Are Textile'd images broken on the forum for anyone else?

gaekwad · 2019-08-22 13:24:09

I don’t do Textile’d images very often, so please correct me if I’m doing this wrong, but I think forum images are broken:

Testing with !https://textpattern.com/img/article-832w/53.jpg!

phiw13 · 2019-08-23 00:59:04

Hmm, your image surely does not display atm. Let’s see, just in case the server you used doesn’t allow to to do that. Below a colourful rectangle on a server I control:

Hmm nope :-(

The textile syntax is correct, so that is not the issue.

PS – Safari flags this in the error console for this page. You, or your evil twin, might want to look at it.

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

jakob · 2019-08-23 06:53:31

Likewise, all textiled images in the form seem to be affected, also in previous posts.

BTW: I don’t see the console message for this thread in Safari.

gaekwad · 2019-08-23 08:44:33

jakob wrote #319106:

BTW: I don’t see the console message for this thread in Safari.

Same for me. Strange. And there’s a CSP script-src restriction reportedly preventing Textile image parsing, not an image-src restriction. Odd.

I have a clear console in Mac/Safari and Mac/Firefox. The image-src CSP permits images from everywhere. I’ve made a change that includes unsafe-inline on script-src, which I’m not overjoyed about, but let’s see if that helps.

phiw13: for curiosity’s sake, do you recall what the script filename was in your console, please?

Edit: typo

Last edited by gaekwad (2019-08-23 08:51:58)

gaekwad · 2019-08-23 08:51:23

OK, the script-src change to include unsafe-inline and images still aren’t working here.

jakob, phiw13: would you be able to sanity check this URL…:

cspvalidator.org/#url=https://forum.textpattern.com/viewtopic.php?pid=319107

…and confirm you see:

img-src includes data: and *
script-src includes unsafe-inline (and others)

(I’d include a screenshot, but…y’know.)

jakob · 2019-08-23 08:56:28

This commit from 7 June seems to be the most recent update of the textile parser for the forum. It revises the way Textile is called to the new method and does include various ->setImages(true) and ->setImages(false) statements for the various situations. At first glance, the changes seem to match the given previous situations, but maybe someone more knowledgeable than me can check that…

phiw13 · 2019-08-23 08:57:41

gaekwad wrote #319107:

Same for me. Strange.[…]

phiw13: for curiosity’s sake, do you recall what the script filename was in your console, please?

hmm. I do have a user style for the forum injected with the Cascadea extension in a <style /> block). But I disabled it earlier today with no changes, the console error was still there.

I don’t remember more about that script, the console pointed to the <html /> tag.

jakob · 2019-08-23 08:58:48

gaekwad wrote #319109:

would you be able to sanity check this URL…:

cspvalidator.org/#url=https://forum.textpattern.com/viewtopic.php?pid=319107

…and confirm you see:

img-src includes data: and *

script-src includes unsafe-inline (and others)

Yes, it does for me: (image)

Gocom · 2019-08-23 22:15:03

jakob wrote #319110:

This commit from 7 June seems to be the most recent update of the textile parser for the forum. It revises the way Textile is called to the new method and does include various ->setImages(true) and ->setImages(false) statements for the various situations. At first glance, the changes seem to match the given previous situations, but maybe someone more knowledgeable than me can check that…

Ding, ding ding. Those Parser::setImage(bool $enabled) appear to be wrong way around. Images appear to be TRUE for new users, and FALSE for everyone else. All of that is written blind, so it’s the least you could expect.

As far as all that client-side stuff goes; the markup is processed on the server.

phiw13 · 2019-08-24 00:01:27

gaekwad wrote #319107:

phiw13: for curiosity’s sake, do you recall what the script filename was in your console, please?

I found what inserted some inline script(s) into the page: the StopTheMadness extension (increase privacy).

jakob · 2019-08-24 07:32:42

Gocom wrote #319116:

Ding, ding ding. Those Parser::setImage(bool $enabled) appear to be wrong way around. Images appear to be TRUE for new users, and FALSE for everyone else. All of that is written blind, so it’s the least you could expect.

Thanks Jukka. We’ve obviously got so used to you being spot on!

If I’ve understood you correctly, it looks like true and false in lines 1752 and 1756 of src/setup/patches/feature-textpattern-forum.patch need to be switched.

Perhaps someone with the appropriate access/commit rights can amend that (Phil, Stef, Pete?). Note also Jukka’s comment on reapplying the patch and amending the signatures … you know better than me what’s involved.

gaekwad · 2019-08-24 14:38:52

Excellent sleuthing, bravo! Thanks very much, jakob and Gocom.

Taking Jukka’s comment into account, I’ve opened github.com/textpattern/textpattern-forum/issues/310 — forum scaffold is typically Phil’s domain, so I’ll wait to see what the best approach (read: beyond my pay grade, even on UK Bank Holiday weekend rates).

Textpattern CMS

Textpattern CMS support forum

#1 2019-08-22 13:24:09