From 26774c931ce1aa4b91e7129ad602a23b244008b2 Mon Sep 17 00:00:00 2001 From: joey Date: Sat, 16 Sep 2006 01:23:14 +0000 Subject: * Patch from James Westby to deal with the case where you're editing a new page, hit cancel, and need to be redirected to somewhere sane. --- doc/bugs/404_when_cancel_create_page.mdwn | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/bugs/404_when_cancel_create_page.mdwn b/doc/bugs/404_when_cancel_create_page.mdwn index b802de787..091254cb5 100644 --- a/doc/bugs/404_when_cancel_create_page.mdwn +++ b/doc/bugs/404_when_cancel_create_page.mdwn @@ -25,7 +25,9 @@ if it is known. } elsif ($form->submitted eq "Preview") { - +> I think you mean to use `$newfile`? I've applied a modieid version +> that also deal with creating a new page with no defined $from location. +> [[bugs/done]] --[[Joey]] [P.S. just above that is @@ -43,4 +45,9 @@ is there aren't going to be many possible extensions. Something like `/(.\w+)+/` (groups of dot separated alpha-num chars if my perl-foo isn't failing me). You could at least exclude `/` and `..`. I'm happy to turn this in to a patch if you agree.] - +> The reason it's safe to use possibly_foolish_untaint here is because +> of the check for $hooks{htmlize}{$type}. This limits it to types +> that have a registered htmlize hook (mdwn, etc), and not whatever random +> garbage an attacker might try to put in. If it wasn't for that check, +> using possibly_foolish_untaint there would be _very_ foolish indeed.. +> --[[Joey]] -- cgit v1.2.3
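Review bot: in the first hunk (@@ -25,7 +25,9 @@) the added reply has two typos, "modieid" for "modified" and "that also deal" for "that also deals". It also says a modified version was applied without showing what changed. Since the commit subject describes the cancel-redirect fix but this diff only touches the bug page, a one-line pointer to where the `$newfile` change and the undefined `$from` handling landed would let a reader of the bug page confirm the redirect target is now always defined.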
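Review bot: in the second hunk (@@ -43,4 +45,9 @@) the justification for `possibly_foolish_untaint` rests entirely on the `$hooks{htmlize}{$type}` check, but that dependency is recorded only in this bug page. I'd suggest putting the same reasoning in a comment at the untaint call itself, so a later refactor that moves or drops the hook lookup does not leave attacker-supplied `$type` untainted without validation. The reply also leaves the P.S.'s offer open (a stricter pattern, or at least excluding `/` and `..`). Stating whether that extra check is declined or welcome as defence in depth would close the question. Minor: "indeed.." has a doubled period.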