incubator-jspwiki-user mailing list archives

From "Bob Paige" <bobpa...@gmail.com>
Subject Re: aliases?
Date Thu, 03 Jul 2008 13:52:11 GMT
The purpose was to provide a macro capability, but not facilitate cross-site
scripting attacks. Given that we don't know exactly how it would work, how
do you see it as enabling cross-site scripting?

Perhaps my example was misleading since it included a URL, but isn't this
same thing possible in JSPWiki (through an interwiki link) or by just
including the URL in the page:

[Click here!|http://www.google.com/search?q=foo]

Also, it seems to me the purpose of interwiki links is to abstract away the
URL necessary to link to the other wiki, not provide security, i.e. it is
really only a shortcut to something the user could already do.

I believe a separate question of mine on this list overlaps with the
macro/alias thing, so I will share my recent research here.

Using the InsertPage plugin (as suggested by someone else on this list) I
thought I could build up a library of useful pieces, similar to the macro
ability discussed in this thread. Unfortunately, it didn't work as I had
hoped for.

My first test was using the Categories feature (i.e. the
ReferringPagesPlugin). Knowing that I will have many pages that have related
'Spec' pages, I created a new Wiki page called 'SpecList' that included only
the following:

!!!Specifications
[{ReferringPagesPlugin include='*Spec' before='*' after='\n\n' }]

These two lines are likely to be replicated all over my wiki, and if in the
future I decide to embellish it a bit, I would like to have them defined in
only one place.

But when I included this page in another one (with InsertPage), it didn't
work. It appears the ReferringPagesPlugin is invoked *before* the InsertPage
plugin, so I get a list of pages that refer to the SpecList page, not the
page I am currently in.

So, InsertPage doesn't work like the macro ability I am describing here, but
does give me hope.

Is it possible to write another plugin similar to InsertPage (call it
'MacroPlugin') that inserts the contents of another page *before* any
contained plugins are invoked?

-- 
Bobman

On Wed, Jul 2, 2008 at 9:41 PM, Andrew Jaquith <andrew.jaquith@mac.com>
wrote:

> Bob, Murray and all --
>
> While the TiddlyWiki plugin sounds like it is very convenient for users, I
> don't see something like this being part of JSPWiki unless the functionality
> is carefully constrained. In particular, the capability to specify external
> URLs has "cross site scripting" written all over it. ACLs would not be the
> answer, either -- you'd want to create a custom Permission type for it, and
> have the right to use it enshrined in the security policy.
>
> Andrew
>
>
> On Jul 2, 2008, at 5:44 PM, Juan Pablo Santos Rodríguez wrote:
>
>  Hi Bob,
>>
>> maybe interwiki links could help you with aliases? i.e., by default
>> typing
>> [Google:Bob], should be converted to http://www.google.com/search?q=Bob.
>> Check both jspwiki.properties (Interwiki links section, lines 615-650) and
>> http://www.jspwiki.org/wiki/InterWiki
>>
>> regarding the custom footer, as Janne said, you can implement your own
>> PageFilter or extend BasicPageFilter to add your custom markup (overriding
>> preTranslate method, for example). Another way could be using InsertPage
>> plugin, available in the core distro. Initial code and some explanations
>> at
>> http://www.jspwiki.org/wiki/InsertPagePlugin
>>
>> cheers,
>> jp
>>
>> 2008/7/2 Murray Altheim <murray07@altheim.com>:
>>
>>  Bob Paige wrote:
>>> [...]
>>>
>>>> AliasPlugin is a type of macro feature that allows you to define new
>>>> plugins on the fly. For example, I might define an alias called 'google'
>>>> with a value of "http://www.google.com/search?q=$1". Thus, whenever I put
>>>> in the wiki markup "<<google jspwiki>>" (which is how you call a plugin in
>>>> TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki". This
>>>> also works with wiki markup; I could use the aliasPlugin to insert wiki
>>>> markup which is then interpreted by the wiki engine.
>>>>
>>>> As I work on the wiki for my work, I find myself putting the same footers
>>>> on many pages, for example:
>>>> ----
>>>> !!!Pages referencing me
>>>> [{ReferringPagesPlugin}]
>>>>
>>>> It would be useful to define a macro that would resolve as this text,
>>>> allowing me to redefine this footer without having to re-edit all the
>>>> pages that use it.
>>>>
>>>> Does such a beast exist? If not, any leads on how to write it?
>>>>
>>>>
>>> Bob,
>>>
>>> Since aliases need to be global across the entire wiki you'd need a
>>> manager to collect them as well as to flag conflicts (e.g., if a
>>> user creates an alias that already exists, their plugin would fail
>>> and return an error message).
>>>
>>> The manager would be a singleton (for the wiki, not the JVM), and
>>> there'd be a plugin to declare aliases. You'd then need some way to
>>> use aliases, probably either a filter or a plugin that would access
>>> the manager and obtain the replacement text.
>>>
>>> You could (as with any plugin) restrict the creation of aliases to
>>> certain people (via ACL or only authenticated users).
>>>
>>> You might look into the TagPlugin (which has a TagManager) as a
>>> model.
>>>
>>>  http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
>>>  http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
>>>
>>> I also note that John Volkar has donated an AliasPlugin to the set
>>> of CeryleWikiPlugins
>>>
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
>>>
>>> though that doesn't do what you're asking for, just reverse the
>>> current page alias feature available in JSPWiki, i.e., you declare
>>> on the page its own aliases.
>>>
>>> Hope that is helpful.
>>>
>>> Murray
>>>
>>>
>>> ...........................................................................
>>> Murray Altheim <murray07 at altheim.com>
>>> http://www.altheim.com/murray/
>>> SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk
>>>
>>>    Boundless wind and moon - the eye within eyes,
>>>    Inexhaustible heaven and earth - the light beyond light,
>>>    The willow dark, the flower bright - ten thousand houses,
>>>    Knock at any door - there's one who will respond.
>>>                                    -- The Blue Cliff Record
>>>
>>>
>
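
The constraint discussed in this thread (a URL-template alias such as 'google', gated by a dedicated permission type rather than a page ACL), as an added example that is not JSPWiki code and not part of any message above. `AliasDemo`, `AliasPermission`, `define` and `expand` are hypothetical names; only JDK classes are used, and the grant is built in code here where a deployment would put it in the security policy.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.BasicPermission;
import java.security.Permissions;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class AliasDemo {
    /** Hypothetical permission type for alias management (not a JSPWiki class). */
    static final class AliasPermission extends BasicPermission {
        AliasPermission(String name) { super(name); }
    }

    static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    static final Map<String, String> ALIASES = new ConcurrentHashMap<>();

    /** Registers a URL template containing "$1"; the caller must hold AliasPermission("define"). */
    static void define(Permissions granted, String alias, String template) throws URISyntaxException {
        if (!granted.implies(new AliasPermission("define")))
            throw new SecurityException("alias definition not permitted");
        URI probe = new URI(template.replace("$1", "x")); // parse with a harmless argument
        String scheme = probe.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase()) || probe.getHost() == null)
            throw new IllegalArgumentException("template must be an absolute http(s) URL");
        if (ALIASES.putIfAbsent(alias, template) != null) // flag conflicts, as Murray suggests
            throw new IllegalStateException("alias already exists: " + alias);
    }

    /** Expands an alias; the argument is percent-encoded so it cannot leave its URL component. */
    static String expand(String alias, String arg) {
        String template = ALIASES.get(alias);
        if (template == null) throw new IllegalArgumentException("unknown alias: " + alias);
        return template.replace("$1", URLEncoder.encode(arg, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Permissions editor = new Permissions();           // constructed grant for the demo
        editor.add(new AliasPermission("define"));
        define(editor, "google", "http://www.google.com/search?q=$1");
        System.out.println(expand("google", "jspwiki"));
        System.out.println(expand("google", "\"><script>alert(1)</script>")); // constructed input
        try { define(editor, "bad", "javascript:alert($1)"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        try { define(new Permissions(), "other", "https://example.org/?q=$1"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The expanded URL still has to be HTML-escaped by whatever renders it into the page; percent-encoding the argument only keeps it inside the query component.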
