On 05/19/2014 04:54 PM, Gabriel Wicke wrote:
The move to HTML-based (self-contained) transclusion expansions will avoid this issue completely. That's a few months out though. Maybe we can find a stop-gap solution that moves in that direction, without introducing special tags in expandtemplates that we'll have to support for a long time.
Here's a proposal:
* Introduce a <domparse> extension tag that causes its content to be parsed all the way to a self-contained DOM structure. Example: <domparse>{{T}}</domparse>
* Emit this tag for HTML page transclusions. Avoids the security issue as there's no way to inject verbatim HTML. Works with Parsoid out of the box.
* Use <domparse> to support parsing unbalanced templates by inserting it into wikitext: <domparse> {{table-start}} {{table-row}} {{table-end}} </domparse>
* Build a solid HTML-only expansion API endpoint, and start using that for all transclusions that are not wrapped in <domparse>.
* Stop wrapping non-wikitext transclusions into <domparse> in action=expandtemplates once those can be directly expanded to a self-contained DOM.
Gabriel
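
An added illustration, not part of the original message and not MediaWiki or Parsoid code: it shows why the unbalanced templates in the proposal only yield a self-contained fragment when the whole group is wrapped in `<domparse>`. The template expansions are constructed sample values, `<domparse>` is the tag proposed above, and the balance check is a simplified stand-in for a real HTML parser.

```javascript
// Constructed expansions for the template names used in the message (assumed content).
const EXPANSIONS = {
  'table-start': '<table><tbody>',
  'table-row': '<tr><td>cell</td></tr>',
  'table-end': '</tbody></table>',
  'T': '<p>hello</p>',
};
const VOID = new Set(['br', 'hr', 'img', 'input', 'meta', 'link', 'wbr']);

// Expand {{name}} references using the constructed table above; unknown names stay as-is.
function expand(wikitext) {
  return wikitext.replace(/\{\{([^{}|]+)\}\}/g, (m, name) => {
    const key = name.trim();
    return Object.prototype.hasOwnProperty.call(EXPANSIONS, key) ? EXPANSIONS[key] : m;
  });
}

// True when every open tag is closed in order, i.e. the fragment could stand
// alone as a DOM subtree. Simplified: no HTML error recovery, no comments/CDATA.
function isSelfContained(html) {
  const stack = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*?(\/?)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, selfClose] = m;
    const name = rawName.toLowerCase();
    if (VOID.has(name) || selfClose) continue;
    if (!closing) { stack.push(name); continue; }
    if (stack.pop() !== name) return false; // stray or mismatched close tag
  }
  return stack.length === 0; // leftover open tags mean the fragment is unbalanced
}

// Treat each <domparse> group, or each bare template call, as one expansion unit
// and report whether that unit expands to a self-contained fragment.
function checkUnits(wikitext) {
  const units = [];
  const re = /<domparse>([\s\S]*?)<\/domparse>|\{\{[^{}]+\}\}/g;
  let m;
  while ((m = re.exec(wikitext)) !== null) {
    const wrapped = m[1] !== undefined;
    const src = wrapped ? m[1] : m[0];
    units.push({ wrapped, selfContained: isSelfContained(expand(src)) });
  }
  return units;
}
```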