Wysiwyg TinyMCE implementation
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.
If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.
If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Re: Wysiwyg TinyMCE implementation
I think the ideal WYSIWYG editor for phpBB would indeed send BBCode to the server. Convert it to temporary HTML for displaying and maybe even also translate inserted HTML (e.g. from Word) into BBCode as well as possible given the available BBCodes. There has been a little discussion of this with the people working on CKEditor: http://cksource.com/forums/viewforum.php?f=15
Re: Wysiwyg TinyMCE implementation
as others have already pointed out, there are editors, including tinyMCE that support bbcode http://tinymce.moxiecode.com/examples/example_09.php# .. but IMO the whole point of incorporating an wysiwyg is to move away from bbcode itself.onehundredandtwo wrote:As already explained, TinyMCE is a HTML WYSIWYG editor, not BBCode. If phpBB reintroducted HTML into the system, like in phpBB2, there would be bloat.
If phpBB wished to have a WYSIWYG editor in phpBB, they would have to build one themselves (unless there are BBCode WYSIWYG editors out there, which I doubt).
So the two largely supported editors already mentioned are;
- tinyMCE http://tinymce.moxiecode.com/index.php
- CKEeditor http://ckeditor.com/
user friendly, easy to use, visually appealing.
close to or equal page load
same functionality, with the ability to expand
would anyone object?
Re: Wysiwyg TinyMCE implementation
To be quite honest I think it is far too early to be discussing something that will not exist until the late stages of development, if at all. While I understand people would rather get to the features rather than the architecture, at this point there's really no benefit in it -- for all we know JS-powered mind-reading text editors will be status quo by the time such a discussion is relevant.
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
Re: Wysiwyg TinyMCE implementation
bbcode is as much a security feature as it is a convenience feature, in phpBB. With phpBB3, the developers have taken the choice to not take HTML input and filter that, but take bbcode input and translate that into "approved" HTML. Although the "need" for bbcode as a convenience-feature (it's supposed to be easier than HTML) is removed with a WYSIWYG editor, the security considerations are not.bobtheman wrote:but IMO the whole point of incorporating an wysiwyg is to move away from bbcode itself.
That said, there are many projects that are quite succesful at allowing HTML and filtering it. I personally very mich like Drupal's sytem of input filters; it allows the administrator to plug in "translatators" that will take the user input and turn it into HTML output. In whichever way it deems useful. This way, you can implement any type of input format, including bbcode, markdown, HTML filtering, etc.
Re: Wysiwyg TinyMCE implementation
Chris and I were talking about that yesterday and we feel that one should definately be able to easily replace the posting format with another one. Either globally or perhaps per-user.
Re: Wysiwyg TinyMCE implementation
Or even per post. Actually, the way Drupal works is that it allows the admin to define "input formats", which are combinations of the aforementioned input-output-translators. Permissions can be defined per input format, so that different users can use different input formats. A user gets to pick the input format they wish to use per post.
Re: Wysiwyg TinyMCE implementation
It'd be abstracted out at a post level, anyway. Interface is another matter.Eelke wrote:Or even per post.
Re: Wysiwyg TinyMCE implementation
This gives some good information that seems to be relevant. http://wiki.moxiecode.com/index.php/TinyMCE:SecurityEelke wrote:bbcode is as much a security feature as it is a convenience feature, in phpBB. With phpBB3, the developers have taken the choice to not take HTML input and filter that, but take bbcode input and translate that into "approved" HTML. Although the "need" for bbcode as a convenience-feature (it's supposed to be easier than HTML) is removed with a WYSIWYG editor, the security considerations are not.bobtheman wrote:but IMO the whole point of incorporating an wysiwyg is to move away from bbcode itself.
That said, there are many projects that are quite succesful at allowing HTML and filtering it. I personally very mich like Drupal's sytem of input filters; it allows the administrator to plug in "translatators" that will take the user input and turn it into HTML output. In whichever way it deems useful. This way, you can implement any type of input format, including bbcode, markdown, HTML filtering, etc.
Re: Wysiwyg TinyMCE implementation
Edit: maybe I sought too much into your post, sorry about that. Yes, it does seem to be relevant 
---
The central sentence I found from that link: "Regardless, the safest method for handling information sent to you from TinyMCE is to filter it." Yes, I said as much
BBcode is one way of having control over the HTML that makes it onto your site. I didn't say it was the only way, in fact I explicitly said it isn't 
No matter what you do, it will always be possible for someone to use your inputs to send you malicious HTML (Hiding the textarea? What if someone just crafts the POST request without using your form at all?). It will be your job, at the server side, to make sure such HTML can not make it to your users.
---
The central sentence I found from that link: "Regardless, the safest method for handling information sent to you from TinyMCE is to filter it." Yes, I said as much
No matter what you do, it will always be possible for someone to use your inputs to send you malicious HTML (Hiding the textarea? What if someone just crafts the POST request without using your form at all?). It will be your job, at the server side, to make sure such HTML can not make it to your users.
Re: Wysiwyg TinyMCE implementation
i'll create a wiki account tonight (if i have time) and add wysiwyg editor to the dev wiki... anyone else that has time please feel free.
im 100 percent confident that we can implement a new editor with many benefits while keeping the security tight.
im 100 percent confident that we can implement a new editor with many benefits while keeping the security tight.