[pmwiki-users] Custom Markup: $2 does not work correctly (regexp problem?)
Patrick R. Michaud
pmichaud at pobox.com
Mon Aug 28 16:37:24 CDT 2006
On Mon, Aug 28, 2006 at 11:22:53PM +0200, Dawid Gajownik wrote:
> On 08/25/2006 03:12 PM, user Dominique Faure wrote:
> > Markup("boxfile", "<split",
> > '/\\(:boxfile\s+([^|]+)\|\s*(.*?):\\)/se',
> > "'<:block>'.Keep('<div class=\"boxfile\"><p><strong>File:</strong>
> > $1</p><pre>$2</pre></div>')");
>
> Thank you very much :) Would you also be willing to explain to me what
> this "<:block>" thing is for? I haven't found an explanation at pmwiki.org.

"<:block>" is a special marker that PmWiki uses internally to say
"this line contains a block, so don't treat it as a paragraph".

I actually think that in later versions of PmWiki (i.e., after 2.1.0)
this particular markup is no longer needed, and that the markup
rules can automatically detect when the line is a block and not
to be treated as a paragraph. I.e., I think the following will
also work:

    Markup('boxfile', '<split',
      '/\\(:boxfile\s+([^|]+)\\|\\s*(.*?):\\)/se',
      "Keep('<div class=\"boxfile\"><p><strong>File:</strong>
        $1</p><pre>$2</pre></div>')");

> Oh, one more question: how vulnerable can this example be? On
> http://pmwiki.org/wiki/PmWiki/CustomMarkup someone wrote that the /e option
> can be insecure.

This particular example is pretty secure. The /e option is
insecure primarily when a $1, $2, etc. variable appears outside
of any single quotes nested within the double quoted string.
(Hard to explain, sorry.) In the above case, the $1 and $2
both appear within the single quotes surrounding the <div>...</div>
pair, so it's safe.

However, another problem with /e is that it tends to put
backslashes in front of quotes in the input string, so that
(:boxfile O'Hare | 'An Airport':) would tend to get
displayed as O\'Hare and \'An Airport\' .

The way to fix this is to be sure to use PSS('...') around any
$1, $2 variables coming from a /e match, thus:

    Markup('boxfile', '<split',
      '/\\(:boxfile\s+([^|]+)\\|\\s*(.*?):\\)/se',
      "Keep(PSS('<div class=\"boxfile\"><p><strong>File:</strong>
        $1</p><pre>$2</pre></div>'))");

The PSS() call removes any unwanted backslashes that might've
been added by the /e modifier.

(It might be necessary to add the '<:block>' before the Keep()
call, but I really think it's no longer needed.)

Hope this helps, questions welcomed.

Pm
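
Added example, not part of the original message and not PmWiki's own code: the /e modifier discussed above was deprecated in PHP 5.5 and removed in PHP 7.0, so the same boxfile pattern is shown here with preg_replace_callback(), where the captures reach the handler as plain strings and are never evaluated or backslash-escaped. The function names boxfile_callback() and render_boxfile() are hypothetical, the sample inputs are constructed, and htmlspecialchars() is an assumption for stand-alone use in place of the wiki's own escaping and Keep().

```php
<?php
// Stand-alone illustration (assumed names, not PmWiki API).
// With /e, PHP first substituted $1/$2 into the replacement string and then
// ran the result as PHP source, after applying addslashes() to each capture.
// That is why a capture outside the inner single quotes was parsed as code,
// and why quotes came back as \' until PSS() stripped the backslashes.
// A callback has neither problem: captures arrive as data in $m.

function boxfile_callback(array $m): string
{
    // $m[1] is the file name, $m[2] the body. [^|]+ also captures the
    // whitespace before the '|', so trim the name.
    $name = htmlspecialchars(trim($m[1]), ENT_QUOTES, 'UTF-8');
    $body = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8');

    return '<div class="boxfile"><p><strong>File:</strong> '
         . $name . '</p><pre>' . $body . '</pre></div>';
}

function render_boxfile(string $text): string
{
    // Same pattern as in the message, minus the e flag.
    $out = preg_replace_callback(
        '/\\(:boxfile\\s+([^|]+)\\|\\s*(.*?):\\)/s',
        'boxfile_callback',
        $text
    );

    // preg_replace_callback() returns null on a PCRE error (for example a
    // backtrack limit hit); fall back to the unmodified text in that case.
    return $out ?? $text;
}

// Constructed sample inputs: quotes, a dollar sign and angle brackets.
$samples = [
    "(:boxfile O'Hare | 'An Airport':)",
    '(:boxfile run.sh | echo "$HOME" > <out.txt>:)',
    'no markup on this line',
];

foreach ($samples as $sample) {
    // Quotes appear as &#039; / &quot; in the HTML source and render
    // without any added backslashes in the browser.
    echo render_boxfile($sample), "\n";
}
```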