TextileRestricted

jm · 2008-05-23 02:51:13

Why are we stuck with Textile Restricted for plugins? I know I can use HTML, but it’s a hassle :).

Mary · 2008-05-23 08:05:50

Complaints of XSS “vulnerability”, IIRC.

jm · 2008-05-23 08:42:12

Plugin authors can just write a malicious script with raw HTML help though, since JS isn’t disabled. Isn’t it more likely the plugin itself would be dangerous? “Here’s my new plugin, jmd_smile_im_stealing_your_data. Get its sister plugin jmd_db_esplode.” (Or other clever and enticing names.)

Mary · 2008-05-25 10:25:54

Yep. Didn’t make much sense to me either, especially since we’ve got the preview of both before install.

wet · 2008-05-25 18:27:23

The difference is, that raw HTML help is previewed as source, while Textile help is previewed as rendered markup. So, rendering Textile help with full Textile could expose your site to a malicious script before you had any chance to check its contents. Sadly, it took some time to figure this out ;-)

jm · 2008-05-25 18:43:23

Couldn’t you just do this for the preview?

$help_source = $textile->TextileThis($help_raw, false, false, true);
$help_source = highlight_string($help_source, true);

Edit: Whoops…forgot to give some context.

Last edited by jm (2008-05-25 18:53:12)

wet · 2008-05-25 18:55:44

I think that the benefit of a legible help text upon preview outweighs the advantages of full Textile. But that’s certainly a matter of arguments, so what would be the real benefit of full Textile for plugin authors from your POV?

jm · 2008-05-25 18:59:16

For me, I just need an occasional style attribute. The admin CSS doesn’t play well with headings following tables (too little spacing). Additionally, h2. @code@ needs a smaller font-size.

Edit: When you install a plugin with raw_html (e.g., zem_contact_lang), highlight_string is used. So Textile and HTML plugin help on preview would be equivalent.

Last edited by jm (2008-05-25 19:00:50)

Mary · 2008-05-26 13:43:17

I think that the benefit of a legible help text upon preview outweighs the advantages of full Textile.

When you install a plugin with raw_html (e.g., zem_contact_lang), highlight_string is used. So Textile and HTML plugin help on preview would be equivalent.

As Jon-Michael says. The entire reason we added preview was for security reasons (to let you checkout what the plugin and help would actually be doing), not to let you read the help text before hand.

I’m not sure that “human-readable” help before install is even a benefit, since you can’t do anything with plugin settings or tags until it is installed anyway. If there’s something you should know before install, the onus has always been on the plugin developer to convey it in a different manner.

jm · 2008-05-31 21:45:29

Ooh! Commit spree today. Could this be considered again?

ruud · 2008-05-31 22:04:45

Not during this commit spree (which is not over yet).

jm · 2008-06-02 02:59:24

Will a new patch help? :)

Textpattern CMS

Textpattern CMS support forum

#1 2008-05-23 02:51:13

TextileRestricted

#2 2008-05-23 08:05:50

Re: TextileRestricted

#3 2008-05-23 08:42:12

Re: TextileRestricted

#4 2008-05-25 10:25:54

Re: TextileRestricted

#5 2008-05-25 18:27:23

Re: TextileRestricted

#6 2008-05-25 18:43:23

Re: TextileRestricted

#7 2008-05-25 18:55:44

Re: TextileRestricted

#8 2008-05-25 18:59:16

Re: TextileRestricted

#9 2008-05-26 13:43:17

Re: TextileRestricted

#10 2008-05-31 21:45:29

Re: TextileRestricted

#11 2008-05-31 22:04:45

Re: TextileRestricted

#12 2008-06-02 02:59:24

Re: TextileRestricted

Board footer