01266: refcount uses invalid XHTML markup (Closed - fixed for 2.2.33)
"?action=refcount" produces invalid XHTML. It looks like "HTML 4.01 Transitional", but PmWiki uses "XHTML 1.0 Transitional". So the function
PrintRefCount() in scripts/refcount.php requires an "update":
- Each empty tag like <input>, <br>, <hr> etc. requires ending it with "/>".
- <option> lists must be closed by a </option>
- minimized attributes like "checked", "selected" etc must be written as "checked='checked'"
- <p> must be closed by </p>
Maybe there are other flaws to be verified, but these few are the obvious ones I've seen.
Additionally there are two other bugs in there:
- <form method='post'>
A <form> requires an "action" attribute, otherwise the W3C markup validator claims an error. Should be
- <input type='hidden' action='refcount'>
There's no attribute "action". It should be
<input type='hidden' name='action' value='refcount' />
Verifying is easy:
- Visit http://validator.w3.org/ ,
- then enter "http://www.pmwiki.org/wiki/?action=refcount"
- and finally "Check".
You'll get 371 errors (by now).
- Then remove the "?action=refcount" portion
- and "Revalidate".
You'll get "This document was successfully checked as XHTML 1.0 Transitional!"
XSS can easily happen in the <option> values - check the $tlist and $flist processing if you're bored right now ;)
RRipley 2011-09-22 22:30 UTC
At the moment I don't see how; the option values and labels come from the internal ListPages() function, not from $_REQUEST (it is only checked to enable "selected" options). --Petko September 22, 2011, at 05:55 PM
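
The checks listed in the report, as an added example that is not part of the original thread or of PmWiki's code: an offline pre-check that catches the same classes of error before a page is submitted to the validator. The two markup samples are constructed, the `/wiki/` form action is a placeholder, and `xhtml_problems` is a hypothetical helper; it tests XML well-formedness plus the two attribute bugs, not full DTD validity.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not PmWiki's actual output): the HTML 4 style the
# report describes, and the same form rewritten as XHTML.
HTML4_STYLE = """<form method='post'>
<input type='hidden' action='refcount'>
<select name='whichrefs'><option selected>all<option>missing</select>
<p><input type='submit' value='Search'>
</form>"""

XHTML_STYLE = """<form method='post' action='/wiki/'>
<input type='hidden' name='action' value='refcount' />
<select name='whichrefs'><option selected='selected'>all</option>
<option>missing</option></select>
<p><input type='submit' value='Search' /></p>
</form>"""


def xhtml_problems(fragment):
    """Return a list of problems; an empty list means every check passed."""
    try:
        root = ET.fromstring(fragment)
    except ET.ParseError as err:
        # Unclosed <input>/<option>/<p> tags and minimized attributes such as
        # "selected" are all XML well-formedness errors and stop the parse.
        return ["XML parse error: %s" % err]
    problems = []
    for el in root.iter():
        if el.tag == "form" and "action" not in el.attrib:
            problems.append("<form> without an action attribute")
        if el.tag == "input":
            if "action" in el.attrib:
                problems.append("<input> has no attribute 'action'")
            if el.get("type") == "hidden" and not {"name", "value"} <= set(el.attrib):
                problems.append("hidden <input> needs name and value")
    return problems


if __name__ == "__main__":
    for label, sample in (("HTML 4 style", HTML4_STYLE), ("XHTML style", XHTML_STYLE)):
        print(label, "->", xhtml_problems(sample) or "ok")
```
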