Summary: Talk page for BackgroundImages.

This space is for User-contributed commentary and notes. Please include your name and a date along with your comment.


The background markup has some potential for misuse, as it can render the page unusable if backgrounds are chosen that make the page unreadable. Similar caution applies to the use of absolutely positioned divisions.

Note: By making your configuration file only include the background markup expression when the action is browse, you can enable authors to undo any damage if the background is set maliciously. In fact, you may want to have the background invoked only when browsing anyway.

My question: Could a malicious user enter a value to be assigned by the directive to $HTMLStylesFmt[] that can cause more serious problems? If anyone sees a security risk, please comment. -- RandyB November 14, 2014, at 09:32 PM

On the strict side, any recipe that generates anything from user input that is to be processed on the client end should only be output to the client in action=browse, e.g. by setting if ($action == 'edit') { return; }. This also improves full page edit performance, but preview would not be available. -- VKrishn November 15, 2014, at 05:54 AM

Let me ask a specific question: Does an author's ability to assign a value to $HTMLStylesFmt[] open up the site to a cross-scripting attack? -- RandyB November 15, 2014, at 09:29 AM

No. The potentially inserted HTML/JavaScript <script> is escaped. At most, one can insert broken/invalid CSS code. --Petko November 15, 2014, at 09:45 AM
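
An allowlist check that would keep broken or unintended CSS out of the rule before it is appended to $HTMLStylesFmt[], as an added example that is not the recipe's code. The function names and the accepted patterns (hex colours and site-relative image URLs only) are assumptions, and the script assumes PHP 7.1 or later and runs on its own without PmWiki.

```php
<?php
// Added example, not the recipe's code. Function names are hypothetical.

// Return a normalised CSS background value, or null if the input is rejected.
// Named colours and other CSS values are deliberately not accepted here.
function safe_background_value(string $value): ?string {
    $value = trim($value);
    // Hex colour: #rgb or #rrggbb.
    if (preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value)) {
        return $value;
    }
    // url(...) with a site-relative path and an image extension.
    // Quotes, braces, semicolons, angle brackets and URL schemes cannot match.
    if (preg_match('#^url\((/[A-Za-z0-9_./-]+\.(?:png|jpe?g|gif))\)$#', $value, $m)
        && strpos($m[1], '..') === false) {
        return "url('" . $m[1] . "')";
    }
    return null;
}

// Division or body ids: a letter, then letters, digits, hyphen or underscore.
function safe_div_name(string $name): ?string {
    return preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $name) ? $name : null;
}

// Build the rule in the form quoted in this thread, or '' if anything is rejected.
// In a PmWiki config, a non-empty result is what would go into $HTMLStylesFmt[].
function background_rule(string $div, string $value): string {
    $d = safe_div_name($div);
    $v = safe_background_value($value);
    if ($d === null || $v === null) return '';
    return "#$d { background:$v }\n";
}

// Constructed sample inputs: two valid, three that must be rejected.
$samples = [
    ['WholePage', 'url(/images/background.jpg)'],
    ['content',   '#ffcc00'],
    ['content',   '#fff }'],        // stray brace would break the stylesheet
    ['content',   '<script>'],      // markup has no place in a CSS value
    ['con tent',  '#fff'],          // invalid id
];
foreach ($samples as [$div, $value]) {
    $rule = background_rule($div, $value);
    printf("%-10s %-30s => %s", $div, $value, $rule === '' ? "(rejected)\n" : $rule);
}
```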

How can I set that background image for a single wiki page (i.e. for the <html> tag)?

Hmmm, do you mean for the whole page? It depends on whether the skin template has a wrapper division. If so, you could use that (in FixFlowSkin and GeminiSkin you can use 'wrapper'). In CSS you normally use the body tag, but this won't work with the above markup, since the markup puts a # symbol in front of the div name. You could try changing the markup to write $HTMLStylesFmt[] = " $divname { background:$value } \n "; , i.e. without the #, and then use div names with the # if you need them, like #content, and try body for a whole page background. Note this is untested. ~HansB

This is how I got the background to work for the whole page:
I set a body id <body id="WholePage"> - you mean in the skin's .tmpl file? Yes.
I inserted the markup in config.php exactly as shown. - which markup, as shown where? The code that is placed in the config shown at the top of this page.
This is the code to put an image as a background:
(:background WholePage='url(/images/background.jpg)':) so for instance (:background WholePage='':)? No, like (:background WholePage='url(':). It also works with a hex value for a color.
It worked great! It did. Thanks.
Hope this helps with the above question. ~Jennifer Humphrey

could use a little more help!

  • This recipe was last tested on PmWiki version: 2 beta51
  • This recipe requires at least PmWiki version: 2 beta43
