From: Brian Salter-D. <b_...@bi...> - 2008-11-29 01:45:44
|
The question of having Jmol used on wikipedia has again been raised on the commons email list. On contributor to the discussion says that the jmol mediawiki extension now only works with an older version of mediawiki. Certainly my examples at:- http://wiki.jmol.org:81/index.php/User:Bduke are not working. I still very much want to get jmol working on wikipedia and would like to also get it on wikiversity for some teaching materials I have started to add there. However, I have been very much out of touch recently. Could someone please update me on what the situation is with the jmol mediawiki extension and point me to an example of it working, so I can point the wikipedia technical folks to have a look at the examples? Also, last time I tried to get jmol on wikipedia I was told there were security issues with the extension. Have these been addressed? Regards, Brian. -- Brian Salter-Duke (Brian Duke) b_...@bi... Honorary Researcher Fellow Department of Medicinal Chemistry, Parkville Campus, Monash University, VIC 3052, Australia |
From: Rzepa, H. <h....@im...> - 2008-11-29 08:12:30
|
Brian, We are currently running courses with no issue using the "old" implementation http://www.ch.ic.ac.uk/wiki/ (which has proved VERY robust. We often have classes of 50 students all hammering pages with 10 or more embedded Jmols, with no issues). but have also been struggling to implement the new version http://www.ch.ic.ac.uk/wiki2/index.php/Mod:jmol I currently have it down to a "silly mistake" somewhere, probably a variable in LocalSettings.php. The correct source code is being generated, including the Jmolinitialize script etc, but it just does not start (if someone CAN spot a mistake in the source for the page above, I would be very grateful!) The current environment is as usual at http://www.ch.ic.ac.uk/wiki2/index.php/Special:Version Perhaps its an issue with the combinationin of Jmol and StubManager? Although I love Mediawiki (and its use HAS revolutionalized how we grade student "molecular modelling"), it remains a very fragile environment. Thus a single misbehaving extension and mediawiki has a propensity for displaying NOTHING. I am very keen to extend our course so that the wiki can start to display eg MO surfaces, vibrations, etc, but all this is predicated on being able to update the Jmol. Oh, and I need to get all this working, since I hope to present on this topic at the ACS next spring! One final question. Students are asked to paste a boiler plate 3 lines to include their own molecules. Inevitably, they sometimes truncate this, missing out either the start or the end of the syntax. MediaWiki contrives to accept this without issue, but then complains inevitably that the XML is broken and will refuse to allow the broken page to be edited. One then has to access the history list manually, and revert to a working version. Its messy. But why cannot the php parser validate the XML in the first place, and refused to deposit it into the MySQL if it does not validate? On 29 Nov 2008, at 01:41, Brian Salter-Duke wrote: > The question of having Jmol used on wikipedia has again been raised on > the commons email list. On contributor to the discussion says that the > jmol mediawiki extension now only works with an older version of > mediawiki. Certainly my examples at:- > > http://wiki.jmol.org:81/index.php/User:Bduke > > are not working. I still very much want to get jmol working on > wikipedia > and would like to also get it on wikiversity for some teaching > materials > I have started to add there. However, I have been very much out of > touch > recently. Could someone please update me on what the situation is with > the jmol mediawiki extension and point me to an example of it working, > so I can point the wikipedia technical folks to have a look at the > examples? > > Also, last time I tried to get jmol on wikipedia I was told there were > security issues with the extension. Have these been addressed? > |
From: A. H. <ang...@ua...> - 2008-11-29 13:09:33
|
On 29 Nov 2008 at 8:12, Rzepa, Henry wrote: > http://www.ch.ic.ac.uk/wiki2/index.php/Mod:jmol > > I currently have it down to a "silly mistake" somewhere, probably a > variable in LocalSettings.php. The correct source code is being > generated, including the Jmolinitialize script etc, but it just does > not start (if someone CAN spot a mistake in the source for the page > above, I would be very grateful!) Henry, I'm probably been naïve, but your page source code says <script language='Javascript' type='text/javascript' src='/extensions/Jmol/Jmol.js'></script> and when I try the url http://www.ch.ic.ac.uk/extensions/Jmol/Jmol.js I get an error: The requested URL /extensions/Jmol/Jmol.js was not found on this server. So where am I confused? That explains the js console errors I get: Error: jmolInitialize is not defined Archivo de origen: http://www.ch.ic.ac.uk/wiki2/index.php/Mod:jmol Línea: 58 Error: jmolCheckBrowser is not defined Archivo de origen: http://www.ch.ic.ac.uk/wiki2/index.php/Mod:jmol Línea: 75 |
From: Rzepa, H. <h....@im...> - 2008-11-29 14:53:30
|
On 29 Nov 2008, at 01:41, Brian Salter-Duke wrote: > The question of having Jmol used on wikipedia has again been raised on > the commons email list. On contributor to the discussion says that the > jmol mediawiki extension now only works with an older version of > mediawiki. Certainly my examples at:- > > http://wiki.jmol.org:81/index.php/User:Bduke I have gotten things to work myself (Thanks Angel for the remark that gave the clue). In the distribution http://jmol.svn.sourceforge.net/viewvc/jmol/trunk/Jmol-extensions/wiki/MediaWiki/ edit the file Jmol.php to make the change from $wgJmolExtensionPath = "/extensions/Jmol"; to $wgJmolExtensionPath = $wgScriptPath."/extensions/Jmol"; |
From: Brian Salter-D. <b_...@bi...> - 2008-11-29 22:48:29
|
On Sat, Nov 29, 2008 at 02:53:18PM +0000, Rzepa, Henry wrote: > > On 29 Nov 2008, at 01:41, Brian Salter-Duke wrote: > >> The question of having Jmol used on wikipedia has again been raised on >> the commons email list. On contributor to the discussion says that the >> jmol mediawiki extension now only works with an older version of >> mediawiki. Certainly my examples at:- >> >> http://wiki.jmol.org:81/index.php/User:Bduke > > > I have gotten things to work myself (Thanks Angel for the remark that > gave the clue). > > In the distribution http://jmol.svn.sourceforge.net/viewvc/jmol/trunk/Jmol-extensions/wiki/MediaWiki/ > > edit the file Jmol.php to make the change from > > $wgJmolExtensionPath = "/extensions/Jmol"; > > to > > $wgJmolExtensionPath = $wgScriptPath."/extensions/Jmol"; That is great news. Thanks, Henry. My page on the Jmol wiki is now working and I have something I can point the wikipedia tech folks to so that they can look at Jmol. The question of security still remains. Has this been addresed by anyone? Does anyone on this list think it is an issue? It is quite clear that Kmol will never be added to wikipedia until the tech folks are totally convinced that there are no security issues. I just do not know much about security and I do not speak php. Regards, Brian. -- On two occasions I have been asked [by members of Parliament], "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?". I am not able rightly to comprehend the kind of confusion of ideas that could provoke such a question. -- Charles Babbage Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au |
From: A. H. <ang...@ua...> - 2008-11-30 00:04:41
|
On 30 Nov 2008 at 9:48, Brian Salter-Duke wrote: > That is great news. Thanks, Henry. My page on the Jmol wiki is now > working and I have something I can point the wikipedia tech folks to so > that they can look at Jmol. Brian, I'm quite surprised that your page has started to work NOW. Unless Nico has updated the Wiki without saying a word, what I updated earlier this evening was the php file in the Jmol SVN pages. I would not expect that to affect the Wiki automatically. > The question of security still remains. Has > this been addresed by anyone? Does anyone on this list think it is an > issue? A recent addition to the Wiki questions security on the basis that any javascript can be run from Jmol script. I'm not sure, though, what security issues that raises. See http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo The latest post in the Talk page http://wiki.jmol.org:81/index.php/User_talk:Ilmari_Karonen/JS_injection_demo sounds very threatening, but I don't understand it fully. It may, however, be a big obstacle for Wikipedia adoption. |
From: Brian Salter-D. <b_...@bi...> - 2008-11-30 01:35:15
|
On Sun, Nov 30, 2008 at 01:16:21AM +0100, Angel Herráez wrote: > On 30 Nov 2008 at 9:48, Brian Salter-Duke wrote: > > That is great news. Thanks, Henry. My page on the Jmol wiki is now > > working and I have something I can point the wikipedia tech folks to so > > that they can look at Jmol. > Brian, I'm quite surprised that your page has started to work NOW. > Unless Nico has updated the Wiki without saying a word, what I > updated earlier this evening was the php file in the Jmol SVN pages. I > would not expect that to affect the Wiki automatically. > > > The question of security still remains. Has > > this been addresed by anyone? Does anyone on this list think it is an > > issue? > A recent addition to the Wiki questions security on the basis that any > javascript can be run from Jmol script. I'm not sure, though, what > security issues that raises. > See > http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo > > The latest post in the Talk page > http://wiki.jmol.org:81/index.php/User_talk:Ilmari_Karonen/JS_injection_demo > sounds very threatening, but I don't understand it fully. It may, > however, be a big obstacle for Wikipedia adoption. Discussion has been going on at both:- Wikimedia Commons Discussion List <com...@li...> and Wikimedia developers <wik...@li...> This discussion may illustrate the problem:- [Post to commons list] See https://bugzilla.wikimedia.org/show_bug.cgi?id=16491 That users can embed javascript is not acceptable to run it on Wikipedia. Other parameters, like urlContents or signed wouldn't be used but at least they can be disabled. [Me] I am afraid this is all beyond my expertise. Are you saying that there is no way Jmol can ever be used on WMF projects? [Reply from someone else] There is, as soon as the Javascript embedding possibility gets disabled and the extension gets a proper review (TM). This link:- https://bugzilla.wikimedia.org/show_bug.cgi?id=16491 mentioned there is interesting but the question of the CML extension is getting confused with the Jmol extension as both were mentioned in the original post on the Commons list. While Jmol on wikipedia would be great, I would really like it on wikiversity to illustrate some teeaching materials I have started to put there. Brian. -- "If people are good only because they fear punishment, and hope for reward, then we are a sorry lot indeed." -- Albert Einstein Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au |
From: Nicolas V. <nve...@gm...> - 2008-11-30 21:53:33
|
Hi everyone, I have been quite busy for several months on other matters than Jmol, so I haven't worked at all on the extension. I am happy to see people interested in making it work, and bringing it to Wikipedia. On the matter of security issues, there are at least 2 things to do : - Being able to entirely deactivate the possibility to let arbitrary Javascript being called by Jmol. I don't know if there's a way in Jmol to disable this. There's a need to completely disable the 'javascript' command in Jmol scripts. The problem is demonstrated by http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo - Ensuring that the extension doesn't allow for true Javascript injection (whatever text is entered by someone in the <jmol> tags, this only creates Jmol applet and Jmol scripts, nothing else). I think this means ensuring that in the generated page, the text is always correctly escaped to prevent Javascript injection. Both things clearly need to be done in order to hope to see Jmol on Wikipedia : having every editor being able to add arbitrary Javascript that will be run by everyone viewing a page is a security issue. The first problem needs first to be answered in the Jmol applet itself. Is there a way to add an option in the applet construction to remove the 'javascript' command in Jmol scripts ? Bob ? The second problem nees to be treated in the extension. My knowledge on PHP and the security issues is limited (and I don't have much time avaiable), so some help from someone knowing how to deal with the script injection would be very useful. Nico |
From: Brian Salter-D. <b_...@bi...> - 2008-11-30 22:49:29
|
On Sun, Nov 30, 2008 at 10:53:29PM +0100, Nicolas Vervelle wrote: > Hi everyone, > > I have been quite busy for several months on other matters than Jmol, so I > haven't worked at all on the extension. > I am happy to see people interested in making it work, and bringing it to > Wikipedia. > > On the matter of security issues, there are at least 2 things to do : > > - Being able to entirely deactivate the possibility to let arbitrary > Javascript being called by Jmol. I don't know if there's a way in Jmol to > disable this. There's a need to completely disable the 'javascript' command > in Jmol scripts. The problem is demonstrated by > http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo > - Ensuring that the extension doesn't allow for true Javascript injection > (whatever text is entered by someone in the <jmol> tags, this only creates > Jmol applet and Jmol scripts, nothing else). I think this means ensuring > that in the generated page, the text is always correctly escaped to prevent > Javascript injection. > > Both things clearly need to be done in order to hope to see Jmol on > Wikipedia : having every editor being able to add arbitrary Javascript that > will be run by everyone viewing a page is a security issue. > > The first problem needs first to be answered in the Jmol applet itself. Is > there a way to add an option in the applet construction to remove the > 'javascript' command in Jmol scripts ? Bob ? > > The second problem nees to be treated in the extension. My knowledge on PHP > and the security issues is limited (and I don't have much time avaiable), so > some help from someone knowing how to deal with the script injection would > be very useful. > > Nico I am just thinking aloud here. I think there could be a solution to add a chaneg to medciawiki itself to have some specific Jmol tags, something like: <jmolimage> ... </jmolimage> avoiding all calls to Jmol itself. The parameters for jmolimage would give everything that was needed, method, file names, etc. Mediawiki itself would then be doing any chaecks that were needed. It would also be easier for wikipedia editors and I suspect the wikipedia techs would prefer this solution. Is this worth following up? I do not know mediawiki and could be just talking nonsense. Another advantage of this approach is that wikipedia could limit the mehtods available and perhaps limit them to file upload only. The mediawiki code would need changing anyway to allow use of Jmol files on Commons as well as wikipedia. Some mediawiki changes are going to be needed anyway. Brian. -- Real Programmers can write FORTRAN in any language. -- unknown Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au |
From: Brian Salter-D. <b_...@bi...> - 2008-12-01 00:25:14
|
Hi folks, Gerard Meijssen <ger...@gm...> has asked me to pass this on to the Jmol list. I responded to this discussion on the Commons-l list:- [Commons-l] Support for Chemical Markup Language - followup ------------------------------------------------------------------ Hoi, If you want to get the JMOL software internationalised and localised, you may want to consider talking to the Betawiki people. We do the localisation of MediaWiki and we do the localisation of many of its extensions. We would be interested in working on JMOL as it is a lively and relevant software / community. I am also involved in a testing envirionment for MediaWiki extensions, if you are interested in using this environment, let me know.. I take it that you will convey my message to the JMOL mailing list ? Thanks, Gerard ------------------------------------------------------------------ This does seem to be a useful idea. I'll have a look at betawiki but I'm very busy this week and early next week. Cheers, Brian. -- Brian Salter-Duke (Brian Duke) 626 Melbourne Rd, Spotswood, VIC, 3015, Australia. Email: b_...@bi... Phone: 03-93992847 Web: http://www.salter-duke.bigpondhosting.com/brian/index.htm |
From: Angel H. <ang...@ua...> - 2008-12-01 12:02:04
|
Hi Gerard Thanks for the suggestions. Jmol is already fully internationalized and localized, over 10 languages: http://wiki.jmol.org:81/index.php/Internationalisation/Current_Status I'm not sure if the MediaWiki extension would need any further localization. Does the testing environment that you mention need a web Wiki setup, or can it be tested locally? I would be interested on it, but haven't got a Wiki to implement it --nor the time to involvemyself into such a task--. El 1 Dec 2008 a las 11:24, Brian Salter-Duke escribió: > Hi folks, > > Gerard Meijssen <ger...@gm...> has asked me to pass this on > to the Jmol list. I responded to this discussion on the Commons-l list:- > > [Commons-l] Support for Chemical Markup Language - followup > > ------------------------------------------------------------------ > Hoi, > > If you want to get the JMOL software internationalised and localised, > you may want to consider talking to the Betawiki people. We do the > localisation of MediaWiki and we do the localisation of many of its > extensions. We would be interested in working on JMOL as it is a lively > and relevant software / community. > > I am also involved in a testing envirionment for MediaWiki extensions, > if you are interested in using this environment, let me know.. I take it > that you will convey my message to the JMOL mailing list ? Thanks, > Gerard |
From: Brian Salter-D. <b_...@bi...> - 2008-12-01 23:38:21
|
Take a look at this blog:- http://ultimategerardm.blogspot.com/2008/12/jmol.html More publicity to get Jmol properly working on wikis. Brian. -- "First they ignore you, then they laugh at you, then they fight you, then you win." -- Gandhi, being prophetic about Linux. Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au |
From: Angel H. <ang...@ua...> - 2008-12-09 12:19:12
|
I'd like to keep this discussion going, so here is a little bit more, picking up on the possibilities to have Jmol supported in Wikipedia and other Wikis: On 30 Nov 2008 22:53, Nicolas Vervelle wrote: > > On the matter of security issues, there are at least 2 things to do : > * Being able to entirely deactivate the possibility to let arbitrary > Javascript being called by Jmol. I don't know if there's a way in > Jmol to disable this. There's a need to completely disable the > 'javascript' command in Jmol scripts. The problem is demonstrated by > http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_dem > o Do we still need this? (see below) > * Ensuring that the extension doesn't allow for true Javascript > injection (whatever text is entered by someone in the <jmol>tags, > this only creates Jmol applet and Jmol scripts, nothing else). I > think this means ensuring that in the generated page, the text is > always correctly escaped to prevent Javascript injection. This is implemented in the last update. > The second problem nees to be treated in the extension. My knowledge > on PHP and the security issues is limited (and I don't have much time > avaiable), so some help from someone knowing how to deal with the > script injection would be very useful. The way I've implemented it, any script passed to the Extension (inside the extension's <script> tag) containing the word "javascript" (case-insensitive) will be completely ignored. I gues it can be done so that only the javascript part is removed and the remaining script is preserved, but I don't know so much PHP as to do so. And the idea is that users-editors of wiki pages should not try at all to use javascript in the wiki pages. As a side effect, the <text>, <title>, <name>... tags of the extension cannot contain the forbidden word either (they are all parsed via the same function as script is). Not a big sacrifice. And on 1 Dec 2008 9:49, Brian Salter-Duke wrote: > I am just thinking aloud here. I think there could be a solution to add > a chaneg to medciawiki itself to have some specific Jmol tags, something > like: > > <jmolimage> ... </jmolimage> We already have the <jmol> tag added by the extension. Is there any difference intended? > avoiding all calls to Jmol itself. I don't quite understand. There is no call to Jmol until the extension inserts the Jmol code. And by using <jmolAppletButton> or <jmolAppletLink> one avoids Jmol to be loaded until the visitor requests it. > The parameters for jmolimage would > give everything that was needed, method, file names, etc. Mediawiki > itself would then be doing any chaecks that were needed. It would also > be easier for wikipedia editors and I suspect the wikipedia techs would > prefer this solution. Is this worth following up? I do not know > mediawiki and could be just talking nonsense. I think it is the JmolMediaWiki Extension that must do all this anyway, not the generic MediaWiki software. And it is doing so already, by using the different sub-tags of the <jmol> tag. Do you envisage any differences, Brian? Please ellaborate on that. The configuration in the server (LocalSettings.php) may block the use of external URLs for models, or of uploaded files, may block or impose the use of signed applet. The rest of the task in inside the Extension. > Another advantage of this approach is that wikipedia could limit the > mehtods available and perhaps limit them to file upload only. Already possible (see above). > The > mediawiki code would need changing anyway to allow use of Jmol files on > Commons as well as wikipedia. This needs further work, but is related to the above config. settings. |
From: Nicolas V. <nve...@gm...> - 2008-12-09 13:03:21
|
Hi, On Tue, Dec 9, 2008 at 1:21 PM, Angel Herraez <ang...@ua...> wrote: > I'd like to keep this discussion going, so here is a little bit more, > picking up on the possibilities to have Jmol supported in Wikipedia > and other Wikis: > > > On 30 Nov 2008 22:53, Nicolas Vervelle wrote: > > > > On the matter of security issues, there are at least 2 things to do : > > * Being able to entirely deactivate the possibility to let arbitrary > > Javascript being called by Jmol. I don't know if there's a way in > > Jmol to disable this. There's a need to completely disable the > > 'javascript' command in Jmol scripts. The problem is demonstrated by > > > http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_dem > > o > > Do we still need this? (see below) > > > > * Ensuring that the extension doesn't allow for true Javascript > > injection (whatever text is entered by someone in the <jmol>tags, > > this only creates Jmol applet and Jmol scripts, nothing else). I > > think this means ensuring that in the generated page, the text is > > always correctly escaped to prevent Javascript injection. > > This is implemented in the last update. > > > The second problem nees to be treated in the extension. My knowledge > > on PHP and the security issues is limited (and I don't have much time > > avaiable), so some help from someone knowing how to deal with the > > script injection would be very useful. > > The way I've implemented it, any script passed to the Extension > (inside the extension's <script> tag) containing the word > "javascript" (case-insensitive) will be completely ignored. > I gues it can be done so that only the javascript part is removed and > the remaining script is preserved, but I don't know so much PHP as to > do so. And the idea is that users-editors of wiki pages should not > try at all to use javascript in the wiki pages. This approach is interesting but I am not sure it covers all the possibilities. For example, I think you can still run Javascript with scripts calling other scripts : - Create a wiki page with contents corresponding to a Jmol script with Javascript in it. - Add a <jmol> tag in a page with a script calling the other script > As a side effect, the <text>, <title>, <name>... tags of the > extension cannot contain the forbidden word either (they are all > parsed via the same function as script is). Not a big sacrifice. Not a problem :) > And on 1 Dec 2008 9:49, Brian Salter-Duke wrote: > > The > > mediawiki code would need changing anyway to allow use of Jmol files on > > Commons as well as wikipedia. > > This needs further work, but is related to the above config. > settings. I am not sure using Jmol files on Commons needs any change. I thought that files in the Image namespace in Commons are simply exported to other wikis and kept up to date. Nico |
From: Brian Salter-D. <b_...@bi...> - 2008-12-10 00:29:25
|
On Tue, Dec 09, 2008 at 02:03:17PM +0100, Nicolas Vervelle wrote: > Hi, > > > On Tue, Dec 9, 2008 at 1:21 PM, Angel Herraez <ang...@ua...> wrote: > > > I'd like to keep this discussion going, so here is a little bit more, > > picking up on the possibilities to have Jmol supported in Wikipedia > > and other Wikis: > > > > > > On 30 Nov 2008 22:53, Nicolas Vervelle wrote: > > > > > > On the matter of security issues, there are at least 2 things to do : > > > * Being able to entirely deactivate the possibility to let arbitrary > > > Javascript being called by Jmol. I don't know if there's a way in > > > Jmol to disable this. There's a need to completely disable the > > > 'javascript' command in Jmol scripts. The problem is demonstrated by > > > > > http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_dem > > > o > > > > Do we still need this? (see below) > > > > > > > * Ensuring that the extension doesn't allow for true Javascript > > > injection (whatever text is entered by someone in the <jmol>tags, > > > this only creates Jmol applet and Jmol scripts, nothing else). I > > > think this means ensuring that in the generated page, the text is > > > always correctly escaped to prevent Javascript injection. > > > > This is implemented in the last update. > > > > > The second problem nees to be treated in the extension. My knowledge > > > on PHP and the security issues is limited (and I don't have much time > > > avaiable), so some help from someone knowing how to deal with the > > > script injection would be very useful. > > > > The way I've implemented it, any script passed to the Extension > > (inside the extension's <script> tag) containing the word > > "javascript" (case-insensitive) will be completely ignored. > > I gues it can be done so that only the javascript part is removed and > > the remaining script is preserved, but I don't know so much PHP as to > > do so. And the idea is that users-editors of wiki pages should not > > try at all to use javascript in the wiki pages. > > > This approach is interesting but I am not sure it covers all the > possibilities. > For example, I think you can still run Javascript with scripts calling other > scripts : > > - Create a wiki page with contents corresponding to a Jmol script with > Javascript in it. > - Add a <jmol> tag in a page with a script calling the other script > > > > > As a side effect, the <text>, <title>, <name>... tags of the > > extension cannot contain the forbidden word either (they are all > > parsed via the same function as script is). Not a big sacrifice. > > > Not a problem :) > > > > And on 1 Dec 2008 9:49, Brian Salter-Duke wrote: > > > The > > > mediawiki code would need changing anyway to allow use of Jmol files on > > > Commons as well as wikipedia. > > > > This needs further work, but is related to the above config. > > settings. > > > I am not sure using Jmol files on Commons needs any change. > I thought that files in the Image namespace in Commons are simply exported > to other wikis and kept up to date. I am fairly sure that this is not right. The code looks at Commons first for the image, and then on the local wiki. I could however be mistaken. Wikipedia images confuse me. Brian. > Nico > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ -- "The PROPER way to handle HTML postings is to cancel the article, then hire a hitman to kill the poster, his wife and kids, and fuck his dog and smash his computer into little bits. Anything more is just extremism." -- Paul Tomblin Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au |
From: Robert H. <ha...@st...> - 2008-12-10 13:36:25
|
All -- I'm pretty sure that if you invoke _jmol.noEval = true in your wiki code, you will completely shut down any JavaScript functionality of Jmol except callbacks. This setting cannot be changed within Jmol -- it is checked upon applet creation and cannot be changed within the applet. So it does not matter what you do after that. The functionalities that employ JavaScript in Jmol include: script "javascript:...." javascript "......" x = javascript(".....") isosurface FUNCTIONXY .... callback methods But, really, it's simpler than that if you want to disallow all callbacks and every last bit of JavaScript capability of the applet -- just don't have "mayscript" in the applet tag. For example: jmolSetDocument(0) var s = jmolApplet([width,height], script) s=s.replace(/mayscript/,"maynotscript") document.wrte(s) produces a Jmol applet with no JavaScript access whatsoever. Bob -- Robert M. Hanson Professor of Chemistry St. Olaf College 1520 St. Olaf Ave. Northfield, MN 55057 http://www.stolaf.edu/people/hansonr phone: 507-786-3107 If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 |
From: Angel H. <ang...@ua...> - 2008-12-10 13:51:10
|
> All -- I'm pretty sure that if you invoke _jmol.noEval = true in your > wiki code, you will completely shut down any JavaScript functionality > of Jmol except callbacks. This setting cannot be changed within Jmol > -- it is checked upon applet creation and cannot be changed within the > applet. So it does not matter what you do after that. The > functionalities that employ JavaScript in Jmol include: > > script "javascript:...." > javascript "......" > x = javascript(".....") > isosurface FUNCTIONXY .... > callback methods Right, it seems to be working although I haven't tested all those possibilites yet. > But, really, it's simpler than that if you want to disallow all > callbacks and every last bit of JavaScript capability of the applet -- > > just don't have "mayscript" in the applet tag. Oh, great! Will that be obeyed by all browsers? I think to recall reading that support of the "mayscript" parameters is uneven across browsers. I will test that too. Thanks, Bob. We are taking big setps towards safe integration in wikis. |
From: Bob H. <ha...@st...> - 2008-12-10 14:27:49
|
It is true for all browsers because Jmol checks the tag itself and explicitly denies itself access On Dec 10, 2008, at 7:53 AM, "Angel Herraez" <ang...@ua...> wrote: >> All -- I'm pretty sure that if you invoke _jmol.noEval = true in your >> wiki code, you will completely shut down any JavaScript functionality >> of Jmol except callbacks. This setting cannot be changed within Jmol >> -- it is checked upon applet creation and cannot be changed within >> the >> applet. So it does not matter what you do after that. The >> functionalities that employ JavaScript in Jmol include: >> >> script "javascript:...." >> javascript "......" >> x = javascript(".....") >> isosurface FUNCTIONXY .... >> callback methods > > Right, it seems to be working although I haven't tested all those > possibilites yet. > > >> But, really, it's simpler than that if you want to disallow all >> callbacks and every last bit of JavaScript capability of the applet >> -- >> >> just don't have "mayscript" in the applet tag. > > > Oh, great! Will that be obeyed by all browsers? I think to recall > reading that support of the "mayscript" parameters is uneven across > browsers. > > I will test that too. > > Thanks, Bob. We are taking big setps towards safe integration in > wikis. > > > > --- > --- > --- > --------------------------------------------------------------------- > SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, > Nevada. > The future of the web can't happen without you. Join us at MIX09 to > help > pave the way to the Next Web now. Learn more and register at > http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ > _______________________________________________ > Jmol-users mailing list > Jmo...@li... > https://lists.sourceforge.net/lists/listinfo/jmol-users |
From: A. H. <ang...@ua...> - 2008-12-10 21:02:52
|
On 10 Dec 2008 at 7:36, Robert Hanson wrote: > But, really, it's simpler than that if you want to disallow all > callbacks and every last bit of JavaScript capability of the applet -- > > just don't have "mayscript" in the applet tag. Ah, interesting. But then jmolButton() et al. do nothing. I mean, the button is not written to the page*. A very safe mode indeed, but not what we need for the Wiki. So I will go with the " _jmol.noEval" method. *) Rightly so, since they would not be able to send scripts to the applet. Oh, not exactly! If I add a button using <input type="button" value="cpk off" onClick="jmolScript('cpk off')"> it does send the script to the applet. So "mayscript" is unidirectional: its absence blocks Jmol from talking to javascript, and blocks Jmol.js from generating UI controls, but does not block Jmol from listening to javascript. Intriguing... (tested in WinXP, Firefox, IE7 and Opera) This is the reference I recalled: http://www.javasonics.com/support/check_liveconnect.php |
From: Robert H. <ha...@st...> - 2008-12-11 00:35:00
|
Something's not right. mayscript = false in no way prevents jmolButton from being created, and with mayscript=false, the jmolButton still works fine. Something else is going on there. Bob On Wed, Dec 10, 2008 at 3:14 PM, Angel Herráez <ang...@ua...> wrote: > On 10 Dec 2008 at 7:36, Robert Hanson wrote: >> But, really, it's simpler than that if you want to disallow all >> callbacks and every last bit of JavaScript capability of the applet -- >> >> just don't have "mayscript" in the applet tag. > > Ah, interesting. > But then jmolButton() et al. do nothing. I mean, the button is not written to the page*. A > very safe mode indeed, but not what we need for the Wiki. So I will go with the " > _jmol.noEval" method. > > *) Rightly so, since they would not be able to send scripts to the applet. > Oh, not exactly! If I add a button using > <input type="button" value="cpk off" onClick="jmolScript('cpk off')"> > it does send the script to the applet. > So "mayscript" is unidirectional: its absence blocks Jmol from talking to javascript, and > blocks Jmol.js from generating UI controls, but does not block Jmol from listening to > javascript. Intriguing... > (tested in WinXP, Firefox, IE7 and Opera) > > This is the reference I recalled: > http://www.javasonics.com/support/check_liveconnect.php > > > > ------------------------------------------------------------------------------ > SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. > The future of the web can't happen without you. Join us at MIX09 to help > pave the way to the Next Web now. Learn more and register at > http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ > _______________________________________________ > Jmol-users mailing list > Jmo...@li... > https://lists.sourceforge.net/lists/listinfo/jmol-users > -- Robert M. Hanson Professor of Chemistry St. Olaf College 1520 St. Olaf Ave. Northfield, MN 55057 http://www.stolaf.edu/people/hansonr phone: 507-786-3107 If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 |
From: Angel H. <ang...@ua...> - 2008-12-11 10:16:32
|
El 10 Dec 2008 a las 18:34, Robert Hanson escribió: > Something's not right. > > mayscript = false in no way prevents jmolButton from being created, > and with mayscript=false, the jmolButton still works fine. > > Something else is going on there. I though it weird, but that is tested on an independent page I made for the purpose (no wiki), and that's what I see in several browsers. And no javascript error raised. BTW, I think we are not making mayscript = false, we are removing the mayscript tag and adding a maynotscript tag (haven't actually checked this). So, the browser will behave as if no mayscript tag is defined. Under this condition, the page I mentioned says that Firefox 2 will do Javascript to Java and not Java to Javascript, while other browsers will do both. But in Ff3 I see that both work. My Ff2 (portable version) works as they say. |
From: Robert H. <ha...@st...> - 2008-12-11 13:25:37
|
OK, there are two issues here. mayscript and scripting. "maynotscript" is just my invention to remove the "mayscript" tag. You could do otherwise. I don't think it is browser-safe to use mayscript=false, because, as I recall, the original specification was just for the word "mayscript" in the applet tag, not any value associated with it. So some browsers might see "mayscript=false" as the same as "mayscript" JmolButtons. I really don't see how it is possible for any setting of mayscript to affect whether a JmolButton shows up or not on the page. Convince me. Bob I don't see how it is possible for "mayscript=false" to in any way affect jmolButton. On Thu, Dec 11, 2008 at 4:18 AM, Angel Herraez <ang...@ua...> wrote: > El 10 Dec 2008 a las 18:34, Robert Hanson escribió: > >> Something's not right. >> >> mayscript = false in no way prevents jmolButton from being created, >> and with mayscript=false, the jmolButton still works fine. >> >> Something else is going on there. > > I though it weird, but that is tested on an independent page I made > for the purpose (no wiki), and that's what I see in several browsers. > And no javascript error raised. > > BTW, I think we are not making mayscript = false, we are removing the > mayscript tag and adding a maynotscript tag (haven't actually checked > this). So, the browser will behave as if no mayscript tag is defined. > Under this condition, the page I mentioned says that Firefox 2 will > do Javascript to Java and not Java to Javascript, while other > browsers will do both. But in Ff3 I see that both work. My Ff2 > (portable version) works as they say. > > > ------------------------------------------------------------------------------ > SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. > The future of the web can't happen without you. Join us at MIX09 to help > pave the way to the Next Web now. Learn more and register at > http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ > _______________________________________________ > Jmol-users mailing list > Jmo...@li... > https://lists.sourceforge.net/lists/listinfo/jmol-users > -- Robert M. Hanson Professor of Chemistry St. Olaf College 1520 St. Olaf Ave. Northfield, MN 55057 http://www.stolaf.edu/people/hansonr phone: 507-786-3107 If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 |
From: Brian Salter-D. <b_...@bi...> - 2008-12-10 00:26:54
|
On Tue, Dec 09, 2008 at 01:21:01PM +0100, Angel Herraez wrote: > I'd like to keep this discussion going, so here is a little bit more, > picking up on the possibilities to have Jmol supported in Wikipedia > and other Wikis: [Nico's message snipped] > And on 1 Dec 2008 9:49, Brian Salter-Duke wrote: > > I am just thinking aloud here. I think there could be a solution to add > > a chaneg to medciawiki itself to have some specific Jmol tags, something > > like: > > > > <jmolimage> ... </jmolimage> > > We already have the <jmol> tag added by the extension. Is there any > difference intended? > > > avoiding all calls to Jmol itself. > > I don't quite understand. There is no call to Jmol until the > extension inserts the Jmol code. And by using <jmolAppletButton> > or <jmolAppletLink> one avoids Jmol to be loaded until the visitor > requests it. This is an example of an image inserted on wikipedia:- [[Image:Meissner effect zoom.jpg|thumb|200px|right|A [[magnet]] levitating above a [[high-temperature superconductor]] demonstrates the [[Meissner effect]].]] Everything is together. I presume the bits are handled by mediawiki. In contrast, a simple Jmol call is full of html/javascript like stuff. <jmol><jmolApplet><script>set spin X 10; spin on</script> <name>ethane_s1</name><color>palegreen</color><size>250</size> <uploadedFileContents>ethane_s.pdb</uploadedFileContents> </jmolApplet> <jmolButton><script>spin on</script><name>ethane_s1</name><text>Start spinning</text></jmolButton> <jmolButton><script>spin off</script><name>ethane_s1</name><text>Stop spinning</text></jmolButton> </jmol> What if it was like this:- [[Jmolimage:ethane_s.pdb|color=palegreen|script=spin X 10|script=spin on|size=250|button=(spin on,Start spinning)|button=(spin off,Stop spining)]] Jmolimage:ethane_s.pdb starts it all off and includes:- <uploadedFileContents>ethane_s.pdb</uploadedFileContents> color=palegreen includes <color>palegreen</color> size=250 includes <color>palegreen</color> script=spin X 10| script=spin on would generate:- <script>set spin X 10; spin on</script> button=(spin on,Start spinning) is interpreted as:- <jmolButton><script>spin on</script><name>ethane_s1</name><text>Start spinning</text></jmolButton> button=(spin off,Stop spining) is interpreted as:- <jmolButton><script>spin off</script><name>ethane_s1</name><text>Stop spinning</text></jmolButton> I suspect this would be easier for users and could likely be made more secure. However, I have no idea how this would be implemented. The mediawiki language seems to aim to remove as much direct html use as possible. > > The parameters for jmolimage would > > give everything that was needed, method, file names, etc. Mediawiki > > itself would then be doing any chaecks that were needed. It would also > > be easier for wikipedia editors and I suspect the wikipedia techs would > > prefer this solution. Is this worth following up? I do nopt>set spin > > X 10; spin on</script>t know > > mediawiki and could be just talking nonsense. > > I think it is the JmolMediaWiki Extension that must do all this > anyway, not the generic MediaWiki software. And it is doing so > already, by using the different sub-tags of the <jmol> tag. Do you > envisage any differences, Brian? Please ellaborate on that. > > The configuration in the server (LocalSettings.php) may block the use > of external URLs for models, or of uploaded files, may block or > impose the use of signed applet. The rest of the task in inside the > Extension. > > > > Another advantage of this approach is that wikipedia could limit the > > mehtods available and perhaps limit them to file upload only. > > Already possible (see above). I understand this. When the extension was first written, it was understandable that a number of different approaches were tried. Maybe it is time to limit these choices and make it simpler. Particularly on wikipedia, which has a large number of editors who are likely to be less familiar with Jmol than users on say the Jmol wiki, I think we have to decide. The choice is I think really between an uploaded file (on either wikipedia or Commons) and inline data. The latter will be seen as clumsy, but it makes it all self contained and does not mean that the whole upload business has to be altered - see below. The former would be better, but changes would be needed. > > The > > mediawiki code would need changing anyway to allow use of Jmol files on > > Commons as well as wikipedia. > > This needs further work, but is related to the above config. > settings. Whether Commons or the home wiki (say wikipedia or wikiversity) many changes would be needed. First, upload is restricted to files with certain extensions. We would have to decide which file types we wanted and allow those extensions to the upload. Second, we need to think about copyright issues on uploaded files and how these are going to be added. If you click on an image, it brings up the image page that displays both the image and all the upload, copyright, etc. details. How would this work for say a pdb file. So, third, we have a different image page. Adding an new prefix "Jmolimage" may facilitate this. Finally, we have to disguise the "Look on Commons first for the Jmol file; then look on the local wiki; then fail". I'm still thinking aloud here and the above is a bit different to what Angel is responding to. Brian. -- A child of five could understand this! Fetch me a child of five. -- Marx (guess which one) Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au |
From: Rzepa, H. <h....@im...> - 2008-12-10 06:59:49
|
>> > > I suspect this would be easier for users and could likely be made more > secure. However, I have no idea how this would be implemented. The > mediawiki language seems to aim to remove as much direct html use as > possible. >>> Our students use Jmol Mediawiki extensively. We have come up against the lack of a proper XML validator in mediawiki, which means that the more "XML" one asks the students to insert, the greater the chance of XML errors. I am increasingly having to cope with the student's work disappearing, to be replaced by a bald XMR error message instead. Gaining access to the history file to revert is also not entirely trivial. One can imagine what would happen if Wikipedia pages started to vanish in a similar manner (and of course, it could be done maliciously as well as accidentally). Does Wikipedia have a bot that can automatically undo these sorts of errors (the XML corruption is often such that repair is out of the question)? |
From: Angel H. <ang...@ua...> - 2008-12-09 13:39:53
|
El 9 Dec 2008 a las 14:03, Nicolas Vervelle escribió: > For example, I think you can stillrun Javascriptwithscripts > calling other scripts: > * Create a wiki page with contents corresponding to a Jmol script with > Javascript in it. > * Add a <jmol> tag in a page with a script calling the other script Aha, that's the sort of idea I wanted to hear (but had not imagined). Then maybe we should block the use of the "script" command too. After all, we shouldn't need too much Jmol scripting flexibility inside a Wiki; just basic display options that can be pasted in the page, not in independent files. I will test it this evening. |