Forums / Cotonti / Support / HTML parsing vs BBCODE


What are the advantages vs risks of using HTML parsing in Cotonti?

donP
#1 7 April 2010, 19:51
I was tempted to use HTML parsing instead of BBCODE in Cotonti to switch to a WYSIWYG editor like CKeditor or TinyMCE, which is more usable for beginner webbers.
The advantages are not only ease of use for beginners, but a much better interface (mostly in filling in link and image attributes according to regular W3C markup rules) and more control over page layout for web administrators (tables, divs, spans etc).
Another advantage is less database consumption (no need to have both page_text and page_html columns).
But I'm afraid of security related issues...
How well is the Cotonti system secured against malicious HTML content inserted by potential hackers if HTML parsing is enabled instead of BBCODE parsing?

Added 1 day later:

No opinions here? :/

Added 15 minutes later:

And what about http://htmlpurifier.org for security issues?
Some CMS/CMF are using that library...
in [color=#729FCF][b]BLUES[/b][/color] I trust

This post was edited by donP (on 9 April 2010, 15:48, 13 years ago)
Trustmaster
#2 9 April 2010, 23:42
Yes, we need some HTML filter before HTML can be (safely) used for everyone, otherwise with malicious HTML attackers can easily get admin accounts via XSS.

The HTML purifier is way too heavy (~1MB of code) and it's GPL, so it cannot be included in Cotonti. We need a lightweight BSD/MIT solution.
May the Source be with you!
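To make the "HTML filter" requirement concrete, here is an added allow-list sanitizer written for this thread; it is not code from Cotonti or from HTML Purifier. It keeps only a fixed set of tags and attributes, drops every on* handler and any href/src whose scheme is not http, https, mailto or relative, strips script and style together with their content, and re-balances unclosed tags so the stored HTML stays well-formed. The tag and attribute sets are my assumptions about what a page author reasonably needs; a real deployment would tune them.

```python
"""Allow-list HTML sanitizer (constructed demonstration, not Cotonti/HTML Purifier code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an author may use; anything else is stripped but its text content is kept.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "strong", "em", "a", "img",
    "ul", "ol", "li", "h1", "h2", "h3", "div", "span",
    "table", "tr", "td", "th",
}
# Attributes allowed per tag; everything else (including every on* handler) is dropped.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}          # tag and everything inside it vanish


def safe_url(value: str) -> bool:
    """True if the URL's scheme is on the safe list."""
    # Browsers ignore whitespace/control characters inside the scheme ("jav\tascript:"),
    # so remove them before parsing, otherwise urlparse sees no scheme at all.
    compact = "".join(ch for ch in value if ord(ch) > 32)
    return urlparse(compact).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities decoded; we re-escape on output
        self.out: list[str] = []
        self.stack: list[str] = []   # allowed tags currently open in the output
        self.dropping = 0            # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag disappears; its text is still emitted by handle_data
        allowed = ALLOWED_ATTRS.get(tag, set())
        parts = [f"<{tag}"]
        for name, value in attrs:
            value = value or ""
            if name not in allowed:
                continue  # drops onclick=, style=, id=, ...
            if name in URL_ATTRS and not safe_url(value):
                continue  # drops javascript:, data:, vbscript: URLs
            parts.append(f' {name}="{escape(value, quote=True)}"')
        if tag in VOID_TAGS:
            parts.append(" />")
        else:
            parts.append(">")
            self.stack.append(tag)
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.stack:
            return
        # Close everything opened after this tag so the output stays well-formed.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions use the base-class no-ops,
    # so they are dropped as well.

    def result(self) -> str:
        self.close()                       # flush buffered text
        while self.stack:                  # close anything the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input mixing legitimate markup with things the filter must remove.
    sample = '<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script><a href="javascript:alert(1)">x</a>'
    print(sanitize(sample))  # -> <p>Hi <b>there</b></p><a>x</a>
```

The sanitizer should run once when the page is saved and again, or instead, when it is rendered, so that content stored before the filter existed is covered too; the allow-list approach is the same one HTML Purifier takes, only far smaller and without its CSS and URI normalisation.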
donP
#3 11 April 2010, 01:18
http://htmlpurifier.org/download:
This library is open-source, licensed under the LGPL v2.1+.

...So I think it can be included in Cotonti... at least as a plugin...

Actually other famous CMS use that library:
http://htmlpurifier.org/:
# Phorum (in use at our very own forums!)
# MODx
# Drupal by Bart Jansens
# Wordpress and bbPress by John Godley
# Joomla by Double D
# CodeIgniter by Andy Mathijs
# Symfony by Alexandre Mogère
# CakePHP by Jose Diaz-Gonzalez

That library is the most effective XSS protection solution (compared with others)... and it has got some ways to speed up the process and have lighter code (see here: http://htmlpurifier.org/docs/enduser-slow.html).
in [color=#729FCF][b]BLUES[/b][/color] I trust
GHengeveld
#4 11 April 2010, 01:43
I think this is best solved by using a plugin, so users can choose to include it or not. That will also fix the licensing issue.

In my opinion, we should have ditched BBcode long ago, in favor of a decent editor like TinyMCE (my editor of choice).
donP
#5 11 April 2010, 01:57
# Koradhil: In my opinion, we should have ditched BBcode long ago, in favor of a decent editor like TinyMCE (my editor of choice).
I agree ;) Have you already tried to implement TinyMCE in Cotonti?

For HTMLPurifier, a plugin is the faster solution, but I think we can plan to include it as a module, if Cotonti is going in that (modules) direction...

Added 1 day later:

Sometimes I feel like I'm asking useless questions to the Cotonti Community... :/ :(
in [color=#729FCF][b]BLUES[/b][/color] I trust

This post was edited by donP (on 12 April 2010, 21:03, 13 years ago)
Trustmaster
#6 12 April 2010, 21:28
Still I'd like to see some alternatives to HTML purifier. It's too massive and such an important component would be better shipped with the main package.

And we cannot just abandon BBcode because there are many Cotonti sites with thousands of pages using BBcode markup.
May the Source be with you!
donP
#7 12 April 2010, 22:07
As I said in the tracker section,
it wouldn't be such a radical transition.
If you enable the HTML cache in the admin panel (almost every user has it enabled) you have the HTML version of your entire website, and then you can create a simple query to copy the page_html content into page_text and change the page_type from 0 to 1.
I did it like that on my local test website to have all pages converted to HTML.

For HTMLPurifier, as I said before, that library is the most effective XSS protection solution (compared with others)... and it has got some ways to speed up the process and have lighter code (see here: http://htmlpurifier.org/docs/enduser-slow.html ).
in [color=#729FCF][b]BLUES[/b][/color] I trust

This post was edited by donP (on 13 April 2010, 02:49, 13 years ago)
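The conversion donP describes (copy the cached page_html into page_text, then flip page_type from 0 to 1) as an added, runnable example; this is not donP's query or Cotonti code. It uses an in-memory SQLite table as a constructed stand-in: the column names page_text, page_html and page_type and the type values 0 and 1 come from the post, while the table name cot_pages and the page_id column are assumptions. It also adds the one check a practitioner wants: pages whose HTML cache is still empty are counted but left alone, and a dry run reports how many rows would change before anything is written.

```python
"""Constructed BBcode -> HTML page migration (example for this thread, not Cotonti code)."""
import sqlite3

PAGE_TYPE_BBCODE = 0   # page_type 0: page_text holds BBcode (per the thread)
PAGE_TYPE_HTML = 1     # page_type 1: page_text holds HTML

# Only rows that really have a cached HTML rendering may be converted.
CONVERTIBLE = "page_type = ? AND page_html IS NOT NULL AND page_html <> ''"


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the pages table (table name is an assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE cot_pages ("
        " page_id INTEGER PRIMARY KEY, page_text TEXT, page_html TEXT, page_type INTEGER)"
    )
    con.executemany("INSERT INTO cot_pages VALUES (?, ?, ?, ?)", [
        (1, "[b]Hello[/b]", "<strong>Hello</strong>", PAGE_TYPE_BBCODE),
        (2, "[url=http://example.com]Link[/url]",
            '<a href="http://example.com">Link</a>', PAGE_TYPE_BBCODE),
        (3, "[i]not cached yet[/i]", "", PAGE_TYPE_BBCODE),   # empty cache: skip
        (4, "<p>already html</p>", "<p>already html</p>", PAGE_TYPE_HTML),
    ])
    con.commit()
    return con


def convert_bbcode_pages_to_html(con: sqlite3.Connection, dry_run: bool = False) -> int:
    """Copy page_html into page_text and set page_type=1 for every convertible page.

    Returns the number of pages affected (or that would be affected on a dry run).
    """
    (count,) = con.execute(
        f"SELECT COUNT(*) FROM cot_pages WHERE {CONVERTIBLE}", (PAGE_TYPE_BBCODE,)
    ).fetchone()
    if dry_run:
        return count
    with con:  # single transaction: all rows flip or none do
        con.execute(
            f"UPDATE cot_pages SET page_text = page_html, page_type = ? WHERE {CONVERTIBLE}",
            (PAGE_TYPE_HTML, PAGE_TYPE_BBCODE),
        )
    return count


def uncached_bbcode_pages(con: sqlite3.Connection) -> list[int]:
    """IDs of BBcode pages that still need a cache rebuild before they can be converted."""
    rows = con.execute(
        "SELECT page_id FROM cot_pages WHERE page_type = ? AND (page_html IS NULL OR page_html = '')",
        (PAGE_TYPE_BBCODE,),
    )
    return [page_id for (page_id,) in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("would convert:", convert_bbcode_pages_to_html(db, dry_run=True))  # 2
    print("converted:", convert_bbcode_pages_to_html(db))                    # 2
    print("still uncached:", uncached_bbcode_pages(db))                      # [3]
```

Run the dry run first and compare its count with the number of BBcode pages; any difference is the set of pages whose cache was never built, which `uncached_bbcode_pages` lists so they can be re-rendered and converted in a second pass. After the flip, page_text is raw HTML that authors edit directly, so whatever HTML filter the site settles on has to be in place before those pages are opened for editing.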
Trustmaster
#8 13 April 2010, 00:48
Personally, I'd love to drop BBcode and multiparser support and stick with HTML, because it would make coders' lives much easier. But I think we need to make at least a global poll, considering the point of view of existing site owners.

Thanks for linking to the comparison. I think we can get permission to ship HTMLPurifier with Cotonti. But even the Lite version will add 180kb to Cotonti's 7-zip.
May the Source be with you!
donP
#9 13 April 2010, 02:56
Yes, we can make a global poll (the last one is a bit outdated).
And we can at the same time ask which WYSIWYG editor we want by default in Cotonti (CKeditor or TinyMCE, I think they are the best at this moment).
in [color=#729FCF][b]BLUES[/b][/color] I trust
foxhound
#10 19 April 2010, 01:12
# Trustmaster: Personally, I'd love to drop BBcode and multiparser support and stick with HTML, because it would make coders' lives much easier. But I think we need to make at least a global poll, considering the point of view of existing site owners.

I hope bbcode support will stay in; we are almost done moving our website to Cotonti and now I read this :(
Months (over a year) of work, and I sure am not going to change over 10k pages to HTML, not to mention the increase in workload that HTML-only support would give me.

Anyway, I hope bbcode support stays in.
ez
#11 30 July 2010, 15:24
This is an old discussion, but have a look at:

http://plugins.jquery.com/project/CLEditor

I saw the impressive demo :))

Anyway, I hope that BBCODE stays in too; I just like it, it gives great control over the output.
And I know... supporting 2 systems is a nightmare.
==- I say: Keep it EZ -==
ven7ura
#12 1 August 2010, 07:48
# ez: This is an old discussion, but have a look at:

http://plugins.jquery.com/project/CLEditor

I saw the impressive demo :))

Anyway, I hope that BBCODE stays in too; I just like it, it gives great control over the output.
And I know... supporting 2 systems is a nightmare.

WoW!

I sure hope this would be implemented for simplicity.
urlkiller
#13 2 August 2010, 06:57
Uhm, one thing to throw into the discussion...

Isn't it better to think first about the PFS solution? As I understand it, most of the WYSIWYG editors have the option to search for files on the server.

This is one of the features that makes the difference for users to edit and change their contents fast.

So it may be better to make an up-to-date version of the PFS that we could integrate in the new WYSIWYG editor?

Or did I get it completely wrong and the file manager thing is integrated in TinyMCE?
URL shortener: http://bbm.li/!7AD5C7
donP
#14 3 August 2010, 17:12
Alex300 did a good job with CKEditor, look here:

http://www.cotonti.com/downloads/plugins/pages-lists/CKEditor?highlight=CKEDITOR

I think this would be my choice; I think CKEditor is actually the best, most complete, fastest free WYSIWYG editor around. And, with Alex300's plugin, it is easy to integrate in Cotonti.
in [color=#729FCF][b]BLUES[/b][/color] I trust
urlkiller
#15 3 August 2010, 17:26
Yeah, I already checked it out.

But I was thinking about a more Cotonti-integrated solution... the file manager packed in its release is a simple upload module and isn't directly connected with the PFS system...
URL shortener: http://bbm.li/!7AD5C7
