X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/97622e5aa8e9fb938bce191d320a9b698e55902c..b86b942f1a7e338b06f9a760d1a1b3fc1f3d6787:/doc/todo/simple_text_parsing_or_regex_in_template_or_shortcut.mdwn diff --git a/doc/todo/simple_text_parsing_or_regex_in_template_or_shortcut.mdwn b/doc/todo/simple_text_parsing_or_regex_in_template_or_shortcut.mdwn index e6f77dd59..0f8badae8 100644 --- a/doc/todo/simple_text_parsing_or_regex_in_template_or_shortcut.mdwn +++ b/doc/todo/simple_text_parsing_or_regex_in_template_or_shortcut.mdwn @@ -7,4 +7,17 @@ shortcuts like these: For shortcut definitions, a `match` parameter could supply a regex, and then the `url` and `desc` parameters could make use of the named or numbered groups from the match. ---[[JoshTriplett]] \ No newline at end of file +--[[JoshTriplett]] + +I'm not comfortable with exposing regexps to web editing. At the very least +it's trivial to construct regexps that take indefinitely long to match +certain strings, which could be used to DOS ikiwiki. At worst, perl code +can be embedded in regexps in a variety of ways that are painful to filter +out, and perl's regexp engine could also potentially have bugs that could +be exploited by user-supplied regexps. + +It seems that a better place to put this kind of text munging is in +special-purpose plugins. It should be very simple to write plugins for the +above two examples, that look identical to the user as what you described. + +--[[Joey]]
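Review bot: the reply declines the `match` parameter on security grounds but leaves the todo item with no resolution marker and no pointer to how the suggested special-purpose plugins would be written, so the page still reads as an open proposal; consider closing the item explicitly or linking the plugin-writing documentation from the reply. The DoS argument (regexps that take indefinitely long to match certain strings) stands on its own, but the claim that perl code can be embedded in regexps in ways that are painful to filter would be easier for a reader to evaluate if it named the construct involved, since as written it cannot be checked whether filtering or the engine's defaults already cover it.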