Wysiwyg TinyMCE implementation

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: Wysiwyg TinyMCE implementation

Post by naderman » Mon Dec 21, 2009 9:40 pm

I think the ideal WYSIWYG editor for phpBB would indeed send BBCode to the server. Convert it to temporary HTML for displaying and maybe even also translate inserted HTML (e.g. from Word) into BBCode as well as possible given the available BBCodes. There has been a little discussion of this with the people working on CKEditor: http://cksource.com/forums/viewforum.php?f=15

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: Wysiwyg TinyMCE implementation

Post by bobtheman » Tue Dec 22, 2009 3:51 am

onehundredandtwo wrote:As already explained, TinyMCE is a HTML WYSIWYG editor, not BBCode. If phpBB reintroduced HTML into the system, like in phpBB2, there would be bloat.

If phpBB wished to have a WYSIWYG editor in phpBB, they would have to build one themselves (unless there are BBCode WYSIWYG editors out there, which I doubt).
As others have already pointed out, there are editors, including tinyMCE, that support bbcode http://tinymce.moxiecode.com/examples/example_09.php# .. but IMO the whole point of incorporating a wysiwyg is to move away from bbcode itself.

So the two largely supported editors already mentioned are; it seems tinyMCE and phpbb's licenses agree with each other; now.. if including a wysiwyg editor accomplishes the following

user friendly, easy to use, visually appealing.
close to or equal page load
same functionality, with the ability to expand

would anyone object?

Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am

Re: Wysiwyg TinyMCE implementation

Post by Phil » Tue Dec 22, 2009 4:48 am

To be quite honest I think it is far too early to be discussing something that will not exist until the late stages of development, if at all. While I understand people would rather get to the features rather than the architecture, at this point there's really no benefit in it -- for all we know JS-powered mind-reading text editors will be status quo by the time such a discussion is relevant.
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.

Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL

Re: Wysiwyg TinyMCE implementation

Post by Eelke » Tue Dec 22, 2009 7:34 am

bobtheman wrote:but IMO the whole point of incorporating a wysiwyg is to move away from bbcode itself.
bbcode is as much a security feature as it is a convenience feature, in phpBB. With phpBB3, the developers have taken the choice to not take HTML input and filter that, but take bbcode input and translate that into "approved" HTML. Although the "need" for bbcode as a convenience-feature (it's supposed to be easier than HTML) is removed with a WYSIWYG editor, the security considerations are not.

That said, there are many projects that are quite successful at allowing HTML and filtering it. I personally very much like Drupal's system of input filters; it allows the administrator to plug in "translators" that will take the user input and turn it into HTML output. In whichever way it deems useful. This way, you can implement any type of input format, including bbcode, markdown, HTML filtering, etc.
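The "bbcode in, approved HTML out" model described in the post above, as an added example (not part of the original thread and not phpBB's code; written in Python rather than phpBB's PHP). The tag set, the `rel="nofollow"` attribute and the function names are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: BBCode tag -> the only HTML element it may emit.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u", "quote": "blockquote"}
SAFE_SCHEMES = {"http", "https"}
TOKEN = re.compile(r"\[(/?)(\w+)(?:=([^\]]*))?\]")


def is_safe_url(url):
    """Accept only absolute http(s) URLs; javascript:, data: and relative forms fail."""
    try:
        return urlsplit(url.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False


def html_name(bb_tag):
    return "a" if bb_tag == "url" else SIMPLE_TAGS[bb_tag]


def render_bbcode(text):
    """Translate BBCode to HTML. Everything that is not an approved tag is escaped."""
    out, stack, pos = [], [], 0
    for m in TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # raw HTML in the post becomes text
        pos = m.end()
        closing, name, arg = m.group(1), m.group(2).lower(), m.group(3)
        if not closing and arg is None and name in SIMPLE_TAGS:
            out.append("<%s>" % SIMPLE_TAGS[name])
            stack.append(name)
        elif not closing and name == "url" and arg and is_safe_url(arg):
            out.append('<a href="%s" rel="nofollow">' % html.escape(arg.strip(), quote=True))
            stack.append(name)
        elif closing and arg is None and stack and stack[-1] == name:
            out.append("</%s>" % html_name(stack.pop()))
        else:
            out.append(html.escape(m.group(0)))  # unknown or mismatched tag stays literal
    out.append(html.escape(text[pos:]))
    while stack:  # close anything the author left open so markup cannot leak out
        out.append("</%s>" % html_name(stack.pop()))
    return "".join(out)
```

The only HTML that can reach the page is what the renderer itself writes; the submitted text never contributes a tag or an attribute.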

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: Wysiwyg TinyMCE implementation

Post by naderman » Tue Dec 22, 2009 9:37 am

Chris and I were talking about that yesterday and we feel that one should definitely be able to easily replace the posting format with another one. Either globally or perhaps per-user.

Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL

Re: Wysiwyg TinyMCE implementation

Post by Eelke » Tue Dec 22, 2009 10:46 am

Or even per post. Actually, the way Drupal works is that it allows the admin to define "input formats", which are combinations of the aforementioned input-output-translators. Permissions can be defined per input format, so that different users can use different input formats. A user gets to pick the input format they wish to use per post.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: Wysiwyg TinyMCE implementation

Post by ToonArmy » Tue Dec 22, 2009 11:08 am

Eelke wrote:Or even per post.
It'd be abstracted out at a post level, anyway. Interface is another matter.

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: Wysiwyg TinyMCE implementation

Post by bobtheman » Wed Dec 23, 2009 3:28 am

Eelke wrote:
bobtheman wrote:but IMO the whole point of incorporating a wysiwyg is to move away from bbcode itself.
bbcode is as much a security feature as it is a convenience feature, in phpBB. With phpBB3, the developers have taken the choice to not take HTML input and filter that, but take bbcode input and translate that into "approved" HTML. Although the "need" for bbcode as a convenience-feature (it's supposed to be easier than HTML) is removed with a WYSIWYG editor, the security considerations are not.

That said, there are many projects that are quite successful at allowing HTML and filtering it. I personally very much like Drupal's system of input filters; it allows the administrator to plug in "translators" that will take the user input and turn it into HTML output. In whichever way it deems useful. This way, you can implement any type of input format, including bbcode, markdown, HTML filtering, etc.
This gives some good information that seems to be relevant. http://wiki.moxiecode.com/index.php/TinyMCE:Security

Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL

Re: Wysiwyg TinyMCE implementation

Post by Eelke » Wed Dec 23, 2009 7:44 am

Edit: maybe I sought too much into your post, sorry about that. Yes, it does seem to be relevant :)
---
The central sentence I found from that link: "Regardless, the safest method for handling information sent to you from TinyMCE is to filter it." Yes, I said as much :) BBcode is one way of having control over the HTML that makes it onto your site. I didn't say it was the only way, in fact I explicitly said it isn't :)

No matter what you do, it will always be possible for someone to use your inputs to send you malicious HTML (Hiding the textarea? What if someone just crafts the POST request without using your form at all?). It will be your job, at the server side, to make sure such HTML can not make it to your users.
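The other route discussed in this thread, accepting HTML from the editor and filtering it on the server, as an added example (not part of the original thread, not TinyMCE's or phpBB's code; Python rather than PHP). The policy table and names are assumptions; the sample inputs in the tests stand for a request body crafted without the form.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example: element -> attributes it may keep.
ALLOWED = {"p": set(), "br": set(), "strong": set(), "em": set(), "a": {"href"}}
DROP_CONTENT = {"script", "style"}  # removed together with everything inside

def safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in ("http", "https")
    except ValueError:
        return False

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown element: the tag is dropped, its text is still escaped
        kept = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in attrs
                       if n in ALLOWED[tag] and v and safe_url(v))
        self.out.append("<%s%s>" % (tag, kept))
        if tag != "br":  # br is a void element and never needs closing
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while self.open_tags:  # close intervening elements so output stays balanced
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def filter_html(submitted):
    f = AllowlistFilter()
    f.feed(submitted)
    f.close()  # flush buffered text, then close whatever was left open
    return "".join(f.out + ["</%s>" % t for t in reversed(f.open_tags)])
```

The filter rebuilds the markup from parsed events instead of editing the submitted string, so event-handler attributes, unlisted elements and non-http(s) links have no path into the output.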

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: Wysiwyg TinyMCE implementation

Post by bobtheman » Wed Dec 23, 2009 2:07 pm

I'll create a wiki account tonight (if I have time) and add wysiwyg editor to the dev wiki... anyone else that has time please feel free.

I'm 100 percent confident that we can implement a new editor with many benefits while keeping the security tight.
