On Jan 20, 2015 5:53 PM, "Brian Wolff" bawolff@gmail.com wrote:
On Jan 20, 2015 4:22 PM, "James Forrester" jforrester@wikimedia.org
wrote:
On 20 January 2015 at 12:04, Jeroen De Dauw jeroendedauw@gmail.com
wrote:
>
- Get rid of wikitext on the server-side.
- HTML storage only. Remove MWParser from the codebase. All extensions that hook into wikitext (so, almost all of them?)
will
need to be re-written.
Just to confirm: this is not actually on the WMF roadmap right? :)
It's certainly not what I'm working on for the next year or so. It is unlikely to be something we do for WMF usage; it's more valuable to
people
that want VisualEditor but want PHP-only (or don't want Node) for the server.
J.
Hypothetically how would this work? Wouldnt you still need parsoid to
verify the html corresponds to some legit wikitext? Otherwise how would you know its safe?
Since we are somewhat having a discussion about this (i recognize that
this isnt a "real" discussion in the sense that there isnt a full technical proposal, or any concrete plans to actually do it in near future, just a wild idea that some people like), one of the reasons im somewhat skeptical about this idea, is if there is an xss issue, you seem much more screwed with html storage, since now the bad stuff is in the canonical representation, instead of wikitext storage where you can just fix the parser, potentially purge parser cache, and then you are 100% certain your wiki is clean.
My second reason for being skeptical is im mostly unclear on what the
benefits are over wikitext storage (this is the first time ive heard of the ve w/o parsoid thing. Are there other benefits? Simplifying parser cache by not having parser cache?)
I may be misinterpreting how such a thing is proposed to work. Im not
very familar with parsoid and associated things.
--bawolff
And the other thread which i hadn't read at the time of writing this answers my question in that html verification is something yet to be determined :)
--bawolff