michael paulukonis writes:
Basically, the plugin checks for text enclosed by a set of tags, passes that to the markup service, which then provides HTML back to WordPress.
It looks like you're getting the output HTML via a network connexion (browser or server)?
Is there any major security hole that I'm opening up in PmWiki by doing this?
...
Is there any way to obtain arbitrary JavaScript that extensions attempt to add to the page?
No, not any more than leaving the standard PmWiki open to viewing. How secure that is depends on how secure the recipes you enabled are.
(other than inline JS applied to markup) ?
If you have inline JS, some of these PmWiki recipes also inject JavaScript into the header or footer of the rendered full page. Without it, some functionalities may not work in the HTML returned by MarkupToHTML(). But this is not a security issue.

About security, in your case, I'd probably limit the PmWiki installation to only do the 'wikimarkup' action. Something like this in config.php:

    $action = 'wikimarkup';
    # OR
    if($action != 'wikimarkup') $action = 'wikimarkup';

Alternatively, it may be possible to include pmwiki.php and use only the markup engine. In your WordPress PHP configuration file, you can add something like this:

    $EnableActions = 0;
    include_once("pmwiki/pmwiki.php");

This will load PmWiki but will disable all automatic processing, allowing you to call selected functions yourself, for example MarkupToHTML().

Note that PmWiki will look for configuration files in two places:

    local/config.php - the directory 'local' is relative to index.php of WordPress
    local/farmconfig.php - 'local' here is relative to where pmwiki.php is

And if you include recipes, you'll need to use the $FarmD variable:

    include_once("$FarmD/cookbook/my-recipe.php");

See the following discussion on the mailing list:
http://thread.gmane.org/gmane.comp.web.wiki.pmwiki.user/37668/focus=37694

Petko