On 02/16/2014 01:32 AM, David Gerard wrote:
There are extensions that allow raw HTML widgets, just putting them through unchecked. The hard part will be checking. Note that the rawness of the somewhat-filtered HTML is a part of WordPress's not so great security story (though they've had a lot less "update now!" in the past year). So, may not involve much less parsing.
The difference is that you can run the sanitizer on save, and then only need to re-run it when a bug in it has been fixed (which can happen in a background job rather than on view). We will maintain a sanitization level in storage to track the degree to which the HTML is sanitized.
Sanitization is also the last part of parsing from wikitext to HTML. It is one of the cheapest parts of the parsing process, so running just that on a DOM is much cheaper than parsing from scratch.
Gabriel
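
The scheme described in the reply above (sanitize on save, store a sanitization level, re-run in the background after a sanitizer fix), as an added example that is not code from this thread or from MediaWiki. The allowlist, the two levels, the level-1 bug and all function names are constructed for illustration.

```python
# Added example; the names and the two "levels" are constructed for illustration.
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
CURRENT_LEVEL = 2  # bump whenever a sanitizer bug is fixed

class _Sanitizer(HTMLParser):
    def __init__(self, level):
        super().__init__(convert_charrefs=True)
        self.level, self.out = level, []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            # Constructed bug: level 1 forgot to restrict href schemes.
            if self.level >= 2 and name == "href" and not re.match(r"https?://", value, re.I):
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))  # text is always stored escaped

def sanitize(html, level=CURRENT_LEVEL):
    parser = _Sanitizer(level)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def save(store, title, raw_html, level=CURRENT_LEVEL):
    """Sanitize once, on save, and record the level alongside the HTML."""
    store[title] = {"html": sanitize(raw_html, level), "level": level}

def resanitize_stale(store, level=CURRENT_LEVEL):
    """Background job: re-run the sanitizer only on entries below `level`."""
    stale = [t for t, e in store.items() if e["level"] < level]
    for title in stale:
        store[title] = {"html": sanitize(store[title]["html"], level), "level": level}
    return stale
```

Views read `store[title]["html"]` directly; only entries whose stored level is below `CURRENT_LEVEL` are ever touched again.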