PM -0400, Sandy wrote:
> http://pmwiki.org/wiki/Cookbook/IncludeUpload
> and
> http://pmwiki.org/wiki/Cookbook/EnableHTML
>
> The second one is more limited, but also safer. You give it a list of
> HTML codes to pass through. The first one, I'm not sure if it'll pass
> through something dangerous or not (I trust the programmer, but I don't
> see anywhere if this was a quickie utility for her own site, or
> something more robust.)

Well, it was initially a quickie utility for my own site, but it has become more robust since. 8-)

However, the level of security is along the lines of whether a given file is allowed to be included; there is no checking of the HTML content of it. So it's an all-or-nothing thing in that regard.

There are two ways of including an HTML file with IncludeUpload:

A) It's an uploaded (attached) file. In this case, the file is only included if the viewer has 'includeupload' authorization (which defaults to the same as 'read') for the page associated with the uploaded file. In this case, the security of the content of the file depends on how trustworthy the people who have *upload* authorization are; those who upload the files determine what their content is.

B) It's a file from elsewhere on the website. This goes through the webserver to ensure that only files which are allowed to be displayed (given the webserver's permissions) are included. The assumption here is that non-PmWiki content is under the control of the website admin, and therefore would be safe.

Basically the purpose of IncludeUpload is to save effort for content that you already have that you don't want to have to convert into PmWiki format.

Another purpose that I use it for is to make files available in both text and HTML format; the text file is attached to the page, and then I tell IncludeUpload to use a text-to-html converter on it when it includes that file. That's only useful for text files that aren't too large, since otherwise too much time is spent in doing the conversion.

Kathryn Andersen
--
Kathryn Andersen <http://www.katspace.com>
GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
Melbourne -> Victoria -> Australia -> Southern Hemisphere -> Earth -> Sol -> Milky Way Galaxy -> Universe
Maranatha!
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
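
The contrast drawn in this thread, as an added sketch that is not code from EnableHTML, IncludeUpload or PmWiki: everything is escaped and only bare tags from a list are passed through, which is the kind of content check the reply says IncludeUpload does not perform. The function name and the sample fragment are made up for illustration.

```php
<?php
// Added illustration; not code from EnableHTML, IncludeUpload or PmWiki.

/**
 * Escape all markup, then restore only bare allowlisted tags.
 * Tags carrying attributes stay escaped, so event-handler attributes
 * never reach the browser as live markup.
 */
function passthrough_allowlisted(string $html, array $allowed): string
{
    $escaped = htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($allowed === []) {
        return $escaped; // nothing is passed through
    }
    $names = implode('|', array_map(
        fn(string $t): string => preg_quote($t, '/'),
        $allowed
    ));
    // Matches &lt;b&gt;, &lt;/b&gt; and &lt;br /&gt;, but no tag with attributes.
    $pattern = '/&lt;(\/?)(' . $names . ')(\s*\/)?&gt;/i';
    return preg_replace_callback(
        $pattern,
        fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . ($m[3] ?? '') . '>',
        $escaped
    );
}

// Constructed sample standing in for an uploaded HTML fragment.
$upload = '<p>Hello <b>world</b></p>'
        . '<script>track()</script>'
        . '<b onclick="x()">click</b>';

// The <p> and <b> tags render; the script element and the tag that
// carries an onclick attribute are shown as literal text instead.
echo passthrough_allowlisted($upload, ['p', 'b', 'em', 'br']), "\n";
```

With an authorization-only model, the same fragment would be emitted unchanged for any viewer allowed to see it, so the trust decision rests entirely on who may upload.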
