Re: [fossil-users] How to allow script tag in Fossil Wiki
Hello Stephan,

Lately I have been working on integrating Bootstrap (from Twitter) to modernize the look and feel and add a responsive design to my Fossil web interfaces. For that, I hacked the markup generated by fossil, mainly adding a few class attributes - these modifications could probably be written in javascript.

The main thing I'm really missing is a way to inject raw html within the wiki markup, html that would not be parsed, because the parser is a bit too restrictive and may remove some markup/attributes considered harmful or unknown.

A concrete example:

    <div class="span12">
      <ol class="carousel-indicators">
        <li data-target="#carousel" data-slide-to="0" class="active"></li>
        <li data-target="#carousel" data-slide-to="1"></li>
        <li data-target="#carousel" data-slide-to="2"></li>
      </ol>
    </div>

With the current implementation the div markup and the data-target, data-slide-to attributes are stripped from the rendered output.

Meanwhile, I have been following your dev of the JSON API as this is probably the right solution in the long term (to have fossil as library/web service). But in the short term is this kind of hack worth considering (I have a prototype implemented for Fossil Wiki markup)?

Regards,
Samuel

On 30/08/2013 16:31, Stephan Beal wrote:
> On Fri, Aug 30, 2013 at 3:58 PM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
>> Too bad. Would that mean that if I submit a patch that would make it an extra option with an extra warning it has no chance to be accepted?
>
> That would be Richard's decision. i wouldn't be against it. My own use of the wiki nowadays mostly uses the JSON API to store/fetch GoogleCode-formatted wiki pages and render them on the client using JavaScript. Example:
>
> http://fossil.wanderinghorse.net/wikis/cson/?page=cson
>
> That's a fossil repository whose sole purpose is to hold the wiki pages for that project (the sources are another repo), and it's only rendered using the custom (wiki-only) front-end.
>
> --
> - stephan beal
> http://wanderinghorse.net/home/stephan/
> http://gplus.to/sgbeal

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] How to allow script tag in Fossil Wiki
On Mon, Sep 9, 2013 at 4:26 PM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
>     <ol class="carousel-indicators">
>       <li data-target="#carousel" data-slide-to="0" class="active"></li>
>       <li data-target="#carousel" data-slide-to="1"></li>
>       <li data-target="#carousel" data-slide-to="2"></li>
>     </ol>

Correct - fossil elides all tags which are not listed here:

http://fossil-scm.org/index.html/wiki_rules

and it strips all but a few benign attributes. At the time that was written, data- was not yet standardized and not in common usage. (Sidebar: the HTML4 standard is ambiguous on how exactly browsers should parse that: the wording allows a browser to ignore such attributes but does not specify whether "ignore" means "skip while parsing" or "parse but apply no meaning to", but everyone seems to expect/rely on the latter behaviour.)

Perhaps Richard could be convinced that data- is necessary for modern JS usage. Then again, because data- is basically there solely for the sake of JS, one could argue that the risk of cross-site-scripting problems is higher with those tags. (That said: i have no opinion on the topic - i'm an utter idiot when it comes to XSS and similar topics.)

> Meanwhile, I have been following your dev of the JSON API as this is probably the right solution in the long term (to have fossil as library/web service). But in the short term is this kind of hack worth considering (I have a prototype implemented for Fossil Wiki markup)?

Personally, i wouldn't bother, but people do all sorts of things i wouldn't ever bother trying to do ;). If you JUST want a Wiki, an AJAX/JSON-only solution is currently realistic.

Longer term (but not this year) libfossil should be able to offer a potential solution for you. The plan is to move the wiki parsing into a higher-level API, such that the client can plug in their own renderers/filters for specified wiki text types (wikis have a mime-type field which we can use to dispatch to the proper renderer). But the networking components are still a very long way down the TODO list.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
[fossil-users] How to allow script tag in Fossil Wiki
Hello all,

I would like to use script tags (and CSS/javascript in general) within the Wiki pages (using the Fossil markup). I understand that this can have some impact on the security, but I trust my fellow co-writers. Is there an option to disable the sanitization of the code without going all HTML?

Regards,
Samuel Debionne
Re: [fossil-users] How to allow script tag in Fossil Wiki
Hi!

Login, then visit Admin == Configuration; there's an option there (with a big warning label) to enable all HTML tags.

On Fri, Aug 30, 2013 at 10:11 AM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
> Hello all,
>
> I would like to use script tags (and CSS/javascript in general) within the Wiki pages (using the Fossil markup). I understand that this can have some impact on the security, but I trust my fellow co-writers. Is there an option to disable the sanitization of the code without going all HTML?
>
> Regards,
> Samuel Debionne

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Re: [fossil-users] How to allow script tag in Fossil Wiki
Hi Stephan,

Thanks for the fast answer.

> Login, then visit Admin == Configuration; there's an option there (with a big warning label) to enable all HTML tags.

The option says "Use HTML as wiki markup language", which is not what I want (I'd like to keep the Wiki markup). Is there a way to disable sanitization independently of the choice of the markup?

Samuel
Re: [fossil-users] How to allow script tag in Fossil Wiki
On Fri, Aug 30, 2013 at 3:45 PM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
> The option says "Use HTML as wiki markup language", which is not what I want (I'd like to keep the Wiki markup). Is there a way to disable sanitization independently of the choice of the markup?

Nope :(. Yeah, i'd like it, too, but i agree with Richard's original decision to be quite strict on the wiki filtering.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Re: [fossil-users] How to allow script tag in Fossil Wiki
On Fri, Aug 30, 2013 at 3:53 PM, Stephan Beal sgb...@googlemail.com wrote:
> On Fri, Aug 30, 2013 at 3:45 PM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
>> The option says "Use HTML as wiki markup language", which is not what I want (I'd like to keep the Wiki markup). Is there a way to disable sanitization independently of the choice of the markup?
>
> Nope :(. Yeah, i'd like it, too, but i agree with Richard's original decision to be quite strict on the wiki filtering.

That said, the built-in wiki format isn't all that far removed from HTML, providing only a handful of conveniences, e.g. [linking] and single-depth lists, but not providing tables, *bold*, _underline_, and some other common ones. And i'm pretty sure (but not 100%) that wiki links still get processed if you turn on HTML formatting (i seem to remember trying it once but turned it off because i wanted to bypass all wiki processing of the text).

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Re: [fossil-users] How to allow script tag in Fossil Wiki
On 30/08/2013 15:53, Stephan Beal wrote:
> On Fri, Aug 30, 2013 at 3:45 PM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
>> The option says "Use HTML as wiki markup language", which is not what I want (I'd like to keep the Wiki markup). Is there a way to disable sanitization independently of the choice of the markup?
>
> Nope :(. Yeah, i'd like it, too, but i agree with Richard's original decision to be quite strict on the wiki filtering.

Too bad. Would that mean that if I submit a patch that would make it an extra option with an extra warning it has no chance to be accepted?
Re: [fossil-users] How to allow script tag in Fossil Wiki
On Fri, Aug 30, 2013 at 3:58 PM, Samuel Debionne samuel.debio...@ujf-grenoble.fr wrote:
> Too bad. Would that mean that if I submit a patch that would make it an extra option with an extra warning it has no chance to be accepted?

That would be Richard's decision. i wouldn't be against it. My own use of the wiki nowadays mostly uses the JSON API to store/fetch GoogleCode-formatted wiki pages and render them on the client using JavaScript. Example:

http://fossil.wanderinghorse.net/wikis/cson/?page=cson

That's a fossil repository whose sole purpose is to hold the wiki pages for that project (the sources are another repo), and it's only rendered using the custom (wiki-only) front-end.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal