Comments (9)
Thank you for your interest in Textpattern. While we explicitly delegate to admins all content validation, it's difficult to argue here. The preview step might look safer than it is for newcomers.
So, what could we do?
- Implement a strict CSP on the admin side. Actually, some (commented) directives are already in the dev `config-dist.php` file and core works fine, but they could break many old plugins.
- Do the preview on the public side, somehow protecting it from hammering.
- Restrict Textile in previews, or even reserve 'text' mode to the article author.
- Clean up the previewed code, removing html event attributes.
- Something else?
from textpattern.
I think you named everything necessary for the issue to be fixed.
from textpattern.
- Restrict Textile in previews, or even reserve 'text' mode to the article author.
- Clean up the previewed code, removing html event attributes.
How much fallout/blowback would there be if we started here? The point of a preview is to show what the article will look like on the site so if there's additional functionality that is part of the site, it would fail if we stripped off event handling. But the preview itself is limited by nature, so is that a reasonable restriction? It already doesn't render some things (article images?) so maybe this loss isn't so bad.
Although "correct", the strict CSP makes me a little nervous to include by default at this stage - especially without much warning to plugin authors.
from textpattern.
The body/excerpt preview does not parse txp tags anyway, so the rendition can be very different from the public side. IMO, its main interest is to show how the content will look for those not fluent in Textile/HTML. Anyway, we should sandbox the preview window from the rest of the page (risk of id/style/js/etc collisions).
A few things I have tested:
- a sandboxed `<iframe sandbox />`. Would be ideal, but it's difficult to style properly and is poor UX-wise: on each preview refresh the viewport jumps to the top of the frame. This could be solved if we had access to the frame content via js, but the `sandbox` attribute forbids it. If anyone knows how to autoresize an iframe in pure css, I'm all ears.
- loading the preview content in a `<template />` and attaching it as shadow to the preview window. This isolates the preview styles/ids from the rest of the page, but js is still executed.
- purifying the preview content either admin or client-side. Needs some third-party libraries, adding ~200kb to txp. As a bonus admins could be warned if an article includes potentially unsafe content.
Ideas welcome
from textpattern.
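The admin-side purifying option from the comment above, together with the "remove html event attributes" and "report the number of infractions" ideas elsewhere in the thread, as an added example that is not part of the thread or of Textpattern's code: a PHP DOMDocument pass (no third-party library) that drops script-bearing elements, inline event attributes and script-scheme URLs from a preview and counts what it removed. The function name and the sample markup are constructed for this illustration.

```php
<?php
// Added example, not Textpattern's own code: an admin-side purifying pass built
// on PHP's DOMDocument. It removes the active parts of a body/excerpt preview
// and counts what it removed so the admin can be warned. Function name and
// sample input are constructed for the illustration.
function preview_sanitize(string $html): array
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy author markup
    $dom->loadHTML(
        '<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);
    $infractions = [];

    // 1. Elements that run code, embed other documents or leak styles: drop them whole.
    foreach ($xpath->query('//script|//iframe|//object|//embed|//style') as $el) {
        $infractions[] = 'element <' . $el->nodeName . '>';
        $el->parentNode->removeChild($el);
    }
    // 2. Inline event handlers (onclick, onerror, ...): drop the attribute.
    foreach ($xpath->query('//@*[starts-with(name(), "on")]') as $attr) {
        $infractions[] = $attr->nodeName . ' on <' . $attr->ownerElement->nodeName . '>';
        $attr->ownerElement->removeAttributeNode($attr);
    }
    // 3. URL attributes with a script scheme. Browsers ignore control characters
    //    and whitespace inside the scheme, so strip them before comparing.
    foreach ($xpath->query('//@href|//@src|//@action|//@formaction') as $attr) {
        $scheme = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
        if (preg_match('/^(javascript|vbscript):/', $scheme)) {
            $infractions[] = $attr->nodeName . '="' . $attr->value . '"';
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }
    // Serialise only the wrapper's children; the xml encoding hint is dropped.
    $out = '';
    foreach ($dom->documentElement->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return ['html' => $out, 'infractions' => $infractions];
}

// Constructed sample: an event handler, an entity-obfuscated javascript: URL
// (the parser decodes &#9; to a tab) and a script element.
$sample = '<p onmouseover="alert(1)">Hi <a href="jAva&#9;script:alert(2)">x</a></p>'
    . '<script>alert(3)</script>';
$result = preview_sanitize($sample);
echo $result['html'], PHP_EOL, count($result['infractions']), ' infraction(s) removed', PHP_EOL;
```

This covers only the three categories the thread discusses; it is a deny-list pass, not a replacement for a full allow-list purifier.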
Hello guys, is the issue fixed now?
from textpattern.
Hi @grozdniyandy, mostly yes, up to some cosmetic changes. Please test if you can, and thank you for the report. We will mention it in our `HISTORY.txt` file.
from textpattern.
Thanks for the reply, I tested and it seems to be fixed.
from textpattern.
@bloatware This is mint. The preview window kicks ass now there's the ability to clean up and report the number of infractions. Top stuff, thank you.
from textpattern.
Thanks! Handy, uh? TO DO: new (unsaved) article preview.
from textpattern.