type="safe" is the default mode for ENCODE and URLPARAM. It escapes some characters to reduce the chance of cross-site scripting attacks. With this, TWiki variables are escaped as well because the percent character is escaped.
This proposal adds a type="moderate" mode that acts like type="safe" but excludes the percent character. That way, %BR% and other TWiki variables function properly when added in a CommentPlugin comment box.
TWikibug:Item6276 (cannot specify percentBRpercent for newline value) currently fixes this issue by using type="off", which opens comment boxes to cross-site scripting attacks. I recommend adding a type="moderate" mode, which is a relatively safe middle ground.
| Parameter: | Description: | Default: |
|---|---|---|
| type="moderate" | Encode special characters into HTML entities to avoid XSS exploits: "<", ">", single quote (') and double quote ("). The percent character (%) is not escaped, useful to allow TWiki variables in comment boxes. | type="url" |
| Parameter: | Description: | Default: |
|---|---|---|
| encode="moderate" | Encode special characters into HTML entities to avoid XSS exploits: "<", ">", single quote (') and double quote ("). The percent character (%) is not escaped, useful to allow TWiki variables in comment boxes. | encode="safe" |
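The following Perl snippet is an added illustration of the three modes discussed above (off, safe, and the proposed moderate) for both ENCODE type= and URLPARAM encode=; it is not TWiki's own implementation, and the `encode_text` function and the sample comment are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative encoder (hypothetical, not TWiki's code).
# "safe"     entity-encodes < > % ' and "  (TWiki variables are neutralised too)
# "moderate" entity-encodes < > ' and "    (% is left alone, so %BR% still expands)
# "off"      returns the text unchanged    (anything typed reaches the page)
sub encode_text {
    my ( $text, $type ) = @_;
    $type ||= 'safe';
    if ( $type eq 'safe' ) {
        $text =~ s/([<>%'"])/'&#' . ord($1) . ';'/ge;
    }
    elsif ( $type eq 'moderate' ) {
        $text =~ s/([<>'"])/'&#' . ord($1) . ';'/ge;
    }
    elsif ( $type ne 'off' ) {
        die "unknown type '$type'";
    }
    return $text;
}

# Constructed sample comment: a TWiki variable next to a script tag.
my $comment = q{Line one%BR%Line two <script>alert("x")</script>};

for my $type (qw(off safe moderate)) {
    printf "%-9s %s\n", "$type:", encode_text( $comment, $type );
}
```

In the moderate line the %BR% variable is intact while the tag delimiters and quotes are entities, so the browser never sees an element or attribute boundary; the off line shows why Item6276's workaround is unsafe.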