Andrew Jaquith wrote:
Bob, Murray and all --

While the TiddlyWiki plugin sounds like it is very convenient for users, I don't see something like this being part of JSPWiki unless the functionality is carefully constrained. In particular, the capability to specify external URLs has "cross site scripting" written all over it. ACLs would not be the answer, either -- you'd want to create a custom Permission type for it, and have the right to use it enshrined in the security policy.

Andrew,

Wouldn't a simple solution to that be to filter for URLs and have the
alias declaration fail upon finding any? Similarly, any XML/HTML markup?

E.g., if the alias string contains "<", ">", "&" or "://" we kill it.

Murray

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

      Boundless wind and moon - the eye within eyes,
      Inexhaustible heaven and earth - the light beyond light,
      The willow dark, the flower bright - ten thousand houses,
      Knock at any door - there's one who will respond.
                                      -- The Blue Cliff Record
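
The substring filter proposed in the reply above, written out in Java (JSPWiki's language) as an added example; it is not code from the thread or from JSPWiki. It sits beside a stricter allowlist check, which is an assumption of this example, because forms such as `//host/path` or `javascript:...` contain none of the four listed substrings. The class name, method names, allowed character set and sample aliases are all constructed for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class AliasFilter {
    // The four substrings named in the message above.
    private static final List<String> FORBIDDEN = List.of("<", ">", "&", "://");

    // Stricter alternative (assumption, not from the thread): accept only
    // letters, digits, space, underscore, dot and hyphen, up to 64 characters.
    private static final Pattern ALLOWED = Pattern.compile("[\\p{L}\\p{N} _.-]{1,64}");

    /** Denylist check as proposed: reject if any forbidden substring occurs. */
    static boolean passesDenylist(String alias) {
        if (alias == null || alias.isEmpty()) return false;
        for (String bad : FORBIDDEN) {
            if (alias.contains(bad)) return false;
        }
        return true;
    }

    /** Allowlist check: accept only if the whole string matches ALLOWED. */
    static boolean passesAllowlist(String alias) {
        return alias != null && ALLOWED.matcher(alias).matches();
    }

    public static void main(String[] args) {
        // Constructed sample alias values, not taken from the thread.
        String[] samples = {
            "Main Page",                  // plain alias text
            "http://example.com/x",       // contains "://"
            "<b>bold</b>",                // contains markup characters
            "Tom & Jerry",                // contains "&"
            "//example.com/x",            // protocol-relative, no "://"
            "javascript:void(0)",         // scheme without "//"
            "mailto:someone@example.com", // scheme without "//"
        };
        for (String s : samples) {
            System.out.printf("%-30s denylist=%-5b allowlist=%b%n",
                    s, passesDenylist(s), passesAllowlist(s));
        }
    }
}
```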
