X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/432577e23feee85c0a7f33ae356989dcd0939957..328cb70e6da25998e96d0d490d6d4a85b2036860:/doc/bugs/404_when_cancel_create_page.mdwn?ds=sidebyside diff --git a/doc/bugs/404_when_cancel_create_page.mdwn b/doc/bugs/404_when_cancel_create_page.mdwn index b802de787..acf5ac9b3 100644 --- a/doc/bugs/404_when_cancel_create_page.mdwn +++ b/doc/bugs/404_when_cancel_create_page.mdwn @@ -25,7 +25,12 @@ if it is known. } elsif ($form->submitted eq "Preview") { +> I think you mean to use `$newfile`? I've applied a modieid version +> that also deal with creating a new page with no defined $from location. +> [[bugs/done]] --[[Joey]] +>> Yes of course, that's what I get for submitting an untested patch! +>> I must stop doing that. [P.S. just above that is @@ -43,4 +48,13 @@ is there aren't going to be many possible extensions. Something like `/(.\w+)+/` (groups of dot separated alpha-num chars if my perl-foo isn't failing me). You could at least exclude `/` and `..`. I'm happy to turn this in to a patch if you agree.] +> The reason it's safe to use `possibly_foolish_untaint` here is because +> of the check for $hooks{htmlize}{$type}. This limits it to types +> that have a registered htmlize hook (mdwn, etc), and not whatever random +> garbage an attacker might try to put in. If it wasn't for that check, +> using `possibly_foolish_untaint` there would be _very_ foolish indeed.. +> --[[Joey]] +>> Nice, sorry I missed it. +>> I must say thankyou for creating ikiwiki. +>> The more I look at it, the more I admire what you are doing with it and how you are going about it