You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@jspwiki.apache.org by Bob Paige <bo...@gmail.com> on 2008/07/02 21:35:30 UTC
aliases?
I also use TiddlyWiki (a local Wiki, as opposed to server-based Wikis like
JSPWiki) and one interesting plugin it supports is called 'aliasPlugin'.
Clearly, JSPWiki isn't going to support the same plugin, but I wonder if the
same functionality is available or even possible.
AliasPlugin is a type of marco feature that allows you to define new plugins
on the fly. For example, I might define an alias called 'google' with a
value of "http://www.google.com/search?q=$1". Thus, whenever I put in the
wiki markup "<<google jspwiki>>" (which is how you call a plugin in
TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki". This
also works with wiki markup; I could use the aliasPlugin to insert wiki
markup which is then interpreted by the wiki engine.
As I work on the wiki for my work, I find myself putting the same footers on
many pages, for example:
----
!!!Pages referencing me
[{ReferringPagesPlugin}]
It would be useful to define a macro that would resolve as this text,
allowing me to redefine this footer without having to re-edit all the pages
that use it.
Does such a beast exist? If not, any leads on how to write it?
--
Bobman
Re: aliases?
Posted by Janne Jalkanen <ja...@iki.fi>.
> In reading about this I didn't see how it could happen, i.e., how this
> could squeak through a JSP-based system even if it did have a SQL backend.
>
> If you have a handy reference it'd be much appreciated. Thanks!
Here's a cool video on the subject from one of Google's security people.
http://www.youtube.com/watch?v=jC6Q1uCnbMo
/Janne
Re: aliases?
Posted by Murray Altheim <mu...@altheim.com>.
Janne Jalkanen wrote:
>> Wouldn't a simple solution to that be to filter for URLs and have the
>> alias declaration fail upon finding any? Similarly, any XML/HTML markup?
>>
>> E.g., if the alias string contains "<", ">", "&" or "://" we kill it.
>
> Nope. Only whitelisting works (that is, approve only [A-Za-z0-9_.] or
> something like that (well, the internationalized version with \{p}).
> And not necessarily even then - there are SQL injection attacks which
> need no quote escapes.
Funny, I've been in a tech meeting for the last couple of days and this
subject came up -- where can I find out how SQL injection attacks could
be propagated within a wiki, in particularly JSPWiki? or JSPs in general?
I'm not currently using a SQL-based backend, but if I were how would
this get passed through JSPWiki? It seems easy enough to filter out.
In reading about this I didn't see how it could happen, i.e., how this
could squeak through a JSP-based system even if it did have a SQL backend.
If you have a handy reference it'd be much appreciated. Thanks!
Murray
----
Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
by example: http://www.unixwiz.net/techtips/sql-injection.html
(noting the section 'Sanitize the input' sounds like your advice)
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record
Re: aliases?
Posted by Janne Jalkanen <Ja...@ecyrd.com>.
> Wouldn't a simple solution to that be to filter for URLs and have the
> alias declaration fail upon finding any? Similarly, any XML/HTML
> markup?
>
> E.g., if the alias string contains "<", ">", "&" or "://" we kill it.
Nope. Only whitelisting works (that is, approve only [A-Za-z0-9_.]
or something like that (well, the internationalized version with \
{p}). And not necessarily even then - there are SQL injection
attacks which need no quote escapes.
/Janne
Re: aliases?
Posted by Murray Altheim <mu...@altheim.com>.
Andrew Jaquith wrote:
> Bob, Murray and all --
>
> While the TiddlyWiki plugin sounds like it is very convenient for users,
> I don't see something like this being part of JSPWiki unless the
> functionality is carefully constrained. In particular, the capability to
> specify external URLs has "cross site scripting" written all over it.
> ACLs would not be the answer, either -- you'd want to create a custom
> Permission type for it, and have the right to use it enshrined in the
> security policy.
Andrew,
Wouldn't a simple solution to that be to filter for URLs and have the
alias declaration fail upon finding any? Similarly, any XML/HTML markup?
E.g., if the alias string contains "<", ">", "&" or "://" we kill it.
Murray
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record
Re: aliases?
Posted by Bob Paige <bo...@gmail.com>.
Christophe,
This is very close to what I want, with the single exception of requiring
that your aliases be defined in the jspwiki.properties file. I dislike this
because 1) then only I (the wiki maintainer) could create them, and 2) I
would have to bounce the server for them to be seen.
Looking at the InsertPage source (specifically, line 139), I think I see why
it doesn't work as I expected. If I am reading this correctly, it is
converting the content of the included page to HTML *before* it includes it.
Given this example, it should be straightforward to copy/paste the
InsertPage plugin to make a Macro plugin that behaves the way I want it to.
So I'm thinking this Macro plugin would work just like the InsertPage plugin
but I would add support for arbitrary parameters:
[{Macro page='some other page' param1='some parameter' param2='some othe
rparameter'}]
The plugin would fetch the content of the named page (checking permissions,
etc. like InsertPage does) and then replace all occurrences of '$param1'
with the corresponding text. Same for 'param2'.
Question to the crowd: do you think the parameters should have specific
names like 'param1', 'param2', or should I look for whatever parameters are
in the command line (i.e. anything that precedes a '=' and does not contain
spaces)?
--
Bobman
On Thu, Jul 3, 2008 at 10:46 AM, Christophe Dupriez <
christophe.dupriez@poisoncentre.be> wrote:
> Hi Bob!
>
> I identified the same need and I implemented it extending the "get variable
> value" mechanism. You can find the discussion and the source code here:
>
> http://markmail.org/message/wkxsa4q26u4boydl#query:jspwiki%20alias%20variable%20dupriez+page:1+mid:tcxbxztuttbftc42+state:results
>
> The idea was to define aliases in jspwiki.properties and to be able to
> "call" them within a text with a relatively simple sequence:
> [{$alias-name$}]
>
> My thought now is that what I really need is a "page type" where there are
> commands added before/after the Wiki page content, depending on page type.
>
> For instance, in http://www.destin.be/DIRE
> I have hundreds of "Cases" referring to thousands "Procédés", sorted by
> "Circonstances" and "Operandes" and "Operations": pages of a same type
> ("Cases" for instance) are all needing the same prefixes/postfixes like:
>
> [{ReferringPagesPlugin include='Procédé*' before='!!' after='%n[{InsertPage
> section=2 page=%p}]%n----%n'}]
>
> [{ReferringPagesPlugin title='!Cité par:%n'
> exclude='Main,LeftMenu,Procédé*'}]
>
> I was thinking to use [{$CasesRef$}] in those pages to include those
> plugins calls. Now, I would prefer to add a switching mechanism in
> PageActionsBottom.jsp (suggestion anyone? My preference would be to base the
> choice of included plugins on the beginning of the page name).
>
> For instance, in another application, in PageActionsBottom.jsp, I added
> just before "</wiki:PageExists>":
> <p><wiki:Plugin plugin="ReferringPagesPlugin" args="before='*'
> after='\n' " /></p>
>
> Any better mechanism that I overlooked ?
>
> Christophe
>
> -----Original Message-----
> From: Bob Paige [mailto:bobpaige@gmail.com]
> Sent: jeudi 3 juillet 2008 15:52
> To: jspwiki-user@incubator.apache.org
> Subject: Re: aliases?
>
> The purpose was to provide a macro capability, but not facility cross-site
> scripting attacks. Given that we don't know exactly how it would work, how
> do you see it as enabling cross-site scripting?
>
> Perhaps my example was misleading since it included a URL, but isn't this
> same thing possible in JSPWiki (through an interwiki link) or by just
> including the URL in the page:
>
> [Click here!|http://www.google.com/search?q=foo]
>
> Also, it seems to me the purpose of interwiki links is to abstract away the
> URL necessary to link to the other wiki, not provide security, i.e. it is
> really only a shortcut to something the user could already do.
>
> I believe a separate question of mine on this list overlaps with the
> macro/alias thing, so I will share my recent research here.
>
> Using the InsertPage plugin (as suggested by someone else on this list) I
> thought I could build up a library of useful pieces, similar to the macro
> ability discussed in this thread. Unfortunatley, it didn't work as I had
> hoped for.
>
> My first test was using the Catagories feature (i.e. the
> ReferringPagesPlugin). Knowing that I will have many pages that have
> related
> 'Spec' pages, I created a new Wiki page called 'SpecList' that included
> only
> the following:
>
> !!!Specifications
> [{ReferringPagesPlugin include='*Spec' before='*' after='\n\n' }]
>
> These two lines are likely to be replicated all over my wiki, and if in the
> future I decide to embellish it a bit, I would like to have them defined in
> only one place.
>
> But when I included this page in another one (with InsertPage), it didn't
> work. It appears the ReferringPagesPlugin is invoked *before* the
> InsertPage
> plugin, so I get a list of pages that refer to the SpecList page, not the
> page I am currently in.
>
> So, InsertPage doesn't work like the macro ability I am describing here,
> but
> does give me hope.
>
> Is it possible to write another plugin similar to InsertPage (call it
> 'MacroPlugin') that inserts the contents of another page *before* any
> contained plugins are invoked?
>
> --
> Bobman
>
> On Wed, Jul 2, 2008 at 9:41 PM, Andrew Jaquith <an...@mac.com>
> wrote:
>
> > Bob, Murray and all --
> >
> > While the TiddlyWiki plugin sounds like it is very convenient for users,
> I
> > don't see something like this being part of JSPWiki unless the
> functionality
> > is carefully constrained. In particular, the capability to specify
> external
> > URLs has "cross site scripting" written all over it. ACLs would not be
> the
> > answer, either -- you'd want to create a custom Permission type for it,
> and
> > have the right to use it enshrined in the security policy.
> >
> > Andrew
> >
> >
> > On Jul 2, 2008, at 5:44 PM, Juan Pablo Santos Rodríguez wrote:
> >
> > Hi Bob,
> >>
> >> may be interwiki links could help you with aliases? i.e., by default
> >> typing
> >> [Google:Bob], should be converted to http://www.google.com/search?q=Bob
> .
> >> Check both jspwiki.properties (Interwiki links section, lines 615-650)
> and
> >> http://www.jspwiki.org/wiki/InterWiki
> >>
> >> regarding the custom footer, as Janne said, you can implement your own
> >> PageFilter or extend BasicPageFilter to add your custom markup
> (overriding
> >> preTranslate method, for example). Another way could be using InsertPage
> >> plugin, available in the core distro. Initial code and some explanations
> >> at
> >> http://www.jspwiki.org/wiki/InsertPagePlugin
> >>
> >> cheers,
> >> jp
> >>
> >> 2008/7/2 Murray Altheim <mu...@altheim.com>:
> >>
> >> Bob Paige wrote:
> >>> [...]
> >>>
> >>> AliasPlugin is a type of marco feature that allows you to define new
> >>>> plugins
> >>>> on the fly. For example, I might define an alias called 'google' with
> a
> >>>> value of "http://www.google.com/search?q=$1". Thus, whenever I put in
> >>>> the
> >>>> wiki markup "<<google jspwiki>>" (which is how you call a plugin in
> >>>> TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki".
> >>>> This
> >>>> also works with wiki markup; I could use the aliasPlugin to insert
> wiki
> >>>> markup which is then interpreted by the wiki engine.
> >>>>
> >>>> As I work on the wiki for my work, I find myself putting the same
> >>>> footers
> >>>> on
> >>>> many pages, for example:
> >>>> ----
> >>>> !!!Pages referencing me
> >>>> [{ReferringPagesPlugin}]
> >>>>
> >>>> It would be useful to define a macro that would resolve as this text,
> >>>> allowing me to redefine this footer without having to re-edit all the
> >>>> pages
> >>>> that use it.
> >>>>
> >>>> Does such a beast exist? If not, any leads on how to write it?
> >>>>
> >>>>
> >>> Bob,
> >>>
> >>> Since aliases need to be global across the entire wiki you'd need a
> >>> manager to collect them as well as to flag conflicts (e.g., if a
> >>> user creates an alias that already exists, their plugin would fail
> >>> and return an error message).
> >>>
> >>> The manager would be a singleton (for the wiki, not the JVM), and
> >>> there'd be a plugin to declare aliases. You'd then need some way to
> >>> use aliases, probably either a filter or a plugin that would access
> >>> the manager and obtain the replacement text.
> >>>
> >>> You could (as with any plugin) restrict the creation of aliases to
> >>> certain people via ACL or only authenticated users).
> >>>
> >>> You might look into the TagPlugin (which has a TagManager) as a
> >>> model.
> >>>
> >>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
> >>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
> >>>
> >>> I also note that John Volkar has donated an AliasPlugin to the set
> >>> of CeryleWikiPlugins
> >>>
> >>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
> >>>
> >>> though that doesn't do what you're asking for, just reverse the
> >>> current page alias feature available in JSPWiki, i.e., you declare
> >>> on the page its own aliases.
> >>>
> >>> Hope that is helpful.
> >>>
> >>> Murray
> >>>
> >>>
> >>>
> ...........................................................................
> >>> Murray Altheim <murray07 at altheim.com> ===
> >>> =
> >>> =
> >>> http://www.altheim.com/murray/ = =
> >>> ===
> >>> SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = =
> =
> >>> =
> >>>
> >>> Boundless wind and moon - the eye within eyes,
> >>> Inexhaustible heaven and earth - the light beyond light,
> >>> The willow dark, the flower bright - ten thousand houses,
> >>> Knock at any door - there's one who will respond.
> >>> -- The Blue Cliff Record
> >>>
> >>>
> >
>
> e
>
>
Re: aliases?
Posted by Janne Jalkanen <Ja...@ecyrd.com>.
>> Is it possible to write another plugin similar to InsertPage (call it
>> 'MacroPlugin') that inserts the contents of another page *before* any
>> contained plugins are invoked?
>
> It's *possible* but not easy -- you'd have to hook up the renderer to
> process the content recursively backward to the first inclusion. This
> would be outside the normal page processing, the plugin responsible
> basically for everything.
Actually, it is very easy. Use a filter, e.g.
http://www.jspwiki.org/wiki/StampFilter
You can declare any sort of markup you want. Works inside plugins
and everything; you just have to hook it up to the preTranslate()
callback.
/Janne
Re: aliases?
Posted by Murray Altheim <mu...@altheim.com>.
Bob Paige wrote:
> The purpose was to provide a macro capability, but not facility cross-site
> scripting attacks. Given that we don't know exactly how it would work, how
> do you see it as enabling cross-site scripting?
>
> Perhaps my example was misleading since it included a URL, but isn't this
> same thing possible in JSPWiki (through an interwiki link) or by just
> including the URL in the page:
>
> [Click here!|http://www.google.com/search?q=foo]
The danger isn't in passing URLs per se, it's in potentially passing
hidden URLs, code (e.g., JavaScript), markup, or strings that may
somehow be converted into markup, code, or content that might be
interpreted by the system as a command.
> Also, it seems to me the purpose of interwiki links is to abstract away the
> URL necessary to link to the other wiki, not provide security, i.e. it is
> really only a shortcut to something the user could already do.
>
> I believe a separate question of mine on this list overlaps with the
> macro/alias thing, so I will share my recent research here.
>
> Using the InsertPage plugin (as suggested by someone else on this list) I
> thought I could build up a library of useful pieces, similar to the macro
> ability discussed in this thread. Unfortunatley, it didn't work as I had
> hoped for.
The real problem with the InsertPage, TranscludePage, etc. plugins is
that they are not recursive. In other words, the transcluded page may
itself include another page, etc., with each page fully rendered prior
to being passed on to the next inclusion/transclusion.
[...]
> Is it possible to write another plugin similar to InsertPage (call it
> 'MacroPlugin') that inserts the contents of another page *before* any
> contained plugins are invoked?
It's *possible* but not easy -- you'd have to hook up the renderer to
process the content recursively backward to the first inclusion. This
would be outside the normal page processing, the plugin responsible
basically for everything.
Murray
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record
RE: aliases?
Posted by Christophe Dupriez <ch...@poisoncentre.be>.
Hi Bob!
I identified the same need and I implemented it extending the "get variable value" mechanism. You can find the discussion and the source code here:
http://markmail.org/message/wkxsa4q26u4boydl#query:jspwiki%20alias%20variable%20dupriez+page:1+mid:tcxbxztuttbftc42+state:results
The idea was to define aliases in jspwiki.properties and to be able to "call" them within a text with a relatively simple sequence:
[{$alias-name$}]
My thought now is that what I really need is a "page type" where there are commands added before/after the Wiki page content, depending on page type.
For instance, in http://www.destin.be/DIRE
I have hundreds of "Cases" referring to thousands "Procédés", sorted by "Circonstances" and "Operandes" and "Operations": pages of a same type ("Cases" for instance) are all needing the same prefixes/postfixes like:
[{ReferringPagesPlugin include='Procédé*' before='!!' after='%n[{InsertPage section=2 page=%p}]%n----%n'}]
[{ReferringPagesPlugin title='!Cité par:%n' exclude='Main,LeftMenu,Procédé*'}]
I was thinking to use [{$CasesRef$}] in those pages to include those plugins calls. Now, I would prefer to add a switching mechanism in PageActionsBottom.jsp (suggestion anyone? My preference would be to base the choice of included plugins on the beginning of the page name).
For instance, in another application, in PageActionsBottom.jsp, I added just before "</wiki:PageExists>":
<p><wiki:Plugin plugin="ReferringPagesPlugin" args="before='*' after='\n' " /></p>
Any better mechanism that I overlooked ?
Christophe
-----Original Message-----
From: Bob Paige [mailto:bobpaige@gmail.com]
Sent: jeudi 3 juillet 2008 15:52
To: jspwiki-user@incubator.apache.org
Subject: Re: aliases?
The purpose was to provide a macro capability, but not facility cross-site
scripting attacks. Given that we don't know exactly how it would work, how
do you see it as enabling cross-site scripting?
Perhaps my example was misleading since it included a URL, but isn't this
same thing possible in JSPWiki (through an interwiki link) or by just
including the URL in the page:
[Click here!|http://www.google.com/search?q=foo]
Also, it seems to me the purpose of interwiki links is to abstract away the
URL necessary to link to the other wiki, not provide security, i.e. it is
really only a shortcut to something the user could already do.
I believe a separate question of mine on this list overlaps with the
macro/alias thing, so I will share my recent research here.
Using the InsertPage plugin (as suggested by someone else on this list) I
thought I could build up a library of useful pieces, similar to the macro
ability discussed in this thread. Unfortunatley, it didn't work as I had
hoped for.
My first test was using the Catagories feature (i.e. the
ReferringPagesPlugin). Knowing that I will have many pages that have related
'Spec' pages, I created a new Wiki page called 'SpecList' that included only
the following:
!!!Specifications
[{ReferringPagesPlugin include='*Spec' before='*' after='\n\n' }]
These two lines are likely to be replicated all over my wiki, and if in the
future I decide to embellish it a bit, I would like to have them defined in
only one place.
But when I included this page in another one (with InsertPage), it didn't
work. It appears the ReferringPagesPlugin is invoked *before* the InsertPage
plugin, so I get a list of pages that refer to the SpecList page, not the
page I am currently in.
So, InsertPage doesn't work like the macro ability I am describing here, but
does give me hope.
Is it possible to write another plugin similar to InsertPage (call it
'MacroPlugin') that inserts the contents of another page *before* any
contained plugins are invoked?
--
Bobman
On Wed, Jul 2, 2008 at 9:41 PM, Andrew Jaquith <an...@mac.com>
wrote:
> Bob, Murray and all --
>
> While the TiddlyWiki plugin sounds like it is very convenient for users, I
> don't see something like this being part of JSPWiki unless the functionality
> is carefully constrained. In particular, the capability to specify external
> URLs has "cross site scripting" written all over it. ACLs would not be the
> answer, either -- you'd want to create a custom Permission type for it, and
> have the right to use it enshrined in the security policy.
>
> Andrew
>
>
> On Jul 2, 2008, at 5:44 PM, Juan Pablo Santos Rodríguez wrote:
>
> Hi Bob,
>>
>> may be interwiki links could help you with aliases? i.e., by default
>> typing
>> [Google:Bob], should be converted to http://www.google.com/search?q=Bob.
>> Check both jspwiki.properties (Interwiki links section, lines 615-650) and
>> http://www.jspwiki.org/wiki/InterWiki
>>
>> regarding the custom footer, as Janne said, you can implement your own
>> PageFilter or extend BasicPageFilter to add your custom markup (overriding
>> preTranslate method, for example). Another way could be using InsertPage
>> plugin, available in the core distro. Initial code and some explanations
>> at
>> http://www.jspwiki.org/wiki/InsertPagePlugin
>>
>> cheers,
>> jp
>>
>> 2008/7/2 Murray Altheim <mu...@altheim.com>:
>>
>> Bob Paige wrote:
>>> [...]
>>>
>>> AliasPlugin is a type of marco feature that allows you to define new
>>>> plugins
>>>> on the fly. For example, I might define an alias called 'google' with a
>>>> value of "http://www.google.com/search?q=$1". Thus, whenever I put in
>>>> the
>>>> wiki markup "<<google jspwiki>>" (which is how you call a plugin in
>>>> TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki".
>>>> This
>>>> also works with wiki markup; I could use the aliasPlugin to insert wiki
>>>> markup which is then interpreted by the wiki engine.
>>>>
>>>> As I work on the wiki for my work, I find myself putting the same
>>>> footers
>>>> on
>>>> many pages, for example:
>>>> ----
>>>> !!!Pages referencing me
>>>> [{ReferringPagesPlugin}]
>>>>
>>>> It would be useful to define a macro that would resolve as this text,
>>>> allowing me to redefine this footer without having to re-edit all the
>>>> pages
>>>> that use it.
>>>>
>>>> Does such a beast exist? If not, any leads on how to write it?
>>>>
>>>>
>>> Bob,
>>>
>>> Since aliases need to be global across the entire wiki you'd need a
>>> manager to collect them as well as to flag conflicts (e.g., if a
>>> user creates an alias that already exists, their plugin would fail
>>> and return an error message).
>>>
>>> The manager would be a singleton (for the wiki, not the JVM), and
>>> there'd be a plugin to declare aliases. You'd then need some way to
>>> use aliases, probably either a filter or a plugin that would access
>>> the manager and obtain the replacement text.
>>>
>>> You could (as with any plugin) restrict the creation of aliases to
>>> certain people via ACL or only authenticated users).
>>>
>>> You might look into the TagPlugin (which has a TagManager) as a
>>> model.
>>>
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
>>>
>>> I also note that John Volkar has donated an AliasPlugin to the set
>>> of CeryleWikiPlugins
>>>
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
>>>
>>> though that doesn't do what you're asking for, just reverse the
>>> current page alias feature available in JSPWiki, i.e., you declare
>>> on the page its own aliases.
>>>
>>> Hope that is helpful.
>>>
>>> Murray
>>>
>>>
>>> ...........................................................................
>>> Murray Altheim <murray07 at altheim.com> ===
>>> =
>>> =
>>> http://www.altheim.com/murray/ = =
>>> ===
>>> SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = =
>>> =
>>>
>>> Boundless wind and moon - the eye within eyes,
>>> Inexhaustible heaven and earth - the light beyond light,
>>> The willow dark, the flower bright - ten thousand houses,
>>> Knock at any door - there's one who will respond.
>>> -- The Blue Cliff Record
>>>
>>>
>
e
Re: aliases?
Posted by Bob Paige <bo...@gmail.com>.
The purpose was to provide a macro capability, but not facility cross-site
scripting attacks. Given that we don't know exactly how it would work, how
do you see it as enabling cross-site scripting?
Perhaps my example was misleading since it included a URL, but isn't this
same thing possible in JSPWiki (through an interwiki link) or by just
including the URL in the page:
[Click here!|http://www.google.com/search?q=foo]
Also, it seems to me the purpose of interwiki links is to abstract away the
URL necessary to link to the other wiki, not provide security, i.e. it is
really only a shortcut to something the user could already do.
I believe a separate question of mine on this list overlaps with the
macro/alias thing, so I will share my recent research here.
Using the InsertPage plugin (as suggested by someone else on this list) I
thought I could build up a library of useful pieces, similar to the macro
ability discussed in this thread. Unfortunatley, it didn't work as I had
hoped for.
My first test was using the Catagories feature (i.e. the
ReferringPagesPlugin). Knowing that I will have many pages that have related
'Spec' pages, I created a new Wiki page called 'SpecList' that included only
the following:
!!!Specifications
[{ReferringPagesPlugin include='*Spec' before='*' after='\n\n' }]
These two lines are likely to be replicated all over my wiki, and if in the
future I decide to embellish it a bit, I would like to have them defined in
only one place.
But when I included this page in another one (with InsertPage), it didn't
work. It appears the ReferringPagesPlugin is invoked *before* the InsertPage
plugin, so I get a list of pages that refer to the SpecList page, not the
page I am currently in.
So, InsertPage doesn't work like the macro ability I am describing here, but
does give me hope.
Is it possible to write another plugin similar to InsertPage (call it
'MacroPlugin') that inserts the contents of another page *before* any
contained plugins are invoked?
--
Bobman
On Wed, Jul 2, 2008 at 9:41 PM, Andrew Jaquith <an...@mac.com>
wrote:
> Bob, Murray and all --
>
> While the TiddlyWiki plugin sounds like it is very convenient for users, I
> don't see something like this being part of JSPWiki unless the functionality
> is carefully constrained. In particular, the capability to specify external
> URLs has "cross site scripting" written all over it. ACLs would not be the
> answer, either -- you'd want to create a custom Permission type for it, and
> have the right to use it enshrined in the security policy.
>
> Andrew
>
>
> On Jul 2, 2008, at 5:44 PM, Juan Pablo Santos Rodríguez wrote:
>
> Hi Bob,
>>
>> may be interwiki links could help you with aliases? i.e., by default
>> typing
>> [Google:Bob], should be converted to http://www.google.com/search?q=Bob.
>> Check both jspwiki.properties (Interwiki links section, lines 615-650) and
>> http://www.jspwiki.org/wiki/InterWiki
>>
>> regarding the custom footer, as Janne said, you can implement your own
>> PageFilter or extend BasicPageFilter to add your custom markup (overriding
>> preTranslate method, for example). Another way could be using InsertPage
>> plugin, available in the core distro. Initial code and some explanations
>> at
>> http://www.jspwiki.org/wiki/InsertPagePlugin
>>
>> cheers,
>> jp
>>
>> 2008/7/2 Murray Altheim <mu...@altheim.com>:
>>
>> Bob Paige wrote:
>>> [...]
>>>
>>> AliasPlugin is a type of marco feature that allows you to define new
>>>> plugins
>>>> on the fly. For example, I might define an alias called 'google' with a
>>>> value of "http://www.google.com/search?q=$1". Thus, whenever I put in
>>>> the
>>>> wiki markup "<<google jspwiki>>" (which is how you call a plugin in
>>>> TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki".
>>>> This
>>>> also works with wiki markup; I could use the aliasPlugin to insert wiki
>>>> markup which is then interpreted by the wiki engine.
>>>>
>>>> As I work on the wiki for my work, I find myself putting the same
>>>> footers
>>>> on
>>>> many pages, for example:
>>>> ----
>>>> !!!Pages referencing me
>>>> [{ReferringPagesPlugin}]
>>>>
>>>> It would be useful to define a macro that would resolve as this text,
>>>> allowing me to redefine this footer without having to re-edit all the
>>>> pages
>>>> that use it.
>>>>
>>>> Does such a beast exist? If not, any leads on how to write it?
>>>>
>>>>
>>> Bob,
>>>
>>> Since aliases need to be global across the entire wiki you'd need a
>>> manager to collect them as well as to flag conflicts (e.g., if a
>>> user creates an alias that already exists, their plugin would fail
>>> and return an error message).
>>>
>>> The manager would be a singleton (for the wiki, not the JVM), and
>>> there'd be a plugin to declare aliases. You'd then need some way to
>>> use aliases, probably either a filter or a plugin that would access
>>> the manager and obtain the replacement text.
>>>
>>> You could (as with any plugin) restrict the creation of aliases to
>>> certain people via ACL or only authenticated users).
>>>
>>> You might look into the TagPlugin (which has a TagManager) as a
>>> model.
>>>
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
>>>
>>> I also note that John Volkar has donated an AliasPlugin to the set
>>> of CeryleWikiPlugins
>>>
>>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
>>>
>>> though that doesn't do what you're asking for, just reverse the
>>> current page alias feature available in JSPWiki, i.e., you declare
>>> on the page its own aliases.
>>>
>>> Hope that is helpful.
>>>
>>> Murray
>>>
>>>
>>> ...........................................................................
>>> Murray Altheim <murray07 at altheim.com> ===
>>> =
>>> =
>>> http://www.altheim.com/murray/ = =
>>> ===
>>> SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = =
>>> =
>>>
>>> Boundless wind and moon - the eye within eyes,
>>> Inexhaustible heaven and earth - the light beyond light,
>>> The willow dark, the flower bright - ten thousand houses,
>>> Knock at any door - there's one who will respond.
>>> -- The Blue Cliff Record
>>>
>>>
>
Re: aliases?
Posted by Andrew Jaquith <an...@mac.com>.
Bob, Murray and all --
While the TiddlyWiki plugin sounds like it is very convenient for
users, I don't see something like this being part of JSPWiki unless
the functionality is carefully constrained. In particular, the
capability to specify external URLs has "cross site scripting" written
all over it. ACLs would not be the answer, either -- you'd want to
create a custom Permission type for it, and have the right to use it
enshrined in the security policy.
Andrew
On Jul 2, 2008, at 5:44 PM, Juan Pablo Santos Rodríguez wrote:
> Hi Bob,
>
> may be interwiki links could help you with aliases? i.e., by default
> typing
> [Google:Bob], should be converted to http://www.google.com/search?q=Bob
> .
> Check both jspwiki.properties (Interwiki links section, lines
> 615-650) and
> http://www.jspwiki.org/wiki/InterWiki
>
> regarding the custom footer, as Janne said, you can implement your own
> PageFilter or extend BasicPageFilter to add your custom markup
> (overriding
> preTranslate method, for example). Another way could be using
> InsertPage
> plugin, available in the core distro. Initial code and some
> explanations at
> http://www.jspwiki.org/wiki/InsertPagePlugin
>
> cheers,
> jp
>
> 2008/7/2 Murray Altheim <mu...@altheim.com>:
>
>> Bob Paige wrote:
>> [...]
>>
>>> AliasPlugin is a type of marco feature that allows you to define new
>>> plugins
>>> on the fly. For example, I might define an alias called 'google'
>>> with a
>>> value of "http://www.google.com/search?q=$1". Thus, whenever I put
>>> in the
>>> wiki markup "<<google jspwiki>>" (which is how you call a plugin in
>>> TiddlyWiki) it will insert "http://www.google.com/search?
>>> q=jspwiki". This
>>> also works with wiki markup; I could use the aliasPlugin to insert
>>> wiki
>>> markup which is then interpreted by the wiki engine.
>>>
>>> As I work on the wiki for my work, I find myself putting the same
>>> footers
>>> on
>>> many pages, for example:
>>> ----
>>> !!!Pages referencing me
>>> [{ReferringPagesPlugin}]
>>>
>>> It would be useful to define a macro that would resolve as this
>>> text,
>>> allowing me to redefine this footer without having to re-edit all
>>> the
>>> pages
>>> that use it.
>>>
>>> Does such a beast exist? If not, any leads on how to write it?
>>>
>>
>> Bob,
>>
>> Since aliases need to be global across the entire wiki you'd need a
>> manager to collect them as well as to flag conflicts (e.g., if a
>> user creates an alias that already exists, their plugin would fail
>> and return an error message).
>>
>> The manager would be a singleton (for the wiki, not the JVM), and
>> there'd be a plugin to declare aliases. You'd then need some way to
>> use aliases, probably either a filter or a plugin that would access
>> the manager and obtain the replacement text.
>>
>> You could (as with any plugin) restrict the creation of aliases to
>> certain people via ACL or only authenticated users).
>>
>> You might look into the TagPlugin (which has a TagManager) as a
>> model.
>>
>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
>>
>> I also note that John Volkar has donated an AliasPlugin to the set
>> of CeryleWikiPlugins
>>
>> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
>>
>> though that doesn't do what you're asking for, just reverse the
>> current page alias feature available in JSPWiki, i.e., you declare
>> on the page its own aliases.
>>
>> Hope that is helpful.
>>
>> Murray
>>
>> ...........................................................................
>> Murray Altheim <murray07 at altheim.com>
>> === =
>> =
>> http://www.altheim.com/murray/
>> = =
>> ===
>> SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk
>> = = = =
>>
>> Boundless wind and moon - the eye within eyes,
>> Inexhaustible heaven and earth - the light beyond light,
>> The willow dark, the flower bright - ten thousand houses,
>> Knock at any door - there's one who will respond.
>> -- The Blue Cliff Record
>>
Re: aliases?
Posted by Juan Pablo Santos Rodríguez <ju...@gmail.com>.
Hi Bob,
may be interwiki links could help you with aliases? i.e., by default typing
[Google:Bob], should be converted to http://www.google.com/search?q=Bob.
Check both jspwiki.properties (Interwiki links section, lines 615-650) and
http://www.jspwiki.org/wiki/InterWiki
regarding the custom footer, as Janne said, you can implement your own
PageFilter or extend BasicPageFilter to add your custom markup (overriding
preTranslate method, for example). Another way could be using InsertPage
plugin, available in the core distro. Initial code and some explanations at
http://www.jspwiki.org/wiki/InsertPagePlugin
cheers,
jp
2008/7/2 Murray Altheim <mu...@altheim.com>:
> Bob Paige wrote:
> [...]
>
>> AliasPlugin is a type of marco feature that allows you to define new
>> plugins
>> on the fly. For example, I might define an alias called 'google' with a
>> value of "http://www.google.com/search?q=$1". Thus, whenever I put in the
>> wiki markup "<<google jspwiki>>" (which is how you call a plugin in
>> TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki". This
>> also works with wiki markup; I could use the aliasPlugin to insert wiki
>> markup which is then interpreted by the wiki engine.
>>
>> As I work on the wiki for my work, I find myself putting the same footers
>> on
>> many pages, for example:
>> ----
>> !!!Pages referencing me
>> [{ReferringPagesPlugin}]
>>
>> It would be useful to define a macro that would resolve as this text,
>> allowing me to redefine this footer without having to re-edit all the
>> pages
>> that use it.
>>
>> Does such a beast exist? If not, any leads on how to write it?
>>
>
> Bob,
>
> Since aliases need to be global across the entire wiki you'd need a
> manager to collect them as well as to flag conflicts (e.g., if a
> user creates an alias that already exists, their plugin would fail
> and return an error message).
>
> The manager would be a singleton (for the wiki, not the JVM), and
> there'd be a plugin to declare aliases. You'd then need some way to
> use aliases, probably either a filter or a plugin that would access
> the manager and obtain the replacement text.
>
> You could (as with any plugin) restrict the creation of aliases to
> certain people via ACL or only authenticated users).
>
> You might look into the TagPlugin (which has a TagManager) as a
> model.
>
> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
>
> I also note that John Volkar has donated an AliasPlugin to the set
> of CeryleWikiPlugins
>
> http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
>
> though that doesn't do what you're asking for, just reverse the
> current page alias feature available in JSPWiki, i.e., you declare
> on the page its own aliases.
>
> Hope that is helpful.
>
> Murray
>
> ...........................................................................
> Murray Altheim <murray07 at altheim.com> === =
> =
> http://www.altheim.com/murray/ = =
> ===
> SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
>
> Boundless wind and moon - the eye within eyes,
> Inexhaustible heaven and earth - the light beyond light,
> The willow dark, the flower bright - ten thousand houses,
> Knock at any door - there's one who will respond.
> -- The Blue Cliff Record
>
Re: aliases?
Posted by Murray Altheim <mu...@altheim.com>.
Bob Paige wrote:
[...]
> AliasPlugin is a type of marco feature that allows you to define new plugins
> on the fly. For example, I might define an alias called 'google' with a
> value of "http://www.google.com/search?q=$1". Thus, whenever I put in the
> wiki markup "<<google jspwiki>>" (which is how you call a plugin in
> TiddlyWiki) it will insert "http://www.google.com/search?q=jspwiki". This
> also works with wiki markup; I could use the aliasPlugin to insert wiki
> markup which is then interpreted by the wiki engine.
>
> As I work on the wiki for my work, I find myself putting the same footers on
> many pages, for example:
> ----
> !!!Pages referencing me
> [{ReferringPagesPlugin}]
>
> It would be useful to define a macro that would resolve as this text,
> allowing me to redefine this footer without having to re-edit all the pages
> that use it.
>
> Does such a beast exist? If not, any leads on how to write it?
Bob,
Since aliases need to be global across the entire wiki you'd need a
manager to collect them as well as to flag conflicts (e.g., if a
user creates an alias that already exists, their plugin would fail
and return an error message).
The manager would be a singleton (for the wiki, not the JVM), and
there'd be a plugin to declare aliases. You'd then need some way to
use aliases, probably either a filter or a plugin that would access
the manager and obtain the replacement text.
You could (as with any plugin) restrict the creation of aliases to
certain people via ACL or only authenticated users).
You might look into the TagPlugin (which has a TagManager) as a
model.
http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagPlugin
http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=TagManager
I also note that John Volkar has donated an AliasPlugin to the set
of CeryleWikiPlugins
http://www.altheim.com/ceryle/wiki/Wiki.jsp?page=AliasPlugin
though that doesn't do what you're asking for, just reverse the
current page alias feature available in JSPWiki, i.e., you declare
on the page its own aliases.
Hope that is helpful.
Murray
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record