Hi all,
After my previous e-mail about Wikiforum [1] I got a lot of feedback from users, but only a little from developers. I made all the requested fixes, then… nothing. I can't personally force developers to look closely at this extension, just as I can't force them to install it even if there is no problem. Hoping that a strong mobilization of the French community can do that, we organized a poll a few days ago [2]. The result is limpid: 55 French users are now requesting this extension (0 against and 5 who prefer a "real" forum or Usenet). 55 users for a poll in 2 days is a lot for the French community (e.g. the vote to decide the arbitrators' rules actually has 30 votes in 9 days) and I hope you will respect it by:
- Installing this extension "as is" on French Wikipedia.
or:
- Looking at the source [3] and giving me a list of needed security/performance fixes.
You can still test this extension on Amgine's server [4].
Thanks,
Aoineko
[1] Description:
-- French: http://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Wikiforum
-- English (little information): http://meta.wikimedia.org/wiki/Wikiforum
[2] Poll to implement Wikiforum on French Wikipedia: http://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Prise_de_d%C3%A9cision/Mise_en_p...
[3] Sources are on the CVS repository at "/extensions/wikiforum" (please don't change the pagination while I'm developing)
[4] Test server: http://test-wikipedia.saewyc.net/index.php/Special:Forum
On Fri, 18 Feb 2005 14:48:32 +0900 Guillaume Blanchard gblanchard@arcsy.co.jp wrote:
Hi all
That's my feeling too. We all need a forum system compatible with the wiki principles. Guillaume worked on it, and now provides a first version which is usable. French Wikipedians have massively voted YES to try this new feature. So I hope, too, that our main developers will bring it to fr:
Best regards
Kelson
Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
Guillaume Blanchard wrote:
> - Look at the source [3] and give me a list of needed security/performance fix.
I fixed a couple of the most obvious security problems:
* The Special:Newthread edit form provided a very nice cross-site scripting injection point. Once a user is tricked into visiting a certain URL (can be via a redirection or frame) their authentication cookies can be stolen, or nearly any authenticated action on the wiki can be performed as that user via JavaScript manipulation from the hacked form.
* The Special:Newthread form submission didn't use the edit token, allowing for cross-site request forgery to submit new threads under a victim's user account if they visit an offsite page containing a form and a little JavaScript.
Before anyone should consider deploying this in the field, there are other very significant problems with how it accepts edits:
* It doesn't check for read-only mode
* It doesn't check if the user is blocked
* It doesn't check whitelist-edit mode
* It doesn't check content against the spam blacklist or filter callback
And some general functional issues:
* The localized text doesn't fit with MediaWiki as a whole; the user's selected language is ignored, and the messages aren't customizable through the MediaWiki: interface.
* Edit comments aren't formatted in the Special:Forum list the way they are elsewhere
* Edit comments are cut off manually at a byte offset, which could break UTF-8 characters. Instead, use $wgContLang->truncate() or show the complete comment.
* The code that outputs the table on Special:Forum is very fragile. Many pieces are done with wikitext which can break when some characters are used (try for instance making a thread titled "''Spiffy''"; the link becomes broken in the list).
* The use of the unlabeled magnification icon to show/hide a chunk of in-place text is very nonintuitive. Consider using the arrows from the enhanced recent changes display.
* Obviously these don't work at all if the client has JavaScript disabled; consider not displaying the unmanipulable bits in this case.
* Whatever it looks like, a tiny icon is a tough target to click on; I constantly have the urge to click on the _title_ and assume it will expand the text, but this links to the separate page.
More generally it seems a bit confusing; at the demo site at http://test-wikipedia.saewyc.net/index.php/Special:Forum there are two entire tables of threads one after the other without an obvious reason or explanation. One has expando-bits, the other doesn't.
-- brion vibber (brion @ pobox.com)
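
The submission checks listed in the message above (edit token, read-only mode, blocked user, whitelist-edit mode, spam filter) and the escaping of a reflected form value, modelled as a stand-alone Python sketch. This is an added example, not Wikiforum or MediaWiki code; `Session`, `check_new_thread`, `render_form` and the spam pattern are hypothetical names and constructed values, and whitelist-edit mode is modelled here as "only logged-in users may edit".

```python
import hashlib
import hmac
import html
import re
import secrets
from dataclasses import dataclass, field

SPAM_RE = re.compile(r"spam-link\.example", re.I)  # constructed blacklist entry

@dataclass
class Session:
    user: str
    logged_in: bool = True
    blocked: bool = False
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def edit_token(self) -> str:
        # Derived from a per-session secret, so an offsite page cannot supply it.
        return hmac.new(self.secret, b"newthread", hashlib.sha256).hexdigest()

def check_new_thread(sess, form, read_only=False, whitelist_edit=False):
    """Return None when the post may be saved, otherwise the refusal reason."""
    sent = form.get("token", "").encode()
    if not hmac.compare_digest(sent, sess.edit_token().encode()):
        return "bad-token"          # forged cross-site request or stale form
    if read_only:
        return "read-only"
    if sess.blocked:
        return "blocked"
    if whitelist_edit and not sess.logged_in:
        return "login-required"     # modelled as: only logged-in users may edit
    if SPAM_RE.search(form.get("title", "") + "\n" + form.get("text", "")):
        return "spam"
    return None

def render_form(sess, title=""):
    # The title is echoed from the request: escape it before it enters the attribute.
    safe_title = html.escape(title, quote=True)
    return ('<form method="post" action="">'
            f'<input name="title" value="{safe_title}">'
            f'<input type="hidden" name="token" value="{sess.edit_token()}">'
            '</form>')
```
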
Thank you, I'll fix.
Aoineko
If you found other security/performance problems, please add them at: http://meta.wikimedia.org/wiki/Wikiforum
For other problems (like what this extension may be), use the talk page: http://meta.wikimedia.org/wiki/Talk:Wikiforum
Aoineko
> After my previous e-mail about Wikiforum [1] I got many feedbacks from users, but only few from developers. I made all requested fix, then ...
It is probably necessary to create a request for enhancement in Bugzilla.
Hi Aoineko,
let me be clear: I share your goal of improving Wikimedia's discussion systems. I think there are a number of serious usability issues with Wikiforum as it is right now, though:
1) The current two-table setup is very confusing. It is not intuitively clear why some threads have preview and some do not, nor is the preview function itself obvious from the icon. The function of the top box is not visually distinguished from the function of the bottom box in any way. I suggest combining the two boxes into one, and making the preview function clearer (an eye may be a better visual representation, additional text might also help).
2) One of the key features of forums is the ability to sort threads by their publication date. Wikiforum uses "Oldest First", and it does not appear to be possible to change that. The page is titled "50 latest threads", which creates an intuitive expectation of "Newest First". I think "Newest First" should be the default, as it is in most forums, but it would be nice to be able to sort the table by whatever criteria desirable. (The default sorting order could also be voted on after the system has been in use for a while.)
3) Being able to chronologically go beyond the 50 threads displayed on the index page ("Next 50") seems like a fairly critical feature to me.
4) The "Post a comment" ("+" in Monobook) link is missing. This is quite a serious issue, as it makes Thread: pages *more* cumbersome than talk pages, which have that link. Besides easy appending, it also encourages users to add a section title, which increases the editability of long pages.
5) There is no reason for a Thread: page to have a separate Thread talk: page - that just adds confusion.
Design-wise, Wikiforum should be ready to handle subforums on different topics, rather than just having one big forum on Special:Forum, but that feature doesn't need to exist immediately.
I do agree with the idea of trialling the system on one wiki before putting it into use on all wikis. The key question is: How will Wikiforum affect our discussion workflow? Will threads just disappear into nowhere, where previously people at least made a token effort to move threads to relevant talk pages or build structured archives? Will the Thread: namespace become a huge mess that nobody can wade through? Category: tags could potentially prevent that, and collaborative thread categorization is an interesting approach to handling discussions.
I'm therefore not saying Wikiforum will fail, but I do believe that we need to collect data about its use, and that the above usability issues should be addressed before taking it live anywhere.
Regards,
Erik
wikitech-l@lists.wikimedia.org