Revision history for MagicWords


Revision [19183]

Last edited on 2008-01-28 00:14:41 by JonAmgine [Modified links pointing to docs server]

No Differences

Revision [16941]

Edited on 2007-05-31 23:27:30 by JonAmgine [Reverted]
Additions:
One method brought up in IRC discussion was to provide an alternative markup which could be used to tell the parser to replace the content with the value of a system variable. Placing the variable name inside doubled greaterthan / lessthan symbols leaves it readily parsed and simply substituted. e.g. **<<tag>>** would be substituted with the pagename. This could provide a security risk without some method for blacklisting/whitelisting variables available since the database username and password would theoretically be available, as well as other vulnerabilities.
A second method is more complex, but provides both for greater security and greater security risk: provide an interface for designing magic words on a system. A simple MySQL table could be created with variable names and their substitution values such as:
{{table columns="2" cellpadding="1" cells="VAR;SUBSTITUTE;pagename;$tag;dayofweek;date('l')"}}
Clearly this second method introduces the possibility of php insertion vulnerabilities, so should not be a browser-editable item although I could see such a system being implemented using a wiki page.
== Discuss ==
Please discuss.
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and <?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered.
Deletions:
One method brought up in IRC discussion was to provide an alternative markup which could be used to tell the parser to replace the content with the value of a system variable. Placing the variable name inside doubled greaterthan / lessthan symbols leaves it readily parsed and simply substituted. e.g. **
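Review bot: the `SUBSTITUTE` column in the restored table holds `$tag` and `date('l')`, which is PHP source stored as data, so whatever reads the table has to evaluate it and anyone able to edit a row can insert PHP, as the text itself notes. Consider storing only the magic-word name and mapping it in code to a fixed handler. For the `<<tag>>` method, resolve names against an explicit whitelist rather than a blacklist, since the text says the database username and password would otherwise be reachable.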


Revision [16740]

Edited on 2007-05-31 10:43:23 by MrjSsk [Reverted]
Additions:
One method brought up in IRC discussion was to provide an alternative markup which could be used to tell the parser to replace the content with the value of a system variable. Placing the variable name inside doubled greaterthan / lessthan symbols leaves it readily parsed and simply substituted. e.g. **
Deletions:
One method brought up in IRC discussion was to provide an alternative markup which could be used to tell the parser to replace the content with the value of a system variable. Placing the variable name inside doubled greaterthan / lessthan symbols leaves it readily parsed and simply substituted. e.g. **<<tag>>** would be substituted with the pagename. This could provide a security risk without some method for blacklisting/whitelisting variables available since the database username and password would theoretically be available, as well as other vulnerabilities.
A second method is more complex, but provides both for greater security and greater security risk: provide an interface for designing magic words on a system. A simple MySQL table could be created with variable names and their substitution values such as:
{{table columns="2" cellpadding="1" cells="VAR;SUBSTITUTE;pagename;$tag;dayofweek;date('l')"}}
Clearly this second method introduces the possibility of php insertion vulnerabilities, so should not be a browser-editable item although I could see such a system being implemented using a wiki page.
== Discuss ==
Please discuss.
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and <?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered.
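Review bot: the added line stops mid-sentence at `e.g. **` while the deletion removes the whitelisting caveat, the table, the PHP insertion warning and the whole Discuss section, and nothing replaces them. This reads as a truncation of the page rather than an edit to it, so the previous revision should be restored in full.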


Revision [15541]

Edited on 2006-10-23 16:43:15 by JonAmgine [html entities]
Additions:
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and <?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered.
Deletions:
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and &lt:?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered. ::::


Revision [15540]

Edited on 2006-10-23 16:39:20 by JonAmgine [siggy]
Additions:
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and &lt:?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered. ::::
Deletions:
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and &lt:?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered.


Revision [15539]

Edited on 2006-10-23 16:38:30 by JonAmgine [subst: syntax]
Additions:
One thing I forgot to mention is a substitution syntax. Having any magicwords scheme is going to slow down page parsing on view. Adding a substitution syntax will allow the variable value to be replace the magicword in the actual page source. Use the above example variables, {{subst:pagename}} and {{dayofweek}} would be replaced by the value of $tag and &lt:?php date('l') ?>, respectively. This syntax mirrors the mediawiki syntax, allowing for easier migration, but there may very well be a standard wikitax for the same concept which should be prefered.
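Review bot: in the added sentence `{{subst:pagename}}` carries the `subst:` prefix but `{{dayofweek}}` does not, yet both are described as being replaced in the page source. Either write `{{subst:dayofweek}}` or state that the second form is resolved at view time. The PHP tag is also written as `&lt:?php`, with a colon where the entity needs a semicolon, so it will not render as `<?php`.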


Revision [15528]

Edited on 2006-10-19 19:46:10 by JonAmgine [grammar]
Additions:
Clearly this second method introduces the possibility of php insertion vulnerabilities, so should not be a browser-editable item although I could see such a system being implemented using a wiki page.
Deletions:
Clearly this second method introduces the possibility php insertion vulnerabilities, so should not be a browser-editable item although I could see such a system being implemented using a wiki page.


Revision [15527]

Edited on 2006-10-19 19:23:04 by JonAmgine [htmlencode]

No Differences

Revision [15526]

The oldest known version of this page was created on 2006-10-19 19:20:37 by JonAmgine [htmlencode]