Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2019-08-22 13:24:09

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,271
GitHub

Are Textile'd images broken on the forum for anyone else?

I don’t do Textile’d images very often, so please correct me if I’m doing this wrong, but I think forum images are broken:

Testing with !https://textpattern.com/img/article-832w/53.jpg!

Offline

#2 2019-08-23 00:59:04

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,208
Website

Re: Are Textile'd images broken on the forum for anyone else?

Hmm, your image surely does not display atm. Let’s see, just in case the server you used doesn’t allow to to do that. Below a colourful rectangle on a server I control:

Hmm nope :-(

The textile syntax is correct, so that is not the issue.

PS – Safari flags this in the error console for this page. You, or your evil twin, might want to look at it.

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#3 2019-08-23 06:53:31

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,734
Website

Re: Are Textile'd images broken on the forum for anyone else?

Likewise, all textiled images in the form seem to be affected, also in previous posts.

BTW: I don’t see the console message for this thread in Safari.


TXP Builders – finely-crafted code, design and txp

Offline

#4 2019-08-23 08:44:33

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,271
GitHub

Re: Are Textile'd images broken on the forum for anyone else?

jakob wrote #319106:

BTW: I don’t see the console message for this thread in Safari.

Same for me. Strange. And there’s a CSP script-src restriction reportedly preventing Textile image parsing, not an image-src restriction. Odd.

I have a clear console in Mac/Safari and Mac/Firefox. The image-src CSP permits images from everywhere. I’ve made a change that includes unsafe-inline on script-src, which I’m not overjoyed about, but let’s see if that helps.

phiw13: for curiosity’s sake, do you recall what the script filename was in your console, please?

Edit: typo

Last edited by gaekwad (2019-08-23 08:51:58)

Offline

#5 2019-08-23 08:51:23

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,271
GitHub

Re: Are Textile'd images broken on the forum for anyone else?

OK, the script-src change to include unsafe-inline and images still aren’t working here.

jakob, phiw13: would you be able to sanity check this URL…:

cspvalidator.org/#url=https://forum.textpattern.com/viewtopic.php?pid=319107

…and confirm you see:

  • img-src includes data: and *
  • script-src includes unsafe-inline (and others)

(I’d include a screenshot, but…y’know.)

Offline

#6 2019-08-23 08:56:28

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,734
Website

Re: Are Textile'd images broken on the forum for anyone else?

This commit from 7 June seems to be the most recent update of the textile parser for the forum. It revises the way Textile is called to the new method and does include various ->setImages(true) and ->setImages(false) statements for the various situations. At first glance, the changes seem to match the given previous situations, but maybe someone more knowledgeable than me can check that…


TXP Builders – finely-crafted code, design and txp

Offline

#7 2019-08-23 08:57:41

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,208
Website

Re: Are Textile'd images broken on the forum for anyone else?

gaekwad wrote #319107:

Same for me. Strange.[…]

phiw13: for curiosity’s sake, do you recall what the script filename was in your console, please?

hmm. I do have a user style for the forum injected with the Cascadea extension in a <style /> block). But I disabled it earlier today with no changes, the console error was still there.

I don’t remember more about that script, the console pointed to the <html /> tag.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#8 2019-08-23 08:58:48

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,734
Website

Re: Are Textile'd images broken on the forum for anyone else?

gaekwad wrote #319109:

would you be able to sanity check this URL…:

cspvalidator.org/#url=https://forum.textpattern.com/viewtopic.php?pid=319107

…and confirm you see:

  • img-src includes data: and *
  • script-src includes unsafe-inline (and others)

Yes, it does for me: (image)


TXP Builders – finely-crafted code, design and txp

Offline

#9 2019-08-23 22:15:03

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Are Textile'd images broken on the forum for anyone else?

jakob wrote #319110:

This commit from 7 June seems to be the most recent update of the textile parser for the forum. It revises the way Textile is called to the new method and does include various ->setImages(true) and ->setImages(false) statements for the various situations. At first glance, the changes seem to match the given previous situations, but maybe someone more knowledgeable than me can check that…

Ding, ding ding. Those Parser::setImage(bool $enabled) appear to be wrong way around. Images appear to be TRUE for new users, and FALSE for everyone else. All of that is written blind, so it’s the least you could expect.

As far as all that client-side stuff goes; the markup is processed on the server.

Offline

#10 2019-08-24 00:01:27

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,208
Website

Re: Are Textile'd images broken on the forum for anyone else?

gaekwad wrote #319107:

phiw13: for curiosity’s sake, do you recall what the script filename was in your console, please?

I found what inserted some inline script(s) into the page: the StopTheMadness extension (increase privacy).


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#11 2019-08-24 07:32:42

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,734
Website

Re: Are Textile'd images broken on the forum for anyone else?

Gocom wrote #319116:

Ding, ding ding. Those Parser::setImage(bool $enabled) appear to be wrong way around. Images appear to be TRUE for new users, and FALSE for everyone else. All of that is written blind, so it’s the least you could expect.

Thanks Jukka. We’ve obviously got so used to you being spot on!

If I’ve understood you correctly, it looks like true and false in lines 1752 and 1756 of src/setup/patches/feature-textpattern-forum.patch need to be switched.

Perhaps someone with the appropriate access/commit rights can amend that (Phil, Stef, Pete?). Note also Jukka’s comment on reapplying the patch and amending the signatures … you know better than me what’s involved.


TXP Builders – finely-crafted code, design and txp

Offline

#12 2019-08-24 14:38:52

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,271
GitHub

Re: Are Textile'd images broken on the forum for anyone else?

Excellent sleuthing, bravo! Thanks very much, jakob and Gocom.

Taking Jukka’s comment into account, I’ve opened github.com/textpattern/textpattern-forum/issues/310 — forum scaffold is typically Phil’s domain, so I’ll wait to see what the best approach (read: beyond my pay grade, even on UK Bank Holiday weekend rates).

Offline

Board footer

Powered by FluxBB