[pmwiki-users] Idea for javascript in links
Henrik Bechmann
henrik at bechmannsoftware.com
Mon Dec 5 09:55:03 CST 2005
Kinky!
So if I were to filter the parameters of an authorized function for the
equal sign, or for parenthesis, would that be safe? Or are there other
devious ways...?
- Henrik
Patrick R. Michaud wrote:
>On Sun, Dec 04, 2005 at 02:14:43PM -0500, Henrik Bechmann wrote:
>
>
>>I've been dancing around this fairly successfully so far, but I thought
>>I'd float an idea for allowing javascript in links like:
>>
>><a href="javascript:gotocalculatedsite('criteria')"
>>onmouseover="respondtorollover('somearg')">Test active link</a>
>>
>>Namely in PmWiki markup it would look like
>>
>>[[@gotocalculatedsite('criteria')
>>onmouseover=respondtorollover('somearg') | Test active link]]
>>
>>The @ is inspired by spreadsheet "at" formula syntax.
>>
>>For security the administrator would have to register allowed javascript
>>functions in a config file:
>>
>>$AllowedJavascriptFunctions[]='gotocalculatedsite';
>>$AllowedJavascriptFunctions[]='respondtorollover';
>>
>>
>
>The security would have to be a bit more involved than simply
>checking a list of allowed javascript functions -- we'd have to
>be sure to prevent things like:
>
>[[onmouseover=respondtorollover(location.href='http://www.example.com') | Test active link]]
>
>In general I think it's safer to just create specialized markup
>for any javascripting that needs to take place in a page.
>
>Pm
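Added example, not part of this thread and not PmWiki's own code: a strict server-side validator for the proposed markup, written in PHP since that is what PmWiki's config and markup rules are written in. Instead of blocking individual characters, it accepts only a registered function name called with exactly one single-quoted string literal drawn from a narrow character set, so the `location.href='http://www.example.com'` argument Pm points out is rejected before anything is emitted into HTML. The function names, the `onmouseover=` form and the `[[@... | text]]` layout follow the thread; the helper names `validate_js_call` and `render_js_link` and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not PmWiki code): only registered function names with a plain
// string-literal argument are ever rendered; anything else is rejected outright.

// Allowlist in the style of the proposal (names taken from the thread).
$AllowedJavascriptFunctions = array('gotocalculatedsite', 'respondtorollover');

/**
 * Validate one call such as gotocalculatedsite('criteria').
 * Accepts exactly: identifier('literal') where the literal contains only
 * letters, digits, space, dot, comma, underscore and hyphen. Quotes, '=',
 * parentheses, ':' and '/' are excluded, so no expression can be smuggled in.
 * Returns array(name, arg) on success, or null if the call is not permitted.
 */
function validate_js_call($call, array $allowed) {
  $pattern = "/^([A-Za-z_][A-Za-z0-9_]*)\\('([A-Za-z0-9 .,_-]*)'\\)$/";
  if (!preg_match($pattern, trim($call), $m)) {
    return null;                       // not a bare call with a literal argument
  }
  if (!in_array($m[1], $allowed, true)) {
    return null;                       // function name not registered by the admin
  }
  return array($m[1], $m[2]);
}

/**
 * Render the proposed markup into a link, or return null if any part is rejected.
 * Expected form: [[@href_call [onmouseover=call ...] | Link text]]
 */
function render_js_link($markup, array $allowed) {
  if (!preg_match('/^\[\[@(.*?)\s*\|\s*(.*?)\]\]$/s', $markup, $m)) {
    return null;                       // not the [[@... | text]] shape at all
  }
  $text  = $m[2];
  // Split the call part into the href call and any onmouseover= handlers.
  $parts = preg_split('/\s+(?=onmouseover=)/', $m[1]);
  $href  = validate_js_call(array_shift($parts), $allowed);
  if ($href === null) {
    return null;
  }
  $attrs = array();
  foreach ($parts as $p) {
    if (strpos($p, 'onmouseover=') !== 0) {
      return null;                     // unknown attribute form
    }
    $call = validate_js_call(substr($p, strlen('onmouseover=')), $allowed);
    if ($call === null) {
      return null;                     // e.g. respondtorollover(location.href='...')
    }
    $attrs[] = sprintf('onmouseover="%s(\'%s\')"', $call[0], $call[1]);
  }
  // The validated argument cannot contain quotes, so embedding it is safe;
  // the visible link text is still HTML-escaped as usual.
  return sprintf('<a href="javascript:%s(\'%s\')"%s>%s</a>',
    $href[0], $href[1],
    $attrs ? ' ' . implode(' ', $attrs) : '',
    htmlspecialchars($text, ENT_QUOTES));
}

// Constructed sample inputs: Henrik's original link, and a variant carrying
// the expression Pm used to illustrate the bypass.
$good = "[[@gotocalculatedsite('criteria') onmouseover=respondtorollover('somearg') | Test active link]]";
$bad  = "[[@gotocalculatedsite('criteria') onmouseover=respondtorollover(location.href='http://www.example.com') | Test active link]]";

foreach (array('good' => $good, 'bad' => $bad) as $label => $markup) {
  $html = render_js_link($markup, $AllowedJavascriptFunctions);
  echo $label, ': ', ($html === null ? 'rejected' : $html), "\n";
}
```

The design choice is to describe what is permitted and refuse everything else, rather than to enumerate dangerous characters: a denylist of `=` or parentheses would still have to anticipate every other way of forming an expression, whereas the literal-only grammar above leaves nothing for an attacker to compose.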