I'd like to use HTML comments in raw wiki text, to use them as effective, server-inexpensive "data containers" that could be read and parsed by a JS script in view mode. But I see that HTML comments, written into raw wiki text, are stripped away by the parsing routines. I can access the raw code of the current page in view mode from JS with an index.php or an api.php call, and I do, but this is much more server-expensive IMHO.
Is there any sound reason to strip HTML comments away? If there is no sound reason, could such stripping be avoided?
Alex brollo
Perhaps you chose the wrong approach. Dig into HTML5 data attributes, for example. That's a better data interface between wikipage code and the View. You can then access them with the $(selector).data() method.
On Sun, Dec 30, 2012 at 12:23 AM, Alex Brollo alex.brollo@gmail.com wrote:
I'd like to use HTML comments in raw wiki text, to use them as effective, server-inexpensive "data containers" that could be read and parsed by a JS script in view mode. But I see that HTML comments, written into raw wiki text, are stripped away by the parsing routines. I can access the raw code of the current page in view mode from JS with an index.php or an api.php call, and I do, but this is much more server-expensive IMHO.
Is there any sound reason to strip HTML comments away? If there is no sound reason, could such stripping be avoided?
Alex brollo _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Sun, Dec 30, 2012 at 4:20 AM, Paul Selitskas p.selitskas@gmail.com wrote:
Perhaps you chose the wrong approach. Dig into HTML5 data attributes, for example. That's a better data interface between wikipage code and the View. You can then access them with the $(selector).data() method.
+1. I've been using this on a few gadgets I've been writing and it is wonderful. This was possible only recently, though - ever since HTML5 was enabled on WMF wikis.
Also +1 on using data attributes. These are exactly what they are made for.
On Dec 30, 2012 11:19 AM, "Yuvi Panda" yuvipanda@gmail.com wrote:
+1. I've been using this on a few gadgets I've been writing and it is wonderful. This was possible only recently, though - ever since HTML5 was enabled on WMF wikis.
-- Yuvi Panda T http://yuvi.in/blog
Thanks for the suggestion to dig into HTML5 data stuff; I'll study the matter. Nevertheless: is HTML5 already in use? If it isn't, when will it be introduced into any wiki?
I didn't find in your answers a sound reason to strip away html comments but that they will be useless when using html5; I'm viewed as a "data maniac" into it.wikisource, we use any trick to manage data/metadata (cookies, microformats, labeled sections...), and a good serialized JSON object, automatically built by js at upload of pages and wrapped into a html comment, would be very useful for our in the past with no overload of code/of servers.
Alex brollo
Perfect! A data- attribute can contain anything and it runs perfectly. It can contain too a JSON-stringified object added into edit mode into a <span> (so that a whole dictionary can be passed into a single data- attribute). It's just what I needed.
Alex brollo
Exactly.
Nevertheless: is HTML5 already in use? If it isn't, when will it be introduced into any wiki?
HTML5 was introduced into Wikipedia (and MediaWiki by default, see $wgHtml5[1]) lately. FYI, in be.wikisource data fields are used to make a link to both Belarusian Wikipedias in a link hover![2]
----
[1] http://www.mediawiki.org/wiki/Manual:$wgHtml5
[2] http://be.wikisource.org/wiki/MediaWiki:Common.js (bottom of the code)
On Mon, Dec 31, 2012 at 2:17 PM, Alex Brollo alex.brollo@gmail.com wrote:
Perfect! A data- attribute can contain anything and it runs perfectly. It can contain too a JSON-stringified object added into edit mode into a <span> (so that a whole dictionary can be passed into a single data- attribute). It's just what I needed.
Alex brollo
2013/1/1 Paul Selitskas p.selitskas@gmail.com
Exactly.
Nevertheless: is HTML5 already in use? If it isn't, when will it be introduced into any wiki?
HTML5 was introduced into Wikipedia (and MediaWiki by default, see $wgHtml5[1]) lately. FYI, in be.wikisource data fields are used to make a link to both Belarusian Wikipedias in a link hover![2]
[1] http://www.mediawiki.org/wiki/Manual:$wgHtml5
[2] http://be.wikisource.org/wiki/MediaWiki:Common.js (bottom of the code)
As I said, I don't know if HTML5 is in use or not; but try to save a <span id="container" data-test="This is a test data"></span> into the raw code of any page, then save it, and then use the JS console of Chrome on the resulting page in view mode with this:
$("#container").attr("data-test")
and you'll get "This is a test data".
This is largely sufficient (thanks again for suggestion!) :-)
Alex brollo
On 01/01/2013 01:29 PM, Alex Brollo wrote:
As I said, I don't know if HTML5 is in use or not; but try to save a <span id="container" data-test="This is a test data"></span> into the raw code of any page, then save it, and then use the JS console of Chrome on the resulting page in view mode with this:
$("#container").attr("data-test")
It's not a big deal for this use case, but you can also do:
console.log($("#container").data("test"));
Besides saving a little typing, it will do automatic JSON decoding of the value.
Matt Flaschen
I tried to build a template which wraps template parameters into data- attributes. First results have been encouraging, then I found something logical but unexpected, crushing the whole idea.
I wrote into the code of an infobox-like template something like this:
<span data-author="{{{author}}}" data-birthdate="{{{birthDate}}}"....></span>
and I very happily saw that the html code had my data wrapped into such span tags.
But.... I was testing my code with clean templates, i.e. templates which have no wikicode into parameter values (as usually occurs into it.wikisource). As soon as I tested my idea into another project (Commons) I found that any wikicode (template call, parameter, link....) present into the value of infobox parameter breaks the stuff, since it is parsed and expanded by parser with unpredictable results.
So... I ask you again: is there any sound reason (i.e. safety related, or server loading related) to avoid that HTML comments, wrapped into raw page wikicode, are sent back into html rendering as-they-are?
Alex brollo
On Mon, 21 Jan 2013 21:50:32 -0800, Alex Brollo alex.brollo@gmail.com wrote:
I tried to build a template which wraps template parameters into data- attributes. First results have been encouraging, then I found something logical but unexpected, crushing the whole idea.
I wrote into the code of an infobox-like template something like this:
<span data-author="{{{author}}}" data-birthdate="{{{birthDate}}}"....></span>
and I very happily saw that the html code had my data wrapped into such span tags.
But.... I was testing my code with clean templates, i.e. templates which have no wikicode into parameter values (as usually occurs into it.wikisource). As soon as I tested my idea into another project (Commons) I found that any wikicode (template call, parameter, link....) present into the value of infobox parameter breaks the stuff, since it is parsed and expanded by parser with unpredictable results.
So... I ask you again: is there any sound reason (i.e. safety related, or server loading related) to avoid that HTML comments, wrapped into raw page wikicode, are sent back into html rendering as-they-are?
Alex brollo
Yes.
Thanks to IE, even comments can actually be treated as raw html and end up executing scripts opening up XSS holes in the wiki.
On Tue, Jan 22, 2013 at 3:53 AM, Daniel Friesen daniel@nadir-seen-fire.com wrote:
Yes.
Thanks to IE, even comments can actually be treated as raw html and end up executing scripts opening up XSS holes in the wiki.
Seconded. There is really no safe way to allow comments through.
What do you mean by
any wikicode (template call, parameter, link....) present into the value of infobox parameter breaks the stuff, since it is parsed and expanded by parser with unpredictable results.
If your {{{author}}} doesn't have anything and it's acceptable, then make it {{{author|}}}, or {{#if:{{{author|}}}|<span .....}}. Please clarify the statement above.
2013/1/22 Paul Selitskas p.selitskas@gmail.com
What do you mean by
any wikicode (template call, parameter, link....) present into the value of infobox parameter breaks the stuff, since it is parsed and expanded by parser with unpredictable results.
If your {{{author}}} doesn't have anything and it's acceptable, then make it {{{author|}}}, or {{#if:{{{author|}}}|<span .....}}. Please clarify the statement above.
Imagine that my infobox had a parameter author=, and imagine a "clean" content as this:
author=Alessandro Manzoni
With my template code: <span data-author="{{{author}}}"></span>
I get into parsed html: <span data-author="Alessandro Manzoni"></span>
Perfect!
But imagine that my template parameter is: author=[[Alessandro Manzoni]]
When I pass the parameter content to <span data-author="{{{author}}}"></span>, I don't get into the html page what I'd like: <span data-author="[[Alessandro Manzoni]]"></span>
since wikicode [[Alessandro Manzoni]] will be interpreted by the server, and parsed/expanded into an html link as usual, resulting in a big mess.
The same occurs for any wikicode and/or html passed into an infobox template parameter.
Alex brollo
On 2013-01-22 6:03 PM, "Alex Brollo" alex.brollo@gmail.com wrote:
Imagine that my infobox had a parameter author=, and imagine a "clean" content as this:
author=Alessandro Manzoni
With my template code: <span data-author="{{{author}}}"></span>
I get into parsed html: <span data-author="Alessandro Manzoni"></span>
Perfect!
But imagine that my template parameter is: author=[[Alessandro Manzoni]]
When I pass the parameter content to <span data-author="{{{author}}}"></span>, I don't get into the html page what I'd like: <span data-author="[[Alessandro Manzoni]]"></span>
since wikicode [[Alessandro Manzoni]] will be interpreted by the server, and parsed/expanded into an html link as usual, resulting in a big mess.
The same occurs for any wikicode and/or html passed into an infobox template parameter.
Alex brollo
Have you tried {{#tag:nowiki|{{{author}}}}} to prevent interpretation?
There may still be issues with quotes. I'm not sure.
-bawolff
It will just strip the whole attribute if there is a quote in. That is why we have {{urlencode:{{{1}}}|WIKI}} (or any other mode).
On Wed, Jan 23, 2013 at 1:18 AM, Bawolff Bawolff bawolff@gmail.com wrote:
Have you tried {{#tag:nowiki|{{{author}}}}} to prevent interpretation?
There may still be issues with quotes. I'm not sure.
-bawolff
On 01/22/2013 05:24 PM, Paul Selitskas wrote:
It will just strip the whole attribute if there is a quote in. That is why we have {{urlencode:{{{1}}}|WIKI}} (or any other mode).
URL-encoding is not the same as HTML-encoding for an attribute. I'm not sure if we have a parser function for the latter, though.
Matt
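The difference Matt points out, as an added example that is not part of the thread: HTML-attribute encoding is undone by the browser and round-trips exactly, while URL-encoding has to be undone by the page script. wikiUrlencode is an assumed approximation of {{urlencode:...|WIKI}} (spaces to underscores, the rest percent-encoded), and the sample values are constructed.

```javascript
// Added example, not code from the thread. wikiUrlencode() is an assumed
// approximation of {{urlencode:...|WIKI}} (spaces -> underscores, the rest
// percent-encoded); the sample values are constructed.

const HTML_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, ent]) => [ent, ch])
);

// HTML-attribute encoding: what a value needs to sit inside data-x="...".
function htmlAttrEncode(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for the browser's HTML parser, which undoes the entities itself
// before getAttribute() or $(...).data() ever see the value.
function htmlAttrDecode(value) {
  return String(value).replace(/&(?:amp|quot|#39|lt|gt);/g, (ent) => HTML_UNESCAPES[ent]);
}

function wikiUrlencode(value) {
  return encodeURIComponent(String(value).replace(/ /g, '_'));
}

// The browser does NOT undo percent-encoding in an attribute; the script must.
function wikiUrldecode(value) {
  try {
    return decodeURIComponent(String(value)).replace(/_/g, ' ');
  } catch (e) {
    return null; // malformed percent sequence: treat as "no data"
  }
}

// Parse a JSON record taken from a data- attribute; anything that is not a
// plain object is rejected instead of being passed on to the page script.
function parseRecord(attrText) {
  try {
    const parsed = JSON.parse(attrText);
    const ok = parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
    return ok ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Constructed infobox parameter with a quote, markup, an ampersand and an underscore.
const sample = 'Manzoni, "I promessi sposi" <br /> & co_author';

function compareEncodings(text) {
  const asAttr = htmlAttrEncode(text);
  const asUrl = wikiUrlencode(text);
  return {
    asAttr,
    asUrl,
    attrRoundTrip: htmlAttrDecode(asAttr) === text, // lossless
    urlRoundTrip: wikiUrldecode(asUrl) === text,    // false: "_" and " " collide
    urlSafeInAttr: !/["<>&]/.test(asUrl),           // nothing left to break the attribute
  };
}

// A JSON-stringified object carried in one data- attribute, as discussed earlier.
function recordRoundTrip(record) {
  const attr = htmlAttrEncode(JSON.stringify(record));
  return parseRecord(htmlAttrDecode(attr));
}

console.log(compareEncodings(sample));
console.log(recordRoundTrip({ author: 'Alessandro Manzoni', note: 'a "quoted" <b>note</b>' }));
```

In a page script, a decoded value goes into the document with .text() rather than .html(), so markup inside a parameter stays inert.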
Filed a bug report: https://bugzilla.wikimedia.org/show_bug.cgi?id=44262.
On 01/22/2013 07:52 PM, Paul Selitskas wrote:
Filed a bug report: https://bugzilla.wikimedia.org/show_bug.cgi?id=44262.
On Wed, Jan 23, 2013 at 1:34 AM, Matthew Flaschen mflaschen@wikimedia.org wrote:
On 01/22/2013 05:24 PM, Paul Selitskas wrote:
It will just strip the whole attribute if there is a quote in. That is why we have {{urlencode:{{{1}}}|WIKI}} (or any other mode).
URL-encoding is not the same as HTML-encoding for an attribute. I'm not sure if we have a parser function for the latter, though.
Thanks. I CCed Chris Steipp, the security guy, since this was one of the topics he covered in a recent documentation sprint.
Matt Flaschen
There will be no mess. You'll just get <span data-author="[[Alessandro Manzoni]]"></span> (did you even lift^Wtry, bro? :)), at least at Wikipedia that is what I get. If it could pass raw HTML into attributes, you'd get a huge hole for XSSploits lovers.
2013/1/22 Paul Selitskas p.selitskas@gmail.com
There will be no mess. You'll just get <span data-author="[[Alessandro Manzoni]]"></span> (did you even lift^Wtry, bro? :)), at least at Wikipedia that is what I get. If it could pass raw HTML into attributes, you'd get a huge hole for XSSploits lovers.
You're right, I used a wrong example. I got troubles from html codes, quotes and templates; not from links.
Well.... it seems that {{urlencode:{{{1|}}}|WIKI}} solves anything. Thanks. I'll test it on our main infoboxes.
I apologize for my question (perhaps not so deep).
Alex brollo
On 29/12/12 22:23, Alex Brollo wrote:
I'd like to use HTML comments in raw wiki text, to use them as effective, server-inexpensive "data containers" that could be read and parsed by a JS script in view mode. But I see that HTML comments, written into raw wiki text, are stripped away by the parsing routines. I can access the raw code of the current page in view mode from JS with an index.php or an api.php call, and I do, but this is much more server-expensive IMHO.
Is there any sound reason to strip HTML comments away? If there is no sound reason, could such stripping be avoided?
They are wikitext comments, defined to be stripped for the final user.
I think there is an extension allowing to output html comments. You can also use some tag properties as containers.
On Sat, Dec 29, 2012 at 6:59 PM, Platonides Platonides@gmail.com wrote:
Is there any sound reason to strip HTML comments away? If there is no sound reason, could such stripping be avoided?
Comments can sometimes be used to get XSS in unexpected ways (like conditional comments for IE). I think they're stripped because that was easier than writing a sanitizer for them, and they're pretty useless.
If all else fails, you can do the hacky thing of stuffing information into either a class attribute or title attribute of an element. (data even better, but I don't know if that's allowed in wikitext or not)
--bawolff
On 30/12/12 08:23, Alex Brollo wrote:
I'd like to use HTML comments in raw wiki text, to use them as effective, server-inexpensive "data containers" that could be read and parsed by a JS script in view mode. But I see that HTML comments, written into raw wiki text, are stripped away by the parsing routines. I can access the raw code of the current page in view mode from JS with an index.php or an api.php call, and I do, but this is much more server-expensive IMHO.
Is there any sound reason to strip HTML comments away? If there is no sound reason, could such stripping be avoided?
They're stripped by the preprocessor because otherwise, all the parser functions break.
In pre-save-transform mode, there is no choice but to preserve comments, so the parser functions do actually break. But that's less visible than what would happen if you omitted comment stripping in HTML mode.
It would be easy enough to sanitize HTML comments so that they don't cause XSS vulnerabilities, that's not the issue.
-- Tim Starling
In the meantime, I tested the urlencode:...|WIKI trick, it runs perfectly for quotes, html tags as <br /> and links wikicode. Now it can be used both for tl|Autore and tl|Intestazione into it.wikisource, and I hope into tl|MediaWiki:Proofreadpage_index_template too. But it fails with templates; templates passed as a parameter are parsed before urlencode can do its masking job. See [[:commons:User:Alex brollo/Sandbox]] for my test, which uses an instance of a modified tl|Book (my interest is focused to Book and Creator templates).
Presently my way for data recovering is a simple AJAX query but as an ecologist I'd like to save both band and server load. :-)
Alex brollo
It definitely needs a redesign or a different approach. I believe that putting rendered view into data attributes is the worst practice ever. Data is for data, and if you want to put rendering onto client's shoulders (that is why you want these data attributes, right?), then you should not mix client- and server-side together.
On Wed, Jan 23, 2013 at 4:46 PM, Alex Brollo alex.brollo@gmail.com wrote:
In the meantime, I tested the urlencode:...|WIKI trick, it runs perfectly for quotes, html tags as <br /> and links wikicode. Now it can be used both for tl|Autore and tl|Intestazione into it.wikisource, and I hope into tl|MediaWiki:Proofreadpage_index_template too. But it fails with templates; templates passed as a parameter are parsed before urlencode can do its masking job. See [[:commons:User:Alex brollo/Sandbox]] for my test, which uses an instance of a modified tl|Book (my interest is focused to Book and Creator templates).
Presently my way for data recovering is a simple AJAX query but as an ecologist I'd like to save both band and server load. :-)
Alex brollo
2013/1/23 Paul Selitskas p.selitskas@gmail.com
It definitely needs a redesign or a different approach. I believe that putting rendered view into data attributes is the worst practice ever. Data is for data, and if you want to put rendering onto client's shoulders (that is why you want these data attributes, right?), then you should not mix client- and server-side together.
No, I don't at all. I only need to get "clean parameters value" wrapped into rendered page, so avoiding a difficult (sometimes, impossible) reverse engineering to get them, and avoiding an AJAX call to get them as-they-are. I see Infoboxes as potentially excellent records.... where data are impossible to read and use (for a large variety of interesting uses); and I think that's a pity and someway a resource-wasting situation. Rendering is only one of dozens of possible uses - but no data, no use of data.
The whole thing is very simple and effective if infobox template code is designed from the beginning to accept "clean string data" without any wikicode or html code inside; but I see that very few infoboxes are designed to get such "clean" data and nothing other.
Alex brollo
wikitech-l@lists.wikimedia.org