summaryrefslogtreecommitdiff
path: root/doc/todo
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2007-11-13 14:37:02 -0500
committerJoey Hess <joey@kodama.kitenet.net>2007-11-13 14:37:02 -0500
commit93f970ea2f8018f778246b689b980360aea158fe (patch)
tree3fd93f6af8aaa2967aef963dd0926515e50b826c /doc/todo
parentd47b4ae39f848a09e71cf194556ea276d1489349 (diff)
response
Diffstat (limited to 'doc/todo')
-rw-r--r--doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn18
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn b/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn
index 0fa79a1b7..c3c2b82f3 100644
--- a/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn
+++ b/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn
@@ -48,3 +48,21 @@ the forwarding statement also to the referred-to page.
>> What is a *cyclic meta refresh loop*? Two pages in turn forwarding to each other?
>> I think it would be possible to implement such a guard when only in-wiki links
>> ([[wikilink]]s) are being used, but how to do so for external links? --[[tschwinge]]
+
+>>> This seems a lot more securely to do for in-wiki links, since we know
+>>> that a link generated by a wikilink is safe, and can avoid cycles.
+>>> Obviously there's no way to avoid cycles when using external links.
+>>>
+>>> An example of code that doesn't detect such cycles is LWP::UserAgent,
+>>> which will happily follow cycles forever. There's a LWPx::ParanoidAgent
+>>> that can deal with cycles. I suppose this could be considered a client
+>>> side issue, except that if I were going to turn this redirect feature
+>>> on in my wikis, I'd really prefer to not have to worry about my wiki
+>>> causing such problems for clients. I feel it makes sense to make
+>>> external redirects or other potentially unsafe things an option,
+>>> and have the default behavior be only things that are known to be
+>>> secure.
+>>>
+>>> I haven't checked if there's a way to embed javascript in meta refresh
+>>> links or not. Given all the other places I've seen it be embedded, I'll
+>>> assume it is possible until it's shown not to be though.. --[[Joey]]