Here is a patch to add a forwarding functionality to the meta plugin.
I can't use scrub(...), as that will strip out the forwarding HTML command.
How to deal with that?
I can also submit a Git patch, if desired.
Syntax
URL = http://some.nice/place/ (etc.)
WHITHER = [[wikilink]] | URL
D = natural number (meaning seconds)
OPT_DELAY = delay=D | empty (immediately)
[[!meta forward="WHITHER" OPT_DELAY]]
Extensions and Ideas
It might be doable to add references to pages that refer to the page containing the forwarding statement also to the referred-to page.
Discussion
The html scrubber cannot scrub meta headers. So if you emit one containing user-supplied data, it's up to you to scrub it to avoid all possible XSS attacks. Two attacks I'd worry about are cyclic meta refresh loops, which some, but not all web browsers detect and break, and any way to insert javascript via the user-supplied parameters. (I.e., putting something in the delay value that closes the tag can probably insert javascript ATM; and are there ways to embed javascript in the url?) --Joey
OK. I can add code to make sure that D indeed is a natural number and that the passed target address WHITHER is nothing but a valid target address. (How to qualify a valid target address?) What is a cyclic meta refresh loop? Two pages in turn forwarding to each other? I think it would be possible to implement such a guard when only in-wiki links (wikilinks) are being used, but how to do so for external links? --tschwinge

This seems a lot more secure to do for in-wiki links, since we know that a link generated by a wikilink is safe, and can avoid cycles. Obviously there's no way to avoid cycles when using external links.
An example of code that doesn't detect such cycles is LWP::UserAgent, which will happily follow cycles forever. There's a LWPx::ParanoidAgent that can deal with cycles. I suppose this could be considered a client side issue, except that if I were going to turn this redirect feature on in my wikis, I'd really prefer to not have to worry about my wiki causing such problems for clients. I feel it makes sense to make external redirects or other potentially unsafe things an option, and have the default behavior be only things that are known to be secure.
I haven't checked if there's a way to embed javascript in meta refresh links or not. Given all the other places I've seen it be embedded, I'll assume it is possible until it's shown not to be though. --Joey
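The thread above raises three concrete checks for the proposed directive: the delay must really be a natural number (so nothing in it can close the tag), the target must be either a known wikilink or a plain http(s) URL, and in-wiki forwards must not form a cycle, with external forwards off unless explicitly enabled. The following is an added example, not ikiwiki's Perl code and not part of this page; it implements those checks in Python against the syntax given in the proposal. The directive grammar, the `/page/` URL layout for wiki pages, the page names and the forward map are all constructed here for the demonstration.

```python
"""Added example (not ikiwiki's code): validate the user-supplied parameters
of the proposed [[!meta forward="WHITHER" delay=D]] directive before emitting
a meta refresh header, and refuse cyclic in-wiki forwards."""
import html
import re
from urllib.parse import urlsplit

# Grammar from the proposal: forward="WHITHER" with optional delay=D.
DIRECTIVE_RE = re.compile(
    r'\[\[!meta\s+forward="(?P<whither>[^"]*)"(?:\s+delay=(?P<delay>\S+))?\s*\]\]'
)
# A wikilink target: [[pagename]] restricted to a conservative character set.
WIKILINK_RE = re.compile(r'^\[\[(?P<page>[A-Za-z0-9_/.-]+)\]\]$')
ALLOWED_SCHEMES = {"http", "https"}   # blocks javascript:, data:, etc.


class ForwardError(ValueError):
    """Raised for any directive that must not be turned into a meta header."""


def parse_delay(raw):
    """D must be a natural number: digits only, so it cannot close the tag."""
    if raw is None:
        return 0                      # OPT_DELAY empty means immediately
    if not re.fullmatch(r"[0-9]+", raw):
        raise ForwardError(f"delay is not a natural number: {raw!r}")
    return int(raw)


def resolve_target(whither, known_pages, allow_external=False):
    """Return ('wiki', page) or ('url', url); anything else is rejected."""
    m = WIKILINK_RE.match(whither)
    if m:
        page = m.group("page")
        if page not in known_pages:
            raise ForwardError(f"unknown wiki page: {page!r}")
        return ("wiki", page)
    parts = urlsplit(whither)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ForwardError(f"not an http(s) URL: {whither!r}")
    if not allow_external:
        raise ForwardError("external forwards are disabled by default")
    return ("url", whither)


def find_cycle(start, forwards):
    """forwards maps wiki page -> wiki page it forwards to. Follow the chain
    from `start` and return the pages on the loop, or None if it terminates."""
    seen = []
    cur = start
    while cur in forwards:
        if cur in seen:
            return seen[seen.index(cur):]
        seen.append(cur)
        cur = forwards[cur]
    return None


def render_forward(page, directive, known_pages, forwards, allow_external=False):
    """Produce the <meta> tag for `page`, or raise ForwardError."""
    m = DIRECTIVE_RE.fullmatch(directive.strip())
    if not m:
        raise ForwardError("malformed forward directive")
    delay = parse_delay(m.group("delay"))
    kind, target = resolve_target(m.group("whither"), known_pages, allow_external)
    if kind == "wiki":
        chain = {**forwards, page: target}   # include the forward being added
        loop = find_cycle(page, chain)
        if loop:
            raise ForwardError("cyclic forward: " + " -> ".join(loop))
        href = "/" + target + "/"            # assumed URL layout for wiki pages
    else:
        href = target
    # html.escape keeps a quote or angle bracket in the URL from ending the attribute.
    return f'<meta http-equiv="refresh" content="{delay}; url={html.escape(href, quote=True)}">'


def rejected(page, directive, known_pages, forwards, allow_external=False):
    """True if the directive is refused; convenient for policy checks."""
    try:
        render_forward(page, directive, known_pages, forwards, allow_external)
        return False
    except ForwardError:
        return True


if __name__ == "__main__":
    # Constructed sample wiki: three pages, one existing forward.
    pages = {"index", "news", "news/2008"}
    existing = {"news": "news/2008"}
    print(render_forward("index", '[[!meta forward="[[news]]" delay=5]]', pages, existing))
    for bad in ['[[!meta forward="[[news]]" delay=0"><b>]]',      # delay closes the tag
                '[[!meta forward="javascript:alert(1)"]]',       # non-http scheme
                '[[!meta forward="http://some.nice/place/"]]']:  # external, not enabled
        print("rejected:", bad, rejected("index", bad, pages, existing))
```

The cycle check only applies to wikilink targets, matching the point in the discussion that cycles through external URLs cannot be detected from inside the wiki; external forwards are therefore opt-in via `allow_external`, which is the "secure by default" split suggested above.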