On 02/16/2014 01:32 AM, David Gerard wrote:
> There are extensions that allow raw HTML widgets, just putting them
> through unchecked. The hard part will be checking. Note that the
> rawness of the somewhat-filtered HTML is a part of WordPress's not so
> great security story (though they've had a lot less "update now!" in
> the past year). So, may not involve much less parsing.

The difference is that you can run the sanitizer on save, and then only
need to re-run it when a bug in it was fixed (which can happen in a
background job rather than on view). We will maintain a sanitization
level in storage to track the degree to which the HTML is sanitized.
Sanitization is also the last part of parsing from wikitext to HTML. It
is one of the cheapest parts of the parsing process, so running just
that on a DOM is much cheaper than parsing from scratch.
Gabriel
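
The sanitize-on-save scheme described in the reply above, sketched as an added example; it is not code from the original message or from MediaWiki. The allowlist, the `SANITIZER_LEVEL` constant, the dict-based store and all function names are assumptions made for illustration, and level 1 stands in for a sanitizer release that had a bug (no URL scheme check).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
SANITIZER_LEVEL = 2  # assumed convention: bump on every sanitizer bug fix
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}}  # constructed allowlist

def _http_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in ("http", "https")
    except ValueError:
        return False

class _Sanitizer(HTMLParser):
    def __init__(self, level):
        super().__init__(convert_charrefs=True)
        self.level, self.out, self.skip = level, [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        # Level 1 models the pre-fix sanitizer: it never checked URL schemes.
        kept = [(n, v) for n, v in attrs if n in ALLOWED[tag] and v is not None
                and (self.level < 2 or _http_url(v))]
        self.out.append("<" + tag + "".join(f' {n}="{escape(v)}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html, level=SANITIZER_LEVEL):
    parser = _Sanitizer(level)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def save(store, page_id, html, level=SANITIZER_LEVEL):
    # Sanitize once on save and record the level alongside the HTML.
    store[page_id] = {"html": sanitize(html, level), "level": level}

def resanitize_stale(store, level=SANITIZER_LEVEL):
    # Background job: only rows stored below the current level are re-run.
    stale = [pid for pid, row in store.items() if row["level"] < level]
    for pid in stale:
        store[pid] = {"html": sanitize(store[pid]["html"], level), "level": level}
    return stale
```

Views read `store[page_id]["html"]` directly; the sanitizer runs again only on rows whose stored level is below the current one.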