71 lines
2.8 KiB
Markdown
71 lines
2.8 KiB
Markdown
Here is a patch [[!tag patch]] to add a *forward*ing functionality
|
|
to the [[`meta`_plugin|plugins/meta]].
|
|
|
|
> [[done]], with some changes --[[Joey]]
|
|
|
|
Find the most recent version at
|
|
<http://www.schwinge.homeip.net/~thomas/tmp/meta_forward.patch>.
|
|
|
|
I can't use `scrub(...)`, as that will strip out the forwarding HTML command.
|
|
How to deal with that?
|
|
|
|
I can also submit a Git patch, if desired.
|
|
|
|
|
|
# Syntax
|
|
|
|
**URL** = http://some.nice/place/ (*etc.*)
|
|
|
|
**WHITHER** = \[\[**[[ikiwiki/wikilink]]**]] | **URL**
|
|
|
|
**D** = natural number (*meaning seconds*)
|
|
|
|
**OPT_DELAY** = delay=**D** | empty (*immediatelly*)
|
|
|
|
\[[!meta forward="**WHITHER**" **OPT_DELAY**]]
|
|
|
|
|
|
# Extensions and Ideas
|
|
|
|
It might be doable to add references to pages that refer to the page containg
|
|
the forwarding statement also to the referred-to page.
|
|
|
|
--[[tschwinge]]
|
|
|
|
|
|
# Discussion
|
|
|
|
> The html scrubber cannot scrub meta headers. So if you emit one
|
|
> containing user-supplied data, it's up to you to scrub it to avoid all
|
|
> possible XSS attacks. Two attacks I'd worry about are cyclic meta refresh
|
|
> loops, which some, but not all web browsers detect and break, and any way
|
|
> to insert javascript via the user-supplied parameters. (Ie, putting
|
|
> something in the delay value that closes the tag can probably insert
|
|
> javascript ATM; and are there ways to embed javascript in the url?)
|
|
> --[[Joey]]
|
|
|
|
>> OK. I can add code to make sure that `$delay` **D** indeed is a natural number
|
|
>> and that the passed target address **WHITHER** is nothing but a valid target address.
|
|
>> (How to qualify a valid target address?)
|
|
>> What is a *cyclic meta refresh loop*? Two pages in turn forwarding to each other?
|
|
>> I think it would be possible to implement such a guard when only in-wiki links
|
|
>> ([[ikiwiki/wikilink]]s) are being used, but how to do so for external links? --[[tschwinge]]
|
|
|
|
>>> This seems a lot more securely to do for in-wiki links, since we know
|
|
>>> that a link generated by a wikilink is safe, and can avoid cycles.
|
|
>>> Obviously there's no way to avoid cycles when using external links.
|
|
>>>
|
|
>>> An example of code that doesn't detect such cycles is LWP::UserAgent,
|
|
>>> which will happily follow cycles forever. There's a LWPx::ParanoidAgent
|
|
>>> that can deal with cycles. I suppose this could be considered a client
|
|
>>> side issue, except that if I were going to turn this redirect feature
|
|
>>> on in my wikis, I'd really prefer to not have to worry about my wiki
|
|
>>> causing such problems for clients. I feel it makes sense to make
|
|
>>> external redirects or other potentially unsafe things an option,
|
|
>>> and have the default behavior be only things that are known to be
|
|
>>> secure.
|
|
>>>
|
|
>>> I haven't checked if there's a way to embed javascript in meta refresh
|
|
>>> links or not. Given all the other places I've seen it be embedded, I'll
|
|
>>> assume it is possible until it's shown not to be though.. --[[Joey]]
|