Pm has been kind enough to study the ZAP code and found a serious security vulnerability. We are still looking for a solution.
Basically the problem is in PmWiki's ability to impose page content from an editable page onto a page that is not editable and load that page as if it were in the source code. You could argue this is a PmWiki vulnerability (which allows users to insert a ZAPform onto a page they cannot edit), but regardless it will need to be fixed. Unfortunately there is no immediate good solution (I've explored several).

ZAP users should therefore use extreme caution about enabling ANY pages on a ZAP-enabled site for editing--even if ZAP is only enabled on one page. ZAP should still be safe on sites where editing is not enabled anywhere except by untrusted users.

My apologies to the community for this problem, and my commendations to Pm for finding it. I will be posting some stopgap fixes as soon as possible--but I'll be out of town for a week and may have limited internet access while away. Hopefully I can find some time to work on this...

Cheers,
Dan

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users