X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/a5e27e4c54f3236de7c768536e5e08140b6f3ddc..cc7acaecaebf3fe50f295a40b75cf602faf6f209:/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn diff --git a/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn b/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn index f740d75e3..b3804d652 100644 --- a/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn +++ b/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn 
@@ -1,12 +1,70 @@ -Here is a patch [[tag patch]] to add a *forward*ing functionality +Here is a patch [[!tag patch]] to add a *forward*ing functionality to the [[`meta`_plugin|plugins/meta]]. +> [[done]], with some changes --[[Joey]] + Find the most recent version at -. +. I can't use `scrub(...)`, as that will strip out the forwarding HTML command. How to deal with that? I can also submit a Git patch, if desired. + +# Syntax + +**URL** = http://some.nice/place/ (*etc.*) + +**WHITHER** = \[\[**[[ikiwiki/wikilink]]**]] | **URL** + +**D** = natural number (*meaning seconds*) + +**OPT_DELAY** = delay=**D** | empty (*immediatelly*) + +\[[!meta forward="**WHITHER**" **OPT_DELAY**]] + + +# Extensions and Ideas + +It might be doable to add references to pages that refer to the page containg +the forwarding statement also to the referred-to page. + --[[tschwinge]] + + +# Discussion + +> The html scrubber cannot scrub meta headers. So if you emit one +> containing user-supplied data, it's up to you to scrub it to avoid all +> possible XSS attacks. Two attacks I'd worry about are cyclic meta refresh +> loops, which some, but not all web browsers detect and break, and any way +> to insert javascript via the user-supplied parameters. (Ie, putting +> something in the delay value that closes the tag can probably insert +> javascript ATM; and are there ways to embed javascript in the url?) +> --[[Joey]] + +>> OK. I can add code to make sure that `$delay` **D** indeed is a natural number +>> and that the passed target address **WHITHER** is nothing but a valid target address. +>> (How to qualify a valid target address?) +>> What is a *cyclic meta refresh loop*? Two pages in turn forwarding to each other? +>> I think it would be possible to implement such a guard when only in-wiki links +>> ([[ikiwiki/wikilink]]s) are being used, but how to do so for external links? 
--[[tschwinge]] + +>>> This seems a lot more securely to do for in-wiki links, since we know +>>> that a link generated by a wikilink is safe, and can avoid cycles. +>>> Obviously there's no way to avoid cycles when using external links. +>>> +>>> An example of code that doesn't detect such cycles is LWP::UserAgent, +>>> which will happily follow cycles forever. There's a LWPx::ParanoidAgent +>>> that can deal with cycles. I suppose this could be considered a client +>>> side issue, except that if I were going to turn this redirect feature +>>> on in my wikis, I'd really prefer to not have to worry about my wiki +>>> causing such problems for clients. I feel it makes sense to make +>>> external redirects or other potentially unsafe things an option, +>>> and have the default behavior be only things that are known to be +>>> secure. +>>> +>>> I haven't checked if there's a way to embed javascript in meta refresh +>>> links or not. Given all the other places I've seen it be embedded, I'll +>>> assume it is possible until it's shown not to be though.. --[[Joey]]
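
Review bot: The `> [[done]], with some changes --[[Joey]]` line added at the top of the hunk closes the todo without saying what the changes were, while the Discussion section added further down still ends on open security questions: whether the `delay` value is checked to be a natural number, how a valid **WHITHER** target is defined, whether external redirects are optional and off by default, and whether javascript can be embedded in a meta refresh URL. I would extend the done note to record which of these the merged code settles (for example, that `delay` is validated and that only wikilink targets are accepted unless external forwarding is enabled), so a reader can tell which concerns are resolved rather than inferring it from the thread. Two small spelling fixes in the added lines as well: "immediatelly" in the **OPT_DELAY** line should be "immediately", and "containg" under "Extensions and Ideas" should be "containing".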