jspwiki-user mailing list archives

From Murray Altheim <murra...@altheim.com>
Subject Re: aliases?
Date Thu, 03 Jul 2008 20:57:41 GMT
Bob Paige wrote:
> The purpose was to provide a macro capability, but not facilitate cross-site
> scripting attacks. Given that we don't know exactly how it would work, how
> do you see it as enabling cross-site scripting?
> Perhaps my example was misleading since it included a URL, but isn't this
> same thing possible in JSPWiki (through an interwiki link) or by just
> including the URL in the page:
> [Click here!|http://www.google.com/search?q=foo]

The danger isn't in passing URLs per se, it's in potentially passing
hidden URLs, code (e.g., JavaScript), markup, or strings that may
somehow be converted into markup, code, or content that might be
interpreted by the system as a command.

> Also, it seems to me the purpose of interwiki links is to abstract away the
> URL necessary to link to the other wiki, not provide security, i.e. it is
> really only a shortcut to something the user could already do.
> I believe a separate question of mine on this list overlaps with the
> macro/alias thing, so I will share my recent research here.
> Using the InsertPage plugin (as suggested by someone else on this list) I
> thought I could build up a library of useful pieces, similar to the macro
> ability discussed in this thread. Unfortunately, it didn't work as I had
> hoped for.

The real problem with the InsertPage, TranscludePage, etc. plugins is
that they are not recursive. In other words, the transcluded page may
itself include another page, etc., with each page fully rendered prior
to being passed on to the next inclusion/transclusion.

> Is it possible to write another plugin similar to InsertPage (call it
> 'MacroPlugin') that inserts the contents of another page *before* any
> contained plugins are invoked?

It's *possible* but not easy -- you'd have to hook up the renderer to
process the content recursively backward to the first inclusion. This
would be outside the normal page processing, the plugin responsible
basically for everything.


Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record
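
The danger described in the reply above, shown for a hypothetical link alias that takes a URL and a label. This is an added example, not part of the original message and not JSPWiki code; the function names, the scheme allow-list and the sample arguments are assumptions constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumption: the wiki only wants ordinary web links from an alias.
ALLOWED_SCHEMES = {"http", "https"}


def expand_naive(url, label):
    """Weak form: alias arguments are pasted into the markup unchanged."""
    return '<a href="%s">%s</a>' % (url, label)


def expand_safe(url, label):
    """Hardened form: arguments are treated as data, never as markup or script."""
    # Browsers ignore tabs, newlines and surrounding whitespace in a URL,
    # so drop non-printable characters before looking at the scheme.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    try:
        scheme = urlsplit(cleaned).scheme
    except ValueError:
        scheme = ""
    if scheme not in ALLOWED_SCHEMES:
        # Refuse to build a link; show the label as plain text only.
        return html.escape(label)
    return '<a href="%s">%s</a>' % (html.escape(cleaned, quote=True),
                                    html.escape(label))


# Constructed sample arguments: the URL from the thread plus three hostile ones.
SAMPLES = [
    ("http://www.google.com/search?q=foo", "Click here!"),
    ("javascript:alert(1)", "Click here!"),
    ("java\tscript:alert(1)", "Click here!"),
    ('http://example.org/" onmouseover="alert(1)', "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    for url, label in SAMPLES:
        print("naive:", expand_naive(url, label))
        print("safe: ", expand_safe(url, label))
```

The plain URL from the thread passes through both forms unchanged; only the hardened form keeps the other three arguments from becoming script or extra attributes.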
