
Bug #7847 raw markup rule allows XSS
Submitted: 2006-06-09 11:36 UTC
From: michael at liquidbytes dot net
Assigned: justinpatrin
Status: Closed
Package: Text_Wiki (version 1.1.0)
PHP Version: Irrelevant
OS: Linux
Roadmaps: (Not assigned)
 [2006-06-09 11:36 UTC] michael at liquidbytes dot net (Michael Mayer)
Description:
------------
The raw markup rule is a very simple way to inject any HTML code into a wiki page (even if the html rule is disabled!). I found this in the Text_Wiki documentation about the html rule:

----
Warning: This very powerful rule is disabled by default. If you enable it, be careful; you will be working with "real" HTML within the block, and as such can include JavaScript or other possibly malicious code.
----

So, why can't I find the same warning for the raw markup rule? You should find a way to fix it ASAP! A quick fix is to disable this rule, but that will break any "Editing Help" or "Sample" pages, which is fatal.

Test script:
---------------
``<script type="text/javascript">window.open('http://www.heise.de', 'xss');</script>``

Expected result:
----------------
<script type="text/javascript">window.open('http://www.heise.de', 'xss');

Actual result:
--------------
The code doesn't show to the user but opens a new window!
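The report above boils down to one rendering decision: whatever sits between the paired double backticks of a raw span is copied into the XHTML output verbatim, so browser-interpretable markup inside it (the reporter's `<script>` block) reaches the client unescaped. The following PHP is an added illustration, not Text_Wiki's own code: a stand-in for the Raw rule's XHTML renderer in the shape the bug describes, beside the hardened form that escapes the span before output. The regex, the function names and the input string are assumptions made for the example; it assumes only PHP's built-in `preg_replace_callback` and `htmlspecialchars`.

```php
<?php
// Added illustration, not Text_Wiki's own code. Text_Wiki marks a raw span
// with paired double backticks (``...``), as in the report's test script;
// the regex below is an assumption that models just that delimiter.

// Behaviour the report describes: the span body is emitted verbatim, so any
// HTML inside it (a <script> element included) is parsed by the browser.
function render_raw_unsafe(string $wikitext): string
{
    return preg_replace_callback(
        '/``(.*?)``/s',
        fn(array $m): string => $m[1],
        $wikitext
    );
}

// Hardened form: escape the span body so the browser displays the markup as
// text instead of interpreting it. ENT_QUOTES also neutralises both quote
// characters, so the result is safe inside attribute values as well as
// element content.
function render_raw_safe(string $wikitext): string
{
    return preg_replace_callback(
        '/``(.*?)``/s',
        fn(array $m): string => htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8'),
        $wikitext
    );
}

// Simple check a renderer can be held to: no raw span may leave a literal
// '<' or '>' in the output, whatever the author typed inside it.
function raw_output_is_inert(string $rendered): bool
{
    return strpos($rendered, '<') === false && strpos($rendered, '>') === false;
}

// Constructed input: the reporter's test script wrapped in raw markup.
$input = "``<script type=\"text/javascript\">window.open('http://www.heise.de', 'xss');</script>``";

$unsafe = render_raw_unsafe($input);   // script element survives intact
$safe   = render_raw_safe($input);     // script element rendered as &lt;script ...&gt;

printf("unsafe renderer inert: %s\n", raw_output_is_inert($unsafe) ? 'yes' : 'no');
printf("safe renderer inert:   %s\n", raw_output_is_inert($safe) ? 'yes' : 'no');
```

The check function is deliberately stricter than "no `<script>`": blocklisting tag names leaves event-handler attributes, `javascript:` URLs and encoding tricks untouched, whereas escaping every `<`, `>`, `&` and quote in the span makes the output inert regardless of what it contains, which is also why the reporter's "disable the rule" workaround is unnecessary once the renderer escapes.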

Comments

 [2006-06-09 21:32 UTC] justinpatrin (Justin Patrin)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.