01266: refcount uses invalid XHTML markup

Summary: refcount uses invalid XHTML markup
Created: 2011-09-22 21:50 UTC
Status: Closed - fixed for 2.2.33
Category: Bug
From: RRipley
Priority: 1
Version: 2.2.30
OS: Linux 2.6.28/Apache 2.2/PHP 5.2.17


"?action=refcount" produces invalid XHTML. It looks like "HTML 4.01 Transitional", but PmWiki uses "XHTML 1.0 Transitional". So the function PrintRefCount() in scripts/refcount.php requires an "update":

  • Each empty tag like <input>, <br>, <hr> etc requires an ending it with "/>".
  • <option> lists must be closed by a </option>
  • minimized attributes like "checked", "selected" etc must be written as "checked='checked'"
  • <p> must be closed by </p>

Maybe there are other flaws to be verified, but the few are the obvious ones I've seen.

Additionally there are two other bugs in there:

  1. <form method='post'>
    A <form> requires an "action" attribute, otherwise the W3C markup validator claims an error. Should be $_SERVER['REQUEST_URI'] or similar.
  2. <input type='hidden' action='refcount'>
    There's no attribute "action". It should be
    <input type='hidden' name='action' value='refcount' />

Verifying is easy:

You'll get 371 errors (by now).

  • Then remove the "?action=refcount" portion
  • and "Revalidate".

You'll get "This document was successfully checked as XHTML 1.0 Transitional!"

Thanks! The action now validates, but there still may be some forgotten bug. :-) --Petko September 22, 2011, at 05:14 PM

XSS can easily happen in the <option> values - check the $tlist and $flist processing if you're bored right now ;)
RRipley 2011-09-22 22:30 UTC

At the moment I don't see how, the option values and labels come from the internal ListPages() function, not from $_REQUEST (it is only checked to enable "selected" options). --Petko September 22, 2011, at 05:55 PM

You are right. There's no direct XSS entry point since the $GroupPattern and $NamePattern do not allow HTML markup characters. So, refcount can be declared fixed.
RRipley 2011-09-23 06:10 UTC