>> Why? What's in there that's problematic? > > There are usernames in it. There is specific file information of the page in > it (Path on the server ...). The ACL ... settings ... > This is a lot of stuff that I think no one should see especially when the > "admin" is not aware that it's being "published" or when the wiki is being > used as corporate website. First, let me explain why I even added it. We get regularly questions from plugin authors on how they can access the current page ID or the namespace from within their JavaScript. I myself recently needed a way to find out if a user was logged in and what his user name was. Both infos were already somehow available to JavaScripts by grabbing it from the DOM, reading certain form fields and even some JavaScript exports (like NS or SIG). But this info was only available in a somewhat messy form. And whenever a plugin needed some more info it had to add an additional metaheader to write out a single variable (overhead of a action plugin) or use an expensive AJAX call. So my idea was to automatically export the $INFO array as it contains all the info one usually need to decide if a certain action should be done or not. Okay. Now let's have a closer look. For everybody's reference I pasted a dump of a typical (but somewhat messy) $INFO array at http://www.dokuwiki.org/devel:infoarray Looking at the exported data, the only thing that I can see that really shouldn't be thereat all is the full file path. Since this is a file system path it wouldn't even be useful for a JavaScript anyway. Then we have a lot of data that is probably not too useful to have in JavaScript, like the page abstract or the TOC array (though I could come up with some ideas how to use that one). OTOH this stuff is hardly security critical anyway. And then theres some data that you probably object to like userinfo, isadmin, ismanager, subscribed. But that's the data that really is useful to have in JavaScript. And it's all data that is specific for the current user. But it's data the user already knows (some of it is BW also available via ?do=check) - it is not secret. I don't really like the idea of introducing a config variable for completely disabling this export because I think some of this data will become really useful for DokuWiki's core functionality, too. Maybe we should condense the array and instead exporting all of $INFO, export just selected keys. But which? Andi PS. Gerry, your site export plugin is a completely different thing. Removing the javascript from within your plugin, or even better completely creating your own meta headers is the sensible thing to do there. -- splitbrain.org -- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist