Timestamp:
06/04/09 00:10:06 (3 years ago)
Author:
KennethLavrsen
Message:

Item1640: CommentPlugin writes "%" as html-code, which prevents the use of Macros
It was me who created the problem with my default safe mode in URLPARAM
I have analysed the problem and as long as we use URLPARAM in the OUTPUT part of
the CommentPlugin templates and keep the settings inside verbatim tags we do not
expose any XSS attack. So we can give the users back the ability to use Foswiki
Macros in comment input fields.
With this I also merge over some code changes Crawford had done in trunk.
Note that except for the release version all changes in the .pm files are unrelated
to the bug fix, which is why I dare to check in perltidy stuff with a bug fix.
CommentPlugin is now again the same in trunk and the Release branch.

File:
1 edited

  • trunk/CommentPlugin/lib/Foswiki/Plugins/CommentPlugin.pm

    r2957 r4027  
    1313 
    1414our $VERSION = '$Rev$'; 
    15 our $RELEASE = 'Foswiki-1.0.1'; 
     15our $RELEASE = '04 Jun 2009'; 
    1616our $SHORTDESCRIPTION = 
    1717  'Quickly post comments to a page without an edit/preview/save cycle'; 
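Review bot: `$RELEASE` moves from the product version string 'Foswiki-1.0.1' to the bare date '04 Jun 2009', so the value no longer tells an administrator which Foswiki release the plugin shipped with. If the date-stamp convention is intended, state it in the commit message or the plugin topic, because this is the only functional change in this file; the Item1640 fix itself (URLPARAM in the OUTPUT part of the templates) is not in this hunk.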
     
    1919 
    2020sub initPlugin { 
    21  
    2221    #my ( $topic, $web, $user, $installWeb ) = @_; 
    2322    return 1; 
     
    3029 
    3130    my $query = Foswiki::Func::getCgiQuery(); 
    32     return unless ( defined($query) ); 
     31    return unless( defined( $query ) ); 
    3332 
    3433    return unless $_[0] =~ m/%COMMENT({.*?})?%/o; 
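Review bot: the r4027 side `return unless( defined( $query ) );` drops the space after `unless` and pads the inner parentheses, which is the opposite of the perltidy default layout the r2957 side already had (`return unless ( defined($query) );`). Since the commit message describes these edits as perltidy output, one of the two layouts is not what the tidy run produced, and the file will flip back on the next run unless the project's perltidy configuration is used consistently. The same applies to the `comment_action` check and the `save( @_ )` call in beforeSaveHandler below.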
     
    3938    # SMELL: unreliable 
    4039    my $previewing = ( $scriptname =~ /\/(preview|gnusave|rdiff|compare)/ ); 
    41     Foswiki::Plugins::CommentPlugin::Comment::prompt( $previewing, $_[0], $web, 
    42         $topic ); 
     40    Foswiki::Plugins::CommentPlugin::Comment::prompt( $previewing, 
     41                                                    $_[0], $web, $topic ); 
    4342} 
    4443 
    4544sub beforeSaveHandler { 
    46  
    4745    #my ( $text, $topic, $web ) = @_; 
    4846 
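Review bot: the `# SMELL: unreliable` marker on `$previewing` is carried over untouched while the `prompt(...)` call under it is only re-wrapped. Deriving preview state from `$scriptname =~ /\/(preview|gnusave|rdiff|compare)/` breaks as soon as a script is renamed or served under a different path, so either this reflow or a follow-up should add a note beside the SMELL pointing at the context-based check (Foswiki::Func::getContext) so the known weakness is not lost in a formatting-only change.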
     
    5452    my $action = $query->param('comment_action'); 
    5553 
    56     return unless ( defined($action) && $action eq 'save' ); 
    57     Foswiki::Plugins::CommentPlugin::Comment::save(@_); 
     54    return unless( defined( $action ) && $action eq 'save' ); 
     55    Foswiki::Plugins::CommentPlugin::Comment::save( @_ ); 
    5856} 
    5957 