web commit by BrandenRobinson: Explain why letting users specify regexes is bad.

[ikiwiki.git] / doc / todo.mdwn

diff --git a/doc/todo.mdwn b/doc/todo.mdwn
index 44c675d581d38393bc24fa9f430143d8bbce279c..d7326854efd2c79c5b0481072e82825137c693d3 100644 (file)
--- a/doc/todo.mdwn
+++ b/doc/todo.mdwn
@@ -1,6 +1,5 @@
 ## online page editing
 
 ## online page editing
 

-* Missing support for preview.

 * Missing conflict detection, just overwrites changes and does not svn up
   first..
 * Eventually, might want page deletion.
 * Missing conflict detection, just overwrites changes and does not svn up
   first..
 * Eventually, might want page deletion.


@@ -24,6 +23,10 @@ is built. (As long as all changes to all pages is ok.)
      explicitly named pages would be desirable.
   2. I think that since we're using Perl on the backend, being able to
      let users craft their own arbitrary regexes would be good.
      explicitly named pages would be desirable.
   2. I think that since we're using Perl on the backend, being able to
      let users craft their own arbitrary regexes would be good.

+
+     Joey points out that this is actually a security hole, because Perl
+     regexes let you embed (arbitrary?) Perl expressions inside them.  Yuck!
+

   3. Of course if you do that, you want to have form processing on the user
      page that lets them tune it, and probably choose literal or glob by
      default.
   3. Of course if you do that, you want to have form processing on the user
      page that lets them tune it, and probably choose literal or glob by
      default.