[whatwg] Embedding images within editable content

[Shital Shah]

I'm wondering if there are any ideas being discussed to add an ability so
users can embed images in editable areas. 

 

Many modern web applications including blogs and wikis allow users to
visually edit content with rich formatting. However present limitation with
all browsers is lack of ability to insert images and other media when
editing this content. This limitation to insert images visually and
naturally within editable content holds back several novice and even expert
users to create rich content in web effortlessly. Please comment if any
ideas being considered to solve this problem within HTML5 or future
specifications roadmap.

Re: [whatwg] Thoughts on HTML 5

[Giovanni Campagna]

2008/12/21 Garrett Smith dhtmlkitc...@gmail.com


 Styling is done in css.


Dynamic styling is currently done with the style property of HTMLElement.
This is currently implemented in DOM2HTML and HTML5, but I once read they're
going to write a separate CSS-Object Model, whose spec is not ready yet, but
it is mentioned in the CSS current work.

I don't have time to go into the all the problems with CSSOM here.
 Shortcomings of the CSSOM 'views' module were discussed on www-style.
 'VIews' is not the only CSSOM module that has problems.

Most of CSS is already implemented (like HTML, they're just standarizing
what browser already do)


  you don't need collection either: just use appropriate DOMNodeLists,
 while
  for DOMStringMap you may use binding specific features (all Object are
 hash
  maps in ECMAScript3): it works this way even in HTML5

 Where are you getting this information?

What information?
a) DOMNodeList are collection of ordered Nodes -- see DOM3Core for
definition - if you want only Element Nodes see the Element Traversal
specification by the WebApps WG
b) ECMAScript Object are implemented as associative arrays (hash map /
binary tree) -- see Mozilla Developer Center: it is only about Firefox, but
I think all browser behave like this since they must reference arbitrary
properties that are not known at compile time (if they compile)
c) DOMStringMap is defined to be like ECMAScript Object -- look at its IDL:
it has no members, no properties, no methods

 but scripts use certain features only on their own browsing context, so
 that
  may be moved from that to global scope, removing the whole window object
  from scope (for current javascript you can write
  window.window.window.window.window... and get the same as nothing)

The closest definition to 'nothing' would be the value undefined. I do
 not know of a browser where - window.window.window === undefined is
 true by default. I get window.


a) undefined != undefined is true in ECMAScript
b) i didn't mean undefined, i mean literally nothing, eg this script
window.window.window.window.window.window.window.alert(hello, world);
is exactly the same as
alert(hello, world);


 The closes thing we got to an example of invalid html is TJ post about
 jquery validation plugin. If you click throuh, there is an demo using
 a minlength custom attribute. The attribute may have the effect the
 author wanted it to have in a set of browses he is concerned about.
 That effect and the set of browsers could be more clearly
 demonstrated in an example that shows only that, as well as edge cases
 where results may vary.

I don't see your point...


 If you can't define clearly what can be reasonably expected of a piece
 of (invalid) code, then nothing can be reasonably expected of it. It's
 not a good to write code that can't have an expected outcome.

HTML5 is here to define what browser must and must not do with de-facto
standards (called DOM Level 0, but also features that once were
browser-specific like embed)
Instead what I'm asking is only for the developer point of view.


Giovanni

[whatwg] 8.2.4.4 Close tag open state

[Edward Z. Yang]

The condition here is relly long. Is there any way we can make it
shorter?

Cheers,
Edward

Re: [whatwg] Embedding images within editable content

[Tab Atkins Jr.]

On Mon, Dec 22, 2008 at 2:53 AM, Shital Shah syte...@yahoo.com wrote:
 I'm wondering if there are any ideas being discussed to add an ability so
 users can embed images in editable areas.



 Many modern web applications including blogs and wikis allow users to
 visually edit content with rich formatting. However present limitation with
 all browsers is lack of ability to insert images and other media when
 editing this content. This limitation to insert images visually and
 naturally within editable content holds back several novice and even expert
 users to create rich content in web effortlessly. Please comment if any
 ideas being considered to solve this problem within HTML5 or future
 specifications roadmap.

I'm confused about what you're asking.  All decent WYSIWYG editors
*do* allow users to insert images, and often other media.  You can see
the image right in the display next to all the text while you're
editting it.

~TJ

Re: [whatwg] Embedding images within editable content

[Martin Atkins]

Tab Atkins Jr. wrote:

On Mon, Dec 22, 2008 at 2:53 AM, Shital Shah syte...@yahoo.com wrote:

I'm wondering if there are any ideas being discussed to add an ability so
users can embed images in editable areas.


[snip]


I'm confused about what you're asking.  All decent WYSIWYG editors
*do* allow users to insert images, and often other media.  You can see
the image right in the display next to all the text while you're
editting it.



I don't know what the original poster was asking about, but one issue 
I've encountered in this area is that users want to embed images from 
their own local drives rather than having to separately upload them to 
the server first.


Unfortunately, the in-browser editors often make it look like this is 
going to work; users manage to get embedded images with file:// URLs 
that seem to work for that user but obviously will not work for any 
other user.


However, I'm not sure what the solution is here. If contentEditable was 
a real form widget you could imagine it supporting a 
multipart/form-data upload of all of its contained images, or something. 
However, as long as client-side code is manually shifting the data to 
and from real widgets it's not clear how to do this since you can't just 
create a file-upload control with the filename pre-populated and submit 
it transparently.

Re: [whatwg] Embedding images within editable content

[Tab Atkins Jr.]

On Mon, Dec 22, 2008 at 1:33 PM, Martin Atkins m...@degeneration.co.uk wrote:
 However, I'm not sure what the solution is here. If contentEditable was a
 real form widget you could imagine it supporting a multipart/form-data
 upload of all of its contained images, or something. However, as long as
 client-side code is manually shifting the data to and from real widgets it's
 not clear how to do this since you can't just create a file-upload control
 with the filename pre-populated and submit it transparently.

You can't create a file input with the filename pre-filled for obvious
security reasons, but you *can* still do some clever stuff here.  In
order to add a picture you'll probably need them to go through a file
dialog anyway to select the picture, and you can make this *actually*
be the file dialog of a hidden file input.  You can then move this
input around in the DOM without clearing its value, and submit it
transparently.

It's a bit hacky, but hey, web security is Serious Business.

~TJ

Re: [whatwg] Embedding images within editable content

[Douglas Mayle]

I replied to the originator of this thread, but forgot to include the  
list.  Shital was talking about rich paste and the ability to embed  
images.  As of IE8, all of the major browsers support data URI's for  
images, but none of them will generate that on paste...


I work on Xinha(WYSIWYG editor), and I know that it's possible to  
generate this with Gears, or maybe also with Canvas, but I don't see  
how we could do anything in HTML5...


On Dec 22, 2008, at 2:33 PM, Martin Atkins wrote:


Tab Atkins Jr. wrote:
On Mon, Dec 22, 2008 at 2:53 AM, Shital Shah syte...@yahoo.com  
wrote:
I'm wondering if there are any ideas being discussed to add an  
ability so

users can embed images in editable areas.


[snip]

I'm confused about what you're asking.  All decent WYSIWYG editors
*do* allow users to insert images, and often other media.  You can  
see

the image right in the display next to all the text while you're
editting it.


I don't know what the original poster was asking about, but one  
issue I've encountered in this area is that users want to embed  
images from their own local drives rather than having to separately  
upload them to the server first.


Unfortunately, the in-browser editors often make it look like this  
is going to work; users manage to get embedded images with file://  
URLs that seem to work for that user but obviously will not work for  
any other user.


However, I'm not sure what the solution is here. If contentEditable  
was a real form widget you could imagine it supporting a multipart/ 
form-data upload of all of its contained images, or something.  
However, as long as client-side code is manually shifting the data  
to and from real widgets it's not clear how to do this since you  
can't just create a file-upload control with the filename pre- 
populated and submit it transparently.

Re: [whatwg] 8.2.4.4 Close tag open state

[Henri Sivonen]

On Dec 22, 2008, at 19:31, Edward Z. Yang wrote:

The condition here is relly long. Is there any way we can make  
it shorter?



Not really, but it's possible to flatten out the lookahead by adding  
states so that the condition in each state becomes simpler. (In fact,  
it's possible to remove lookahead from the tokenizer altogether by  
adding more states.) See Tokenizer.java in the Validator.nu HTML Parser.


SVN URL: http://svn.versiondude.net/whattf/htmlparser/trunk/

--
Henri Sivonen
hsivo...@iki.fi
http://hsivonen.iki.fi/

Re: [whatwg] Embedding images within editable content

[ddailey]

Observe the following:
http://granite.sru.edu/~ddailey/svg/clipembed.html

In IE 4 - 7 (with the Adobe SVG plugin enabled), the end user can select an 
image from her own hard drive using a file upload.
In IE 4, I had a similar thing (sans SVG) that worked also in Netscape. It 
doesn't work in the other (more standards compliant?) browsers though, and 
folks have cited the obvious security reasons.


I had complained a year or two ago here that the spec no longer seemed to 
enable this.  I recall someone becoming quite indignant that an author would 
even WANT to allow users to have access to images. The reason for the 
security concern as well as the indignation eluded me, and the security 
seems not to be SO terrible, I thought, if old Netscape and comparatively 
new IE7 still allowed me to do it.


The ability of the browser to be able to support user-selected image content 
(without making a roundtrip to the server which to me seems like a bigger 
security risk than having local images displayed and manipulated ) seems to 
be at the core essence of what I would define as web hypertext 
applications.


Hixie, responded to this thread a year or so ago, with supportive remarks 
(that I confess I didn't totally understand) saying that it looked as though 
there would be a way to do this through some mechanism that I gathered was 
outside the scope of WHATWG or HTML5.


While we're on the subject, I would really like to be able to read pixel 
values from local images by plugging them into (as through a input 
type=file) a canvas. Having access to pixel values, allows certain filter 
effects to be defined in JavaScript rather than relying on the preexisting 
filters build into canvas and SVG. Not only that but analysis of image data 
(as in scientific image processing) would be enabled.


Overall, while I respect the need for security, I think functionality is the 
primary objective and that security should be designed around functionality 
rather than the reverse. Let's make that a design principle!


cheers
David

- Original Message - 
From: Tab Atkins Jr. jackalm...@gmail.com

To: Martin Atkins m...@degeneration.co.uk
Cc: wha...@whatwg.org
Sent: Monday, December 22, 2008 2:39 PM
Subject: Re: [whatwg] Embedding images within editable content


On Mon, Dec 22, 2008 at 1:33 PM, Martin Atkins m...@degeneration.co.uk 
wrote:

However, I'm not sure what the solution is here. If contentEditable was a
real form widget you could imagine it supporting a multipart/form-data
upload of all of its contained images, or something. However, as long as
client-side code is manually shifting the data to and from real widgets 
it's
not clear how to do this since you can't just create a file-upload 
control

with the filename pre-populated and submit it transparently.


You can't create a file input with the filename pre-filled for obvious
security reasons, but you *can* still do some clever stuff here.  In
order to add a picture you'll probably need them to go through a file
dialog anyway to select the picture, and you can make this *actually*
be the file dialog of a hidden file input.  You can then move this
input around in the DOM without clearing its value, and submit it
transparently.

It's a bit hacky, but hey, web security is Serious Business.

~TJ

Re: [whatwg] Embedding images within editable content

[Martin Atkins]

Tab Atkins Jr. wrote:

On Mon, Dec 22, 2008 at 1:33 PM, Martin Atkins m...@degeneration.co.uk wrote:

However, I'm not sure what the solution is here. If contentEditable was a
real form widget you could imagine it supporting a multipart/form-data
upload of all of its contained images, or something. However, as long as
client-side code is manually shifting the data to and from real widgets it's
not clear how to do this since you can't just create a file-upload control
with the filename pre-populated and submit it transparently.


You can't create a file input with the filename pre-filled for obvious
security reasons, but you *can* still do some clever stuff here.  In
order to add a picture you'll probably need them to go through a file
dialog anyway to select the picture, and you can make this *actually*
be the file dialog of a hidden file input.  You can then move this
input around in the DOM without clearing its value, and submit it
transparently.

It's a bit hacky, but hey, web security is Serious Business.



This is indeed the solution I employed in a webapp I developed some time 
ago. The main irritation with it was that I needed to submit the image 
to the server before it could be displayed in the WYSIWYG view, which 
required considerable hoop-jumping to put the image in a transient 
location that would eventually be cleaned up if the user didn't actually 
end up using the image on the page, or didn't save the page at all. It 
also didn't work in the copy-paste case, though admittedly in that 
situation we usually just ended up linking to off-site images rather 
than file: URLs, since the copy-pasting was from other websites.


In an ideal world, the content and all embedded media would be submitted 
together in the ultimate form submission. One approach would be to use 
multipart/form-data and have the browser act as if the images were in 
file upload form widgets, and another approach suggested by another 
poster was to include the image using a data: URL. In both cases I would 
still want to do some server-side work after submission to extract the 
images and store them separately, but at least the user experience 
matches the expectation that the image is part of the document.


Of course, neither of these approaches have particularly great fallback 
behavior. The data: URL approach looks the most promising, but apps that 
are not written with that in mind will presumably end up serving the 
content with data: URLs and confusing downlevel browsers. At least it'll 
do something sensible in modern browsers, though, while still making the 
images available for extraction server-side if desired.

Re: [whatwg] 8.2.4.37: EOF handling

[Philip Taylor]

On Mon, Dec 22, 2008 at 9:33 PM, Edward Z. Yang
edwardzy...@thewritingpot.com wrote:
 Hello all,

 I think EOF should be handled explicitly in the states after we Consume
 the U+0023 NUMBER SIGN, since the spec as it stands right now implies
 that there will always be another character after the number sign. Or am
 I being a little redundant?

EOF is always treated as if it were a character, e.g. lots of places
say Consume the next input character: ... EOF - ... Reconsume the
EOF character in the data state. If you have # at the end of a
file, the next character is the EOF character, which is not 'x' or 'X'
and so it is anything else. So it seems consistent and unambiguous
to me.

-- 
Philip Taylor
exc...@gmail.com

[whatwg] 8.2.4.37: EOF handling

[Edward Z. Yang]

Hello all,

I think EOF should be handled explicitly in the states after we Consume
the U+0023 NUMBER SIGN, since the spec as it stands right now implies
that there will always be another character after the number sign. Or am
I being a little redundant?

Cheers,
Edward

Re: [whatwg] 8.2.4.37: EOF handling

[Edward Z. Yang]

Philip Taylor wrote:
 EOF is always treated as if it were a character, e.g. lots of places
 say Consume the next input character: ... EOF - ... Reconsume the
 EOF character in the data state. 

That seems fair, although most implementations won't have an actual end
of file character; they'll be checking their string index to see if
they've gone out of bounds. But the spec is internally consistent (I'm
just used to seeing an EOF special case on almost every state).

Thanks,
Edward

[whatwg] 8.2.5.10 - Adding textarea

[Kartikaya Gupta]

For the steps under 'A start tag whose tag name is textarea' in 8.2.5.10 (in 
body insertion mode), step 3 seems wrong to me, since step 1 already includes 
an append operation. As specified now, it will cause two textarea elements to 
be added (assuming new element refers to the textarea).

Cheers,
kats

[whatwg] Consuming ampersands

[Edward Z. Yang]

Hello all,

When I'm consuming a character reference, when does the ampersand get
consumed? This doesn't seem to be obvious from the documentation, which
talks of consuming character references and number hash signs, but never
the ampersand.

Cheers,
Edward

Re: [whatwg] Consuming ampersands

[Philip Taylor]

On Tue, Dec 23, 2008 at 1:08 AM, Edward Z. Yang
edwardzy...@thewritingpot.com wrote:
 Hello all,

 When I'm consuming a character reference, when does the ampersand get
 consumed? This doesn't seem to be obvious from the documentation, which
 talks of consuming character references and number hash signs, but never
 the ampersand.

They're consumed in the state that comes before the character
reference state, e.g.:

  8.2.4.1 Data state
  Consume the next input character:
   - U+0026 AMPERSAND () ... switch to the character reference data state.

-- 
Philip Taylor
exc...@gmail.com

[whatwg] Minor typo in 8.2.4.37

[Edward Z. Yang]

 in the range 0x to 0x0008,  U+000B,  U+000E to 0x001F,  0x007F  to
0x009F, 0xD800 to 0xDFFF , 0xFDD0 to 0xFDDFin the range 0x to
0x0008,  U+000B,  U+000E to 0x001F,  0x007F  to 0x009F, 0xD800 to 0xDFFF
, 0xFDD0 to 0xFDDFin the range 0x to 0x0008,  U+000B,  U+000E to
0x001F,  0x007F  to 0x009F, 0xD800 to 0xDFFF , 0xFDD0 to 0xFDDF

U+000B is not a range.

Cheers,
Edward

[whatwg] Code defined for one document called after that document is no longer the one being displayed

[Ian Hickson]

On Thu, 15 May 2008, Jonas Sicking wrote:
 
 Generally saying that scripts won't run once you've navigated away from 
 a page is wrong. For example I think that if you mutate the DOM of 
 document that has been navigated away from mutation-event handlers will 
 still fire. And UserDataHandlers will likely fire as described by spec.

The HTML5 spec now defines that once you navigate away, the scripts are 
frozen, meaning that scripts defined by the page itself won't fire. 
Scripts from other pages still will, though.


 Not to mention that there can still be script executing for a page when the
 page is navigated away from. For example:
 
 var value = hello nurse;
 onload = function() {
   alert(i'm still the active page);
   document.write(new page);
   alert(I'm script running in the context of a page that has been  +
 navigated away from. See, |value| is still there: + value);
 }

Right, per spec, that should work fine. (The complications are if this 
code then calls some script in another document -- then if that code calls 
back into this code, an exception will be raised. At least, per spec. I 
tried doing what IE does, but IE's behavior is wacky, the two asserts in 
this example both are true:

  document.open();
  document.write(scriptfunction b(w) { assert(w === window); w.w = window; 
}\/script);
  window.b(window);
  assert(window !== window.w);

...which makes no sense to me.


 [ inner windows and outer windows ]
 [...] Some of this stuff is there for web compat. Such as the fact that 
 this results in the code executing after the document.write above still 
 is able to access global variables that were defined before the call. 
 I.e. the |value| in the second alert still works.

Per spec, document.open() doesn't replace the Window object... In fact, 
right now even the global variables aren't ever nuked by document.open() 
per spec. It's not really clear to me when that should happen... The 
behavior of the browsers today is not interoperable at anything but a 
superficial level, and the low-level behaviors are all kinda weird (e.g. 
IE's behavior as described above). Of note, Safari doesn't seem to blow 
away the global variables:

   http://www.hixie.ch/tests/adhoc/dom/level0/document/open/008.html
   http://www.hixie.ch/tests/adhoc/dom/level0/document/open/009.html

Mozilla seems to handle 'var x' differently from 'window.x', though per 
the JS spec I can't find any justification for this (they should be the 
same except for the former having DontDelete set).


On Tue, 5 Aug 2008, Ian Hickson wrote:
 
 I would like some input from browser vendors.
 
 Right now, if you navigate an iframe to a document, and take a 
 reference to a method defined in that document, and then navigate that 
 iframe to another document, and then call the method, browsers differ in 
 what they do.
 
 There are several behaviours:
 
  - In one browser, the Window object changes with each navigation,
and the global object is that object, and the method runs fine.
 
  - In one browser, the method call fails, saying that methods can't be 
called while the document that defined them isn't the active document 
of the browsing context whose global object is the method's.
 
  - In one browser, the Window object acts as a kind of view on the global 
object, which changes with each navigation, leading the method to see 
the original global object in its scope chain, but the new one if it
uses the 'window' object. (In this environment, 'this' at the top scope 
returns the 'window' object, not the global object.)
 
  - In one browser, the global object and the Window are the same, but the 
global object is totally wiped out with each navigation, preventing the
method from accessing its global object's data. (In this browser, the 
results are slightly different when navigating top-level windows 
instead of frames.)
 
 These results were derived from:
http://damowmow.com/playground/demos/global-object/004.html
 
 I propose to adopt the second behaviour above. It seems by far the 
 simplest behaviour to define and implement. Are there any objections to 
 this? Given the lack of interoperability here, it seems like we aren't 
 really constrained to pick something due to compatibility.
 
 The change would be that if a method is invoked when the script 
 execution context that the method was running in has a Document object 
 that is not the active Document object of its browsing context, then 
 that method immediately throws an exception. Access to variables 
 obtained from such script execution contexts would be unaffected.

I've now done this.


On Tue, 5 Aug 2008, Aaron Boodman wrote:
 
 By 'method' do you mean any function object, defined anywhere in that 
 window? For example, does document.getElementById count? Does the foo in 
 var myglobal = {foo:function(){...}}; ? What about getters?

I mean any code entry-point defined by a script. So lambdas yes, getters 
and