web commit by BrandenRobinson: Explain why letting users specify regexes is bad.

[ikiwiki.git] / doc / todo.mdwn

diff --git a/doc/todo.mdwn b/doc/todo.mdwn
index 6a14228fb0238f5d3b628deb5fa50eb2dea80846..d7326854efd2c79c5b0481072e82825137c693d3 100644 (file)
--- a/doc/todo.mdwn
+++ b/doc/todo.mdwn
@@ -1,6 +1,5 @@
 ## online page editing
 
-* Missing support for preview.
 * Missing conflict detection, just overwrites changes and does not svn up
   first..
 * Eventually, might want page deletion.
@@ -24,6 +23,10 @@ is built. (As long as all changes to all pages is ok.)
      explicitly named pages would be desirable.
   2. I think that since we're using Perl on the backend, being able to
      let users craft their own arbitrary regexes would be good.
+
+     Joey points out that this is actually a security hole, because Perl
+     regexes let you embed (arbitrary?) Perl expressions inside them.  Yuck!
+
   3. Of course if you do that, you want to have form processing on the user
      page that lets them tune it, and probably choose literal or glob by
      default.
@@ -105,4 +108,8 @@ docs to use as a seed for new wikis.
 * list of all missing pages
 * list of all pages or some kind of page map
 
+## page indexes
+
+Might be nice to support automatically generating an index based on headers in a page, for long pages. The question is, how to turn on such an index?
+
 ## [[Bugs]]