From: Filipus K. <ch...@gm...> - 2010-12-10 18:57:42
The newly added option to keep using unescaped menu items will be available on new installs and seen in the admin panel. As the risk is grave when non-admins can edit a menu, I put a prominent warning that the option shouldn't be enabled. At the same time, putting a red warning in CAPS will be ugly, getting even the attention of admins not interested in the option but looking at the panel. But having a "please note" that the option "might be insecure" inside a parenthesis is a little too weak. And the preference name should be kept short, the description elaborating on the risk. Do we have any way to mark a *preference* as dangerous/experimental? The preference is *not* a feature. Or does anyone see a solution? On 2010-12-10 09:33, lu...@us... wrote: > Revision: 31347 > http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=31347&view=rev > Author: luciash > Date: 2010-12-10 14:33:48 +0000 (Fri, 10 Dec 2010) > > Log Message: > ----------- > menus: slightly polished translation string (no need to yell INSECURE there) > > Modified Paths: > -------------- > branches/6.x/lib/prefs/menus.php > > Modified: branches/6.x/lib/prefs/menus.php > =================================================================== > --- branches/6.x/lib/prefs/menus.php 2010-12-10 14:01:04 UTC (rev 31346) > +++ branches/6.x/lib/prefs/menus.php 2010-12-10 14:33:48 UTC (rev 31347) > @@ -1,5 +1,5 @@ > <?php > -// (c) Copyright 2002-2010 by authors of the Tiki Wiki/CMS/Groupware Project > +// (c) Copyright 2002-2010 by authors of the Tiki Wiki CMS Groupware project > // > // All Rights Reserved. See copyright.txt for details and a complete list of authors. > // Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details. 
> @@ -17,7 +17,7 @@ > 'type' => 'text', > ), > 'menus_item_names_raw' => array( > - 'name' => tra('Allow HTML in menu items (INSECURE)'), > + 'name' => tra('Allow HTML in menu items (Please note: this might be insecure if you allow more people to edit menus)'), > 'description' => tra('If enabled, treat menu item names as HTML item content and do not escape them (do not replace HTML special characters), allowing to use HTML in menu items to put images for example. Code must be valid. This allows menu item editors to put arbitrary HTML; only enable if you know what you are doing.'), > 'help' => 'Menus', > 'type' => 'flag', > |
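Review bot: the first hunk's copyright-line rename ("Tiki Wiki/CMS/Groupware Project" to "Tiki Wiki CMS Groupware project") is unrelated to the log message, which only mentions the translation string; it would be cleaner as its own commit so the string change can be reviewed and reverted on its own.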
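Review bot: the `+` line in the second hunk moves a long conditional caveat into the preference `name`, which is the short label shown in the admin panel; the risk statement belongs in `description`, which already says "This allows menu item editors to put arbitrary HTML". Suggest keeping `'name' => tra('Allow HTML in menu items')` and extending the description instead, stating the condition plainly: because item names are no longer escaped, the option is unsafe whenever anyone who is not a trusted admin can edit menus, not only "if you allow more people to edit menus". "Code must be valid" in the description is also unclear about what happens when it is not (broken markup on every page that renders the menu) and could say so.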