On Thu, Oct 22, 2009 at 3:35 AM, Hans <[email protected]> wrote:
>
>> Just out of curiosity I thought I would try this. Can you tell me if
>> it meets your needs (on a fresh install...)
>>
>> engine.php, ~1643, near beginning of BOLTpageshortcuts:
>>
>>        $link = html_entity_decode($link, ENT_QUOTES, 'UTF-8');
>>
>> P.S. One BIG problem is we will lose php4 support. UTF-8 seems to have
>> been a php5 addition for this function. I don't like the looks of the
>> workarounds I see...
>
> I don't like that restriction to php5.

Agreed, but if you notice your proposed change for point 3 uses
essentially the same line!  :).

It may be possible to do if phpversion > 5... then convert, otherwise
don't. Meaning in php5 BoltWire could have html entities but not in
php4. Just don't know if that will still throw an error message.
Hopefully not...

Now if I could just figure out how to do try/catch in php 4!

> Still, i did a quick test:
> page creation via form works, but can't use & nor &amp; in input field.
> html entities in links work, but can't use a link like [[test.X&amp;Z]]
> (goes to page test.X).
> I think it still needs points 1 and 4 of my fixes (removing & from
> $BOLTutfEscapeChars and adding ampamp markup rule), only the fixes of
> points 2 and 3 can be avoided. And since it needs php5 it is a no-go
> anyway.

Well we are getting closer. Now we are down to one character. &amp;.
My inclination is to leave this out of the core. As both 1 & 4 can be
done via plugin, or config file, I suggest we do that. My hesitancy is
just that I anticipate the bugs to outweigh the advantages.

> Re: the previous mail:
>> In summary,
>> 1) I am concerned about possible security vulnerabilities by allowing
>> risky chars in page names.
>
> With my proposed changes one cannot for instance create a page
> foo&lt;script&gt;bar,
> input of < and > as well as &lt; and &gt; results in invalid page name
> errors. This is true for all characters listed in $BOLTutfEscapeChars.
> Only the '&' must not be part of this array, so one can enter html
> entities. So we do not get risky characters in page names.

Ok, you are right. Whether with your fix or mine, the blocked chars
are blocked. But mine (and probably yours) works fine with or without
& blocked. (Except for the exception of &amp; of course).

>> 2) I am worried about possible bugs, such as special chars being
>> entered that have pageshortcut meanings, and confusion with get
>> variables.
>
> do these clash with html entities? Note that the html entity entered
> in a page name field gets converted to url % code. The most likely
> place for trouble is link markup. Like [[test.X&amp;Z]] needs the
> ampamp markup rule in order not to be misinterpreted.

Well, all of our pageshortcut symbols are blocked, so given point one
above, this seems to be moot.

>> 3) I am concerned that certain pages could be created via a form but
>> not created via the url bar.  I realize however, there's probably
>> nothing we can do about the url bar, either way.
>
> Yes, I never even tried to add html entities in the url bar, knowing
> it has to fail most likely, or that browsers will interpret such
> attempts in different ways (some browsers are more forgiving I read).
> So I restricted adding html entities in form input and link markup.

Granted. Can't do anything here.

> Thanks for your detailed response! I think we agree on the issues now.

Well we are down to two points now. One, how to get around the php4
problem. And what to do with the single character &. I'm hoping a
conditional checking phpversion can block error messages on php4 and
proposing that we make the inclusion of & in page names an option for
plugins.

Cheers,
Dan

If anyone cares to add this line to a BoltWire config file running on
a PHP4 installation and tell me if it generates an error message, I'd
be grateful:

if (false) html_entity_decode('string', ENT_QUOTES, 'UTF-8');
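As an added illustration of the decode-then-validate approach discussed in this thread (example code, not BoltWire's own; the function names are hypothetical, and the `$BOLTutfEscapeChars` contents are an assumption modelled on Hans's description, with `&` left out so entities can be entered):

```php
<?php
// Example (not BoltWire code): decode HTML entities in a submitted page
// name only where PHP supports the 'UTF-8' charset argument, then validate
// the decoded name so entity-encoded risky characters are rejected too.

// Assumed blocked-character list; the real $BOLTutfEscapeChars may differ.
// '&' is deliberately absent so that entities such as &amp; are allowed.
$BOLTutfEscapeChars = array('<', '>', '"', "'", '[', ']', '?', '#');

function decodePageName($name) {
    // html_entity_decode() with 'UTF-8' needs PHP 5. On PHP 4 return the
    // name unchanged instead of risking an error from the charset argument.
    if (version_compare(PHP_VERSION, '5.0.0', '>=')) {
        return html_entity_decode($name, ENT_QUOTES, 'UTF-8');
    }
    return $name;
}

function isValidPageName($name, $blocked) {
    // Validate the decoded form: 'foo&lt;script&gt;bar' becomes
    // 'foo<script>bar' and must fail exactly like a literal '<'.
    $decoded = decodePageName($name);
    foreach ($blocked as $ch) {
        if (strpos($decoded, $ch) !== false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs taken from the cases mentioned in the thread.
$samples = array('test.X&amp;Z', 'foo&lt;script&gt;bar', 'foo<script>bar', 'plain.page');
foreach ($samples as $s) {
    $verdict = isValidPageName($s, $BOLTutfEscapeChars) ? 'ok' : 'invalid page name';
    echo $s, ' => ', $verdict, "\n";
}
```

On PHP 5 the first and last samples pass and the two script variants are rejected; on PHP 4 the undecoded `&lt;` form is stored literally rather than decoded, which is the behaviour difference the thread is weighing.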

You received this message because you are subscribed to the Google Groups 
"BoltWire" group.
For more options, visit this group at 
http://groups.google.com/group/boltwire?hl=en