Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-08-30 Thread Stephan Beal
Hi!

Login, then visit Admin ==> Configuration

there's an option there (with a big warning label) to enable all HTML tags.



On Fri, Aug 30, 2013 at 10:11 AM, Samuel Debionne <
samuel.debio...@ujf-grenoble.fr> wrote:

> Hello all,
> I would like to use script tags (and CSS/javascript in general) within
> the Wiki pages (using the Fossil markup). I understand that this can
> have some impact on the security, but I trust my fellow co-writers. Is
> there an option to disable the sanitization of the code without going
> all HTML ?
> Regards,
> Samuel Debionne
> ___
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>



-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal


Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-08-30 Thread Samuel Debionne
Hi Stephan,
Thanks for the fast answer.

> Login, then visit Admin ==> Configuration
> there's an option there (with a big warning label) to enable all HTML tags.

The option says "Use HTML as wiki markup language", which is not what I
want (I'd like to keep the Wiki markup). Is there a way to disable
sanitization independently of the choice of the markup ?

Samuel


Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-08-30 Thread Stephan Beal
On Fri, Aug 30, 2013 at 3:45 PM, Samuel Debionne <
samuel.debio...@ujf-grenoble.fr> wrote:

> The option says "Use HTML as wiki markup language", which is not what I
> want (I'd like to keep the Wiki markup). Is there a way to disable
> sanitization independently of the choice of the markup ?
>

Nope :(. Yeah, i'd like it, too, but i agree with Richard's original
decision to be quite strict on the wiki filtering.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal


Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-08-30 Thread Stephan Beal
On Fri, Aug 30, 2013 at 3:53 PM, Stephan Beal wrote:

> On Fri, Aug 30, 2013 at 3:45 PM, Samuel Debionne <
> samuel.debio...@ujf-grenoble.fr> wrote:
>
>> The option says "Use HTML as wiki markup language", which is not what I
>> want (I'd like to keep the Wiki markup). Is there a way to disable
>> sanitization independently of the choice of the markup ?
>>
>
> Nope :(. Yeah, i'd like it, too, but i agree with Richard's original
> decision to be quite strict on the wiki filtering.
>

That said, the built-in wiki format isn't all that far removed from HTML,
providing only a handful of conveniences, e.g. [linking] and single-depth
lists, but not providing tables, *bold*, _underline_, and some other common
ones. And i'm pretty sure (but not 100%) that wiki links still get
processed if you turn on HTML formatting (i seem to remember trying it once
but turned it off because i wanted to bypass all wiki processing of the
text).

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal


Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-08-30 Thread Samuel Debionne
On 30/08/2013 15:53, Stephan Beal wrote:
> On Fri, Aug 30, 2013 at 3:45 PM, Samuel Debionne wrote:
> 
> The option says "Use HTML as wiki markup language", which is not what I
> want (I'd like to keep the Wiki markup). Is there a way to disable
> sanitization independently of the choice of the markup ?
> 
> 
> Nope :(. Yeah, i'd like it, too, but i agree with Richard's original
> decision to be quite strict on the wiki filtering.

Too bad. Would that mean that if I submit a patch that would make it an
extra option with an "extra warning" it has no chance to be accepted ?



Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-08-30 Thread Stephan Beal
On Fri, Aug 30, 2013 at 3:58 PM, Samuel Debionne <
samuel.debio...@ujf-grenoble.fr> wrote:

> Too bad. Would that mean that if I submit a patch that would make it an
> extra option with an "extra warning" it has no chance to be accepted ?
>

That would be Richard's decision. i wouldn't be against it. My own use of
the wiki nowadays mostly uses the JSON API to store/fetch
GoogleCode-formatted wiki pages and render them on the client using
JavaScript. Example:

http://fossil.wanderinghorse.net/wikis/cson/?page=cson

That's a fossil repository whose sole purpose is to hold the wiki pages for
that project (the sources are another repo), and it's only rendered using
the custom (wiki-only) front-end.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal


Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-09-09 Thread Samuel Debionne
Hello Stephan,
Lately I have been working on integrating Bootstrap (from Twitter) to
modernize the look & feel and add a responsive design to my Fossil web
interfaces. For that, I hacked the markup generated by fossil, mainly
adding a few class attributes - these modifications could probably be
written in javascript. The main thing I'm really missing is a way to
inject raw html within the wiki markups, html that would not be parsed,
because the parser is a bit too restrictive and may remove some
markup/attributes considered harmful or unknown. A concrete example:





  


With the current implementation the div markup and the data-target,
data-slide-to attributes are stripped from the rendered output.

Meanwhile, I have been following your dev of the JSON API as this is
probably the right solution in the long term (to have fossil as
library/web service). But in the short term is this kind of hack worth
considering (I have a prototype implemented for Fossil Wiki markup) ?

Regards,
Samuel

On 30/08/2013 16:31, Stephan Beal wrote:
> On Fri, Aug 30, 2013 at 3:58 PM, Samuel Debionne wrote:
> 
> Too bad. Would that mean that if I submit a patch that would make it an
> extra option with an "extra warning" it has no chance to be accepted ?
> 
> 
> That would be Richard's decision. i wouldn't be against it. My own use
> of the wiki nowadays mostly uses the JSON API to store/fetch
> GoogleCode-formatted wiki pages and render them on the client using
> JavaScript. Example:
> 
> http://fossil.wanderinghorse.net/wikis/cson/?page=cson
> 
> That's a fossil repository whose sole purpose is to hold the wiki pages
> for that project (the sources are another repo), and it's only rendered
> using the custom (wiki-only) front-end.
> 
> -- 
> - stephan beal
> http://wanderinghorse.net/home/stephan/
> http://gplus.to/sgbeal
> 
> 
> 



Re: [fossil-users] How to allow script tag in Fossil Wiki

2013-09-09 Thread Stephan Beal
On Mon, Sep 9, 2013 at 4:26 PM, Samuel Debionne <
samuel.debio...@ujf-grenoble.fr> wrote:

>   
> 
> 
> 
>   
>

Correct - fossil elides all tags which are not listed here:

http://fossil-scm.org/index.html/wiki_rules

and it strips all but "a few benign" attributes. At the time that was
written, "data-" was not yet standardized and not in common usage.
(Sidebar: the HTML4 standard is ambiguous on how exactly browsers should
parse that: the wording allows a browser to "ignore" such attributes but
does not specify whether "ignore" means "skip while parsing" or "parse but
apply no meaning to," but everyone seems to expect/rely on the latter
behaviour.) Perhaps Richard could be convinced that "data-" is necessary
for modern JS usage. Then again, because data- is basically there solely
for the sake of JS, one could argue that the risk of cross-site-scripting
problems is higher with those tags. (That said: i have no opinion on the
topic - i'm an utter idiot when it comes to XSS and similar topics.)



> Meanwhile, I have been following your dev of the JSON API as this is
> probably the right solution in the long term (to have fossil as
> library/web service). But in the short term is this kind of hack worth
> considering (I have a prototype implemented for Fossil Wiki markup) ?
>

Personally, i wouldn't bother, but people do all sorts of things i wouldn't
ever bother trying to do ;). If you JUST want a Wiki, an AJAX/JSON-only
solution is currently realistic. Longer term (but not this year) libfossil
should be able to offer a potential solution for you. The plan is to move the
wiki parsing into a higher-level API, such that the client can plug in
their own renderers/filters for specified wiki text types (wikis have a
mime-type field which we can use to dispatch to the proper renderer). But
the networking components are still a very long way down the TODO list.

-- 
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
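
The tag and attribute filtering discussed in the last message, as an added example that is not part of the original thread and is not Fossil's code: a small allowlist sanitizer showing why a `div` and its `data-target`/`data-slide-to` attributes disappear, and what an opt-in for `data-*` changes. The allowlists, the `sanitize` helper and the sample markup are constructed for illustration and are assumptions, not Fossil's actual rules.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for illustration; NOT Fossil's actual wiki_rules lists.
ALLOWED_TAGS = {"a", "b", "i", "p", "ul", "ol", "li", "pre", "code"}
ALLOWED_ATTRS = {"href", "title", "class", "id"}
SAFE_HREF = ("http://", "https://", "/", "#")
# Constructed sample in the style of a Bootstrap carousel indicator.
SAMPLE = ('<div class="carousel"><ol><li data-target="#c" data-slide-to="0" '
          'onclick="steal()">one</li></ol></div><script>alert(1)</script>')

class AllowlistSanitizer(HTMLParser):
    def __init__(self, extra_tags=(), allow_data_attrs=False):
        super().__init__(convert_charrefs=True)
        self.tags = ALLOWED_TAGS | set(extra_tags)
        self.allow_data_attrs = allow_data_attrs
        self.out = []
        self.skip = 0  # > 0 while inside <script>/<style>: their text is dropped

    def _attr_ok(self, name, value):
        if name == "href":  # plain web or relative links only, no javascript:
            return (value or "").lower().startswith(SAFE_HREF)
        if name.startswith("data-"):  # inert markup, but page scripts read it
            return self.allow_data_attrs
        return name in ALLOWED_ATTRS  # everything else, e.g. onclick, is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in self.tags and not self.skip:
            kept = "".join(f' {n}="{escape(v or "")}"'
                           for n, v in attrs if self._attr_ok(n, v))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in self.tags and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup, **options):
    parser = AllowlistSanitizer(**options)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Allowing `data-*` leaves the rendered markup inert on its own, but the attribute values are then consumed by whatever script runs on the page, which is the cross-site-scripting concern raised in the reply above.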