From: Todd L. M. <tm...@ha...> - 2001-03-16 23:38:29
> It looks like we need to limit the characters that can be in a wikiname
> and any user input, limiting it to "a-zA-Z -_." would be a good start.
> I'm sure with the right type of quoting someone could get the database
> to do something bad.
>
> It's also possible to break a page by writing special characters
> "?%><", so maybe we should quote anything that's not safe or a correct
> html tag?

OK, I can't even get edit.php to show up using the URL you posted, for some reason, though just chopping off the stuff after `topic=' makes it work fine.

WikiNames are limited to alphabetical and numerical characters, but I do need to filter the topic and web (etc) variables to make sure they're OK, especially before passing them to the database.

I thought I had already quoted out unrecognized HTML tags, but I'll check again and make sure, and take a look at % and ? as well.

Thanks for your help, Robert. You find anything else worth mentioning?

-_Quinn
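The two defences discussed in this exchange, an allow-list on the WikiName-style `topic` and `web` parameters before they go anywhere near the database, and quoting of everything in page text except a short list of recognised bare HTML tags, written out as an added PHP example. This is not code from the wiki project or from either poster; the function names, the `pages` table and its `web`/`topic`/`body` columns, the 64-character cap, and the use of PDO prepared statements are all assumptions made for illustration.

```php
<?php
// Added example, not the project's code. Names, table and column names,
// and the length cap below are assumptions for illustration only.
declare(strict_types=1);

// A WikiName is alphabetic and numeric characters only, per the reply above.
// The pattern is anchored and ASCII-only; the length cap is defensive.
function isValidWikiName(string $name): bool
{
    return strlen($name) <= 64 && preg_match('/^[A-Za-z0-9]+$/', $name) === 1;
}

// Fetch a request parameter and reject anything outside the allow-list.
// Failing closed is simpler and safer than trying to strip or quote bad
// characters: an invalid value never reaches the database at all.
function requireWikiParam(array $query, string $key): string
{
    $value = $query[$key] ?? '';
    if (!is_string($value) || !isValidWikiName($value)) {
        throw new InvalidArgumentException("Invalid $key parameter");
    }
    return $value;
}

// Look up a page with a prepared statement. Because $web and $topic are
// bound as data rather than spliced into the SQL string, no value-level
// quoting is needed even if the allow-list were later relaxed.
function loadPage(PDO $db, string $web, string $topic): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE web = :web AND topic = :topic');
    $stmt->execute([':web' => $web, ':topic' => $topic]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['body'];
}

// Quote everything in page text ("?%><" included), then re-enable only a
// small set of bare tags. Tags with attributes (e.g. onmouseover=...) or
// tags not in the list stay escaped and render literally.
function quoteExceptAllowedTags(string $text, array $allowedTags = ['b', 'i', 'em', 'strong']): string
{
    $out = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    foreach ($allowedTags as $tag) {
        $out = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }
    return $out;
}

// Usage sketch for a handler such as edit.php (the $db connection is assumed):
//   $web   = requireWikiParam($_GET, 'web');
//   $topic = requireWikiParam($_GET, 'topic');
//   $body  = loadPage($db, $web, $topic);
//   echo quoteExceptAllowedTags($body ?? '');
//
// Constructed sample, for a quick local check without a database:
//   isValidWikiName('WebHome')              -> true
//   isValidWikiName("Web'; DROP TABLE x")   -> false
//   quoteExceptAllowedTags('<b>hi</b> <b onclick=x>no</b> ?%><')
//     -> '<b>hi</b> &lt;b onclick=x&gt;no</b> ?%&gt;&lt;'
```

The closing `</b>` in the sample survives because the function re-enables bare closing tags independently of their opening tag; if strict pairing matters, parse the text rather than string-replace, but the important property, that no attribute-bearing or unlisted tag is ever emitted unescaped, holds either way.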