Hi Yury,

I, too, would be interested to hear what other people have to say. I'll
just point out that issue 2 that you raise is actually an argument for
keeping 1 and 3 as they are. Because SF's page parsing is not perfect,
there's a strong argument for always allowing users to edit the wikitext
directly if things go wrong.

-Yaron
On Oct 31, 2012 10:07 AM, "Yury Katkov" <katkov.ju...@gmail.com> wrote:

> Hi Yaron!
>
> I want to also listen to the comments from the community. Currently in Forms:
> 1) it's impossible to require editing only with the forms and not
> with "action=edit" or with the MW API
> 2) the values entered in forms like "}}", "|-" etc. can break the templates
> 3) there is no validation of the required values
>
> So now SF is an extension that creates forms to ADVISE users what has
> to be in the article and not REQUIRE them to follow the form.
> That's a possible approach, however strange it may seem for
> enterprise uses.
>
> I think that many wikis want Forms to be something strict and provide
> some guarantees. Here the argument "it's a wiki" is not sufficient:
> some wikis prefer not to show the markup to the users at all. These
> malicious edits are hard to recognize and very hard to alter if you
> use only Forms' features.
>
> I think that the additional configuration settings will be a good
> compromise:
> - $wgSFAllowOnlyFormEdit - to disable "action=edit"
> - $wgSFValidatePossibleValues - to turn on the validation of
> possible values, mandatory fields etc.
> - something with escaping (a bit complicated subject)
>
> -----
> Yury Katkov, WikiVote
>
>
>
> On Tue, Oct 30, 2012 at 8:33 PM, Yaron Koren <ya...@wikiworks.com> wrote:
> > Hi Yury,
> >
> > Yes, it's true that malicious (or inquisitive) users can turn off all of
> > SF's validation. SF's main validation is JavaScript-based, and as far as I
> > know that one can be shut off by users just as easily as the HTML changes
> > you mentioned. I've made no effort to try to make SF more secure in that
> > regard, for two related reasons:
> >
> > - unless there's some custom coding done, users will always be able to go to
> > "action=edit" and modify the page directly, however they want.
> >
> > - more generally, it's a wiki: the default approach is to let everyone edit
> > any page however they want. When malicious edits are made, they're easy to
> > spot and revert, and the user who made the edit can then be blocked.
> >
> > And there's a third reason, which is that these kinds of "clever" malicious
> > edits are, from my experience, extremely rare: vandalism tends to be done by
> > users who are idiots and/or spammers.
> >
> > Any thoughts on that?
> >
> > -Yaron
> >
> >
> > On Tue, Oct 30, 2012 at 11:34 AM, Yury Katkov <katkov.ju...@gmail.com>
> > wrote:
> >>
> >> Hi Yaron and everyone!
> >>
> >> We experimented a bit with Semantic Forms and found that the forms do
> >> not validate the correctness of the values for 'values from category'.
> >> Here is an example: I define a form with the field
> >>
> >> {{field|nameofthefield|values from category=Mycategory|input
> >> type=dropdown}}
> >>
> >> My intuition is that it's impossible to enter the value that is not
> >> listed in a dropdown, so I want to rely on some validation mechanism
> >> of SF.
> >> It's not so, unfortunately.
> >>
> >> Using Firebug or Chrome Developer (see [1]) I can alter any <option>
> >> in a dropdown and send the data that is not allowed (see [2]).
> >>
> >> Yaron, is the enhanced security and validation of Forms currently on
> >> the roadmap? IMHO it's a serious issue for those who use Semantic
> >> Forms to really restrict the editing of the pages.
> >>
> >>
> >> [1] http://i.imm.io/Jdm3.png
> >> [2] http://i.imgur.com/WkPpG.png
> >> -----
> >> Yury Katkov, WikiVote
> >
> >
> >
> >
> > --
> > WikiWorks · MediaWiki Consulting · http://wikiworks.com
>
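An added example, not code from Semantic Forms or from anyone in this thread: a minimal server-side re-check of submitted field values, covering two of the three gaps Yury lists (membership in the declared value set plus mandatory fields, and template-breaking characters in free text). The field name, the allowed values and the escaping scheme are assumptions for illustration, not SF's own behaviour.

```python
"""Server-side re-validation of form field values (added example).

The thread's point: the <option> list and the JavaScript checks live in the
browser and can be edited by the user, so nothing the browser sends can be
trusted. The server has to re-check every value against its own copy of the
rules before writing the template call into the page.
"""
import re

# Constructed stand-in for "values from category=Mycategory". In a real wiki
# this set would be built on the server from the category's members.
ALLOWED_BY_FIELD = {
    "nameofthefield": {"Red", "Green", "Blue"},
}

_CLOSE = re.compile(r"\}\}")   # closes the enclosing {{Template|...}}
_PIPE = re.compile(r"\|")      # starts a new template parameter or table row


def escape_for_template_param(value: str) -> str:
    """Neutralise sequences that would break out of a template parameter.

    Assumed scheme for this example: '}}' becomes HTML entities (the
    preprocessor does not decode them, so the call is not closed early) and
    '|' becomes {{!}}, MediaWiki's pipe magic word. '}}' is replaced first,
    because the '{{!}}' we insert itself contains '}}'.
    """
    value = _CLOSE.sub("&#125;&#125;", value)
    return _PIPE.sub("{{!}}", value)


def validate_submission(field: str, value: str, mandatory: bool = True):
    """Return (ok, cleaned_value_or_error_message) for one submitted field."""
    if value.strip() == "":
        if mandatory:
            return (False, f"missing required value for {field}")
        return (True, "")
    allowed = ALLOWED_BY_FIELD.get(field)
    if allowed is not None:
        # Exact match only: a tampered option such as "Red}}|vandal" is
        # rejected here even though the browser happily submitted it.
        if value not in allowed:
            return (False, f"value {value!r} not in allowed set for {field}")
        return (True, value)
    # Free-text field: keep the text but make it safe inside the template call.
    return (True, escape_for_template_param(value))
```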
_______________________________________________
Semediawiki-devel mailing list
Semediawiki-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/semediawiki-devel