Here is a patch [[!tag patch]] to add a forwarding functionality
to the [[meta_plugin|plugins/meta]].
[[done]], with some changes --[[Joey]]
Find the most recent version at
http://schwinge.homeip.net/~thomas/tmp/meta_forward.patch.
I can't use scrub(...), as that will strip out the forwarding HTML command.
How to deal with that?
I can also submit a Git patch, if desired.
Syntax
URL = http://some.nice/place/ (etc.)
WHITHER = [[[[ikiwiki/wikilink]]]] | URL
D = natural number (meaning seconds)
OPT_DELAY = delay=D | empty (immediately)
[[!meta forward="WHITHER" OPT_DELAY]]
Extensions and Ideas
It might be doable to add references to pages that refer to the page containing
the forwarding statement also to the referred-to page.
--[[tschwinge]]
Discussion
The html scrubber cannot scrub meta headers. So if you emit one
containing user-supplied data, it's up to you to scrub it to avoid all
possible XSS attacks. Two attacks I'd worry about are cyclic meta refresh
loops, which some, but not all web browsers detect and break, and any way
to insert javascript via the user-supplied parameters. (Ie, putting
something in the delay value that closes the tag can probably insert
javascript ATM; and are there ways to embed javascript in the url?)
--[[Joey]]
OK. I can add code to make sure that $delay
D indeed is a natural number
and that the passed target address WHITHER is nothing but a valid target address.
(How to qualify a valid target address?)
What is a cyclic meta refresh loop? Two pages in turn forwarding to each other?
I think it would be possible to implement such a guard when only in-wiki links
([[ikiwiki/wikilink]]s) are being used, but how to do so for external links? --[[tschwinge]]
This seems a lot more secure to do for in-wiki links, since we know
that a link generated by a wikilink is safe, and can avoid cycles.
Obviously there's no way to avoid cycles when using external links.
An example of code that doesn't detect such cycles is LWP::UserAgent,
which will happily follow cycles forever. There's a LWPx::ParanoidAgent
that can deal with cycles. I suppose this could be considered a client
side issue, except that if I were going to turn this redirect feature
on in my wikis, I'd really prefer to not have to worry about my wiki
causing such problems for clients. I feel it makes sense to make
external redirects or other potentially unsafe things an option,
and have the default behavior be only things that are known to be
secure.
I haven't checked if there's a way to embed javascript in meta refresh
links or not. Given all the other places I've seen it be embedded, I'll
assume it is possible until it's shown not to be though.. --[[Joey]]
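
The checks raised in this discussion, as an added example in stand-alone Perl (not part of the patch or of ikiwiki): a natural-number delay, in-wiki targets with cycle detection, and external targets refused unless explicitly enabled. The names `%pages`, `%forward`, `safe_delay`, `safe_url`, `has_cycle` and `meta_refresh`, the sample data and the `/page/` URL layout are assumptions made for the illustration.

```perl
use strict;
use warnings;

# Constructed sample wiki (hypothetical names): the known pages, and the
# forward target each page's author supplied.
my %pages   = map { $_ => 1 } qw(old/page new/page a b ext evil);
my %forward = ('old/page' => 'new/page', 'a' => 'b', 'b' => 'a',
               'ext' => 'http://some.nice/place/', 'evil' => 'javascript:alert(1)');

# D must be a natural number; empty means forward immediately.
sub safe_delay {
    my $d = shift;
    return 0 if !defined $d || $d eq '';
    return $d =~ /\A[0-9]+\z/ ? $d : undef;
}

# External targets: http(s) only, no quotes, brackets, spaces or controls.
sub safe_url {
    my $url = shift;
    return $url =~ m{\Ahttps?://[^\s"'<>\x00-\x1f]+\z}i ? $url : undef;
}

# Follow in-wiki forwards from $page; true if any page is visited twice.
sub has_cycle {
    my ($page, %seen) = @_;
    while (defined $page && exists $forward{$page}) {
        return 1 if $seen{$page}++;
        $page = $forward{$page};
    }
    return 0;
}

# Build the tag, or return undef when any check fails.
sub meta_refresh {
    my ($page, $delay, $allow_external) = @_;
    my $d      = safe_delay($delay);
    my $target = $forward{$page};
    return undef if !defined $d || !defined $target;
    my $href;
    if ($pages{$target}) {                         # in-wiki target
        $href = "/$target/" if !has_cycle($page);  # assumed URL layout
    }
    elsif ($allow_external) {                      # off by default
        $href = safe_url($target);
    }
    return undef if !defined $href;
    my %ent = ('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;');
    $href =~ s/([&"<>])/$ent{$1}/g;                # escape for the attribute
    return qq{<meta http-equiv="refresh" content="$d; URL=$href" />};
}

# Constructed cases: [page, delay, allow_external]
for my $case (['old/page', 5, 0], ['a', '', 0], ['ext', 0, 0], ['ext', 0, 1],
              ['evil', 0, 1], ['old/page', '5">x', 0]) {
    printf "%-9s delay=%-5s external=%d => %s\n", @$case, meta_refresh(@$case) // 'rejected';
}
```

Only the plain `old/page` forward and the `ext` forward with external targets enabled produce a tag; the cycle, the non-http scheme and the delay that tries to close the attribute are rejected.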