Bob Paige wrote:
The purpose was to provide a macro capability, but not to facilitate cross-site
scripting attacks. Given that we don't know exactly how it would work, how
do you see it as enabling cross-site scripting?

Perhaps my example was misleading since it included a URL, but isn't this
same thing possible in JSPWiki (through an interwiki link) or by just
including the URL in the page:

[Click here!|http://www.google.com/search?q=foo]

The danger isn't in passing URLs per se, it's in potentially passing
hidden URLs, code (e.g., JavaScript), markup, or strings that may
somehow be converted into markup, code, or content that might be
interpreted by the system as a command.

Also, it seems to me the purpose of interwiki links is to abstract away the
URL necessary to link to the other wiki, not provide security, i.e. it is
really only a shortcut to something the user could already do.

I believe a separate question of mine on this list overlaps with the
macro/alias thing, so I will share my recent research here.

Using the InsertPage plugin (as suggested by someone else on this list) I
thought I could build up a library of useful pieces, similar to the macro
ability discussed in this thread. Unfortunately, it didn't work as I had
hoped for.

The real problem with the InsertPage, TranscludePage, etc. plugins is
that they are not recursive. In other words, the transcluded page may
itself include another page, etc., with each page fully rendered prior
to being passed on to the next inclusion/transclusion.

[...]
Is it possible to write another plugin similar to InsertPage (call it
'MacroPlugin') that inserts the contents of another page *before* any
contained plugins are invoked?

It's *possible* but not easy -- you'd have to hook up the renderer to
process the content recursively backward to the first inclusion. This
would be outside the normal page processing, the plugin responsible
basically for everything.

Murray

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

      Boundless wind and moon - the eye within eyes,
      Inexhaustible heaven and earth - the light beyond light,
      The willow dark, the flower bright - ten thousand houses,
      Knock at any door - there's one who will respond.
                                      -- The Blue Cliff Record
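The "hidden URL or code" concern raised above, as an added illustration that is not JSPWiki's own code: a small renderer for the `[text|target]` link syntax quoted in the thread that HTML-escapes the visible text, allows only `http`, `https`, `mailto` and bare page names as targets, and drops anything else (the regex and allow-list are assumptions for this example).

```python
import html
import re
from urllib.parse import urlsplit

# Simplified link syntax from the thread: [Click here!|http://...]
# (constructed for this example, not JSPWiki's real parser).
LINK_RE = re.compile(r"\[([^\]|]+)\|([^\]]+)\]")
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_target(target):
    """Return the target if it is safe to emit as an href, else None."""
    stripped = target.strip()
    # Interior whitespace or control characters are how "java\tscript:"
    # style targets smuggle a script scheme past naive checks: refuse them.
    if not stripped or any(ch.isspace() or not ch.isprintable() for ch in stripped):
        return None
    scheme = urlsplit(stripped).scheme  # urlsplit lower-cases the scheme
    if scheme == "":
        # No scheme: treat as an internal wiki page name, letters/digits only.
        return stripped if re.fullmatch(r"[A-Za-z0-9]+", stripped) else None
    return stripped if scheme in ALLOWED_SCHEMES else None


def render_links(wikitext):
    """Escape all text; turn allowed links into <a>, keep only text for others."""
    out, pos = [], 0
    for m in LINK_RE.finditer(wikitext):
        out.append(html.escape(wikitext[pos:m.start()]))
        text = html.escape(m.group(1).strip())
        target = safe_target(m.group(2))
        if target is None:
            out.append(text)  # link dropped, visible text kept
        else:
            out.append(f'<a href="{html.escape(target)}">{text}</a>')
        pos = m.end()
    out.append(html.escape(wikitext[pos:]))
    return "".join(out)
```

Because the surrounding text is escaped before the link scheme is inspected, an entity-encoded scheme in the page source cannot be decoded by the browser into something the allow-list did not see.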